From 77a5062ee8c2c5458236cec22c37af970ce8db15 Mon Sep 17 00:00:00 2001 From: HackerShark Date: Mon, 31 Oct 2022 11:49:54 -0400 Subject: [PATCH 001/100] fresh conversion of controls using new SV id Signed-off-by: HackerShark --- controls/SV-238196.rb | 55 ++++++++++++ controls/SV-238197.rb | 99 ++++++++++++++++++++++ controls/SV-238198.rb | 123 +++++++++++++++++++++++++++ controls/SV-238199.rb | 56 +++++++++++++ controls/SV-238200.rb | 37 ++++++++ controls/SV-238201.rb | 34 ++++++++ controls/SV-238202.rb | 35 ++++++++ controls/SV-238203.rb | 34 ++++++++ controls/SV-238204.rb | 71 ++++++++++++++++ controls/SV-238205.rb | 43 ++++++++++ controls/SV-238206.rb | 51 ++++++++++++ controls/SV-238207.rb | 68 +++++++++++++++ controls/SV-238208.rb | 33 ++++++++ controls/SV-238209.rb | 40 +++++++++ controls/SV-238210.rb | 73 ++++++++++++++++ controls/SV-238211.rb | 45 ++++++++++ controls/SV-238212.rb | 63 ++++++++++++++ controls/SV-238213.rb | 56 +++++++++++++ controls/SV-238214.rb | 161 +++++++++++++++++++++++++++++++++++ controls/SV-238215.rb | 72 ++++++++++++++++ controls/SV-238216.rb | 66 +++++++++++++++ controls/SV-238217.rb | 72 ++++++++++++++++ controls/SV-238218.rb | 44 ++++++++++ controls/SV-238219.rb | 52 ++++++++++++ controls/SV-238220.rb | 47 +++++++++++ controls/SV-238221.rb | 39 +++++++++ controls/SV-238222.rb | 39 +++++++++ controls/SV-238223.rb | 42 ++++++++++ controls/SV-238224.rb | 46 ++++++++++ controls/SV-238225.rb | 38 +++++++++ controls/SV-238226.rb | 42 ++++++++++ controls/SV-238227.rb | 34 ++++++++ controls/SV-238228.rb | 79 ++++++++++++++++++ controls/SV-238229.rb | 69 +++++++++++++++ controls/SV-238230.rb | 55 ++++++++++++ controls/SV-238231.rb | 41 +++++++++ controls/SV-238232.rb | 41 +++++++++ controls/SV-238233.rb | 44 ++++++++++ controls/SV-238234.rb | 41 +++++++++ controls/SV-238235.rb | 75 +++++++++++++++++ controls/SV-238236.rb | 76 +++++++++++++++++ controls/SV-238237.rb | 35 ++++++++ controls/SV-238238.rb | 56 +++++++++++++ controls/SV-238239.rb | 56 +++++++++++++ controls/SV-238240.rb | 56 +++++++++++++ controls/SV-238241.rb | 56 +++++++++++++ controls/SV-238242.rb | 56 +++++++++++++ controls/SV-238243.rb | 56 +++++++++++++ controls/SV-238244.rb | 59 +++++++++++++ controls/SV-238245.rb | 57 +++++++++++++ controls/SV-238246.rb | 56 +++++++++++++ controls/SV-238247.rb | 60 +++++++++++++ controls/SV-238248.rb | 62 ++++++++++++++ controls/SV-238249.rb | 56 +++++++++++++ controls/SV-238250.rb | 66 +++++++++++++++ controls/SV-238251.rb | 56 +++++++++++++ controls/SV-238252.rb | 52 ++++++++++++ controls/SV-238253.rb | 52 ++++++++++++ controls/SV-238254.rb | 52 ++++++++++++ controls/SV-238255.rb | 52 ++++++++++++ controls/SV-238256.rb | 52 ++++++++++++ controls/SV-238257.rb | 53 ++++++++++++ controls/SV-238258.rb | 88 +++++++++++++++++++ controls/SV-238264.rb | 73 ++++++++++++++++ controls/SV-238268.rb | 72 ++++++++++++++++ controls/SV-238271.rb | 89 ++++++++++++++++++++ controls/SV-238277.rb | 51 ++++++++++++ controls/SV-238278.rb | 52 ++++++++++++ controls/SV-238279.rb | 52 ++++++++++++ controls/SV-238280.rb | 52 ++++++++++++ controls/SV-238281.rb | 52 ++++++++++++ controls/SV-238282.rb | 52 ++++++++++++ controls/SV-238283.rb | 52 ++++++++++++ controls/SV-238284.rb | 52 ++++++++++++ controls/SV-238285.rb | 53 ++++++++++++ controls/SV-238286.rb | 53 ++++++++++++ controls/SV-238287.rb | 53 ++++++++++++ controls/SV-238288.rb | 52 ++++++++++++ controls/SV-238289.rb | 52 ++++++++++++ controls/SV-238290.rb | 52 ++++++++++++ controls/SV-238291.rb | 52 ++++++++++++ controls/SV-238292.rb | 52 ++++++++++++ controls/SV-238293.rb | 52 ++++++++++++ controls/SV-238294.rb | 54 ++++++++++++ controls/SV-238295.rb | 73 ++++++++++++++++ controls/SV-238297.rb | 65 +++++++++++++++ controls/SV-238298.rb | 87 +++++++++++++++++++ controls/SV-238299.rb | 41 +++++++++ controls/SV-238300.rb | 57 +++++++++++++ controls/SV-238301.rb | 57 +++++++++++++ controls/SV-238302.rb | 58 +++++++++++++ controls/SV-238303.rb | 73 ++++++++++++++++ controls/SV-238304.rb | 74 ++++++++++++++++ controls/SV-238305.rb | 76 +++++++++++++++++ controls/SV-238306.rb | 83 ++++++++++++++++++ controls/SV-238307.rb | 74 ++++++++++++++++ controls/SV-238308.rb | 33 ++++++++ controls/SV-238309.rb | 66 +++++++++++++++ controls/SV-238310.rb | 71 ++++++++++++++++ controls/SV-238315.rb | 49 +++++++++++ controls/SV-238316.rb | 49 +++++++++++ controls/SV-238317.rb | 49 +++++++++++ controls/SV-238318.rb | 47 +++++++++++ controls/SV-238319.rb | 50 +++++++++++ controls/SV-238320.rb | 50 +++++++++++ controls/SV-238321.rb | 42 ++++++++++ controls/SV-238323.rb | 44 ++++++++++ controls/SV-238324.rb | 54 ++++++++++++ controls/SV-238325.rb | 38 +++++++++ controls/SV-238326.rb | 27 ++++++ controls/SV-238327.rb | 39 +++++++++ controls/SV-238328.rb | 82 ++++++++++++++++++ controls/SV-238329.rb | 51 ++++++++++++ controls/SV-238330.rb | 46 ++++++++++ controls/SV-238331.rb | 47 +++++++++++ controls/SV-238332.rb | 49 +++++++++++ controls/SV-238333.rb | 51 ++++++++++++ controls/SV-238334.rb | 38 +++++++++ controls/SV-238335.rb | 70 ++++++++++++++++ controls/SV-238336.rb | 48 +++++++++++ controls/SV-238337.rb | 41 +++++++++ controls/SV-238338.rb | 37 ++++++++ controls/SV-238339.rb | 36 ++++++++ controls/SV-238340.rb | 38 +++++++++ controls/SV-238341.rb | 38 +++++++++ controls/SV-238342.rb | 37 ++++++++ controls/SV-238343.rb | 39 +++++++++ controls/SV-238344.rb | 52 ++++++++++++ controls/SV-238345.rb | 51 ++++++++++++ controls/SV-238346.rb | 52 ++++++++++++ controls/SV-238347.rb | 38 +++++++++ controls/SV-238348.rb | 37 ++++++++ controls/SV-238349.rb | 37 ++++++++ controls/SV-238350.rb | 37 ++++++++ controls/SV-238351.rb | 38 +++++++++ controls/SV-238352.rb | 37 ++++++++ controls/SV-238353.rb | 66 +++++++++++++++ controls/SV-238354.rb | 46 ++++++++++ controls/SV-238355.rb | 54 ++++++++++++ controls/SV-238356.rb | 74 ++++++++++++++++ controls/SV-238357.rb | 54 ++++++++++++ controls/SV-238358.rb | 46 ++++++++++ controls/SV-238359.rb | 58 +++++++++++++ controls/SV-238360.rb | 73 ++++++++++++++++ controls/SV-238361.rb | 40 +++++++++ controls/SV-238362.rb | 40 +++++++++ controls/SV-238363.rb | 42 ++++++++++ controls/SV-238364.rb | 55 ++++++++++++ controls/SV-238365.rb | 69 +++++++++++++++ controls/SV-238366.rb | 69 +++++++++++++++ controls/SV-238367.rb | 77 +++++++++++++++++ controls/SV-238368.rb | 44 ++++++++++ controls/SV-238369.rb | 58 +++++++++++++ controls/SV-238370.rb | 42 ++++++++++ controls/SV-238371.rb | 44 ++++++++++ controls/SV-238372.rb | 43 ++++++++++ controls/SV-238373.rb | 43 ++++++++++ controls/SV-238374.rb | 40 +++++++++ controls/SV-238376.rb | 48 +++++++++++ controls/SV-238377.rb | 48 +++++++++++ controls/SV-238378.rb | 49 +++++++++++ controls/SV-238379.rb | 48 +++++++++++ controls/SV-238380.rb | 45 ++++++++++ controls/SV-251503.rb | 31 +++++++ controls/SV-251504.rb | 32 +++++++ controls/SV-251505.rb | 54 ++++++++++++ controls/SV-252704.rb | 77 +++++++++++++++++ controls/V-238196.rb | 77 ----------------- controls/V-238197.rb | 111 ------------------------ controls/V-238198.rb | 145 -------------------------------- controls/V-238199.rb | 73 ---------------- controls/V-238200.rb | 50 ----------- controls/V-238201.rb | 55 ------------ controls/V-238202.rb | 47 ----------- controls/V-238203.rb | 46 ---------- controls/V-238204.rb | 79 ------------------ controls/V-238205.rb | 60 ------------- controls/V-238206.rb | 80 ------------------ controls/V-238207.rb | 84 ------------------- controls/V-238208.rb | 42 ---------- controls/V-238209.rb | 53 ------------ controls/V-238210.rb | 84 ------------------- controls/V-238211.rb | 53 ------------ controls/V-238212.rb | 70 ---------------- controls/V-238213.rb | 66 --------------- controls/V-238214.rb | 190 ------------------------------------------ controls/V-238215.rb | 96 --------------------- controls/V-238216.rb | 80 ------------------ controls/V-238217.rb | 84 ------------------- controls/V-238218.rb | 50 ----------- controls/V-238219.rb | 61 -------------- controls/V-238220.rb | 55 ------------ controls/V-238221.rb | 61 -------------- controls/V-238222.rb | 61 -------------- controls/V-238223.rb | 64 -------------- controls/V-238224.rb | 68 --------------- controls/V-238225.rb | 61 -------------- controls/V-238226.rb | 63 -------------- controls/V-238227.rb | 56 ------------- controls/V-238228.rb | 90 -------------------- controls/V-238229.rb | 90 -------------------- controls/V-238230.rb | 67 --------------- controls/V-238231.rb | 50 ----------- controls/V-238232.rb | 60 ------------- controls/V-238233.rb | 69 --------------- controls/V-238234.rb | 58 ------------- controls/V-238235.rb | 61 -------------- controls/V-238236.rb | 80 ------------------ controls/V-238237.rb | 55 ------------ controls/V-238238.rb | 90 -------------------- controls/V-238239.rb | 89 -------------------- controls/V-238240.rb | 89 -------------------- controls/V-238241.rb | 88 ------------------- controls/V-238242.rb | 89 -------------------- controls/V-238243.rb | 68 --------------- controls/V-238244.rb | 69 --------------- controls/V-238245.rb | 73 ---------------- controls/V-238246.rb | 73 ---------------- controls/V-238247.rb | 92 -------------------- controls/V-238248.rb | 79 ------------------ controls/V-238249.rb | 72 ---------------- controls/V-238250.rb | 80 ------------------ controls/V-238251.rb | 72 ---------------- controls/V-238252.rb | 82 ------------------ controls/V-238253.rb | 82 ------------------ controls/V-238254.rb | 82 ------------------ controls/V-238255.rb | 82 ------------------ controls/V-238256.rb | 82 ------------------ controls/V-238257.rb | 82 ------------------ controls/V-238258.rb | 85 ------------------- controls/V-238259.rb | 85 ------------------- controls/V-238260.rb | 85 ------------------- controls/V-238261.rb | 86 ------------------- controls/V-238262.rb | 86 ------------------- controls/V-238263.rb | 86 ------------------- controls/V-238264.rb | 78 ----------------- controls/V-238265.rb | 80 ------------------ controls/V-238266.rb | 80 ------------------ controls/V-238267.rb | 78 ----------------- controls/V-238268.rb | 78 ----------------- controls/V-238269.rb | 78 ----------------- controls/V-238270.rb | 80 ------------------ controls/V-238271.rb | 101 ---------------------- controls/V-238272.rb | 100 ---------------------- controls/V-238273.rb | 101 ---------------------- controls/V-238274.rb | 101 ---------------------- controls/V-238275.rb | 101 ---------------------- controls/V-238276.rb | 101 ---------------------- controls/V-238277.rb | 80 ------------------ controls/V-238278.rb | 80 ------------------ controls/V-238279.rb | 80 ------------------ controls/V-238280.rb | 80 ------------------ controls/V-238281.rb | 80 ------------------ controls/V-238282.rb | 80 ------------------ controls/V-238283.rb | 80 ------------------ controls/V-238284.rb | 80 ------------------ controls/V-238285.rb | 83 ------------------ controls/V-238286.rb | 83 ------------------ controls/V-238287.rb | 83 ------------------ controls/V-238288.rb | 81 ------------------ controls/V-238289.rb | 80 ------------------ controls/V-238290.rb | 80 ------------------ controls/V-238291.rb | 80 ------------------ controls/V-238292.rb | 80 ------------------ controls/V-238293.rb | 80 ------------------ controls/V-238294.rb | 80 ------------------ controls/V-238295.rb | 81 ------------------ controls/V-238296.rb | 81 ------------------ controls/V-238297.rb | 78 ----------------- controls/V-238298.rb | 111 ------------------------ controls/V-238299.rb | 56 ------------- controls/V-238300.rb | 72 ---------------- controls/V-238301.rb | 71 ---------------- controls/V-238302.rb | 71 ---------------- controls/V-238303.rb | 109 ------------------------ controls/V-238304.rb | 91 -------------------- controls/V-238305.rb | 104 ----------------------- controls/V-238306.rb | 105 ----------------------- controls/V-238307.rb | 105 ----------------------- controls/V-238308.rb | 48 ----------- controls/V-238309.rb | 96 --------------------- controls/V-238310.rb | 76 ----------------- controls/V-238311.rb | 76 ----------------- controls/V-238312.rb | 76 ----------------- controls/V-238313.rb | 76 ----------------- controls/V-238314.rb | 74 ---------------- controls/V-238315.rb | 79 ------------------ controls/V-238316.rb | 79 ------------------ controls/V-238317.rb | 79 ------------------ controls/V-238318.rb | 76 ----------------- controls/V-238319.rb | 78 ----------------- controls/V-238320.rb | 78 ----------------- controls/V-238321.rb | 62 -------------- controls/V-238322.rb | 72 ---------------- controls/V-238323.rb | 54 ------------ controls/V-238324.rb | 75 ----------------- controls/V-238325.rb | 46 ---------- controls/V-238326.rb | 39 --------- controls/V-238327.rb | 51 ------------ controls/V-238328.rb | 96 --------------------- controls/V-238329.rb | 69 --------------- controls/V-238330.rb | 65 --------------- controls/V-238331.rb | 59 ------------- controls/V-238332.rb | 75 ----------------- controls/V-238333.rb | 59 ------------- controls/V-238334.rb | 59 ------------- controls/V-238335.rb | 74 ---------------- controls/V-238336.rb | 65 --------------- controls/V-238337.rb | 55 ------------ controls/V-238338.rb | 50 ----------- controls/V-238339.rb | 49 ----------- controls/V-238340.rb | 50 ----------- controls/V-238341.rb | 50 ----------- controls/V-238342.rb | 49 ----------- controls/V-238343.rb | 50 ----------- controls/V-238344.rb | 83 ------------------ controls/V-238345.rb | 81 ------------------ controls/V-238346.rb | 83 ------------------ controls/V-238347.rb | 67 --------------- controls/V-238348.rb | 65 --------------- controls/V-238349.rb | 65 --------------- controls/V-238350.rb | 64 -------------- controls/V-238351.rb | 65 --------------- controls/V-238352.rb | 65 --------------- controls/V-238353.rb | 75 ----------------- controls/V-238354.rb | 57 ------------- controls/V-238355.rb | 67 --------------- controls/V-238356.rb | 105 ----------------------- controls/V-238357.rb | 77 ----------------- controls/V-238358.rb | 59 ------------- controls/V-238359.rb | 85 ------------------- controls/V-238360.rb | 85 ------------------- controls/V-238361.rb | 53 ------------ controls/V-238362.rb | 62 -------------- controls/V-238363.rb | 64 -------------- controls/V-238364.rb | 74 ---------------- controls/V-238365.rb | 75 ----------------- controls/V-238366.rb | 75 ----------------- controls/V-238367.rb | 92 -------------------- controls/V-238368.rb | 60 ------------- controls/V-238369.rb | 68 --------------- controls/V-238370.rb | 54 ------------ controls/V-238371.rb | 56 ------------- controls/V-238372.rb | 56 ------------- controls/V-238373.rb | 55 ------------ controls/V-238374.rb | 50 ----------- controls/V-238375.rb | 103 ----------------------- controls/V-238376.rb | 81 ------------------ controls/V-238377.rb | 78 ----------------- controls/V-238378.rb | 80 ------------------ controls/V-238379.rb | 64 -------------- controls/V-238380.rb | 52 ------------ 352 files changed, 9011 insertions(+), 13839 deletions(-) create mode 100644 controls/SV-238196.rb create mode 100644 controls/SV-238197.rb create mode 100644 controls/SV-238198.rb create mode 100644 controls/SV-238199.rb create mode 100644 controls/SV-238200.rb create mode 100644 controls/SV-238201.rb create mode 100644 controls/SV-238202.rb create mode 100644 controls/SV-238203.rb create mode 100644 controls/SV-238204.rb create mode 100644 controls/SV-238205.rb create mode 100644 controls/SV-238206.rb create mode 100644 controls/SV-238207.rb create mode 100644 controls/SV-238208.rb create mode 100644 controls/SV-238209.rb create mode 100644 controls/SV-238210.rb create mode 100644 controls/SV-238211.rb create mode 100644 controls/SV-238212.rb create mode 100644 controls/SV-238213.rb create mode 100644 controls/SV-238214.rb create mode 100644 controls/SV-238215.rb create mode 100644 controls/SV-238216.rb create mode 100644 controls/SV-238217.rb create mode 100644 controls/SV-238218.rb create mode 100644 controls/SV-238219.rb create mode 100644 controls/SV-238220.rb create mode 100644 controls/SV-238221.rb create mode 100644 controls/SV-238222.rb create mode 100644 controls/SV-238223.rb create mode 100644 controls/SV-238224.rb create mode 100644 controls/SV-238225.rb create mode 100644 controls/SV-238226.rb create mode 100644 controls/SV-238227.rb create mode 100644 controls/SV-238228.rb create mode 100644 controls/SV-238229.rb create mode 100644 controls/SV-238230.rb create mode 100644 controls/SV-238231.rb create mode 100644 controls/SV-238232.rb create mode 100644 controls/SV-238233.rb create mode 100644 controls/SV-238234.rb create mode 100644 controls/SV-238235.rb create mode 100644 controls/SV-238236.rb create mode 100644 controls/SV-238237.rb create mode 100644 controls/SV-238238.rb create mode 100644 controls/SV-238239.rb create mode 100644 controls/SV-238240.rb create mode 100644 controls/SV-238241.rb create mode 100644 controls/SV-238242.rb create mode 100644 controls/SV-238243.rb create mode 100644 controls/SV-238244.rb create mode 100644 controls/SV-238245.rb create mode 100644 controls/SV-238246.rb create mode 100644 controls/SV-238247.rb create mode 100644 controls/SV-238248.rb create mode 100644 controls/SV-238249.rb create mode 100644 controls/SV-238250.rb create mode 100644 controls/SV-238251.rb create mode 100644 controls/SV-238252.rb create mode 100644 controls/SV-238253.rb create mode 100644 controls/SV-238254.rb create mode 100644 controls/SV-238255.rb create mode 100644 controls/SV-238256.rb create mode 100644 controls/SV-238257.rb create mode 100644 controls/SV-238258.rb create mode 100644 controls/SV-238264.rb create mode 100644 controls/SV-238268.rb create mode 100644 controls/SV-238271.rb create mode 100644 controls/SV-238277.rb create mode 100644 controls/SV-238278.rb create mode 100644 controls/SV-238279.rb create mode 100644 controls/SV-238280.rb create mode 100644 controls/SV-238281.rb create mode 100644 controls/SV-238282.rb create mode 100644 controls/SV-238283.rb create mode 100644 controls/SV-238284.rb create mode 100644 controls/SV-238285.rb create mode 100644 controls/SV-238286.rb create mode 100644 controls/SV-238287.rb create mode 100644 controls/SV-238288.rb create mode 100644 controls/SV-238289.rb create mode 100644 controls/SV-238290.rb create mode 100644 controls/SV-238291.rb create mode 100644 controls/SV-238292.rb create mode 100644 controls/SV-238293.rb create mode 100644 controls/SV-238294.rb create mode 100644 controls/SV-238295.rb create mode 100644 controls/SV-238297.rb create mode 100644 controls/SV-238298.rb create mode 100644 controls/SV-238299.rb create mode 100644 controls/SV-238300.rb create mode 100644 controls/SV-238301.rb create mode 100644 controls/SV-238302.rb create mode 100644 controls/SV-238303.rb create mode 100644 controls/SV-238304.rb create mode 100644 controls/SV-238305.rb create mode 100644 controls/SV-238306.rb create mode 100644 controls/SV-238307.rb create mode 100644 controls/SV-238308.rb create mode 100644 controls/SV-238309.rb create mode 100644 controls/SV-238310.rb create mode 100644 controls/SV-238315.rb create mode 100644 controls/SV-238316.rb create mode 100644 controls/SV-238317.rb create mode 100644 controls/SV-238318.rb create mode 100644 controls/SV-238319.rb create mode 100644 controls/SV-238320.rb create mode 100644 controls/SV-238321.rb create mode 100644 controls/SV-238323.rb create mode 100644 controls/SV-238324.rb create mode 100644 controls/SV-238325.rb create mode 100644 controls/SV-238326.rb create mode 100644 controls/SV-238327.rb create mode 100644 controls/SV-238328.rb create mode 100644 controls/SV-238329.rb create mode 100644 controls/SV-238330.rb create mode 100644 controls/SV-238331.rb create mode 100644 controls/SV-238332.rb create mode 100644 controls/SV-238333.rb create mode 100644 controls/SV-238334.rb create mode 100644 controls/SV-238335.rb create mode 100644 controls/SV-238336.rb create mode 100644 controls/SV-238337.rb create mode 100644 controls/SV-238338.rb create mode 100644 controls/SV-238339.rb create mode 100644 controls/SV-238340.rb create mode 100644 controls/SV-238341.rb create mode 100644 controls/SV-238342.rb create mode 100644 controls/SV-238343.rb create mode 100644 controls/SV-238344.rb create mode 100644 controls/SV-238345.rb create mode 100644 controls/SV-238346.rb create mode 100644 controls/SV-238347.rb create mode 100644 controls/SV-238348.rb create mode 100644 controls/SV-238349.rb create mode 100644 controls/SV-238350.rb create mode 100644 controls/SV-238351.rb create mode 100644 controls/SV-238352.rb create mode 100644 controls/SV-238353.rb create mode 100644 controls/SV-238354.rb create mode 100644 controls/SV-238355.rb create mode 100644 controls/SV-238356.rb create mode 100644 controls/SV-238357.rb create mode 100644 controls/SV-238358.rb create mode 100644 controls/SV-238359.rb create mode 100644 controls/SV-238360.rb create mode 100644 controls/SV-238361.rb create mode 100644 controls/SV-238362.rb create mode 100644 controls/SV-238363.rb create mode 100644 controls/SV-238364.rb create mode 100644 controls/SV-238365.rb create mode 100644 controls/SV-238366.rb create mode 100644 controls/SV-238367.rb create mode 100644 controls/SV-238368.rb create mode 100644 controls/SV-238369.rb create mode 100644 controls/SV-238370.rb create mode 100644 controls/SV-238371.rb create mode 100644 controls/SV-238372.rb create mode 100644 controls/SV-238373.rb create mode 100644 controls/SV-238374.rb create mode 100644 controls/SV-238376.rb create mode 100644 controls/SV-238377.rb create mode 100644 controls/SV-238378.rb create mode 100644 controls/SV-238379.rb create mode 100644 controls/SV-238380.rb create mode 100644 controls/SV-251503.rb create mode 100644 controls/SV-251504.rb create mode 100644 controls/SV-251505.rb create mode 100644 controls/SV-252704.rb delete mode 100644 controls/V-238196.rb delete mode 100644 controls/V-238197.rb delete mode 100644 controls/V-238198.rb delete mode 100644 controls/V-238199.rb delete mode 100644 controls/V-238200.rb delete mode 100644 controls/V-238201.rb delete mode 100644 controls/V-238202.rb delete mode 100644 controls/V-238203.rb delete mode 100644 controls/V-238204.rb delete mode 100644 controls/V-238205.rb delete mode 100644 controls/V-238206.rb delete mode 100644 controls/V-238207.rb delete mode 100644 controls/V-238208.rb delete mode 100644 controls/V-238209.rb delete mode 100644 controls/V-238210.rb delete mode 100644 controls/V-238211.rb delete mode 100644 controls/V-238212.rb delete mode 100644 controls/V-238213.rb delete mode 100644 controls/V-238214.rb delete mode 100644 controls/V-238215.rb delete mode 100644 controls/V-238216.rb delete mode 100644 controls/V-238217.rb delete mode 100644 controls/V-238218.rb delete mode 100644 controls/V-238219.rb delete mode 100644 controls/V-238220.rb delete mode 100644 controls/V-238221.rb delete mode 100644 controls/V-238222.rb delete mode 100644 controls/V-238223.rb delete mode 100644 controls/V-238224.rb delete mode 100644 controls/V-238225.rb delete mode 100644 controls/V-238226.rb delete mode 100644 controls/V-238227.rb delete mode 100644 controls/V-238228.rb delete mode 100644 controls/V-238229.rb delete mode 100644 controls/V-238230.rb delete mode 100644 controls/V-238231.rb delete mode 100644 controls/V-238232.rb delete mode 100644 controls/V-238233.rb delete mode 100644 controls/V-238234.rb delete mode 100644 controls/V-238235.rb delete mode 100644 controls/V-238236.rb delete mode 100644 controls/V-238237.rb delete mode 100644 controls/V-238238.rb delete mode 100644 controls/V-238239.rb delete mode 100644 controls/V-238240.rb delete mode 100644 controls/V-238241.rb delete mode 100644 controls/V-238242.rb delete mode 100644 controls/V-238243.rb delete mode 100644 controls/V-238244.rb delete mode 100644 controls/V-238245.rb delete mode 100644 controls/V-238246.rb delete mode 100644 controls/V-238247.rb delete mode 100644 controls/V-238248.rb delete mode 100644 controls/V-238249.rb delete mode 100644 controls/V-238250.rb delete mode 100644 controls/V-238251.rb delete mode 100644 controls/V-238252.rb delete mode 100644 controls/V-238253.rb delete mode 100644 controls/V-238254.rb delete mode 100644 controls/V-238255.rb delete mode 100644 controls/V-238256.rb delete mode 100644 controls/V-238257.rb delete mode 100644 controls/V-238258.rb delete mode 100644 controls/V-238259.rb delete mode 100644 controls/V-238260.rb delete mode 100644 controls/V-238261.rb delete mode 100644 controls/V-238262.rb delete mode 100644 controls/V-238263.rb delete mode 100644 controls/V-238264.rb delete mode 100644 controls/V-238265.rb delete mode 100644 controls/V-238266.rb delete mode 100644 controls/V-238267.rb delete mode 100644 controls/V-238268.rb delete mode 100644 controls/V-238269.rb delete mode 100644 controls/V-238270.rb delete mode 100644 controls/V-238271.rb delete mode 100644 controls/V-238272.rb delete mode 100644 controls/V-238273.rb delete mode 100644 controls/V-238274.rb delete mode 100644 controls/V-238275.rb delete mode 100644 controls/V-238276.rb delete mode 100644 controls/V-238277.rb delete mode 100644 controls/V-238278.rb delete mode 100644 controls/V-238279.rb delete mode 100644 controls/V-238280.rb delete mode 100644 controls/V-238281.rb delete mode 100644 controls/V-238282.rb delete mode 100644 controls/V-238283.rb delete mode 100644 controls/V-238284.rb delete mode 100644 controls/V-238285.rb delete mode 100644 controls/V-238286.rb delete mode 100644 controls/V-238287.rb delete mode 100644 controls/V-238288.rb delete mode 100644 controls/V-238289.rb delete mode 100644 controls/V-238290.rb delete mode 100644 controls/V-238291.rb delete mode 100644 controls/V-238292.rb delete mode 100644 controls/V-238293.rb delete mode 100644 controls/V-238294.rb delete mode 100644 controls/V-238295.rb delete mode 100644 controls/V-238296.rb delete mode 100644 controls/V-238297.rb delete mode 100644 controls/V-238298.rb delete mode 100644 controls/V-238299.rb delete mode 100644 controls/V-238300.rb delete mode 100644 controls/V-238301.rb delete mode 100644 controls/V-238302.rb delete mode 100644 controls/V-238303.rb delete mode 100644 controls/V-238304.rb delete mode 100644 controls/V-238305.rb delete mode 100644 controls/V-238306.rb delete mode 100644 controls/V-238307.rb delete mode 100644 controls/V-238308.rb delete mode 100644 controls/V-238309.rb delete mode 100644 controls/V-238310.rb delete mode 100644 controls/V-238311.rb delete mode 100644 controls/V-238312.rb delete mode 100644 controls/V-238313.rb delete mode 100644 controls/V-238314.rb delete mode 100644 controls/V-238315.rb delete mode 100644 controls/V-238316.rb delete mode 100644 controls/V-238317.rb delete mode 100644 controls/V-238318.rb delete mode 100644 controls/V-238319.rb delete mode 100644 controls/V-238320.rb delete mode 100644 controls/V-238321.rb delete mode 100644 controls/V-238322.rb delete mode 100644 controls/V-238323.rb delete mode 100644 controls/V-238324.rb delete mode 100644 controls/V-238325.rb delete mode 100644 controls/V-238326.rb delete mode 100644 controls/V-238327.rb delete mode 100644 controls/V-238328.rb delete mode 100644 controls/V-238329.rb delete mode 100644 controls/V-238330.rb delete mode 100644 controls/V-238331.rb delete mode 100644 controls/V-238332.rb delete mode 100644 controls/V-238333.rb delete mode 100644 controls/V-238334.rb delete mode 100644 controls/V-238335.rb delete mode 100644 controls/V-238336.rb delete mode 100644 controls/V-238337.rb delete mode 100644 controls/V-238338.rb delete mode 100644 controls/V-238339.rb delete mode 100644 controls/V-238340.rb delete mode 100644 controls/V-238341.rb delete mode 100644 controls/V-238342.rb delete mode 100644 controls/V-238343.rb delete mode 100644 controls/V-238344.rb delete mode 100644 controls/V-238345.rb delete mode 100644 controls/V-238346.rb delete mode 100644 controls/V-238347.rb delete mode 100644 controls/V-238348.rb delete mode 100644 controls/V-238349.rb delete mode 100644 controls/V-238350.rb delete mode 100644 controls/V-238351.rb delete mode 100644 controls/V-238352.rb delete mode 100644 controls/V-238353.rb delete mode 100644 controls/V-238354.rb delete mode 100644 controls/V-238355.rb delete mode 100644 controls/V-238356.rb delete mode 100644 controls/V-238357.rb delete mode 100644 controls/V-238358.rb delete mode 100644 controls/V-238359.rb delete mode 100644 controls/V-238360.rb delete mode 100644 controls/V-238361.rb delete mode 100644 controls/V-238362.rb delete mode 100644 controls/V-238363.rb delete mode 100644 controls/V-238364.rb delete mode 100644 controls/V-238365.rb delete mode 100644 controls/V-238366.rb delete mode 100644 controls/V-238367.rb delete mode 100644 controls/V-238368.rb delete mode 100644 controls/V-238369.rb delete mode 100644 controls/V-238370.rb delete mode 100644 controls/V-238371.rb delete mode 100644 controls/V-238372.rb delete mode 100644 controls/V-238373.rb delete mode 100644 controls/V-238374.rb delete mode 100644 controls/V-238375.rb delete mode 100644 controls/V-238376.rb delete mode 100644 controls/V-238377.rb delete mode 100644 controls/V-238378.rb delete mode 100644 controls/V-238379.rb delete mode 100644 controls/V-238380.rb diff --git a/controls/SV-238196.rb b/controls/SV-238196.rb new file mode 100644 index 0000000..20fa35a --- /dev/null +++ b/controls/SV-238196.rb @@ -0,0 +1,55 @@ +# encoding: UTF-8 + +control "SV-238196" do + title "The Ubuntu operating system must provision temporary user accounts with an expiration time +of 72 hours or less. " + desc "If temporary user accounts remain active when no longer needed or for an excessive period, +these accounts may be used to gain unauthorized access. To mitigate this risk, automated +termination of all temporary accounts must be set upon account creation. + +Temporary +accounts are established as part of normal account activation procedures when there is a need +for short-term accounts without the demand for immediacy in account activation. + +If +temporary accounts are used, the operating system must be configured to automatically +terminate these types of accounts after a DoD-defined time period of 72 hours. + +To address +access requirements, many operating systems may be integrated with enterprise-level +authentication/access mechanisms that meet or exceed access control policy requirements. " + desc "check", "Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or +less. + +For every existing temporary account, run the following command to obtain its +account expiration information: + +$ sudo chage -l system_account_name | grep expires + + +Password expires : Aug 07, 2019 +Account expires : Aug 07, 2019 + +Verify that each of these +accounts has an expiration date set within 72 hours of account creation. + +If any temporary +account does not expire within 72 hours of that account's creation, this is a finding. " + desc "fix", "If a temporary account must be created, configure the system to terminate the account after a +72-hour time period with the following command to set an expiration date on it. + +Substitute +\"system_account_name\" with the account to be created. + +$ sudo chage -E $(date -d \"+3 days\" ++%F) system_account_name " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000002-GPOS-00002 " + tag gid: "V-238196 " + tag rid: "SV-238196r653763_rule " + tag stig_id: "UBTU-20-010000 " + tag fix_id: "F-41365r653762_fix " + tag cci: ["CCI-000016"] + tag nist: ["AC-2 (2)"] +end \ No newline at end of file diff --git a/controls/SV-238197.rb b/controls/SV-238197.rb new file mode 100644 index 0000000..0887124 --- /dev/null +++ b/controls/SV-238197.rb @@ -0,0 +1,99 @@ +# encoding: UTF-8 + +control "SV-238197" do + title "The Ubuntu operating system must enable the graphical user logon banner to display the +Standard Mandatory DoD Notice and Consent Banner before granting local access to the system +via a graphical user logon. " + desc "Display of a standardized and approved use notification before granting access to the Ubuntu +operating system ensures privacy and security notification verbiage used is consistent +with applicable federal laws, Executive Orders, directives, policies, regulations, +standards, and guidance. + +System use notifications are required only for access via logon +interfaces with human users and are not required when such human interfaces do not exist. + + +The banner must be formatted in accordance with applicable DoD policy. Use the following +verbiage for operating systems that can accommodate banners of 1300 characters: + +\"You are +accessing a U.S. Government (USG) Information System (IS) that is provided for +USG-authorized use only. + +By using this IS (which includes any device attached to this IS), +you consent to the following conditions: + +-The USG routinely intercepts and monitors +communications on this IS for purposes including, but not limited to, penetration testing, +COMSEC monitoring, network operations and defense, personnel misconduct (PM), law +enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may +inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS +are not private, are subject to routine monitoring, interception, and search, and may be +disclosed or used for any USG-authorized purpose. + +-This IS includes security measures +(e.g., authentication and access controls) to protect USG interests--not for your personal +benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent +to PM, LE or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services by +attorneys, psychotherapists, or clergy, and their assistants. Such communications and +work product are private and confidential. See User Agreement for details.\" + +Use the +following verbiage for operating systems that have severe limitations on the number of +characters that can be displayed in the banner: + +\"I've read & consent to terms in IS user +agreem't.\" " + desc "check", "Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD +Notice and Consent Banner before granting access to the operating system via a graphical user +logon. + +Note: If the system does not have a graphical user interface installed, this +requirement is Not Applicable. + +Check that the operating banner message for the graphical +user logon is enabled with the following command: + +$ grep ^banner-message-enable +/etc/gdm3/greeter.dconf-defaults + +banner-message-enable=true + +If the line is +commented out or set to \"false\", this is a finding. " + desc "fix", "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file. + +Look for the +\"banner-message-enable\" parameter under the \"[org/gnome/login-screen]\" section and +uncomment it (remove the leading \"#\" characters): + +Note: The lines are all near the bottom of +the file but not adjacent to each other. + +[org/gnome/login-screen] + + +banner-message-enable=true + +Update the GDM with the new configuration: + +$ sudo dconf +update +$ sudo systemctl restart gdm3 " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000023-GPOS-00006 " + tag gid: "V-238197 " + tag rid: "SV-238197r653766_rule " + tag stig_id: "UBTU-20-010002 " + tag fix_id: "F-41366r653765_fix " + tag cci: ["CCI-000048"] + tag nist: ["AC-8 a"] +end \ No newline at end of file diff --git a/controls/SV-238198.rb b/controls/SV-238198.rb new file mode 100644 index 0000000..f877588 --- /dev/null +++ b/controls/SV-238198.rb @@ -0,0 +1,123 @@ +# encoding: UTF-8 + +control "SV-238198" do + title "The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent +Banner before granting local access to the system via a graphical user logon. " + desc "Display of a standardized and approved use notification before granting access to the Ubuntu +operating system ensures privacy and security notification verbiage used is consistent +with applicable federal laws, Executive Orders, directives, policies, regulations, +standards, and guidance. + +System use notifications are required only for access via logon +interfaces with human users and are not required when such human interfaces do not exist. + + +The banner must be formatted in accordance with applicable DoD policy. Use the following +verbiage for operating systems that can accommodate banners of 1300 characters: + +\"You are +accessing a U.S. Government (USG) Information System (IS) that is provided for +USG-authorized use only. + +By using this IS (which includes any device attached to this IS), +you consent to the following conditions: + +-The USG routinely intercepts and monitors +communications on this IS for purposes including, but not limited to, penetration testing, +COMSEC monitoring, network operations and defense, personnel misconduct (PM), law +enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may +inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS +are not private, are subject to routine monitoring, interception, and search, and may be +disclosed or used for any USG-authorized purpose. + +-This IS includes security measures +(e.g., authentication and access controls) to protect USG interests--not for your personal +benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent +to PM, LE or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services by +attorneys, psychotherapists, or clergy, and their assistants. Such communications and +work product are private and confidential. See User Agreement for details.\" + +Use the +following verbiage for operating systems that have severe limitations on the number of +characters that can be displayed in the banner: + +\"I've read & consent to terms in IS user +agreem't.\" " + desc "check", "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent +Banner before granting access to the operating system via a graphical user logon. + +Note: If +the system does not have a graphical user interface installed, this requirement is Not +Applicable. + +Verify the operating system displays the exact approved Standard Mandatory +DoD Notice and Consent Banner text with the command: + +$ grep ^banner-message-text +/etc/gdm3/greeter.dconf-defaults + +banner-message-text=\"You are accessing a U.S. +Government \\(USG\\) Information System \\(IS\\) that is provided for USG-authorized use +only.\\s+By using this IS \\(which includes any device attached to this IS\\), you consent to the +following conditions:\\s+-The USG routinely intercepts and monitors communications on +this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, +network operations and defense, personnel misconduct \\(PM\\), law enforcement \\(LE\\), and +counterintelligence \\(CI\\) investigations.\\s+-At any time, the USG may inspect and seize +data stored on this IS.\\s+-Communications using, or data stored on, this IS are not private, +are subject to routine monitoring, interception, and search, and may be disclosed or used for +any USG-authorized purpose.\\s+-This IS includes security measures \\(e.g., +authentication and access controls\\) to protect USG interests--not for your personal +benefit or privacy.\\s+-Notwithstanding the above, using this IS does not constitute +consent to PM, LE or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services by +attorneys, psychotherapists, or clergy, and their assistants. Such communications and +work product are private and confidential. See User Agreement for details.\" + +If the +banner-message-text is missing, commented out, or does not match the Standard Mandatory DoD +Notice and Consent Banner exactly, this is a finding. " + desc "fix", "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file. + +Set the \"banner-message-text\" line +to contain the appropriate banner message text as shown below: + +banner-message-text='You +are accessing a U.S. Government (USG) Information System (IS) that is provided for +USG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this +IS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and +monitors communications on this IS for purposes including, but not limited to, penetration +testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), +law enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the +USG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored +on, this IS are not private, are subject to routine monitoring, interception, and search, and +may be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security +measures (e.g., authentication and access controls) to protect USG interests--not for your +personal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not +constitute consent to PM, LE or CI investigative searching or monitoring of the content of +privileged communications, or work product, related to personal representation or +services by attorneys, psychotherapists, or clergy, and their assistants. Such +communications and work product are private and confidential. See User Agreement for +details.' + +Update the GDM with the new configuration: + +$ sudo dconf update +$ sudo +systemctl restart gdm3 " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000023-GPOS-00006 " + tag gid: "V-238198 " + tag rid: "SV-238198r653769_rule " + tag stig_id: "UBTU-20-010003 " + tag fix_id: "F-41367r653768_fix " + tag cci: ["CCI-000048"] + tag nist: ["AC-8 a"] +end \ No newline at end of file diff --git a/controls/SV-238199.rb b/controls/SV-238199.rb new file mode 100644 index 0000000..6c4d992 --- /dev/null +++ b/controls/SV-238199.rb @@ -0,0 +1,56 @@ +# encoding: UTF-8 + +control "SV-238199" do + title "The Ubuntu operating system must retain a user's session lock until that user reestablishes +access using established identification and authentication procedures. " + desc "A session lock is a temporary action taken when a user stops work and moves away from the +immediate physical vicinity of the information system but does not want to log out because of +the temporary nature of the absence. + +The session lock is implemented at the point where +session activity can be determined. + +Regardless of where the session lock is determined and +implemented, once invoked, a session lock of the Ubuntu operating system must remain in place +until the user reauthenticates. No other activity aside from reauthentication must unlock +the system. + + " + desc "check", "Verify the Ubuntu operation system has a graphical user interface session lock enabled. + + +Note: If the Ubuntu operating system does not have a graphical user interface installed, +this requirement is Not Applicable. + +Get the \"lock-enabled\" setting to verify the +graphical user interface session has the lock enabled with the following command: + +$ sudo +gsettings get org.gnome.desktop.screensaver lock-enabled + + true + +If \"lock-enabled\" is +not set to \"true\", this is a finding. " + desc "fix", "Configure the Ubuntu operating system to allow a user to lock the current graphical user +interface session. + +Note: If the Ubuntu operating system does not have a graphical user +interface installed, this requirement is Not Applicable. + +Set the \"lock-enabled\" setting +to allow graphical user interface session locks with the following command: + +$ sudo +gsettings set org.gnome.desktop.screensaver lock-enabled true " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000028-GPOS-00009 " + tag satisfies: ["SRG-OS-000028-GPOS-00009","SRG-OS-000029-GPOS-00010"] + tag gid: "V-238199 " + tag rid: "SV-238199r653772_rule " + tag stig_id: "UBTU-20-010004 " + tag fix_id: "F-41368r653771_fix " + tag cci: ["CCI-000056","CCI-000057"] + tag nist: ["AC-11 b","AC-11 a"] +end \ No newline at end of file diff --git a/controls/SV-238200.rb b/controls/SV-238200.rb new file mode 100644 index 0000000..c0ab3cb --- /dev/null +++ b/controls/SV-238200.rb @@ -0,0 +1,37 @@ +# encoding: UTF-8 + +control "SV-238200" do + title "The Ubuntu operating system must allow users to directly initiate a session lock for all +connection types. " + desc "A session lock is a temporary action taken when a user stops work and moves away from the +immediate physical vicinity of the information system but does not want to log out because of +the temporary nature of the absence. + +The session lock is implemented at the point where +session activity can be determined. Rather than be forced to wait for a period of time to expire +before the user session can be locked, the Ubuntu operating systems need to provide users with +the ability to manually invoke a session lock so users may secure their session if they need to +temporarily vacate the immediate physical vicinity. + + " + desc "check", "Verify the Ubuntu operating system has the \"vlock\" package installed by running the +following command: + +$ dpkg -l | grep vlock + +If \"vlock\" is not installed, this is a finding. " + desc "fix", "Install the \"vlock\" package (if it is not already installed) by running the following +command: + +$ sudo apt-get install vlock " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000030-GPOS-00011 " + tag satisfies: ["SRG-OS-000030-GPOS-00011","SRG-OS-000031-GPOS-00012"] + tag gid: "V-238200 " + tag rid: "SV-238200r653775_rule " + tag stig_id: "UBTU-20-010005 " + tag fix_id: "F-41369r653774_fix " + tag cci: ["CCI-000058","CCI-000060"] + tag nist: ["AC-11 a","AC-11 (1)"] +end \ No newline at end of file diff --git a/controls/SV-238201.rb b/controls/SV-238201.rb new file mode 100644 index 0000000..133ecc4 --- /dev/null +++ b/controls/SV-238201.rb @@ -0,0 +1,34 @@ +# encoding: UTF-8 + +control "SV-238201" do + title "The Ubuntu operating system must map the authenticated identity to the user or group account +for PKI-based authentication. " + desc "Without mapping the certificate used to authenticate to the user account, the ability to +determine the identity of the individual user or group will not be available for forensic +analysis. " + desc "check", "Verify that \"use_mappers\" is set to \"pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" file: + + +$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf +use_mappers = pwent + +If +\"use_mappers\" is not found or the list does not contain \"pwent\" this is a finding. " + desc "fix", "Set \"use_mappers=pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" or, if there is already a +comma-separated list of mappers, add it to the list, separated by comma, and before the null +mapper. + +If the system is missing an \"/etc/pam_pkcs11/\" directory and an +\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify +accordingly at +\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\". " + impact 0.7 + tag severity: "high " + tag gtitle: "SRG-OS-000068-GPOS-00036 " + tag gid: "V-238201 " + tag rid: "SV-238201r832933_rule " + tag stig_id: "UBTU-20-010006 " + tag fix_id: "F-41370r653777_fix " + tag cci: ["CCI-000187"] + tag nist: ["IA-5 (2) (a) (2)"] +end \ No newline at end of file diff --git a/controls/SV-238202.rb b/controls/SV-238202.rb new file mode 100644 index 0000000..70a6a4b --- /dev/null +++ b/controls/SV-238202.rb @@ -0,0 +1,35 @@ +# encoding: UTF-8 + +control "SV-238202" do + title "The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime. +Passwords for new users must have a 24 hours/1 day minimum password lifetime restriction. " + desc "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat +the password reuse or history enforcement requirement. If users are allowed to immediately +and continually change their password, then the password could be repeatedly changed in a +short period of time to defeat the organization's policy regarding password reuse. " + desc "check", "Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for +new user accounts by running the following command: + +$ grep -i ^pass_min_days +/etc/login.defs + +PASS_MIN_DAYS 1 + +If the \"PASS_MIN_DAYS\" parameter value is less than +\"1\" or is commented out, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime. + + +Add or modify the following line in the \"/etc/login.defs\" file: + +PASS_MIN_DAYS 1 " + impact 0.3 + tag severity: "low " + tag gtitle: "SRG-OS-000075-GPOS-00043 " + tag gid: "V-238202 " + tag rid: "SV-238202r653781_rule " + tag stig_id: "UBTU-20-010007 " + tag fix_id: "F-41371r653780_fix " + tag cci: ["CCI-000198"] + tag nist: ["IA-5 (1) (d)"] +end \ No newline at end of file diff --git a/controls/SV-238203.rb b/controls/SV-238203.rb new file mode 100644 index 0000000..38003d1 --- /dev/null +++ b/controls/SV-238203.rb @@ -0,0 +1,34 @@ +# encoding: UTF-8 + +control "SV-238203" do + title "The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction. +Passwords for new users must have a 60-day maximum password lifetime restriction. " + desc "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to +be changed periodically. If the operating system does not limit the lifetime of passwords and +force users to change their passwords, there is the risk that the operating system passwords +could be compromised. " + desc "check", "Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user +accounts by running the following command: + +$ grep -i ^pass_max_days /etc/login.defs + +PASS_MAX_DAYS 60 + +If the \"PASS_MAX_DAYS\" parameter value is less than \"60\" or is commented +out, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime. + +Add +or modify the following line in the \"/etc/login.defs\" file: + +PASS_MAX_DAYS 60 " + impact 0.3 + tag severity: "low " + tag gtitle: "SRG-OS-000076-GPOS-00044 " + tag gid: "V-238203 " + tag rid: "SV-238203r653784_rule " + tag stig_id: "UBTU-20-010008 " + tag fix_id: "F-41372r653783_fix " + tag cci: ["CCI-000199"] + tag nist: ["IA-5 (1) (d)"] +end \ No newline at end of file diff --git a/controls/SV-238204.rb b/controls/SV-238204.rb new file mode 100644 index 0000000..42bfc1b --- /dev/null +++ b/controls/SV-238204.rb @@ -0,0 +1,71 @@ +# encoding: UTF-8 + +control "SV-238204" do + title "Ubuntu operating systems when booted must require authentication upon booting into +single-user and maintenance modes. " + desc "To mitigate the risk of unauthorized access to sensitive information by entities that have +been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web +portals) must be properly configured to incorporate access control methods that do not rely +solely on the possession of a certificate for access. + +Successful authentication must not +automatically give an entity access to an asset or security boundary. Authorization +procedures and controls must be implemented to ensure each authenticated entity also has a +validated and current authorization. Authorization is the process of determining whether +an entity, once authenticated, is permitted to access a specific asset. Information systems +use access control policies and enforcement mechanisms to implement this requirement. + + +Access control policies include identity-based policies, role-based policies, and +attribute-based policies. Access enforcement mechanisms include access control lists, +access control matrices, and cryptography. These policies and mechanisms must be employed +by the application to control access between users (or processes acting on behalf of users) +and objects (e.g., devices, files, records, processes, programs, and domains) in the +information system. " + desc "check", "Run the following command to verify the encrypted password is set: + +$ sudo grep -i password +/boot/grub/grub.cfg + +password_pbkdf2 root +grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG + +If the root password +entry does not begin with \"password_pbkdf2\", this is a finding. " + desc "fix", "Configure the system to require a password for authentication upon booting into single-user +and maintenance modes. + +Generate an encrypted (grub) password for root with the following +command: + +$ grub-mkpasswd-pbkdf2 +Enter Password: +Reenter Password: +PBKDF2 hash of +your password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG + +Using +the hash from the output, modify the \"/etc/grub.d/40_custom\" file with the following +command to add a boot password: + +$ sudo sed -i '$i set +superusers=\\\"root\\\"\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom + + +where <hash> is the hash generated by grub-mkpasswd-pbkdf2 command. + +Generate an +updated \"grub.conf\" file with the new password by using the following command: + +$ sudo +update-grub " + impact 0.7 + tag severity: "high " + tag gtitle: "SRG-OS-000080-GPOS-00048 " + tag gid: "V-238204 " + tag rid: "SV-238204r832936_rule " + tag stig_id: "UBTU-20-010009 " + tag fix_id: "F-41373r832935_fix " + tag cci: ["CCI-000213"] + tag nist: ["AC-3"] +end \ No newline at end of file diff --git a/controls/SV-238205.rb b/controls/SV-238205.rb new file mode 100644 index 0000000..0aa6582 --- /dev/null +++ b/controls/SV-238205.rb @@ -0,0 +1,43 @@ +# encoding: UTF-8 + +control "SV-238205" do + title "The Ubuntu operating system must uniquely identify interactive users. " + desc "To assure accountability and prevent unauthenticated access, organizational users must be +identified and authenticated to prevent potential misuse and compromise of the system. + + +Organizational users include organizational employees or individuals the organization +deems to have equivalent status of employees (e.g., contractors). Organizational users +(and processes acting on behalf of users) must be uniquely identified and authenticated to +all accesses, except for the following: + +1) Accesses explicitly identified and documented +by the organization. Organizations document specific user actions that can be performed on +the information system without identification or authentication; and + +2) Accesses that +occur through authorized use of group authenticators without individual authentication. +Organizations may require unique identification of individuals in group accounts (e.g., +shared privilege accounts) or for detailed accountability of individual activity. + + " + desc "check", "Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive +users with the following command: + +$ awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd + +If +output is produced and the accounts listed are interactive user accounts, this is a finding. " + desc "fix", "Edit the file \"/etc/passwd\" and provide each interactive user account that has a duplicate +UID with a unique UID. " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000104-GPOS-00051 " + tag satisfies: ["SRG-OS-000104-GPOS-00051","SRG-OS-000121-GPOS-00062"] + tag gid: "V-238205 " + tag rid: "SV-238205r653790_rule " + tag stig_id: "UBTU-20-010010 " + tag fix_id: "F-41374r653789_fix " + tag cci: ["CCI-000764","CCI-000804"] + tag nist: ["IA-2","IA-8"] +end \ No newline at end of file diff --git a/controls/SV-238206.rb b/controls/SV-238206.rb new file mode 100644 index 0000000..5eda050 --- /dev/null +++ b/controls/SV-238206.rb @@ -0,0 +1,51 @@ +# encoding: UTF-8 + +control "SV-238206" do + title "The Ubuntu operating system must ensure only users who need access to security functions are +part of sudo group. " + desc "An isolation boundary provides access control and protects the integrity of the hardware, +software, and firmware that perform security functions. + +Security functions are the +hardware, software, and/or firmware of the information system responsible for enforcing +the system security policy and supporting the isolation of code and data on which the +protection is based. Operating systems implement code separation (i.e., separation of +security functions from nonsecurity functions) in a number of ways, including through the +provision of security kernels via processor rings or processor modes. For non-kernel code, +security function isolation is often achieved through file system protections that serve to +protect the code on disk and address space protections that protect executing code. + + +Developers and implementers can increase the assurance in security functions by employing +well-defined security policy models; structured, disciplined, and rigorous hardware and +software development techniques; and sound system/security engineering principles. +Implementation may include isolation of memory space and libraries. + +The Ubuntu operating +system restricts access to security functions through the use of access control mechanisms +and by implementing least privilege capabilities. " + desc "check", "Verify the sudo group has only members who should have access to security functions. + +$ grep +sudo /etc/group + +sudo:x:27:foo + +If the sudo group contains users not needing access to +security functions, this is a finding. " + desc "fix", "Configure the sudo group with only members requiring access to security functions. + +To +remove a user from the sudo group, run: + +$ sudo gpasswd -d <username> sudo " + impact 0.7 + tag severity: "high " + tag gtitle: "SRG-OS-000134-GPOS-00068 " + tag gid: "V-238206 " + tag rid: "SV-238206r653793_rule " + tag stig_id: "UBTU-20-010012 " + tag fix_id: "F-41375r653792_fix " + tag cci: ["CCI-001084"] + tag nist: ["SC-3"] +end \ No newline at end of file diff --git a/controls/SV-238207.rb b/controls/SV-238207.rb new file mode 100644 index 0000000..9b80e6a --- /dev/null +++ b/controls/SV-238207.rb @@ -0,0 +1,68 @@ +# encoding: UTF-8 + +control "SV-238207" do + title "The Ubuntu operating system must automatically terminate a user session after inactivity +timeouts have expired. " + desc "Automatic session termination addresses the termination of user-initiated logical +sessions in contrast to the termination of network connections that are associated with +communications sessions (i.e., network disconnect). A logical session (for local, +network, and remote access) is initiated whenever a user (or process acting on behalf of a +user) accesses an organizational information system. Such user sessions can be terminated +(and thus terminate user access) without terminating network sessions. + +Session +termination terminates all processes associated with a user's logical session except those +processes that are specifically created by the user (i.e., session owner) to continue after +the session is terminated. + +Conditions or trigger events requiring automatic session +termination can include, for example, organization-defined periods of user inactivity, +targeted responses to certain types of incidents, and time-of-day restrictions on +information system use. + +This capability is typically reserved for specific operating +system functionality where the system owner, data owner, or organization requires +additional assurance. " + desc "check", "Verify the operating system automatically terminates a user session after inactivity +timeouts have expired. + +Check that \"TMOUT\" environment variable is set in the +\"/etc/bash.bashrc\" file or in any file inside the \"/etc/profile.d/\" directory by +performing the following command: + +$ grep -E \"\\bTMOUT=[0-9]+\" /etc/bash.bashrc +/etc/profile.d/* + +TMOUT=600 + +If \"TMOUT\" is not set, or if the value is \"0\" or is commented +out, this is a finding. " + desc "fix", "Configure the operating system to automatically terminate a user session after inactivity +timeouts have expired or at shutdown. + +Create the file +\"/etc/profile.d/99-terminal_tmout.sh\" file if it does not exist. + +Modify or append the +following line in the \"/etc/profile.d/99-terminal_tmout.sh \" file: + +TMOUT=600 + +This +will set a timeout value of 10 minutes for all future sessions. + +To set the timeout for the +current sessions, execute the following command over the terminal session: + +$ export +TMOUT=600 " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000279-GPOS-00109 " + tag gid: "V-238207 " + tag rid: "SV-238207r853404_rule " + tag stig_id: "UBTU-20-010013 " + tag fix_id: "F-41376r653795_fix " + tag cci: ["CCI-002361"] + tag nist: ["AC-12"] +end \ No newline at end of file diff --git a/controls/SV-238208.rb b/controls/SV-238208.rb new file mode 100644 index 0000000..a282df4 --- /dev/null +++ b/controls/SV-238208.rb @@ -0,0 +1,33 @@ +# encoding: UTF-8 + +control "SV-238208" do + title "The Ubuntu operating system must require users to reauthenticate for privilege escalation +or when changing roles. " + desc "Without reauthentication, users may access resources or perform tasks for which they do not +have authorization. + +When operating systems provide the capability to escalate a +functional capability, it is critical the user reauthenticate. + + " + desc "check", "Verify the \"/etc/sudoers\" file has no occurrences of \"NOPASSWD\" or \"!authenticate\" by +running the following command: + +$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers +/etc/sudoers.d/* + +If any occurrences of \"NOPASSWD\" or \"!authenticate\" return from the +command, this is a finding. " + desc "fix", "Remove any occurrence of \"NOPASSWD\" or \"!authenticate\" found in \"/etc/sudoers\" file or +files in the \"/etc/sudoers.d\" directory. " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000373-GPOS-00156 " + tag satisfies: ["SRG-OS-000373-GPOS-00156","SRG-OS-000373-GPOS-00157"] + tag gid: "V-238208 " + tag rid: "SV-238208r853405_rule " + tag stig_id: "UBTU-20-010014 " + tag fix_id: "F-41377r653798_fix " + tag cci: ["CCI-002038"] + tag nist: ["IA-11"] +end \ No newline at end of file diff --git a/controls/SV-238209.rb b/controls/SV-238209.rb new file mode 100644 index 0000000..cdbca04 --- /dev/null +++ b/controls/SV-238209.rb @@ -0,0 +1,40 @@ +# encoding: UTF-8 + +control "SV-238209" do + title "The Ubuntu operating system default filesystem permissions must be defined in such a way that +all authenticated users can read and modify only their own files. " + desc "Setting the most restrictive default permissions ensures that when new accounts are created +they do not have unnecessary access. " + desc "check", "Verify the Ubuntu operating system defines default permissions for all authenticated users +in such a way that the user can read and modify only their own files. + +Verify the Ubuntu +operating system defines default permissions for all authenticated users with the +following command: + +$ grep -i \"umask\" /etc/login.defs + +UMASK 077 + +If the \"UMASK\" +variable is set to \"000\", this is a finding with the severity raised to a CAT I. + +If the value of +\"UMASK\" is not set to \"077\", is commented out, or is missing completely, this is a finding. " + desc "fix", "Configure the system to define the default permissions for all authenticated users in such a +way that the user can read and modify only their own files. + +Edit the \"UMASK\" parameter in the +\"/etc/login.defs\" file to match the example below: + +UMASK 077 " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000480-GPOS-00228 " + tag gid: "V-238209 " + tag rid: "SV-238209r653802_rule " + tag stig_id: "UBTU-20-010016 " + tag fix_id: "F-41378r653801_fix " + tag cci: ["CCI-000366"] + tag nist: ["CM-6 b"] +end \ No newline at end of file diff --git a/controls/SV-238210.rb b/controls/SV-238210.rb new file mode 100644 index 0000000..61f07ff --- /dev/null +++ b/controls/SV-238210.rb @@ -0,0 +1,73 @@ +# encoding: UTF-8 + +control "SV-238210" do + title "The Ubuntu operating system must implement smart card logins for multifactor +authentication for local and network access to privileged and non-privileged accounts. " + desc "Without the use of multifactor authentication, the ease of access to privileged functions is +greatly increased. + +Multifactor authentication requires using two or more factors to +achieve authentication. + +Factors include: +1) something a user knows (e.g., +password/PIN); +2) something a user has (e.g., cryptographic identification device, +token); and +3) something a user is (e.g., biometric). + +A privileged account is defined as an +information system account with authorizations of a privileged user. + +Network access is +defined as access to an information system by a user (or a process acting on behalf of a user) +communicating through a network (e.g., local area network, wide area network, or the +internet). + +The DoD CAC with DoD-approved PKI is an example of multifactor +authentication. + + " + desc "check", "Verify the Ubuntu operating system has the packages required for multifactor +authentication installed with the following commands: + +$ dpkg -l | grep libpam-pkcs11 + +ii +libpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards + +If the +\"libpam-pkcs11\" package is not installed, this is a finding. + +Verify the sshd daemon allows +public key authentication with the following command: + +$ grep -r ^Pubkeyauthentication +/etc/ssh/sshd_config* + +PubkeyAuthentication yes + +If this option is set to \"no\" or is +missing, this is a finding. +If conflicting results are returned, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to use multifactor authentication for network access +to accounts. + +Add or update \"pam_pkcs11.so\" in \"/etc/pam.d/common-auth\" to match the +following line: + +auth [success=2 default=ignore] pam_pkcs11.so + +Set the sshd option +\"PubkeyAuthentication yes\" in the \"/etc/ssh/sshd_config\" file. " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000105-GPOS-00052 " + tag satisfies: ["SRG-OS-000105-GPOS-00052","SRG-OS-000106-GPOS-00053","SRG-OS-000107-GPOS-00054","SRG-OS-000108-GPOS-00055"] + tag gid: "V-238210 " + tag rid: "SV-238210r858517_rule " + tag stig_id: "UBTU-20-010033 " + tag fix_id: "F-41379r653804_fix " + tag cci: ["CCI-000765","CCI-000766","CCI-000767","CCI-000768"] + tag nist: ["IA-2 (1)","IA-2 (2)","IA-2 (3)","IA-2 (4)"] +end \ No newline at end of file diff --git a/controls/SV-238211.rb b/controls/SV-238211.rb new file mode 100644 index 0000000..2ccff81 --- /dev/null +++ b/controls/SV-238211.rb @@ -0,0 +1,45 @@ +# encoding: UTF-8 + +control "SV-238211" do + title "The Ubuntu operating system must use strong authenticators in establishing nonlocal +maintenance and diagnostic sessions. " + desc "Nonlocal maintenance and diagnostic activities are those activities conducted by +individuals communicating through a network, either an external network (e.g., the +internet) or an internal network. Local maintenance and diagnostic activities are those +activities carried out by individuals physically present at the information system or +information system component and not communicating across a network connection. +Typically, strong authentication requires authenticators that are resistant to replay +attacks and employ multifactor authentication. Strong authenticators include, for +example, PKI where certificates are stored on a token protected by a password, passphrase, or +biometric. " + desc "check", "Verify the Ubuntu operating system is configured to use strong authenticators in the +establishment of nonlocal maintenance and diagnostic maintenance. + +Verify that \"UsePAM\" +is set to \"yes\" in \"/etc/ssh/sshd_config: + +$ grep -r ^UsePAM +/etc/ssh/sshd_config* + +UsePAM yes + +If \"UsePAM\" is not set to \"yes\", this is a finding. +If +conflicting results are returned, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to use strong authentication when establishing +nonlocal maintenance and diagnostic sessions. + +Add or modify the following line to +/etc/ssh/sshd_config: + +UsePAM yes " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000125-GPOS-00065 " + tag gid: "V-238211 " + tag rid: "SV-238211r858519_rule " + tag stig_id: "UBTU-20-010035 " + tag fix_id: "F-41380r653807_fix " + tag cci: ["CCI-000877"] + tag nist: ["MA-4 c"] +end \ No newline at end of file diff --git a/controls/SV-238212.rb b/controls/SV-238212.rb new file mode 100644 index 0000000..973a87c --- /dev/null +++ b/controls/SV-238212.rb @@ -0,0 +1,63 @@ +# encoding: UTF-8 + +control "SV-238212" do + title "The Ubuntu operating system must immediately terminate all network connections associated +with SSH traffic after a period of inactivity. " + desc "Automatic session termination addresses the termination of user-initiated logical +sessions in contrast to the termination of network connections that are associated with +communications sessions (i.e., network disconnect). A logical session (for local, +network, and remote access) is initiated whenever a user (or process acting on behalf of a +user) accesses an organizational information system. Such user sessions can be terminated +(and thus terminate user access) without terminating network sessions. + +Session +termination terminates all processes associated with a user's logical session except those +processes that are specifically created by the user (i.e., session owner) to continue after +the session is terminated. + +Conditions or trigger events requiring automatic session +termination can include, for example, organization-defined periods of user inactivity, +targeted responses to certain types of incidents, and time-of-day restrictions on +information system use. + +This capability is typically reserved for specific Ubuntu +operating system functionality where the system owner, data owner, or organization +requires additional assurance. " + desc "check", "Verify that all network connections associated with SSH traffic automatically terminate +after a period of inactivity. + +Verify the \"ClientAliveCountMax\" variable is set in the +\"/etc/ssh/sshd_config\" file by performing the following command: + +$ sudo grep -ir +clientalivecountmax /etc/ssh/sshd_config* + +ClientAliveCountMax 1 + +If +\"ClientAliveCountMax\" is not set, is not set to \"1\", or is commented out, this is a finding. +If +conflicting results are returned, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to automatically terminate inactive SSH sessions +after a period of inactivity. + +Modify or append the following line in the +\"/etc/ssh/sshd_config\" file, replacing \"[Count]\" with a value of 1: + + +ClientAliveCountMax 1 + +Restart the SSH daemon for the changes to take effect: + +$ sudo +systemctl restart sshd.service " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000126-GPOS-00066 " + tag gid: "V-238212 " + tag rid: "SV-238212r858521_rule " + tag stig_id: "UBTU-20-010036 " + tag fix_id: "F-41381r653810_fix " + tag cci: ["CCI-000879"] + tag nist: ["MA-4 e"] +end \ No newline at end of file diff --git a/controls/SV-238213.rb b/controls/SV-238213.rb new file mode 100644 index 0000000..59d5a3b --- /dev/null +++ b/controls/SV-238213.rb @@ -0,0 +1,56 @@ +# encoding: UTF-8 + +control "SV-238213" do + title "The Ubuntu operating system must immediately terminate all network connections associated +with SSH traffic at the end of the session or after 10 minutes of inactivity. " + desc "Terminating an idle session within a short time period reduces the window of opportunity for +unauthorized personnel to take control of a management session enabled on the console or +console port that has been left unattended. In addition, quickly terminating an idle session +will also free up resources committed by the managed network element. + +Terminating network +connections associated with communications sessions includes, for example, +de-allocating associated TCP/IP address/port pairs at the operating system level, and +de-allocating networking assignments at the application level if multiple application +sessions are using a single operating system-level network connection. This does not mean +that the operating system terminates all sessions or network access; it only ends the +inactive session and releases the resources associated with that session. " + desc "check", "Verify that all network connections associated with SSH traffic are automatically +terminated at the end of the session or after 10 minutes of inactivity. + +Verify the +\"ClientAliveInterval\" variable is set to a value of \"600\" or less by performing the following +command: + +$ sudo grep -ir clientalive /etc/ssh/sshd_config* + +ClientAliveInterval +600 + +If \"ClientAliveInterval\" does not exist, is not set to a value of \"600\" or less in +\"/etc/ssh/sshd_config\", or is commented out, this is a finding. +If conflicting results are +returned, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to automatically terminate all network connections +associated with SSH traffic at the end of a session or after a 10-minute period of inactivity. + + +Modify or append the following line in the \"/etc/ssh/sshd_config\" file replacing +\"[Interval]\" with a value of \"600\" or less: + +ClientAliveInterval 600 + +Restart the SSH +daemon for the changes to take effect: + +$ sudo systemctl restart sshd.service " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000163-GPOS-00072 " + tag gid: "V-238213 " + tag rid: "SV-238213r858523_rule " + tag stig_id: "UBTU-20-010037 " + tag fix_id: "F-41382r653813_fix " + tag cci: ["CCI-001133"] + tag nist: ["SC-10"] +end \ No newline at end of file diff --git a/controls/SV-238214.rb b/controls/SV-238214.rb new file mode 100644 index 0000000..247f488 --- /dev/null +++ b/controls/SV-238214.rb @@ -0,0 +1,161 @@ +# encoding: UTF-8 + +control "SV-238214" do + title "The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent +Banner before granting any local or remote connection to the system. " + desc "Display of a standardized and approved use notification before granting access to the +publicly accessible operating system ensures privacy and security notification verbiage +used is consistent with applicable federal laws, Executive Orders, directives, policies, +regulations, standards, and guidance. + +System use notifications are required only for +access via logon interfaces with human users and are not required when such human interfaces +do not exist. + +The banner must be formatted in accordance with applicable DoD policy. Use the +following verbiage for operating systems that can accommodate banners of 1300 characters: + + +\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for +USG-authorized use only. + +By using this IS (which includes any device attached to this IS), +you consent to the following conditions: + +-The USG routinely intercepts and monitors +communications on this IS for purposes including, but not limited to, penetration testing, +COMSEC monitoring, network operations and defense, personnel misconduct (PM), law +enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may +inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS +are not private, are subject to routine monitoring, interception, and search, and may be +disclosed or used for any USG-authorized purpose. + +-This IS includes security measures +(e.g., authentication and access controls) to protect USG interests--not for your personal +benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent +to PM, LE or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services by +attorneys, psychotherapists, or clergy, and their assistants. Such communications and +work product are private and confidential. See User Agreement for details.\" + +Use the +following verbiage for operating systems that have severe limitations on the number of +characters that can be displayed in the banner: + +\"I've read & consent to terms in IS user +agreem't.\" + + " + desc "check", "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent +Banner before granting access to the Ubuntu operating system via an SSH logon with the +following command: + +$ grep -ir banner /etc/ssh/sshd_config* + + +/etc/ssh/sshd_config:Banner /etc/issue.net + +The command will return the banner option +along with the name of the file that contains the SSH banner. If the line is commented out, this +is a finding. + +If conflicting results are returned, this is a finding. + +Verify the +specified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly: + + +$ cat /etc/issue.net + +\"You are accessing a U.S. Government (USG) Information System (IS) +that is provided for USG-authorized use only. + +By using this IS (which includes any device +attached to this IS), you consent to the following conditions: + +-The USG routinely +intercepts and monitors communications on this IS for purposes including, but not limited +to, penetration testing, COMSEC monitoring, network operations and defense, personnel +misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, +or data stored on, this IS are not private, are subject to routine monitoring, interception, +and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes +security measures (e.g., authentication and access controls) to protect USG +interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using +this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of +the content of privileged communications, or work product, related to personal +representation or services by attorneys, psychotherapists, or clergy, and their +assistants. Such communications and work product are private and confidential. See User +Agreement for details.\" + +If the banner text does not match the Standard Mandatory DoD Notice +and Consent Banner exactly, this is a finding. " + desc "fix", "Set the parameter Banner in \"/etc/ssh/sshd_config\" to point to the \"/etc/issue.net\" file: + + +$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config +$ sudo sed -i '$aBanner /etc/issue.net' +/etc/ssh/sshd_config + +Either create the file containing the banner or replace the text in +the file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is: + + +\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for +USG-authorized use only. + +By using this IS (which includes any device attached to this IS), +you consent to the following conditions: + +-The USG routinely intercepts and monitors +communications on this IS for purposes including, but not limited to, penetration testing, +COMSEC monitoring, network operations and defense, personnel misconduct (PM), law +enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may +inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS +are not private, are subject to routine monitoring, interception, and search, and may be +disclosed or used for any USG-authorized purpose. + +-This IS includes security measures +(e.g., authentication and access controls) to protect USG interests--not for your personal +benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent +to PM, LE or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services by +attorneys, psychotherapists, or clergy, and their assistants. Such communications and +work product are private and confidential. See User Agreement for details.\" + +Restart the +SSH daemon for the changes to take effect and then signal the SSH server to reload the +configuration file: + +$ sudo systemctl -s SIGHUP kill sshd " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000228-GPOS-00088 " + tag satisfies: ["SRG-OS-000228-GPOS-00088","SRG-OS-000023-GPOS-00006"] + tag gid: "V-238214 " + tag rid: "SV-238214r858525_rule " + tag stig_id: "UBTU-20-010038 " + tag fix_id: "F-41383r653816_fix " + tag cci: ["CCI-000048","CCI-001384","CCI-001385","CCI-001386","CCI-001387","CCI-001388"] + tag nist: ["AC-8 a","AC-8 c 1","AC-8 c 2","AC-8 c 3"] +end \ No newline at end of file diff --git a/controls/SV-238215.rb b/controls/SV-238215.rb new file mode 100644 index 0000000..a4ab40c --- /dev/null +++ b/controls/SV-238215.rb @@ -0,0 +1,72 @@ +# encoding: UTF-8 + +control "SV-238215" do + title "The Ubuntu operating system must use SSH to protect the confidentiality and integrity of +transmitted information. " + desc "Without protection of the transmitted information, confidentiality and integrity may be +compromised because unprotected communications can be intercepted and either read or +altered. + +This requirement applies to both internal and external networks and all types of +information system components from which information can be transmitted (e.g., servers, +mobile devices, notebook computers, printers, copiers, scanners, and facsimile +machines). Communication paths outside the physical protection of a controlled boundary +are exposed to the possibility of interception and modification. + +Protecting the +confidentiality and integrity of organizational information can be accomplished by +physical means (e.g., employing physical distribution systems) or by logical means (e.g., +employing cryptographic techniques). If physical means of protection are employed, then +logical means (cryptography) do not have to be employed, and vice versa. + + " + desc "check", "Verify the SSH package is installed with the following command: + +$ sudo dpkg -l | grep openssh + +ii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access +to remote machines +ii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server, +for secure access from remote machines +ii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64 +secure shell (SSH) sftp server module, for SFTP access from remote machines + +If the +\"openssh\" server package is not installed, this is a finding. + +Verify the \"sshd.service\" is +loaded and active with the following command: + +$ sudo systemctl status sshd.service | egrep +-i \"(active|loaded)\" + Loaded: loaded (/lib/systemd/system/ssh.service; enabled; +vendor preset: enabled) + Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1 +weeks 3 days ago + +If \"sshd.service\" is not active or loaded, this is a finding. " + desc "fix", "Install the \"ssh\" meta-package on the system with the following command: + +$ sudo apt install +ssh + +Enable the \"ssh\" service to start automatically on reboot with the following command: + + +$ sudo systemctl enable sshd.service + +ensure the \"ssh\" service is running + +$ sudo +systemctl start sshd.service " + impact 0.7 + tag severity: "high " + tag gtitle: "SRG-OS-000423-GPOS-00187 " + tag satisfies: ["SRG-OS-000423-GPOS-00187","SRG-OS-000425-GPOS-00189","SRG-OS-000426-GPOS-00190"] + tag gid: "V-238215 " + tag rid: "SV-238215r853406_rule " + tag stig_id: "UBTU-20-010042 " + tag fix_id: "F-41384r653819_fix " + tag cci: ["CCI-002418","CCI-002420","CCI-002422"] + tag nist: ["SC-8","SC-8 (2)"] +end \ No newline at end of file diff --git a/controls/SV-238216.rb b/controls/SV-238216.rb new file mode 100644 index 0000000..8f2bde8 --- /dev/null +++ b/controls/SV-238216.rb @@ -0,0 +1,66 @@ +# encoding: UTF-8 + +control "SV-238216" do + title "The Ubuntu operating system must configure the SSH daemon to use Message Authentication +Codes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the +unauthorized disclosure of information and/or detect changes to information during +transmission. " + desc "Without cryptographic integrity protections, information can be altered by unauthorized +users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information +systems by an authorized user (or an information system) communicating through an external, +non-organization-controlled network. Remote access methods include, for example, +dial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are +those activities conducted by individuals communicating through a network, either an +external network (e.g., the internet) or an internal network. + +Local maintenance and +diagnostic activities are those activities carried out by individuals physically present +at the information system or information system component and not communicating across a +network connection. + +Encrypting information for transmission protects information from +unauthorized disclosure and modification. Cryptographic mechanisms implemented to +protect information integrity include, for example, cryptographic hash functions which +have common application in digital signatures, checksums, and message authentication +codes. + + " + desc "check", "Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers +with the following command: + +$ grep -ir macs /etc/ssh/sshd_config* + +MACs +hmac-sha2-512,hmac-sha2-256 + +If any ciphers other than \"hmac-sha2-512\" or +\"hmac-sha2-256\" are listed, the order differs from the example above, or the returned line is +commented out, this is a finding. +If conflicting results are returned, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS +140-2 approved ciphers. + +Add the following line (or modify the line to have the required +value) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a +different location if using a version of SSH that is provided by a third-party vendor): + +MACs +hmac-sha2-512,hmac-sha2-256 + +Restart the SSH daemon for the changes to take effect: + +$ +sudo systemctl reload sshd.service " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000424-GPOS-00188 " + tag satisfies: ["SRG-OS-000424-GPOS-00188","SRG-OS-000250-GPOS-00093","SRG-OS-000393-GPOS-00173"] + tag gid: "V-238216 " + tag rid: "SV-238216r860820_rule " + tag stig_id: "UBTU-20-010043 " + tag fix_id: "F-41385r653822_fix " + tag cci: ["CCI-001453","CCI-002421","CCI-002890"] + tag nist: ["AC-17 (2)","SC-8 (1)","MA-4 (6)"] +end \ No newline at end of file diff --git a/controls/SV-238217.rb b/controls/SV-238217.rb new file mode 100644 index 0000000..e9ecb28 --- /dev/null +++ b/controls/SV-238217.rb @@ -0,0 +1,72 @@ +# encoding: UTF-8 + +control "SV-238217" do + title "The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers +to prevent the unauthorized disclosure of information and/or detect changes to information +during transmission. " + desc "Without cryptographic integrity protections, information can be altered by unauthorized +users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information +systems by an authorized user (or an information system) communicating through an external, +non-organization-controlled network. Remote access methods include, for example, +dial-up, broadband, and wireless. + +Nonlocal maintenance and diagnostic activities are +those activities conducted by individuals communicating through a network, either an +external network (e.g., the internet) or an internal network. + +Local maintenance and +diagnostic activities are those activities carried out by individuals physically present +at the information system or information system component and not communicating across a +network connection. + +Encrypting information for transmission protects information from +unauthorized disclosure and modification. Cryptographic mechanisms implemented to +protect information integrity include, for example, cryptographic hash functions which +have common application in digital signatures, checksums, and message authentication +codes. + +By specifying a cipher list with the order of ciphers being in a \"strongest to +weakest\" orientation, the system will automatically attempt to use the strongest cipher for +securing SSH connections. + + " + desc "check", "Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running +the following command: + +$ grep -r 'Ciphers' /etc/ssh/sshd_config* + +Ciphers +aes256-ctr,aes192-ctr,aes128-ctr + +If any ciphers other than \"aes256-ctr\", +\"aes192-ctr\", or \"aes128-ctr\" are listed, the order differs from the example above, the +\"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding. +If +conflicting results are returned, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to allow the SSH daemon to only implement +FIPS-approved algorithms. + +Add the following line (or modify the line to have the required +value) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a +different location if using a version of SSH that is provided by a third-party vendor): + + +Ciphers aes256-ctr,aes192-ctr,aes128-ctr + +Restart the SSH daemon for the changes to +take effect: + +$ sudo systemctl restart sshd.service " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000424-GPOS-00188 " + tag satisfies: ["SRG-OS-000424-GPOS-00188","SRG-OS-000033-GPOS-00014","SRG-OS-000394-GPOS-00174"] + tag gid: "V-238217 " + tag rid: "SV-238217r860821_rule " + tag stig_id: "UBTU-20-010044 " + tag fix_id: "F-41386r653825_fix " + tag cci: ["CCI-000068","CCI-002421","CCI-003123"] + tag nist: ["AC-17 (2)","SC-8 (1)","MA-4 (6)"] +end \ No newline at end of file diff --git a/controls/SV-238218.rb b/controls/SV-238218.rb new file mode 100644 index 0000000..f6474e8 --- /dev/null +++ b/controls/SV-238218.rb @@ -0,0 +1,44 @@ +# encoding: UTF-8 + +control "SV-238218" do + title "The Ubuntu operating system must not allow unattended or automatic login via SSH. " + desc "Failure to restrict system access to authenticated users negatively impacts Ubuntu +operating system security. " + desc "check", "Verify that unattended or automatic login via SSH is disabled with the following command: + +$ +egrep -r '(Permit(.*?)(Passwords|Environment))' +/etc/ssh/sshd_config + +PermitEmptyPasswords no +PermitUserEnvironment no + +If +\"PermitEmptyPasswords\" or \"PermitUserEnvironment\" keywords are not set to \"no\", are +missing completely, or are commented out, this is a finding. +If conflicting results are +returned, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or +automatic login to the system. + +Add or edit the following lines in the +\"/etc/ssh/sshd_config\" file: + +PermitEmptyPasswords no +PermitUserEnvironment no + + +Restart the SSH daemon for the changes to take effect: + +$ sudo systemctl restart +sshd.service " + impact 0.7 + tag severity: "high " + tag gtitle: "SRG-OS-000480-GPOS-00229 " + tag gid: "V-238218 " + tag rid: "SV-238218r858531_rule " + tag stig_id: "UBTU-20-010047 " + tag fix_id: "F-41387r653828_fix " + tag cci: ["CCI-000366"] + tag nist: ["CM-6 b"] +end \ No newline at end of file diff --git a/controls/SV-238219.rb b/controls/SV-238219.rb new file mode 100644 index 0000000..dd720dc --- /dev/null +++ b/controls/SV-238219.rb @@ -0,0 +1,52 @@ +# encoding: UTF-8 + +control "SV-238219" do + title "The Ubuntu operating system must be configured so that remote X connections are disabled, +unless to fulfill documented and validated mission requirements. " + desc "The security risk of using X11 forwarding is that the client's X11 display server may be +exposed to attack when the SSH client requests forwarding. A System Administrator may have a +stance in which they want to protect clients that may expose themselves to attack by +unwittingly requesting X11 forwarding, which can warrant a ''no'' setting. + +X11 +forwarding should be enabled with caution. Users with the ability to bypass file permissions +on the remote host (for the user's X11 authorization database) can access the local X11 +display through the forwarded connection. An attacker may then be able to perform activities +such as keystroke monitoring if the ForwardX11Trusted option is also enabled. + +If X11 +services are not required for the system's intended function, they should be disabled or +restricted as appropriate to the system’s needs. " + desc "check", "Verify that X11Forwarding is disabled with the following command: + +$ grep -ir +x11forwarding /etc/ssh/sshd_config* | grep -v \"^#\" + +X11Forwarding no + +If the +\"X11Forwarding\" keyword is set to \"yes\" and is not documented with the Information System +Security Officer (ISSO) as an operational requirement or is missing, this is a finding. +If +conflicting results are returned, this is a finding. " + desc "fix", "Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\" +keyword and set its value to \"no\" (this file may be named differently or be in a different +location if using a version of SSH that is provided by a third-party vendor): + +X11Forwarding +no + +Restart the SSH daemon for the changes to take effect: + +$ sudo systemctl restart +sshd.service " + impact 0.7 + tag severity: "high " + tag gtitle: "SRG-OS-000480-GPOS-00227 " + tag gid: "V-238219 " + tag rid: "SV-238219r858533_rule " + tag stig_id: "UBTU-20-010048 " + tag fix_id: "F-41388r653831_fix " + tag cci: ["CCI-000366"] + tag nist: ["CM-6 b"] +end \ No newline at end of file diff --git a/controls/SV-238220.rb b/controls/SV-238220.rb new file mode 100644 index 0000000..62a85c9 --- /dev/null +++ b/controls/SV-238220.rb @@ -0,0 +1,47 @@ +# encoding: UTF-8 + +control "SV-238220" do + title "The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy +display. " + desc "When X11 forwarding is enabled, there may be additional exposure to the server and client +displays if the sshd proxy display is configured to listen on the wildcard address. By +default, sshd binds the forwarding server to the loopback address and sets the hostname part +of the DISPLAY environment variable to localhost. This prevents remote hosts from +connecting to the proxy display. " + desc "check", "Verify the SSH daemon prevents remote hosts from connecting to the proxy display. + +Check the +SSH X11UseLocalhost setting with the following command: + +$ sudo grep -ir x11uselocalhost +/etc/ssh/sshd_config* +X11UseLocalhost yes + +If the \"X11UseLocalhost\" keyword is set to +\"no\", is missing, or is commented out, this is a finding. +If conflicting results are +returned, this is a finding. " + desc "fix", "Configure the SSH daemon to prevent remote hosts from connecting to the proxy display. + +Edit +the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11UseLocalhost\" +keyword and set its value to \"yes\" (this file may be named differently or be in a different +location if using a version of SSH that is provided by a third-party vendor): + + +X11UseLocalhost yes + +Restart the SSH daemon for the changes to take effect: + +$ sudo +systemctl restart sshd.service " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000480-GPOS-00227 " + tag gid: "V-238220 " + tag rid: "SV-238220r858535_rule " + tag stig_id: "UBTU-20-010049 " + tag fix_id: "F-41389r653834_fix " + tag cci: ["CCI-000366"] + tag nist: ["CM-6 b"] +end \ No newline at end of file diff --git a/controls/SV-238221.rb b/controls/SV-238221.rb new file mode 100644 index 0000000..45c0f4c --- /dev/null +++ b/controls/SV-238221.rb @@ -0,0 +1,39 @@ +# encoding: UTF-8 + +control "SV-238221" do + title "The Ubuntu operating system must enforce password complexity by requiring that at least one +upper-case character be used. " + desc "Use of a complex password helps to increase the time and resources required to compromise the +password. Password complexity, or strength, is a measure of the effectiveness of a password +in resisting attempts at guessing and brute-force attacks. + +Password complexity is one +factor of several that determines how long it takes to crack a password. The more complex the +password, the greater the number of possible combinations that need to be tested before the +password is compromised. " + desc "check", "Verify the Ubuntu operating system enforces password complexity by requiring that at least +one upper-case character be used. + +Determine if the field \"ucredit\" is set in the +\"/etc/security/pwquality.conf\" file with the following command: + +$ grep -i \"ucredit\" +/etc/security/pwquality.conf +ucredit=-1 + +If the \"ucredit\" parameter is greater than +\"-1\" or is commented out, this is a finding. " + desc "fix", "Add or update the \"/etc/security/pwquality.conf\" file to contain the \"ucredit\" parameter: + + +ucredit=-1 " + impact 0.3 + tag severity: "low " + tag gtitle: "SRG-OS-000069-GPOS-00037 " + tag gid: "V-238221 " + tag rid: "SV-238221r653838_rule " + tag stig_id: "UBTU-20-010050 " + tag fix_id: "F-41390r653837_fix " + tag cci: ["CCI-000192"] + tag nist: ["IA-5 (1) (a)"] +end \ No newline at end of file diff --git a/controls/SV-238222.rb b/controls/SV-238222.rb new file mode 100644 index 0000000..dfbc482 --- /dev/null +++ b/controls/SV-238222.rb @@ -0,0 +1,39 @@ +# encoding: UTF-8 + +control "SV-238222" do + title "The Ubuntu operating system must enforce password complexity by requiring that at least one +lower-case character be used. " + desc "Use of a complex password helps to increase the time and resources required to compromise the +password. Password complexity, or strength, is a measure of the effectiveness of a password +in resisting attempts at guessing and brute-force attacks. + +Password complexity is one +factor of several that determines how long it takes to crack a password. The more complex the +password, the greater the number of possible combinations that need to be tested before the +password is compromised. " + desc "check", "Verify the Ubuntu operating system enforces password complexity by requiring that at least +one lower-case character be used. + +Determine if the field \"lcredit\" is set in the +\"/etc/security/pwquality.conf\" file with the following command: + +$ grep -i \"lcredit\" +/etc/security/pwquality.conf +lcredit=-1 + +If the \"lcredit\" parameter is greater than +\"-1\" or is commented out, this is a finding. " + desc "fix", "Add or update the \"/etc/security/pwquality.conf\" file to contain the \"lcredit\" parameter: + + +lcredit=-1 " + impact 0.3 + tag severity: "low " + tag gtitle: "SRG-OS-000070-GPOS-00038 " + tag gid: "V-238222 " + tag rid: "SV-238222r653841_rule " + tag stig_id: "UBTU-20-010051 " + tag fix_id: "F-41391r653840_fix " + tag cci: ["CCI-000193"] + tag nist: ["IA-5 (1) (a)"] +end \ No newline at end of file diff --git a/controls/SV-238223.rb b/controls/SV-238223.rb new file mode 100644 index 0000000..79fe316 --- /dev/null +++ b/controls/SV-238223.rb @@ -0,0 +1,42 @@ +# encoding: UTF-8 + +control "SV-238223" do + title "The Ubuntu operating system must enforce password complexity by requiring that at least one +numeric character be used. " + desc "Use of a complex password helps to increase the time and resources required to compromise the +password. Password complexity, or strength, is a measure of the effectiveness of a password +in resisting attempts at guessing and brute-force attacks. + +Password complexity is one +factor of several that determines how long it takes to crack a password. The more complex the +password, the greater the number of possible combinations that need to be tested before the +password is compromised. " + desc "check", "Verify the Ubuntu operating system enforces password complexity by requiring that at least +one numeric character be used. + +Determine if the field \"dcredit\" is set in the +\"/etc/security/pwquality.conf\" file with the following command: + +$ grep -i \"dcredit\" +/etc/security/pwquality.conf +dcredit=-1 + +If the \"dcredit\" parameter is greater than +\"-1\" or is commented out, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to enforce password complexity by requiring that at +least one numeric character be used. + +Add or update the \"/etc/security/pwquality.conf\" +file to contain the \"dcredit\" parameter: + +dcredit=-1 " + impact 0.3 + tag severity: "low " + tag gtitle: "SRG-OS-000071-GPOS-00039 " + tag gid: "V-238223 " + tag rid: "SV-238223r653844_rule " + tag stig_id: "UBTU-20-010052 " + tag fix_id: "F-41392r653843_fix " + tag cci: ["CCI-000194"] + tag nist: ["IA-5 (1) (a)"] +end \ No newline at end of file diff --git a/controls/SV-238224.rb b/controls/SV-238224.rb new file mode 100644 index 0000000..5aafee3 --- /dev/null +++ b/controls/SV-238224.rb @@ -0,0 +1,46 @@ +# encoding: UTF-8 + +control "SV-238224" do + title "The Ubuntu operating system must require the change of at least 8 characters when passwords +are changed. " + desc "If the operating system allows the user to consecutively reuse extensive portions of +passwords, this increases the chances of password compromise by increasing the window of +opportunity for attempts at guessing and brute-force attacks. + +The number of changed +characters refers to the number of changes required with respect to the total number of +positions in the current password. In other words, characters may be the same within the two +passwords; however, the positions of the like characters must be different. + +If the +password length is an odd number then number of changed characters must be rounded up. For +example, a password length of 15 characters must require the change of at least 8 characters. " + desc "check", "Verify the Ubuntu operating system requires the change of at least eight characters when +passwords are changed. + +Determine if the field \"difok\" is set in the +\"/etc/security/pwquality.conf\" file with the following command: + +$ grep -i \"difok\" +/etc/security/pwquality.conf +difok=8 + +If the \"difok\" parameter is less than \"8\" or is +commented out, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to require the change of at least eight characters when +passwords are changed. + +Add or update the \"/etc/security/pwquality.conf\" file to include +the \"difok=8\" parameter: + +difok=8 " + impact 0.3 + tag severity: "low " + tag gtitle: "SRG-OS-000072-GPOS-00040 " + tag gid: "V-238224 " + tag rid: "SV-238224r653847_rule " + tag stig_id: "UBTU-20-010053 " + tag fix_id: "F-41393r653846_fix " + tag cci: ["CCI-000195"] + tag nist: ["IA-5 (1) (b)"] +end \ No newline at end of file diff --git a/controls/SV-238225.rb b/controls/SV-238225.rb new file mode 100644 index 0000000..3626a37 --- /dev/null +++ b/controls/SV-238225.rb @@ -0,0 +1,38 @@ +# encoding: UTF-8 + +control "SV-238225" do + title "The Ubuntu operating system must enforce a minimum 15-character password length. " + desc "The shorter the password, the lower the number of possible combinations that need to be tested +before the password is compromised. + +Password complexity, or strength, is a measure of the +effectiveness of a password in resisting attempts at guessing and brute-force attacks. +Password length is one factor of several that helps to determine strength and how long it takes +to crack a password. Use of more characters in a password helps to exponentially increase the +time and/or resources required to compromise the password. " + desc "check", "Verify the pwquality configuration file enforces a minimum 15-character password length by +running the following command: + +$ grep -i minlen +/etc/security/pwquality.conf +minlen=15 + +If \"minlen\" parameter value is not \"15\" or +higher or is commented out, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to enforce a minimum 15-character password length. + + +Add or modify the \"minlen\" parameter value to the \"/etc/security/pwquality.conf\" file: + + +minlen=15 " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000078-GPOS-00046 " + tag gid: "V-238225 " + tag rid: "SV-238225r832942_rule " + tag stig_id: "UBTU-20-010054 " + tag fix_id: "F-41394r653849_fix " + tag cci: ["CCI-000205"] + tag nist: ["IA-5 (1) (a)"] +end \ No newline at end of file diff --git a/controls/SV-238226.rb b/controls/SV-238226.rb new file mode 100644 index 0000000..8ad6fa7 --- /dev/null +++ b/controls/SV-238226.rb @@ -0,0 +1,42 @@ +# encoding: UTF-8 + +control "SV-238226" do + title "The Ubuntu operating system must enforce password complexity by requiring that at least one +special character be used. " + desc "Use of a complex password helps to increase the time and resources required to compromise the +password. Password complexity or strength is a measure of the effectiveness of a password in +resisting attempts at guessing and brute-force attacks. + +Password complexity is one +factor in determining how long it takes to crack a password. The more complex the password, the +greater the number of possible combinations that need to be tested before the password is +compromised. + +Special characters are those characters that are not alphanumeric. +Examples include: ~ ! @ # $ % ^ *. " + desc "check", "Determine if the field \"ocredit\" is set in the \"/etc/security/pwquality.conf\" file with the +following command: + +$ grep -i \"ocredit\" /etc/security/pwquality.conf +ocredit=-1 + +If +the \"ocredit\" parameter is greater than \"-1\" or is commented out, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to enforce password complexity by requiring that at +least one special character be used. + +Add or update the following line in the +\"/etc/security/pwquality.conf\" file to include the \"ocredit=-1\" parameter: + + +ocredit=-1 " + impact 0.3 + tag severity: "low " + tag gtitle: "SRG-OS-000266-GPOS-00101 " + tag gid: "V-238226 " + tag rid: "SV-238226r653853_rule " + tag stig_id: "UBTU-20-010055 " + tag fix_id: "F-41395r653852_fix " + tag cci: ["CCI-001619"] + tag nist: ["IA-5 (1) (a)"] +end \ No newline at end of file diff --git a/controls/SV-238227.rb b/controls/SV-238227.rb new file mode 100644 index 0000000..94deb66 --- /dev/null +++ b/controls/SV-238227.rb @@ -0,0 +1,34 @@ +# encoding: UTF-8 + +control "SV-238227" do + title "The Ubuntu operating system must prevent the use of dictionary words for passwords. " + desc "If the Ubuntu operating system allows the user to select passwords based on dictionary words, +then this increases the chances of password compromise by increasing the opportunity for +successful guesses and brute-force attacks. " + desc "check", "Verify the Ubuntu operating system uses the \"cracklib\" library to prevent the use of +dictionary words with the following command: + +$ grep dictcheck +/etc/security/pwquality.conf + +dictcheck=1 + +If the \"dictcheck\" parameter is not set to +\"1\" or is commented out, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to prevent the use of dictionary words for passwords. + + +Add or update the following line in the \"/etc/security/pwquality.conf\" file to include the +\"dictcheck=1\" parameter: + +dictcheck=1 " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000480-GPOS-00225 " + tag gid: "V-238227 " + tag rid: "SV-238227r653856_rule " + tag stig_id: "UBTU-20-010056 " + tag fix_id: "F-41396r653855_fix " + tag cci: ["CCI-000366"] + tag nist: ["CM-6 b"] +end \ No newline at end of file diff --git a/controls/SV-238228.rb b/controls/SV-238228.rb new file mode 100644 index 0000000..5afecd8 --- /dev/null +++ b/controls/SV-238228.rb @@ -0,0 +1,79 @@ +# encoding: UTF-8 + +control "SV-238228" do + title "The Ubuntu operating system must be configured so that when passwords are changed or new +passwords are established, pwquality must be used. " + desc "Use of a complex password helps to increase the time and resources required to compromise the +password. Password complexity, or strength, is a measure of the effectiveness of a password +in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex +password construction configuration and has the ability to limit brute-force attacks on the +system. " + desc "check", "Verify the Ubuntu operating system has the \"libpam-pwquality\" package installed by running +the following command: + +$ dpkg -l libpam-pwquality + +ii libpam-pwquality:amd64 1.4.0-2 +amd64 PAM module to check password strength + +If \"libpam-pwquality\" is not installed, this +is a finding. + +Verify that the operating system uses \"pwquality\" to enforce the password +complexity rules. + +Verify the pwquality module is being enforced by the Ubuntu operating +system by running the following command: + +$ grep -i enforcing +/etc/security/pwquality.conf + +enforcing = 1 + +If the value of \"enforcing\" is not \"1\" or the +line is commented out, this is a finding. + +Check for the use of \"pwquality\" with the following +command: + +$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality + + +password requisite pam_pwquality.so retry=3 + +If no output is returned or the line is +commented out, this is a finding. + +If the value of \"retry\" is set to \"0\" or greater than \"3\", +this is a finding. " + desc "fix", "Configure the operating system to use \"pwquality\" to enforce password complexity rules. + + +Install the \"pam_pwquality\" package by using the following command: + +$ sudo apt-get +install libpam-pwquality -y + +Add the following line to \"/etc/security/pwquality.conf\" +(or modify the line to have the required value): + +enforcing = 1 + +Add the following line to +\"/etc/pam.d/common-password\" (or modify the line to have the required value): + +password +requisite pam_pwquality.so retry=3 + +Note: The value of \"retry\" should be between \"1\" and +\"3\". " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000480-GPOS-00225 " + tag gid: "V-238228 " + tag rid: "SV-238228r653859_rule " + tag stig_id: "UBTU-20-010057 " + tag fix_id: "F-41397r653858_fix " + tag cci: ["CCI-000366"] + tag nist: ["CM-6 b"] +end \ No newline at end of file diff --git a/controls/SV-238229.rb b/controls/SV-238229.rb new file mode 100644 index 0000000..e69d4cc --- /dev/null +++ b/controls/SV-238229.rb @@ -0,0 +1,69 @@ +# encoding: UTF-8 + +control "SV-238229" do + title "The Ubuntu operating system, for PKI-based authentication, must validate certificates by +constructing a certification path (which includes status information) to an accepted trust +anchor. " + desc "Without path validation, an informed trust decision by the relying party cannot be made when +presented with any certificate not already explicitly trusted. + +A trust anchor is an +authoritative entity represented via a public key and associated data. It is used in the +context of public key infrastructures, X.509 digital certificates, and DNSSEC. + +When +there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can +be, for example, a Certification Authority (CA). A certification path starts with the +subject certificate and proceeds through a number of intermediate certificates up to a +trusted root certificate, typically issued by a trusted CA. + +This requirement verifies +that a certification path to an accepted trust anchor is used for certificate validation and +that the path includes status information. Path validation is necessary for a relying party +to make an informed trust decision when presented with any certificate not already +explicitly trusted. Status information for certification paths includes certificate +revocation lists or online certificate status protocol responses. Validation of the +certificate status information is out of scope for this requirement. " + desc "check", "Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates +by constructing a certification path to an accepted trust anchor. + +Determine which pkcs11 +module is being used via the \"use_pkcs11_module\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" +and then ensure \"ca\" is enabled in \"cert_policy\" with the following command: + +$ sudo grep +use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc +{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca + +cert_policy = +ca,signature,ocsp_on; + +If \"cert_policy\" is not set to \"ca\" or the line is commented out, +this is a finding. " + desc "fix", "Configure the Ubuntu operating system, for PKI-based authentication, to validate +certificates by constructing a certification path to an accepted trust anchor. + +Determine +which pkcs11 module is being used via the \"use_pkcs11_module\" in +\"/etc/pam_pkcs11/pam_pkcs11.conf\" and ensure \"ca\" is enabled in \"cert_policy\". + +Add or +update the \"cert_policy\" to ensure \"ca\" is enabled: + +cert_policy = ca,signature,ocsp_on; + + +If the system is missing an \"/etc/pam_pkcs11/\" directory and an +\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify +accordingly at +\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\". " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000066-GPOS-00034 " + tag gid: "V-238229 " + tag rid: "SV-238229r653862_rule " + tag stig_id: "UBTU-20-010060 " + tag fix_id: "F-41398r653861_fix " + tag cci: ["CCI-000185"] + tag nist: ["IA-5 (2) (b) (1)"] +end \ No newline at end of file diff --git a/controls/SV-238230.rb b/controls/SV-238230.rb new file mode 100644 index 0000000..ff45bed --- /dev/null +++ b/controls/SV-238230.rb @@ -0,0 +1,55 @@ +# encoding: UTF-8 + +control "SV-238230" do + title "The Ubuntu operating system must implement multifactor authentication for remote access to +privileged accounts in such a way that one of the factors is provided by a device separate from +the system gaining access. " + desc "Using an authentication device, such as a CAC or token that is separate from the information +system, ensures that even if the information system is compromised, that compromise will not +affect credentials stored on the authentication device. + +Multifactor solutions that +require devices separate from information systems gaining access include, for example, +hardware tokens providing time-based or challenge-response authenticators and smart +cards such as the U.S. Government Personal Identity Verification card and the DoD Common +Access Card. + +A privileged account is defined as an information system account with +authorizations of a privileged user. + +Remote access is access to DoD nonpublic information +systems by an authorized user (or an information system) communicating through an external, +non-organization-controlled network. Remote access methods include, for example, +dial-up, broadband, and wireless. + +This requirement only applies to components where this +is specific to the function of the device or has the concept of an organizational user (e.g., +VPN, proxy capability). This does not apply to authentication for the purpose of configuring +the device itself (management). " + desc "check", "Verify the Ubuntu operating system has the packages required for multifactor +authentication installed with the following commands: + +$ dpkg -l | grep libpam-pkcs11 + +ii +libpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards + +If the +\"libpam-pkcs11\" package is not installed, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to implement multifactor authentication by +installing the required packages. + +Install the \"libpam-pkcs11\" package on the system with +the following command: + +$ sudo apt install libpam-pkcs11 " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000375-GPOS-00160 " + tag gid: "V-238230 " + tag rid: "SV-238230r853410_rule " + tag stig_id: "UBTU-20-010063 " + tag fix_id: "F-41399r653864_fix " + tag cci: ["CCI-001948"] + tag nist: ["IA-2 (11)"] +end \ No newline at end of file diff --git a/controls/SV-238231.rb b/controls/SV-238231.rb new file mode 100644 index 0000000..2531ef4 --- /dev/null +++ b/controls/SV-238231.rb @@ -0,0 +1,41 @@ +# encoding: UTF-8 + +control "SV-238231" do + title "The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. " + desc "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized +access. + +DoD has mandated the use of the CAC to support identity management and personal +authentication for systems covered under Homeland Security Presidential Directive (HSPD) +12, as well as making the CAC a primary component of layered protection for national security +systems. " + desc "check", "Verify the Ubuntu operating system accepts PIV credentials. + +Verify the \"opensc-pcks11\" +package is installed on the system with the following command: + +$ dpkg -l | grep +opensc-pkcs11 + +ii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with +support for PKCS#15 compatible cards + +If the \"opensc-pcks11\" package is not installed, +this is a finding. " + desc "fix", "Configure the Ubuntu operating system to accept PIV credentials. + +Install the +\"opensc-pkcs11\" package using the following command: + +$ sudo apt-get install +opensc-pkcs11 " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000376-GPOS-00161 " + tag gid: "V-238231 " + tag rid: "SV-238231r853411_rule " + tag stig_id: "UBTU-20-010064 " + tag fix_id: "F-41400r653867_fix " + tag cci: ["CCI-001953"] + tag nist: ["IA-2 (12)"] +end \ No newline at end of file diff --git a/controls/SV-238232.rb b/controls/SV-238232.rb new file mode 100644 index 0000000..2cef0a1 --- /dev/null +++ b/controls/SV-238232.rb @@ -0,0 +1,41 @@ +# encoding: UTF-8 + +control "SV-238232" do + title "The Ubuntu operating system must electronically verify Personal Identity Verification +(PIV) credentials. " + desc "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized +access. + +DoD has mandated the use of the CAC to support identity management and personal +authentication for systems covered under Homeland Security Presidential Directive (HSPD) +12, as well as making the CAC a primary component of layered protection for national security +systems. " + desc "check", "Verify the Ubuntu operating system electronically verifies PIV credentials. + +Verify that +certificate status checking for multifactor authentication is implemented with the +following command: + +$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | +awk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | +grep ocsp_on + +cert_policy = ca,signature,ocsp_on; + +If \"cert_policy\" is not set to +\"ocsp_on\", or the line is commented out, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to do certificate status checking for multifactor +authentication. + +Modify all of the \"cert_policy\" lines in +\"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\". " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000377-GPOS-00162 " + tag gid: "V-238232 " + tag rid: "SV-238232r853412_rule " + tag stig_id: "UBTU-20-010065 " + tag fix_id: "F-41401r653870_fix " + tag cci: ["CCI-001954"] + tag nist: ["IA-2 (12)"] +end \ No newline at end of file diff --git a/controls/SV-238233.rb b/controls/SV-238233.rb new file mode 100644 index 0000000..0bcbfea --- /dev/null +++ b/controls/SV-238233.rb @@ -0,0 +1,44 @@ +# encoding: UTF-8 + +control "SV-238233" do + title "The Ubuntu operating system for PKI-based authentication, must implement a local cache of +revocation data in case of the inability to access revocation information via the network. " + desc "Without configuring a local cache of revocation data, there is the potential to allow access +to users who are no longer authorized (users with revoked certificates). " + desc "check", "Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation +data when unable to access it from the network. + +Verify that \"crl_offline\" or \"crl_auto\" is +part of the \"cert_policy\" definition in \"/etc/pam_pkcs11/pam_pkcs11.conf\" using the +following command: + +# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E -- +'crl_auto|crl_offline' + +cert_policy = ca,signature,ocsp_on,crl_auto; + +If +\"cert_policy\" is not set to include \"crl_auto\" or \"crl_offline\", this is a finding. " + desc "fix", "Configure the Ubuntu operating system, for PKI-based authentication, to use local +revocation data when unable to access the network to obtain it remotely. + +Add or update the +\"cert_policy\" option in \"/etc/pam/_pkcs11/pam_pkcs11.conf\" to include \"crl_auto\" or +\"crl_offline\". + +cert_policy = ca,signature,ocsp_on, crl_auto; + +If the system is +missing an \"/etc/pam_pkcs11/\" directory and an \"/etc/pam_pkcs11/pam_pkcs11.conf\", find +an example to copy into place and modify accordingly at +\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\". " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000384-GPOS-00167 " + tag gid: "V-238233 " + tag rid: "SV-238233r853413_rule " + tag stig_id: "UBTU-20-010066 " + tag fix_id: "F-41402r653873_fix " + tag cci: ["CCI-001991"] + tag nist: ["IA-5 (2) (d)"] +end \ No newline at end of file diff --git a/controls/SV-238234.rb b/controls/SV-238234.rb new file mode 100644 index 0000000..3747d33 --- /dev/null +++ b/controls/SV-238234.rb @@ -0,0 +1,41 @@ +# encoding: UTF-8 + +control "SV-238234" do + title "The Ubuntu operating system must prohibit password reuse for a minimum of five generations. " + desc "Password complexity, or strength, is a measure of the effectiveness of a password in +resisting attempts at guessing and brute-force attacks. If the information system or +application allows the user to consecutively reuse their password when that password has +exceeded its defined lifetime, the end result is a password that is not changed as per policy +requirements. + + " + desc "check", "Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five +generations by running the following command: + +$ grep -i remember +/etc/pam.d/common-password + +password [success=1 default=ignore] pam_unix.so obscure +sha512 shadow remember=5 rounds=5000 + +If the \"remember\" parameter value is not greater +than or equal to \"5\", is commented out, or is not set at all, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of +five generations. + +Add or modify the \"remember\" parameter value to the following line in +\"/etc/pam.d/common-password\" file: + +password [success=1 default=ignore] pam_unix.so +obscure sha512 shadow remember=5 rounds=5000 " + impact 0.3 + tag severity: "low " + tag gtitle: "SRG-OS-000077-GPOS-00045 " + tag satisfies: ["SRG-OS-000077-GPOS-00045","SRG-OS-000073-GPOS-00041"] + tag gid: "V-238234 " + tag rid: "SV-238234r832945_rule " + tag stig_id: "UBTU-20-010070 " + tag fix_id: "F-41403r832944_fix " + tag cci: ["CCI-000196","CCI-000200"] + tag nist: ["IA-5 (1) (c)","IA-5 (1) (e)"] +end \ No newline at end of file diff --git a/controls/SV-238235.rb b/controls/SV-238235.rb new file mode 100644 index 0000000..0ea295d --- /dev/null +++ b/controls/SV-238235.rb @@ -0,0 +1,75 @@ +# encoding: UTF-8 + +control "SV-238235" do + title "The Ubuntu operating system must automatically lock an account until the locked account is +released by an administrator when three unsuccessful logon attempts have been made. " + desc "By limiting the number of failed logon attempts, the risk of unauthorized system access via +user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by +locking the account. + + " + desc "check", "Verify that the Ubuntu operating system utilizes the \"pam_faillock\" module with the +following command: +$ grep faillock /etc/pam.d/common-auth + +auth [default=die] +pam_faillock.so authfail +auth sufficient pam_faillock.so authsucc + +If the +pam_faillock.so module is not present in the \"/etc/pam.d/common-auth\" file, this is a +finding. + +Verify the pam_faillock module is configured to use the following options: +$ +sudo egrep 'silent|audit|deny|fail_interval| unlock_time' +/etc/security/faillock.conf + +audit +silent +deny = 3 +fail_interval = 900 +unlock_time = +0 + +If the \"silent\" keyword is missing or commented out, this is a finding. +If the \"audit\" +keyword is missing or commented out, this is a finding. +If the \"deny\" keyword is missing, +commented out, or set to a value greater than 3, this is a finding. +If the \"fail_interval\" +keyword is missing, commented out, or set to a value greater than 900, this is a finding. +If the +\"unlock_time\" keyword is missing, commented out, or not set to 0, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to utilize the \"pam_faillock\" module. + +Edit the +/etc/pam.d/common-auth file. + +Add the following lines below the \"auth\" definition for +pam_unix.so: +auth [default=die] pam_faillock.so authfail +auth sufficient +pam_faillock.so authsucc + +Configure the \"pam_faillock\" module to use the following +options: + +Edit the /etc/security/faillock.conf file and add/update the following +keywords and values: +audit +silent +deny = 3 +fail_interval = 900 +unlock_time = 0 " + impact 0.3 + tag severity: "low " + tag gtitle: "SRG-OS-000329-GPOS-00128 " + tag satisfies: ["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"] + tag gid: "V-238235 " + tag rid: "SV-238235r853414_rule " + tag stig_id: "UBTU-20-010072 " + tag fix_id: "F-41404r802382_fix " + tag cci: ["CCI-000044","CCI-002238"] + tag nist: ["AC-7 a","AC-7 b"] +end \ No newline at end of file diff --git a/controls/SV-238236.rb b/controls/SV-238236.rb new file mode 100644 index 0000000..5425c3d --- /dev/null +++ b/controls/SV-238236.rb @@ -0,0 +1,76 @@ +# encoding: UTF-8 + +control "SV-238236" do + title "The Ubuntu operating system must be configured so that the script which runs each 30 days or +less to check file integrity is the default one. " + desc "Without verification of the security functions, security functions may not operate +correctly and the failure may go unnoticed. Security function is defined as the hardware, +software, and/or firmware of the information system responsible for enforcing the system +security policy and supporting the isolation of code and data on which the protection is +based. Security functionality includes, but is not limited to, establishing system +accounts, configuring access authorizations (i.e., permissions, privileges), setting +events to be audited, and setting intrusion detection parameters. + +Notifications +provided by information systems include, for example, electronic alerts to System +Administrators, messages to local computer consoles, and/or hardware indications, such as +lights. + +This requirement applies to the Ubuntu operating system performing security +function verification/testing and/or systems and environments that require this +functionality. " + desc "check", "Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to +check file integrity each 30 days or less is unchanged. + +Download the original aide-common +package in the /tmp directory: + +$ cd /tmp; apt download aide-common + +Fetch the SHA1 of the +original script file: + +$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO +./usr/share/aide/config/cron.daily/aide | sha1sum + +32958374f18871e3f7dda27a58d721f471843e26 - + +Compare with the SHA1 of the file in the +daily or monthly cron directory: + +$ sha1sum /etc/cron.{daily,monthly}/aide +2>/dev/null +32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide + +If +there is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the +daily or monthly cron directory does not match the SHA1 of the original, this is a finding. " + desc "fix", "The cron file for AIDE is fairly complex as it creates the report. This file is installed with +the \"aide-common\" package, and the default can be restored by copying it from the package: + + +Download the original package to the /tmp dir: + +$ cd /tmp; apt download aide-common + + +Extract the aide script to its original place: + +$ dpkg-deb --fsys-tarfile +/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C / + + +Copy it to the cron.daily directory: + +$ sudo cp -f +/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000446-GPOS-00200 " + tag gid: "V-238236 " + tag rid: "SV-238236r853415_rule " + tag stig_id: "UBTU-20-010074 " + tag fix_id: "F-41405r653882_fix " + tag cci: ["CCI-002699"] + tag nist: ["SI-6 b"] +end \ No newline at end of file diff --git a/controls/SV-238237.rb b/controls/SV-238237.rb new file mode 100644 index 0000000..fce42a0 --- /dev/null +++ b/controls/SV-238237.rb @@ -0,0 +1,35 @@ +# encoding: UTF-8 + +control "SV-238237" do + title "The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts +following a failed logon attempt. " + desc "Limiting the number of logon attempts over a certain time interval reduces the chances that an +unauthorized user may gain access to an account. " + desc "check", "Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon +prompts following a failed logon attempt with the following command: + +$ grep pam_faildelay +/etc/pam.d/common-auth + +auth required pam_faildelay.so delay=4000000 + +If the line is +not present or is commented out, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon +prompts following a failed logon attempt. + +Edit the file \"/etc/pam.d/common-auth\" and set +the parameter \"pam_faildelay\" to a value of 4000000 or greater: + +auth required +pam_faildelay.so delay=4000000 " + impact 0.3 + tag severity: "low " + tag gtitle: "SRG-OS-000480-GPOS-00226 " + tag gid: "V-238237 " + tag rid: "SV-238237r653886_rule " + tag stig_id: "UBTU-20-010075 " + tag fix_id: "F-41406r653885_fix " + tag cci: ["CCI-000366"] + tag nist: ["CM-6 b"] +end \ No newline at end of file diff --git a/controls/SV-238238.rb b/controls/SV-238238.rb new file mode 100644 index 0000000..7c4757e --- /dev/null +++ b/controls/SV-238238.rb @@ -0,0 +1,56 @@ +# encoding: UTF-8 + +control "SV-238238" do + title "The Ubuntu operating system must generate audit records for all account creations, +modifications, disabling, and termination events that affect /etc/passwd. " + desc "Once an attacker establishes access to a system, the attacker often attempts to create a +persistent method of reestablishing access. One way to accomplish this is for the attacker to +create an account. Auditing account creation actions provides logging that can be used for +forensic purposes. + +To address access requirements, many operating systems may be +integrated with enterprise level authentication/access/auditing mechanisms that meet or +exceed access control policy requirements. + + " + desc "check", "Verify the Ubuntu operating system generates audit records for all account creations, +modifications, disabling, and termination events that affect \"/etc/passwd\". + +Check the +currently configured audit rules with the following command: + +$ sudo auditctl -l | grep +passwd + +-w /etc/passwd -p wa -k usergroup_modification + +If the command does not return a +line that matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" +allows for specifying an arbitrary identifier, and the string after it does not need to match +the example output above. " + desc "fix", "Configure the Ubuntu operating system to generate audit records for all account creations, +modifications, disabling, and termination events that affect \"/etc/passwd\". + +Add or +update the following rule to \"/etc/audit/rules.d/stig.rules\": + +-w /etc/passwd -p wa -k +usergroup_modification + +To reload the rules file, issue the following command: + +$ sudo +augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000004-GPOS-00004 " + tag satisfies: ["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000463-GPOS-00207","SRG-OS-000476-GPOS-00221"] + tag gid: "V-238238 " + tag rid: "SV-238238r853416_rule " + tag stig_id: "UBTU-20-010100 " + tag fix_id: "F-41407r653888_fix " + tag cci: ["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"] + tag nist: ["AC-2 (4)","AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238239.rb b/controls/SV-238239.rb new file mode 100644 index 0000000..9c2cc43 --- /dev/null +++ b/controls/SV-238239.rb @@ -0,0 +1,56 @@ +# encoding: UTF-8 + +control "SV-238239" do + title "The Ubuntu operating system must generate audit records for all account creations, +modifications, disabling, and termination events that affect /etc/group. " + desc "Once an attacker establishes access to a system, the attacker often attempts to create a +persistent method of reestablishing access. One way to accomplish this is for the attacker to +create an account. Auditing account creation actions provides logging that can be used for +forensic purposes. + +To address access requirements, many operating systems may be +integrated with enterprise level authentication/access/auditing mechanisms that meet or +exceed access control policy requirements. + + " + desc "check", "Verify the Ubuntu operating system generates audit records for all account creations, +modifications, disabling, and termination events that affect \"/etc/group\". + +Check the +currently configured audit rules with the following command: + +$ sudo auditctl -l | grep +group + +-w /etc/group -p wa -k usergroup_modification + +If the command does not return a line +that matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" +allows for specifying an arbitrary identifier, and the string after it does not need to match +the example output above. " + desc "fix", "Configure the Ubuntu operating system to generate audit records for all account creations, +modifications, disabling, and termination events that affect \"/etc/group\". + +Add or +update the following rule to \"/etc/audit/rules.d/stig.rules\": + +-w /etc/group -p wa -k +usergroup_modification + +To reload the rules file, issue the following command: + +$ sudo +augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000004-GPOS-00004 " + tag satisfies: ["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"] + tag gid: "V-238239 " + tag rid: "SV-238239r853417_rule " + tag stig_id: "UBTU-20-010101 " + tag fix_id: "F-41408r653891_fix " + tag cci: ["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"] + tag nist: ["AC-2 (4)","AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238240.rb b/controls/SV-238240.rb new file mode 100644 index 0000000..9b26fa0 --- /dev/null +++ b/controls/SV-238240.rb @@ -0,0 +1,56 @@ +# encoding: UTF-8 + +control "SV-238240" do + title "The Ubuntu operating system must generate audit records for all account creations, +modifications, disabling, and termination events that affect /etc/shadow. " + desc "Once an attacker establishes access to a system, the attacker often attempts to create a +persistent method of reestablishing access. One way to accomplish this is for the attacker to +create an account. Auditing account creation actions provides logging that can be used for +forensic purposes. + +To address access requirements, many operating systems may be +integrated with enterprise level authentication/access/auditing mechanisms that meet or +exceed access control policy requirements. + + " + desc "check", "Verify the Ubuntu operating system generates audit records for all account creations, +modifications, disabling, and termination events that affect \"/etc/shadow\". + +Check the +currently configured audit rules with the following command: + +$ sudo auditctl -l | grep +shadow + +-w /etc/shadow -p wa -k usergroup_modification + +If the command does not return a +line that matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" +allows for specifying an arbitrary identifier, and the string after it does not need to match +the example output above. " + desc "fix", "Configure the Ubuntu operating system to generate audit records for all account creations, +modifications, disabling, and termination events that affect \"/etc/shadow\". + +Add or +update the following rule to \"/etc/audit/rules.d/stig.rules\": + +-w /etc/shadow -p wa -k +usergroup_modification + +To reload the rules file, issue the following command: + +$ sudo +augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000004-GPOS-00004 " + tag satisfies: ["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"] + tag gid: "V-238240 " + tag rid: "SV-238240r853418_rule " + tag stig_id: "UBTU-20-010102 " + tag fix_id: "F-41409r653894_fix " + tag cci: ["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"] + tag nist: ["AC-2 (4)","AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238241.rb b/controls/SV-238241.rb new file mode 100644 index 0000000..fce4b5d --- /dev/null +++ b/controls/SV-238241.rb @@ -0,0 +1,56 @@ +# encoding: UTF-8 + +control "SV-238241" do + title "The Ubuntu operating system must generate audit records for all account creations, +modifications, disabling, and termination events that affect /etc/gshadow. " + desc "Once an attacker establishes access to a system, the attacker often attempts to create a +persistent method of reestablishing access. One way to accomplish this is for the attacker to +create an account. Auditing account creation actions provides logging that can be used for +forensic purposes. + +To address access requirements, many operating systems may be +integrated with enterprise level authentication/access/auditing mechanisms that meet or +exceed access control policy requirements. + + " + desc "check", "Verify the Ubuntu operating system generates audit records for all account creations, +modifications, disabling, and termination events that affect \"/etc/gshadow\". + +Check the +currently configured audit rules with the following command: + +$ sudo auditctl -l | grep +gshadow + +-w /etc/gshadow -p wa -k usergroup_modification + +If the command does not return a +line that matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" +allows for specifying an arbitrary identifier, and the string after it does not need to match +the example output above. " + desc "fix", "Configure the Ubuntu operating system to generate audit records for all account creations, +modifications, disabling, and termination events that affect \"/etc/gshadow\". + +Add or +update the following rule to \"/etc/audit/rules.d/stig.rules\": + +-w /etc/gshadow -p wa -k +usergroup_modification + +To reload the rules file, issue the following command: + +$ sudo +augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000004-GPOS-00004 " + tag satisfies: ["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"] + tag gid: "V-238241 " + tag rid: "SV-238241r853419_rule " + tag stig_id: "UBTU-20-010103 " + tag fix_id: "F-41410r653897_fix " + tag cci: ["CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"] + tag nist: ["AU-12 c","AC-2 (4)"] +end \ No newline at end of file diff --git a/controls/SV-238242.rb b/controls/SV-238242.rb new file mode 100644 index 0000000..609a0ae --- /dev/null +++ b/controls/SV-238242.rb @@ -0,0 +1,56 @@ +# encoding: UTF-8 + +control "SV-238242" do + title "The Ubuntu operating system must generate audit records for all account creations, +modifications, disabling, and termination events that affect /etc/opasswd. " + desc "Once an attacker establishes access to a system, the attacker often attempts to create a +persistent method of reestablishing access. One way to accomplish this is for the attacker to +create an account. Auditing account creation actions provides logging that can be used for +forensic purposes. + +To address access requirements, many operating systems may be +integrated with enterprise level authentication/access/auditing mechanisms that meet or +exceed access control policy requirements. + + " + desc "check", "Verify the Ubuntu operating system generates audit records for all account creations, +modifications, disabling, and termination events that affect \"/etc/security/opasswd\". + + +Check the currently configured audit rules with the following command: + +$ sudo auditctl -l +| grep opasswd + +-w /etc/security/opasswd -p wa -k usergroup_modification + +If the command +does not return a line that matches the example or the line is commented out, this is a finding. + + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does +not need to match the example output above. " + desc "fix", "Configure the Ubuntu operating system to generate audit records for all account creations, +modifications, disabling, and termination events that affect \"/etc/security/opasswd\". + + +Add or update the following rule to \"/etc/audit/rules.d/stig.rules\": + +-w +/etc/security/opasswd -p wa -k usergroup_modification + +To reload the rules file, issue +the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000004-GPOS-00004 " + tag satisfies: ["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"] + tag gid: "V-238242 " + tag rid: "SV-238242r853420_rule " + tag stig_id: "UBTU-20-010104 " + tag fix_id: "F-41411r653900_fix " + tag cci: ["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"] + tag nist: ["AC-2 (4)","AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238243.rb b/controls/SV-238243.rb new file mode 100644 index 0000000..0a795a0 --- /dev/null +++ b/controls/SV-238243.rb @@ -0,0 +1,56 @@ +# encoding: UTF-8 + +control "SV-238243" do + title "The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit +processing failure. " + desc "It is critical for the appropriate personnel to be aware if a system is at risk of failing to +process audit logs as required. Without this notification, the security personnel may be +unaware of an impending failure of the audit capability, and system operation may be +adversely affected. + +Audit processing failures include software/hardware errors, +failures in the audit capturing mechanisms, and audit storage capacity being reached or +exceeded. + +This requirement applies to each audit data storage repository (i.e., distinct +information system component where audit records are stored), the centralized audit +storage capacity of organizations (i.e., all audit data storage repositories combined), or +both. " + desc "check", "Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing +failure with the following command: + +$ sudo grep '^action_mail_acct = root' +/etc/audit/auditd.conf + +action_mail_acct = <administrator_account> + +If the +value of the \"action_mail_acct\" keyword is not set to an accounts for security personnel, the +\"action_mail_acct\" keyword is missing, or the returned line is commented out, this is a +finding. " + desc "fix", "Configure \"auditd\" service to notify the SA and ISSO in the event of an audit processing +failure. + +Edit the following line in \"/etc/audit/auditd.conf\" to ensure administrators +are notified via email for those situations: + +action_mail_acct = +<administrator_account> + +Note: Change \"administrator_account\" to an account for +security personnel. + +Restart the \"auditd\" service so the changes take effect: + +$ sudo +systemctl restart auditd.service " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000046-GPOS-00022 " + tag gid: "V-238243 " + tag rid: "SV-238243r653904_rule " + tag stig_id: "UBTU-20-010117 " + tag fix_id: "F-41412r653903_fix " + tag cci: ["CCI-000139"] + tag nist: ["AU-5 a"] +end \ No newline at end of file diff --git a/controls/SV-238244.rb b/controls/SV-238244.rb new file mode 100644 index 0000000..da3f43d --- /dev/null +++ b/controls/SV-238244.rb @@ -0,0 +1,59 @@ +# encoding: UTF-8 + +control "SV-238244" do + title "The Ubuntu operating system must shut down by default upon audit failure (unless +availability is an overriding concern). " + desc "It is critical that when the operating system is at risk of failing to process audit logs as +required, it takes action to mitigate the failure. Audit processing failures include: +software/hardware errors; failures in the audit capturing mechanisms; and audit storage +capacity being reached or exceeded. Responses to audit failure depend upon the nature of the +failure mode. + +When availability is an overriding concern, other approved actions in +response to an audit failure are as follows: + +1) If the failure was caused by the lack of audit +record storage capacity, the operating system must continue generating audit records if +possible (automatically restarting the audit service if necessary), overwriting the +oldest audit records in a first-in-first-out manner. + +2) If audit records are sent to a +centralized collection server and communication with this server is lost or the server +fails, the operating system must queue audit records locally until communication is +restored or until the audit records are retrieved manually. Upon restoration of the +connection to the centralized collection server, action should be taken to synchronize the +local audit data with the collection server. " + desc "check", "Verify the Ubuntu operating system takes the appropriate action when the audit storage +volume is full with the following command: + +$ sudo grep '^disk_full_action' +/etc/audit/auditd.conf + +disk_full_action = HALT + +If the value of the +\"disk_full_action\" option is not \"SYSLOG\", \"SINGLE\", or \"HALT\", or the line is commented +out, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to shut down by default upon audit failure (unless +availability is an overriding concern). + +Add or update the following line (depending on +configuration, \"disk_full_action\" can be set to \"SYSLOG\", \"HALT\" or \"SINGLE\") in +\"/etc/audit/auditd.conf\" file: + +disk_full_action = HALT + +Restart the \"auditd\" service +so the changes take effect: + +$ sudo systemctl restart auditd.service " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000047-GPOS-00023 " + tag gid: "V-238244 " + tag rid: "SV-238244r653907_rule " + tag stig_id: "UBTU-20-010118 " + tag fix_id: "F-41413r653906_fix " + tag cci: ["CCI-000140"] + tag nist: ["AU-5 b"] +end \ No newline at end of file diff --git a/controls/SV-238245.rb b/controls/SV-238245.rb new file mode 100644 index 0000000..ba4c75c --- /dev/null +++ b/controls/SV-238245.rb @@ -0,0 +1,57 @@ +# encoding: UTF-8 + +control "SV-238245" do + title "The Ubuntu operating system must be configured so that audit log files are not read or +write-accessible by unauthorized users. " + desc "Unauthorized disclosure of audit records can reveal system and configuration data to +attackers, thus compromising its confidentiality. + +Audit information includes all +information (e.g., audit records, audit settings, audit reports) needed to successfully +audit operating system activity. + + " + desc "check", "Verify that the audit log files have a mode of \"0600\" or less permissive. + +Determine where the +audit logs are stored with the following command: + +$ sudo grep -iw log_file +/etc/audit/auditd.conf +log_file = /var/log/audit/audit.log + +Using the path of the +directory containing the audit logs, determine if the audit log files have a mode of \"0600\" or +less by using the following command: + +$ sudo stat -c \"%n %a\" /var/log/audit/* + +/var/log/audit/audit.log 600 + +If the audit log files have a mode more permissive than +\"0600\", this is a finding. " + desc "fix", "Configure the audit log files to have a mode of \"0600\" or less permissive. + +Determine where +the audit logs are stored with the following command: + +$ sudo grep -iw log_file +/etc/audit/auditd.conf +log_file = /var/log/audit/audit.log + +Using the path of the +directory containing the audit logs, configure the audit log files to have a mode of \"0600\" or +less permissive by using the following command: + +$ sudo chmod 0600 /var/log/audit/* " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000057-GPOS-00027 " + tag satisfies: ["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028"] + tag gid: "V-238245 " + tag rid: "SV-238245r653910_rule " + tag stig_id: "UBTU-20-010122 " + tag fix_id: "F-41414r653909_fix " + tag cci: ["CCI-000162","CCI-000163"] + tag nist: ["AU-9 a"] +end \ No newline at end of file diff --git a/controls/SV-238246.rb b/controls/SV-238246.rb new file mode 100644 index 0000000..60e7cc3 --- /dev/null +++ b/controls/SV-238246.rb @@ -0,0 +1,56 @@ +# encoding: UTF-8 + +control "SV-238246" do + title "The Ubuntu operating system must be configured to permit only authorized users ownership of +the audit log files. " + desc "Unauthorized disclosure of audit records can reveal system and configuration data to +attackers, thus compromising its confidentiality. + +Audit information includes all +information (e.g., audit records, audit settings, audit reports) needed to successfully +audit operating system activity. + + " + desc "check", "Verify the audit log files are owned by \"root\" account. + +Determine where the audit logs are +stored with the following command: + +$ sudo grep -iw log_file /etc/audit/auditd.conf + +log_file = /var/log/audit/audit.log + +Using the path of the directory containing the +audit logs, determine if the audit log files are owned by the \"root\" user by using the following +command: + +$ sudo stat -c \"%n %U\" /var/log/audit/* +/var/log/audit/audit.log root + +If the +audit log files are owned by an user other than \"root\", this is a finding. " + desc "fix", "Configure the audit log directory and its underlying files to be owned by \"root\" user. + + +Determine where the audit logs are stored with the following command: + +$ sudo grep -iw +log_file /etc/audit/auditd.conf +log_file = /var/log/audit/audit.log + +Using the path +of the directory containing the audit logs, configure the audit log files to be owned by \"root\" +user by using the following command: + +$ sudo chown root /var/log/audit/* " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000057-GPOS-00027 " + tag satisfies: ["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028","SRG-OS-000059-GPOS-00029"] + tag gid: "V-238246 " + tag rid: "SV-238246r653913_rule " + tag stig_id: "UBTU-20-010123 " + tag fix_id: "F-41415r653912_fix " + tag cci: ["CCI-000162"] + tag nist: ["AU-9 a"] +end \ No newline at end of file diff --git a/controls/SV-238247.rb b/controls/SV-238247.rb new file mode 100644 index 0000000..7d1f7a9 --- /dev/null +++ b/controls/SV-238247.rb @@ -0,0 +1,60 @@ +# encoding: UTF-8 + +control "SV-238247" do + title "The Ubuntu operating system must permit only authorized groups ownership of the audit log +files. " + desc "Unauthorized disclosure of audit records can reveal system and configuration data to +attackers, thus compromising its confidentiality. + +Audit information includes all +information (e.g., audit records, audit settings, audit reports) needed to successfully +audit operating system activity. + + " + desc "check", "Verify the group owner is set to own newly created audit logs in the audit configuration file +with the following command: +$ sudo grep -iw log_group /etc/audit/auditd.conf +log_group = +root + +If the value of the \"log_group\" parameter is other than \"root\", this is a +finding. + +Determine where the audit logs are stored with the following command: +$ sudo grep +-iw log_file /etc/audit/auditd.conf +log_file = /var/log/audit/audit.log + +Using the +path of the directory containing the audit logs, determine if the audit log files are owned by +the \"root\" group by using the following command: +$ sudo stat -c \"%n %G\" /var/log/audit/* + +/var/log/audit/audit.log root + +If the audit log files are owned by a group other than +\"root\", this is a finding. " + desc "fix", "Configure the audit log directory and its underlying files to be owned by \"root\" group. + +Set +the \"log_group\" parameter of the audit configuration file to the \"root\" value so when a new log +file is created, its group owner is properly set: +$ sudo sed -i '/^log_group/D' +/etc/audit/auditd.conf +$ sudo sed -i /^log_file/a'log_group = root' +/etc/audit/auditd.conf + +Last, signal the audit daemon to reload the configuration file to +update the group owners of existing files: +$ sudo systemctl kill auditd -s SIGHUP " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000057-GPOS-00027 " + tag satisfies: ["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028","SRG-OS-000059-GPOS-00029"] + tag gid: "V-238247 " + tag rid: "SV-238247r832947_rule " + tag stig_id: "UBTU-20-010124 " + tag fix_id: "F-41416r832946_fix " + tag cci: ["CCI-000162"] + tag nist: ["AU-9 a"] +end \ No newline at end of file diff --git a/controls/SV-238248.rb b/controls/SV-238248.rb new file mode 100644 index 0000000..7d75510 --- /dev/null +++ b/controls/SV-238248.rb @@ -0,0 +1,62 @@ +# encoding: UTF-8 + +control "SV-238248" do + title "The Ubuntu operating system must be configured so that the audit log directory is not +write-accessible by unauthorized users. " + desc "If audit information were to become compromised, then forensic analysis and discovery of the +true source of potentially malicious system activity is impossible to achieve. + +To ensure +the veracity of audit information, the operating system must protect audit information from +unauthorized deletion. This requirement can be achieved through multiple methods, which +will depend upon system architecture and design. + +Audit information includes all +information (e.g., audit records, audit settings, audit reports) needed to successfully +audit information system activity. " + desc "check", "Verify that the audit log directory has a mode of \"0750\" or less permissive. + +Determine where +the audit logs are stored with the following command: + +$ sudo grep -iw ^log_file +/etc/audit/auditd.conf +log_file = /var/log/audit/audit.log + +Using the path of the +directory containing the audit logs, determine if the directory has a mode of \"0750\" or less by +using the following command: + +$ sudo stat -c \"%n %a\" /var/log/audit /var/log/audit/* + +/var/log/audit 750 +/var/log/audit/audit.log 600 + +If the audit log directory has a mode +more permissive than \"0750\", this is a finding. " + desc "fix", "Configure the audit log directory to have a mode of \"0750\" or less permissive. + +Determine +where the audit logs are stored with the following command: + +$ sudo grep -iw ^log_file +/etc/audit/auditd.conf +log_file = /var/log/audit/audit.log + +Using the path of the +directory containing the audit logs, configure the audit log directory to have a mode of +\"0750\" or less permissive by + using the following command: + +$ sudo chmod -R g-w,o-rwx +/var/log/audit " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000059-GPOS-00029 " + tag gid: "V-238248 " + tag rid: "SV-238248r653919_rule " + tag stig_id: "UBTU-20-010128 " + tag fix_id: "F-41417r653918_fix " + tag cci: ["CCI-000164"] + tag nist: ["AU-9 a"] +end \ No newline at end of file diff --git a/controls/SV-238249.rb b/controls/SV-238249.rb new file mode 100644 index 0000000..747bfb8 --- /dev/null +++ b/controls/SV-238249.rb @@ -0,0 +1,56 @@ +# encoding: UTF-8 + +control "SV-238249" do + title "The Ubuntu operating system must be configured so that audit configuration files are not +write-accessible by unauthorized users. " + desc "Without the capability to restrict which roles and individuals can select which events are +audited, unauthorized personnel may be able to prevent the auditing of critical events. + + +Misconfigured audits may degrade the system's performance by overwhelming the audit log. +Misconfigured audits may also make it more difficult to establish, correlate, and +investigate the events relating to an incident or identify those responsible for one. " + desc "check", "Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and +\"/etc/audit/auditd.conf\" files have a mode of \"0640\" or less permissive by using the +following command: + +$ sudo ls -al /etc/audit/ /etc/audit/rules.d/ + +/etc/audit/: + + +-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf + +-rw-r----- 1 root root 9128 Dec 27 09:56 +audit.rules + +-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev + +-rw-r----- 1 root +root 127 Feb 7 2018 audit-stop.rules + +drwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d + + +/etc/audit/rules.d/: + +-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules + +If +\"/etc/audit/audit.rule\",\"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file +have a mode more permissive than \"0640\", this is a finding. " + desc "fix", "Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and +\"/etc/audit/auditd.conf\" files to have a mode of \"0640\" by using the following command: + +$ +sudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000063-GPOS-00032 " + tag gid: "V-238249 " + tag rid: "SV-238249r653922_rule " + tag stig_id: "UBTU-20-010133 " + tag fix_id: "F-41418r653921_fix " + tag cci: ["CCI-000171"] + tag nist: ["AU-12 b"] +end \ No newline at end of file diff --git a/controls/SV-238250.rb b/controls/SV-238250.rb new file mode 100644 index 0000000..0b0b77a --- /dev/null +++ b/controls/SV-238250.rb @@ -0,0 +1,66 @@ +# encoding: UTF-8 + +control "SV-238250" do + title "The Ubuntu operating system must permit only authorized accounts to own the audit +configuration files. " + desc "Without the capability to restrict which roles and individuals can select which events are +audited, unauthorized personnel may be able to prevent the auditing of critical events. + + +Misconfigured audits may degrade the system's performance by overwhelming the audit log. +Misconfigured audits may also make it more difficult to establish, correlate, and +investigate the events relating to an incident or identify those responsible for one. " + desc "check", "Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and +\"/etc/audit/auditd.conf\" files are owned by root account by using the following command: + + +$ sudo ls -al /etc/audit/ /etc/audit/rules.d/ + +/etc/audit/: + +drwxr-x--- 3 root root +4096 Nov 25 11:02 . + +drwxr-xr-x 130 root root 12288 Dec 19 13:42 .. + +-rw-r----- 1 root root 804 +Nov 25 11:01 auditd.conf + +-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules + +-rw-r----- +1 root root 9373 Dec 27 09:56 audit.rules.prev + +-rw-r----- 1 root root 127 Feb 7 2018 +audit-stop.rules + +drwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d + + +/etc/audit/rules.d/: + +drwxr-x--- 2 root root 4096 Dec 27 09:56 . + +drwxr-x--- 3 root root +4096 Nov 25 11:02 .. + +-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules + +If the +\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file +is owned by a user other than \"root\", this is a finding. " + desc "fix", "Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and +\"/etc/audit/auditd.conf\" files to be owned by root user by using the following command: + +$ +sudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000063-GPOS-00032 " + tag gid: "V-238250 " + tag rid: "SV-238250r653925_rule " + tag stig_id: "UBTU-20-010134 " + tag fix_id: "F-41419r653924_fix " + tag cci: ["CCI-000171"] + tag nist: ["AU-12 b"] +end \ No newline at end of file diff --git a/controls/SV-238251.rb b/controls/SV-238251.rb new file mode 100644 index 0000000..583de2b --- /dev/null +++ b/controls/SV-238251.rb @@ -0,0 +1,56 @@ +# encoding: UTF-8 + +control "SV-238251" do + title "The Ubuntu operating system must permit only authorized groups to own the audit +configuration files. " + desc "Without the capability to restrict which roles and individuals can select which events are +audited, unauthorized personnel may be able to prevent the auditing of critical events. + + +Misconfigured audits may degrade the system's performance by overwhelming the audit log. +Misconfigured audits may also make it more difficult to establish, correlate, and +investigate the events relating to an incident or identify those responsible for one. " + desc "check", "Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and +\"/etc/audit/auditd.conf\" files are owned by root group by using the following command: + +$ +sudo ls -al /etc/audit/ /etc/audit/rules.d/ + +/etc/audit/: + +-rw-r----- 1 root root 804 +Nov 25 11:01 auditd.conf + +-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules + +-rw-r----- +1 root root 9373 Dec 27 09:56 audit.rules.prev + +-rw-r----- 1 root root 127 Feb 7 2018 +audit-stop.rules + +drwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d + + +/etc/audit/rules.d/: + +-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules + +If the +\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file +is owned by a group other than \"root\", this is a finding. " + desc "fix", "Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and +\"/etc/audit/auditd.conf\" files to be owned by root group by using the following command: + +$ +sudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000063-GPOS-00032 " + tag gid: "V-238251 " + tag rid: "SV-238251r653928_rule " + tag stig_id: "UBTU-20-010135 " + tag fix_id: "F-41420r653927_fix " + tag cci: ["CCI-000171"] + tag nist: ["AU-12 b"] +end \ No newline at end of file diff --git a/controls/SV-238252.rb b/controls/SV-238252.rb new file mode 100644 index 0000000..9ce1073 --- /dev/null +++ b/controls/SV-238252.rb @@ -0,0 +1,52 @@ +# encoding: UTF-8 + +control "SV-238252" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the su command. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful +attempts to use the \"su\" command. + +Check the configured audit rules with the following +commands: + +$ sudo auditctl -l | grep '/bin/su' + +-a always,exit -F path=/bin/su -F perm=x -F +auid>=1000 -F auid!=4294967295 -k privileged-priv_change + +If the command does not +return lines that match the example or the lines are commented out, this is a finding. + +Note: +The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need +to match the example output above. " + desc "fix", "Configure the Ubuntu operating system to generate audit records when +successful/unsuccessful attempts to use the \"su\" command occur. + +Add or update the +following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F +path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change + + +To reload the rules file, issue the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238252 " + tag rid: "SV-238252r653931_rule " + tag stig_id: "UBTU-20-010136 " + tag fix_id: "F-41421r653930_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238253.rb b/controls/SV-238253.rb new file mode 100644 index 0000000..7dcabee --- /dev/null +++ b/controls/SV-238253.rb @@ -0,0 +1,52 @@ +# encoding: UTF-8 + +control "SV-238253" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the chfn command. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful +attempts to use the \"chfn\" command. + +Check the configured audit rules with the following +commands: + +$ sudo auditctl -l | grep '/usr/bin/chfn' + +-a always,exit -F +path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn + +If the +command does not return lines that match the example or the lines are commented out, this is a +finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string +after it does not need to match the example output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses +of the \"chfn\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/chfn -F perm=x +-F auid>=1000 -F auid!=4294967295 -k privileged-chfn + +To reload the rules file, issue +the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238253 " + tag rid: "SV-238253r653934_rule " + tag stig_id: "UBTU-20-010137 " + tag fix_id: "F-41422r653933_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238254.rb b/controls/SV-238254.rb new file mode 100644 index 0000000..57b8cc5 --- /dev/null +++ b/controls/SV-238254.rb @@ -0,0 +1,52 @@ +# encoding: UTF-8 + +control "SV-238254" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the mount command. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful +attempts to use the \"mount\" command. + +Check the configured audit rules with the following +commands: + +$ sudo auditctl -l | grep '/usr/bin/mount' + +-a always,exit -F +path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount + +If the +command does not return lines that match the example or the lines are commented out, this is a +finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string +after it does not need to match the example output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"mount\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/mount -F +perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount + +To reload the rules +file, issue the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238254 " + tag rid: "SV-238254r653937_rule " + tag stig_id: "UBTU-20-010138 " + tag fix_id: "F-41423r653936_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238255.rb b/controls/SV-238255.rb new file mode 100644 index 0000000..a384bf1 --- /dev/null +++ b/controls/SV-238255.rb @@ -0,0 +1,52 @@ +# encoding: UTF-8 + +control "SV-238255" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the umount command. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify if the Ubuntu operating system generates audit records upon +successful/unsuccessful attempts to use the \"umount\" command. + +Check the configured +audit rules with the following commands: + +$ sudo auditctl -l | grep '/usr/bin/umount' + +-a +always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k +privileged-umount + +If the command does not return lines that match the example or the lines +are commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary +identifier, and the string after it does not need to match the example output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"umount\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/umount -F +perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount + +To reload the rules +file, issue the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238255 " + tag rid: "SV-238255r653940_rule " + tag stig_id: "UBTU-20-010139 " + tag fix_id: "F-41424r653939_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238256.rb b/controls/SV-238256.rb new file mode 100644 index 0000000..9447822 --- /dev/null +++ b/controls/SV-238256.rb @@ -0,0 +1,52 @@ +# encoding: UTF-8 + +control "SV-238256" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the ssh-agent command. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +attempts to use the \"ssh-agent\" command. + +Check the configured audit rules with the +following commands: + +$ sudo auditctl -l | grep '/usr/bin/ssh-agent' + +-a always,exit -F +path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh + +If the +command does not return lines that match the example or the lines are commented out, this is a +finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string +after it does not need to match the example output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"ssh-agent\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/ssh-agent -F +perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh + +To reload the rules file, +issue the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238256 " + tag rid: "SV-238256r653943_rule " + tag stig_id: "UBTU-20-010140 " + tag fix_id: "F-41425r653942_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238257.rb b/controls/SV-238257.rb new file mode 100644 index 0000000..2daa8ab --- /dev/null +++ b/controls/SV-238257.rb @@ -0,0 +1,53 @@ +# encoding: UTF-8 + +control "SV-238257" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the ssh-keysign command. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +attempts to use the \"ssh-keysign\" command. + +Check the configured audit rules with the +following commands: + +$ sudo auditctl -l | grep ssh-keysign + +-a always,exit -F +path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k +privileged-ssh + +If the command does not return lines that match the example or the lines are +commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary +identifier, and the string after it does not need to match the example output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"ssh-keysign\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F +path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k +privileged-ssh + +To reload the rules file, issue the following command: + +$ sudo augenrules +--load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238257 " + tag rid: "SV-238257r653946_rule " + tag stig_id: "UBTU-20-010141 " + tag fix_id: "F-41426r653945_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238258.rb b/controls/SV-238258.rb new file mode 100644 index 0000000..c2e6d00 --- /dev/null +++ b/controls/SV-238258.rb @@ -0,0 +1,88 @@ +# encoding: UTF-8 + +control "SV-238258" do + title "The Ubuntu operating system must generate audit records for any use of the setxattr, +fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). + +The system call rules are loaded into a matching engine that intercepts each +syscall that all programs on the system makes. Therefore, it is very important to only use +syscall rules when absolutely necessary since these affect performance. The more rules, the +bigger the performance hit. The performance is helped, though, by combining syscalls into +one rule whenever possible. + + " + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +attempts to use the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", +\"fremovexattr\", and \"lremovexattr\" system calls. + +Check the currently configured audit +rules with the following command: + +$ sudo auditctl -l | grep xattr + +-a always,exit -F +arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F +auid>=1000 -F auid!=-1 -k perm_mod +-a always,exit -F arch=b32 -S +setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k +perm_mod +-a always,exit -F arch=b64 -S +setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F +auid>=1000 -F auid!=-1 -k perm_mod +-a always,exit -F arch=b64 -S +setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k +perm_mod + +If the command does not return audit rules for the \"setxattr\", \"fsetxattr\", +\"lsetxattr\", \"removexattr\", \"fremovexattr\" and \"lremovexattr\" syscalls or the lines are +commented out, this is a finding. + +Notes: +For 32-bit architectures, only the 32-bit +specific output lines from the commands are required. +The \"-k\" allows for specifying an +arbitrary identifier, and the string after it does not need to match the example output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and +\"lremovexattr\" system calls. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F arch=b32 -S +setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F +auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S +setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k +perm_mod +-a always,exit -F arch=b64 -S +setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F +auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S +setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k +perm_mod + +Note: For 32-bit architectures, only the 32-bit specific entries are required. + + +To reload the rules file, issue the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag satisfies: ["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"] + tag gid: "V-238258 " + tag rid: "SV-238258r808474_rule " + tag stig_id: "UBTU-20-010142 " + tag fix_id: "F-41427r808473_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238264.rb b/controls/SV-238264.rb new file mode 100644 index 0000000..9a6eaad --- /dev/null +++ b/controls/SV-238264.rb @@ -0,0 +1,73 @@ +# encoding: UTF-8 + +control "SV-238264" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the chown, fchown, fchownat, and lchown system calls. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). + +The system call rules are loaded into a matching engine that intercepts each +syscall that all programs on the system makes. Therefore, it is very important to only use +syscall rules when absolutely necessary since these affect performance. The more rules, the +bigger the performance hit. The performance is helped, though, by combining syscalls into +one rule whenever possible. + + " + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +attempts to use the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls. + +Check the +configured audit rules with the following commands: + +$ sudo auditctl -l | grep chown + +-a +always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k +perm_chng +-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 +-F auid!=-1 -k perm_chng + +If the command does not return audit rules for the \"chown\", +\"fchown\", \"fchownat\", and \"lchown\" syscalls or the lines are commented out, this is a +finding. + +Notes: +For 32-bit architectures, only the 32-bit specific output lines from the +commands are required. +The \"-k\" allows for specifying an arbitrary identifier, and the +string after it does not need to match the example output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls. + +Add or update the following +rules in the \"/etc/audit/rules.d/stig.rules\": + +-a always,exit -F arch=b32 -S +chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a +always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F +auid!=4294967295 -k perm_chng + +Note: For 32-bit architectures, only the 32-bit specific +entries are required. + +To reload the rules file, issue the following command: + +$ sudo +augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag satisfies: ["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"] + tag gid: "V-238264 " + tag rid: "SV-238264r808477_rule " + tag stig_id: "UBTU-20-010148 " + tag fix_id: "F-41433r808476_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238268.rb b/controls/SV-238268.rb new file mode 100644 index 0000000..385c2d7 --- /dev/null +++ b/controls/SV-238268.rb @@ -0,0 +1,72 @@ +# encoding: UTF-8 + +control "SV-238268" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the chmod, fchmod, and fchmodat system calls. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). + +The system call rules are loaded into a matching engine that intercepts each +syscall that all programs on the system makes. Therefore, it is very important to only use +syscall rules when absolutely necessary since these affect performance. The more rules, the +bigger the performance hit. The performance is helped, though, by combining syscalls into +one rule whenever possible. + + " + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +attempts to use the \"chmod\", \"fchmod\", and \"fchmodat\" system calls. + +Check the configured +audit rules with the following commands: + +$ sudo auditctl -l | grep chmod + +-a always,exit -F +arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng +-a +always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k +perm_chng + +If the command does not return audit rules for the \"chmod\", \"fchmod\" and +\"fchmodat\" syscalls or the lines are commented out, this is a finding. + +Notes: +For 32-bit +architectures, only the 32-bit specific output lines from the commands are required. +The +\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to +match the example output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"chmod\", \"fchmod\", and \"fchmodat\" system calls. + +Add or update the following rules in +the \"/etc/audit/rules.d/stig.rules\": + +-a always,exit -F arch=b32 -S +chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a always,exit +-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng + + +Notes: For 32-bit architectures, only the 32-bit specific entries are required. + +To +reload the rules file, issue the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag satisfies: ["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"] + tag gid: "V-238268 " + tag rid: "SV-238268r808480_rule " + tag stig_id: "UBTU-20-010152 " + tag fix_id: "F-41437r808479_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238271.rb b/controls/SV-238271.rb new file mode 100644 index 0000000..6a5b91d --- /dev/null +++ b/controls/SV-238271.rb @@ -0,0 +1,89 @@ +# encoding: UTF-8 + +control "SV-238271" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). + +The system call rules are loaded into a matching engine that intercepts each +syscall that all programs on the system makes. Therefore, it is very important to only use +syscall rules when absolutely necessary since these affect performance. The more rules, the +bigger the performance hit. The performance is helped, though, by combining syscalls into +one rule whenever possible. + + " + desc "check", "Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to +use the \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" +system calls. + +Check the configured audit rules with the following commands: + +$ sudo +auditctl -l | grep 'open\\|truncate\\|creat' + +-a always,exit -F arch=b32 -S +creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F +auid>=1000 -F auid!=-1 -k perm_access +-a always,exit -F arch=b32 -S +creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F +auid>=1000 -F auid!=-1 -k perm_access +-a always,exit -F arch=b64 -S +creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F +auid>=1000 -F auid!=-1 -k perm_access +-a always,exit -F arch=b64 -S +creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F +auid>=1000 -F auid!=-1 -k perm_access + +If the command does not return audit rules for the +\"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" syscalls or +the lines are commented out, this is a finding. + +Notes: +For 32-bit architectures, only the +32-bit specific output lines from the commands are required. +The \"-k\" allows for specifying +an arbitrary identifier, and the string after it does not need to match the example output +above. " + desc "fix", "Configure the audit system to generate an audit event for any unsuccessful use of the\"creat\", +\"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" system calls. + +Add +or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a +always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F +exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access +-a always,exit -F +arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES +-F auid>=1000 -F auid!=4294967295 -k perm_access +-a always,exit -F arch=b64 -S +creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F +auid>=1000 -F auid!=4294967295 -k perm_access +-a always,exit -F arch=b64 -S +creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F +auid>=1000 -F auid!=4294967295 -k perm_access + +Notes: For 32-bit architectures, only +the 32-bit specific entries are required. + +To reload the rules file, issue the following +command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag satisfies: ["SRG-OS-000064-GPOS-00033","SRG-OS-000474-GPOS-00219"] + tag gid: "V-238271 " + tag rid: "SV-238271r808483_rule " + tag stig_id: "UBTU-20-010155 " + tag fix_id: "F-41440r808482_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238277.rb b/controls/SV-238277.rb new file mode 100644 index 0000000..ecdd1d8 --- /dev/null +++ b/controls/SV-238277.rb @@ -0,0 +1,51 @@ +# encoding: UTF-8 + +control "SV-238277" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the sudo command. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"sudo\" +command. + +Check the configured audit rules with the following command: + +$ sudo auditctl -l +| grep /usr/bin/sudo + +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F +auid!=-1 -k priv_cmd + +If the command does not return a line that matches the example or the +line is commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary +identifier, and the string after it does not need to match the example output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"sudo\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/sudo -F perm=x +-F auid>=1000 -F auid!=4294967295 -k priv_cmd + +To reload the rules file, issue the +following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238277 " + tag rid: "SV-238277r654006_rule " + tag stig_id: "UBTU-20-010161 " + tag fix_id: "F-41446r654005_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238278.rb b/controls/SV-238278.rb new file mode 100644 index 0000000..5de3e60 --- /dev/null +++ b/controls/SV-238278.rb @@ -0,0 +1,52 @@ +# encoding: UTF-8 + +control "SV-238278" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the sudoedit command. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +attempts to use the \"sudoedit\" command. + +Check the configured audit rules with the +following commands: + +$ sudo auditctl -l | grep /usr/bin/sudoedit + +-a always,exit -F +path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd + +If the command +does not return a line that matches the example or the line is commented out, this is a finding. + + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does +not need to match the example output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"sudoedit\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\": + +-a always,exit -F path=/usr/bin/sudoedit -F perm=x +-F auid>=1000 -F auid!=4294967295 -k priv_cmd + +To reload the rules file, issue the +following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238278 " + tag rid: "SV-238278r654009_rule " + tag stig_id: "UBTU-20-010162 " + tag fix_id: "F-41447r654008_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238279.rb b/controls/SV-238279.rb new file mode 100644 index 0000000..c09f1f1 --- /dev/null +++ b/controls/SV-238279.rb @@ -0,0 +1,52 @@ +# encoding: UTF-8 + +control "SV-238279" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the chsh command. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +attempts to use the \"chsh\" command. + +Check the configured audit rules with the following +commands: + +$ sudo auditctl -l | grep chsh + +-a always,exit -F path=/usr/bin/chsh -F perm=x +-F auid>=1000 -F auid!=-1 -k priv_cmd + +If the command does not return a line that matches +the example or the line is commented out, this is a finding. + +Notes: The \"-k\" allows for +specifying an arbitrary identifier, and the string after it does not need to match the example +output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"chsh\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/chsh -F perm=x +-F auid>=1000 -F auid!=4294967295 -k priv_cmd + +To reload the rules file, issue the +following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238279 " + tag rid: "SV-238279r654012_rule " + tag stig_id: "UBTU-20-010163 " + tag fix_id: "F-41448r654011_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238280.rb b/controls/SV-238280.rb new file mode 100644 index 0000000..b056bf8 --- /dev/null +++ b/controls/SV-238280.rb @@ -0,0 +1,52 @@ +# encoding: UTF-8 + +control "SV-238280" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the newgrp command. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +attempts to use the \"newgrp\" command. + +Check the configured audit rules with the following +commands: + +$ sudo auditctl -l | grep newgrp + +-a always,exit -F path=/usr/bin/newgrp -F +perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd + +If the command does not return a line that +matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" allows for +specifying an arbitrary identifier, and the string after it does not need to match the example +output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"newgrp\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/newgrp -F +perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd + +To reload the rules file, issue +the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238280 " + tag rid: "SV-238280r654015_rule " + tag stig_id: "UBTU-20-010164 " + tag fix_id: "F-41449r654014_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238281.rb b/controls/SV-238281.rb new file mode 100644 index 0000000..f342e75 --- /dev/null +++ b/controls/SV-238281.rb @@ -0,0 +1,52 @@ +# encoding: UTF-8 + +control "SV-238281" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the chcon command. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +attempts to use the \"chcon\" command. + +Check the currently configured audit rules with the +following command: + +$ sudo auditctl -l | grep chcon + +-a always,exit -F +path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng + +If the command +does not return a line that matches the example or the line is commented out, this is a finding. + + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does +not need to match the example output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"chcon\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/chcon -F +perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng + +To reload the rules file, issue +the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238281 " + tag rid: "SV-238281r654018_rule " + tag stig_id: "UBTU-20-010165 " + tag fix_id: "F-41450r654017_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238282.rb b/controls/SV-238282.rb new file mode 100644 index 0000000..0d07b58 --- /dev/null +++ b/controls/SV-238282.rb @@ -0,0 +1,52 @@ +# encoding: UTF-8 + +control "SV-238282" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the apparmor_parser command. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +attempts to use the \"apparmor_parser\" command. + +Check the currently configured audit +rules with the following command: + +$ sudo auditctl -l | grep apparmor_parser + +-a +always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k +perm_chng + +If the command does not return a line that matches the example or the line is +commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary +identifier, and the string after it does not need to match the example output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"apparmor_parser\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/sbin/apparmor_parser +-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng + +To reload the rules file, +issue the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238282 " + tag rid: "SV-238282r654021_rule " + tag stig_id: "UBTU-20-010166 " + tag fix_id: "F-41451r654020_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238283.rb b/controls/SV-238283.rb new file mode 100644 index 0000000..079f2ed --- /dev/null +++ b/controls/SV-238283.rb @@ -0,0 +1,52 @@ +# encoding: UTF-8 + +control "SV-238283" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the setfacl command. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +attempts to use the \"setfacl\" command. + +Check the currently configured audit rules with the +following command: + +$ sudo auditctl -l | grep setfacl + +-a always,exit -F +path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng + +If the command +does not return a line that matches the example or the line is commented out, this is a finding. + + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does +not need to match the example output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"setfacl\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/setfacl -F +perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng + +To reload the rules file, issue +the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238283 " + tag rid: "SV-238283r654024_rule " + tag stig_id: "UBTU-20-010167 " + tag fix_id: "F-41452r654023_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238284.rb b/controls/SV-238284.rb new file mode 100644 index 0000000..6a8426d --- /dev/null +++ b/controls/SV-238284.rb @@ -0,0 +1,52 @@ +# encoding: UTF-8 + +control "SV-238284" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the chacl command. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +attempts to use the \"chacl\" command. + +Check the currently configured audit rules with the +following command: + +$ sudo audtctl -l | grep chacl + +-a always,exit -F path=/usr/bin/chacl +-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng + +If the command does not return a line +that matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" +allows for specifying an arbitrary identifier, and the string after it does not need to match +the example output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"chacl\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/chacl -F +perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng + +To reload the rules file, issue +the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238284 " + tag rid: "SV-238284r654027_rule " + tag stig_id: "UBTU-20-010168 " + tag fix_id: "F-41453r654026_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238285.rb b/controls/SV-238285.rb new file mode 100644 index 0000000..0e4d4a2 --- /dev/null +++ b/controls/SV-238285.rb @@ -0,0 +1,53 @@ +# encoding: UTF-8 + +control "SV-238285" do + title "The Ubuntu operating system must generate audit records for the use and modification of the +tallylog file. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). + + " + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +modifications to the \"tallylog\" file. + +Check the currently configured audit rules with the +following command: + +$ sudo auditctl -l | grep tallylog + +-w /var/log/tallylog -p wa -k +logins + +If the command does not return a line that matches the example or the line is commented +out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and +the string after it does not need to match the example output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful +modifications to the \"tallylog\" file. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-w /var/log/tallylog -p wa -k logins + +To reload +the rules file, issue the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag satisfies: ["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"] + tag gid: "V-238285 " + tag rid: "SV-238285r654030_rule " + tag stig_id: "UBTU-20-010169 " + tag fix_id: "F-41454r654029_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238286.rb b/controls/SV-238286.rb new file mode 100644 index 0000000..4886d09 --- /dev/null +++ b/controls/SV-238286.rb @@ -0,0 +1,53 @@ +# encoding: UTF-8 + +control "SV-238286" do + title "The Ubuntu operating system must generate audit records for the use and modification of +faillog file. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). + + " + desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +modifications to the \"faillog\" file. + +Check the currently configured audit rules with the +following command: + +$ sudo auditctl -l | grep faillog + +-w /var/log/faillog -p wa -k logins + + +If the command does not return a line that matches the example or the line is commented out, +this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the +string after it does not need to match the example output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful +modifications to the \"faillog\" file. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-w /var/log/faillog -p wa -k logins + +To reload +the rules file, issue the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag satisfies: ["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"] + tag gid: "V-238286 " + tag rid: "SV-238286r654033_rule " + tag stig_id: "UBTU-20-010170 " + tag fix_id: "F-41455r654032_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238287.rb b/controls/SV-238287.rb new file mode 100644 index 0000000..2bdccf3 --- /dev/null +++ b/controls/SV-238287.rb @@ -0,0 +1,53 @@ +# encoding: UTF-8 + +control "SV-238287" do + title "The Ubuntu operating system must generate audit records for the use and modification of the +lastlog file. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). + + " + desc "check", "Verify the Ubuntu operating system generates an audit record when successful/unsuccessful +modifications to the \"lastlog\" file occur. + +Check the currently configured audit rules +with the following command: + +$ sudo auditctl -l | grep lastlog + +-w /var/log/lastlog -p wa -k +logins + +If the command does not return a line that matches the example or the line is commented +out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and +the string after it does not need to match the example output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful +modifications to the \"lastlog\" file. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-w /var/log/lastlog -p wa -k logins + +To reload +the rules file, issue the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag satisfies: ["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"] + tag gid: "V-238287 " + tag rid: "SV-238287r654036_rule " + tag stig_id: "UBTU-20-010171 " + tag fix_id: "F-41456r654035_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238288.rb b/controls/SV-238288.rb new file mode 100644 index 0000000..cbf6190 --- /dev/null +++ b/controls/SV-238288.rb @@ -0,0 +1,52 @@ +# encoding: UTF-8 + +control "SV-238288" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the passwd command. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"passwd\" +command. + +Check the currently configured audit rules with the following command: + +$ sudo +auditctl -l | grep -w passwd + +-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F +auid>=1000 -F auid!=-1 -F key=privileged-passwd + +If the command does not return a line +that matches the example or the line is commented out, this is a finding. + +Note: The \"key\" +allows for specifying an arbitrary identifier, and the string after it does not need to match +the example output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses +of the \"passwd\" command. + +Add or update the following rule in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/passwd -F +perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd + +To reload the rules +file, issue the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238288 " + tag rid: "SV-238288r833012_rule " + tag stig_id: "UBTU-20-010172 " + tag fix_id: "F-41457r832949_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238289.rb b/controls/SV-238289.rb new file mode 100644 index 0000000..968b8f6 --- /dev/null +++ b/controls/SV-238289.rb @@ -0,0 +1,52 @@ +# encoding: UTF-8 + +control "SV-238289" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the unix_update command. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the +\"unix_update\" command. + +Check the currently configured audit rules with the following +command: + +$ sudo auditctl -l | grep -w unix_update + +-a always,exit -F +path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update + + +If the command does not return a line that matches the example or the line is commented out, +this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the +string after it does not need to match the example output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses +of the \"unix_update\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/sbin/unix_update -F +perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update + +To reload the +rules file, issue the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238289 " + tag rid: "SV-238289r654042_rule " + tag stig_id: "UBTU-20-010173 " + tag fix_id: "F-41458r654041_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238290.rb b/controls/SV-238290.rb new file mode 100644 index 0000000..facabde --- /dev/null +++ b/controls/SV-238290.rb @@ -0,0 +1,52 @@ +# encoding: UTF-8 + +control "SV-238290" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the gpasswd command. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"gpasswd\" +command. + +Check the currently configured audit rules with the following command: + +$ sudo +auditctl -l | grep -w gpasswd + +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F +auid>=1000 -F auid!=-1 -k privileged-gpasswd + +If the command does not return a line that +matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" allows for +specifying an arbitrary identifier, and the string after it does not need to match the example +output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses +of the \"gpasswd\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/gpasswd -F +perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd + +To reload the rules +file, issue the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238290 " + tag rid: "SV-238290r654045_rule " + tag stig_id: "UBTU-20-010174 " + tag fix_id: "F-41459r654044_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238291.rb b/controls/SV-238291.rb new file mode 100644 index 0000000..de4682e --- /dev/null +++ b/controls/SV-238291.rb @@ -0,0 +1,52 @@ +# encoding: UTF-8 + +control "SV-238291" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the chage command. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"chage\" +command. + +Check the currently configured audit rules with the following command: + +$ sudo +auditctl -l | grep -w chage + +-a always,exit -F path=/usr/bin/chage -F perm=x -F +auid>=1000 -F auid!=-1 -k privileged-chage + +If the command does not return a line that +matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" allows for +specifying an arbitrary identifier, and the string after it does not need to match the example +output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses +of the \"chage\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/chage -F +perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage + +To reload the rules +file, issue the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238291 " + tag rid: "SV-238291r654048_rule " + tag stig_id: "UBTU-20-010175 " + tag fix_id: "F-41460r654047_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238292.rb b/controls/SV-238292.rb new file mode 100644 index 0000000..a01f43f --- /dev/null +++ b/controls/SV-238292.rb @@ -0,0 +1,52 @@ +# encoding: UTF-8 + +control "SV-238292" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the usermod command. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"usermod\" +command. + +Check the currently configured audit rules with the following command: + +$ sudo +auditctl -l | grep -w usermod + +-a always,exit -F path=/usr/sbin/usermod -F perm=x -F +auid>=1000 -F auid!=-1 -k privileged-usermod + +If the command does not return a line that +matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" allows for +specifying an arbitrary identifier, and the string after it does not need to match the example +output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses +of the \"usermod\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/sbin/usermod -F +perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod + +To reload the rules +file, issue the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238292 " + tag rid: "SV-238292r654051_rule " + tag stig_id: "UBTU-20-010176 " + tag fix_id: "F-41461r654050_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238293.rb b/controls/SV-238293.rb new file mode 100644 index 0000000..3aafd59 --- /dev/null +++ b/controls/SV-238293.rb @@ -0,0 +1,52 @@ +# encoding: UTF-8 + +control "SV-238293" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the crontab command. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"crontab\" +command. + +Check the currently configured audit rules with the following command: + +$ sudo +auditctl -l | grep -w crontab + +-a always,exit -F path=/usr/bin/crontab -F perm=x -F +auid>=1000 -F auid!=-1 -k privileged-crontab + +If the command does not return a line that +matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" allows for +specifying an arbitrary identifier, and the string after it does not need to match the example +output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses +of the \"crontab\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/crontab -F +perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab + +To reload the rules +file, issue the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238293 " + tag rid: "SV-238293r654054_rule " + tag stig_id: "UBTU-20-010177 " + tag fix_id: "F-41462r654053_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238294.rb b/controls/SV-238294.rb new file mode 100644 index 0000000..25909fc --- /dev/null +++ b/controls/SV-238294.rb @@ -0,0 +1,54 @@ +# encoding: UTF-8 + +control "SV-238294" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the pam_timestamp_check command. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the +\"pam_timestamp_check\" command. + +Check the currently configured audit rules with the +following command: + +$ sudo auditctl -l | grep -w pam_timestamp_check + +-a always,exit -F +path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k +privileged-pam_timestamp_check + +If the command does not return a line that matches the +example or the line is commented out, this is a finding. + +Note: The \"-k\" allows for specifying +an arbitrary identifier, and the string after it does not need to match the example output +above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses +of the \"pam_timestamp_check\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F +path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k +privileged-pam_timestamp_check + +To reload the rules file, issue the following command: + + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag gid: "V-238294 " + tag rid: "SV-238294r654057_rule " + tag stig_id: "UBTU-20-010178 " + tag fix_id: "F-41463r654056_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238295.rb b/controls/SV-238295.rb new file mode 100644 index 0000000..3041b65 --- /dev/null +++ b/controls/SV-238295.rb @@ -0,0 +1,73 @@ +# encoding: UTF-8 + +control "SV-238295" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the init_module and finit_module syscalls. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). + +The system call rules are loaded into a matching engine that intercepts each +syscall that all programs on the system makes. Therefore, it is very important to only use +syscall rules when absolutely necessary since these affect performance. The more rules, the +bigger the performance hit. The performance is helped, though, by combining syscalls into +one rule whenever possible. + + " + desc "check", "Verify the Ubuntu operating system generates an audit record for any +successful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls. + + +Check the currently configured audit rules with the following command: + +$ sudo auditctl -l +| grep init_module + +-a always,exit -F arch=b32 -S init_module,finit_module -F +auid>=1000 -F auid!=-1 -k module_chng +-a always,exit -F arch=b64 -S +init_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng + +If the command +does not return audit rules for the \"init_module\" and \"finit_module\" syscalls or the lines +are commented out, this is a finding. + +Notes: +For 32-bit architectures, only the 32-bit +specific output lines from the commands are required. +The \"-k\" allows for specifying an +arbitrary identifier, and the string after it does not need to match the example output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"init_module\" and \"finit_module\" syscalls. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F arch=b32 -S +init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng +-a +always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F +auid!=4294967295 -k module_chng + +Notes: For 32-bit architectures, only the 32-bit +specific entries are required. + +To reload the rules file, issue the following command: + +$ +sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag satisfies: ["SRG-OS-000064-GPOS-00033","SRG-OS-000471-GPOS-00216"] + tag gid: "V-238295 " + tag rid: "SV-238295r808486_rule " + tag stig_id: "UBTU-20-010179 " + tag fix_id: "F-41464r808485_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238297.rb b/controls/SV-238297.rb new file mode 100644 index 0000000..221b22d --- /dev/null +++ b/controls/SV-238297.rb @@ -0,0 +1,65 @@ +# encoding: UTF-8 + +control "SV-238297" do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +of the delete_module syscall. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). + + " + desc "check", "Verify the Ubuntu operating system generates an audit record for any +successful/unsuccessful attempts to use the \"delete_module\" syscall. + +Check the +currently configured audit rules with the following command: + +$ sudo auditctl -l | grep -w +delete_module + +-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1 +-k module_chng +-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k +module_chng + +If the command does not return a line that matches the example or the line is +commented out, this is a finding. + +Notes: +- For 32-bit architectures, only the 32-bit +specific output lines from the commands are required. +- The \"-k\" allows for specifying an +arbitrary identifier, and the string after it does not need to match the example output above. " + desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"delete_module\" syscall. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F arch=b32 -S delete_module -F +auid>=1000 -F auid!=4294967295 -k module_chng +-a always,exit -F arch=b64 -S +delete_module -F auid>=1000 -F auid!=4294967295 -k module_chng + +Notes: For 32-bit +architectures, only the 32-bit specific entries are required. + +To reload the rules file, +issue the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000064-GPOS-00033 " + tag satisfies: ["SRG-OS-000477-GPOS-00222"] + tag gid: "V-238297 " + tag rid: "SV-238297r802387_rule " + tag stig_id: "UBTU-20-010181 " + tag fix_id: "F-41466r654065_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238298.rb b/controls/SV-238298.rb new file mode 100644 index 0000000..9381bff --- /dev/null +++ b/controls/SV-238298.rb @@ -0,0 +1,87 @@ +# encoding: UTF-8 + +control "SV-238298" do + title "The Ubuntu operating system must produce audit records and reports containing information +to establish when, where, what type, the source, and the outcome for all DoD-defined +auditable events and actions in near real time. " + desc "Without establishing the when, where, type, source, and outcome of events that occurred, it +would be difficult to establish, correlate, and investigate the events leading up to an +outage or attack. + +Without the capability to generate audit records, it would be difficult +to establish, correlate, and investigate the events relating to an incident or identify +those responsible for one. + +Audit record content that may be necessary to satisfy this +requirement includes, for example, time stamps, source and destination addresses, +user/process identifiers, event descriptions, success/fail indications, filenames +involved, and access control or flow control rules invoked. + +Reconstruction of harmful +events or forensic analysis is not possible if audit records do not contain enough +information. + +Successful incident response and auditing relies on timely, accurate +system information and analysis in order to allow the organization to identify and respond to +potential incidents in a proficient manner. If the operating system does not provide the +ability to centrally review the operating system logs, forensic analysis is negatively +impacted. + +Associating event types with detected events in the Ubuntu operating system +audit logs provides a means of investigating an attack; recognizing resource utilization or +capacity thresholds; or identifying an improperly configured operating system. + + " + desc "check", "Verify the audit service is configured to produce audit records with the following command: + + +$ dpkg -l | grep auditd + +If the \"auditd\" package is not installed, this is a finding. + + +Verify the audit service is enabled with the following command: + +$ systemctl is-enabled +auditd.service + +If the command above returns \"disabled\", this is a finding. + +Verify the +audit service is properly running and active on the system with the following command: + +$ +systemctl is-active auditd.service +active + +If the command above returns \"inactive\", +this is a finding. " + desc "fix", "Configure the audit service to produce audit records containing the information needed to +establish when (date and time) an event occurred. + +Install the audit service (if the audit +service is not already installed) with the following command: + +$ sudo apt-get install +auditd + +Enable the audit service with the following command: + +$ sudo systemctl enable +auditd.service + +To reload the rules file, issue the following command: + +$ sudo augenrules +--load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000122-GPOS-00063 " + tag satisfies: ["SRG-OS-000122-GPOS-00063","SRG-OS-000037-GPOS-00015","SRG-OS-000038-GPOS-00016","SRG-OS-000039-GPOS-00017","SRG-OS-000040-GPOS-00018","SRG-OS-000041-GPOS-00019","SRG-OS-000042-GPOS-00020","SRG-OS-000042-GPOS-00021","SRG-OS-000051-GPOS-00024","SRG-OS-000054-GPOS-00025","SRG-OS-000062-GPOS-00031","SRG-OS-000337-GPOS-00129","SRG-OS-000348-GPOS-00136","SRG-OS-000349-GPOS-00137","SRG-OS-000350-GPOS-00138","SRG-OS-000351-GPOS-00139","SRG-OS-000352-GPOS-00140","SRG-OS-000353-GPOS-00141","SRG-OS-000354-GPOS-00142","SRG-OS-000475-GPOS-00220"] + tag gid: "V-238298 " + tag rid: "SV-238298r853421_rule " + tag stig_id: "UBTU-20-010182 " + tag fix_id: "F-41467r654068_fix " + tag cci: ["CCI-000130","CCI-000131","CCI-000132","CCI-000133","CCI-000134","CCI-000135","CCI-000154","CCI-000158","CCI-000169","CCI-000172","CCI-001875","CCI-001876","CCI-001877","CCI-001878","CCI-001879","CCI-001880","CCI-001881","CCI-001882","CCI-001914"] + tag nist: ["AU-3 a","AU-3 b","AU-3 c","AU-3 d","AU-3 e","AU-3 (1)","AU-6 (4)","AU-7 (1)","AU-12 a","AU-12 c","AU-7 a","AU-7 b","AU-12 (3)"] +end \ No newline at end of file diff --git a/controls/SV-238299.rb b/controls/SV-238299.rb new file mode 100644 index 0000000..a76d7f2 --- /dev/null +++ b/controls/SV-238299.rb @@ -0,0 +1,41 @@ +# encoding: UTF-8 + +control "SV-238299" do + title "The Ubuntu operating system must initiate session audits at system start-up. " + desc "If auditing is enabled late in the start-up process, the actions of some start-up processes +may not be audited. Some audit systems also maintain state information only available if +auditing is enabled before a given process is created. " + desc "check", "Verify that the Ubuntu operating system enables auditing at system startup. + +Verify that +the auditing is enabled in grub with the following command: + +$ sudo grep \"^\\s*linux\" +/boot/grub/grub.cfg + +linux /boot/vmlinuz-5.4.0-31-generic +root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1 +linux +/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro +recovery nomodeset audit=1 + +If any linux lines do not contain \"audit=1\", this is a finding. " + desc "fix", "Configure the Ubuntu operating system to produce audit records at system startup. + +Edit the +\"/etc/default/grub\" file and add \"audit=1\" to the \"GRUB_CMDLINE_LINUX\" option. + +To +update the grub config file, run: + +$ sudo update-grub " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000254-GPOS-00095 " + tag gid: "V-238299 " + tag rid: "SV-238299r654072_rule " + tag stig_id: "UBTU-20-010198 " + tag fix_id: "F-41468r654071_fix " + tag cci: ["CCI-001464"] + tag nist: ["AU-14 (1)"] +end \ No newline at end of file diff --git a/controls/SV-238300.rb b/controls/SV-238300.rb new file mode 100644 index 0000000..33e77d0 --- /dev/null +++ b/controls/SV-238300.rb @@ -0,0 +1,57 @@ +# encoding: UTF-8 + +control "SV-238300" do + title "The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. " + desc "Protecting audit information also includes identifying and protecting the tools used to +view and manipulate log data. Therefore, protecting audit tools is necessary to prevent +unauthorized operation on audit information. + +Operating systems providing tools to +interface with audit information will leverage user permissions and roles identifying the +user accessing the tools and the corresponding rights the user enjoys in order to make access +decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, +vendor-provided and open source audit tools needed to successfully view and manipulate +audit information system activity and records. Audit tools include custom queries and +report generators. + + " + desc "check", "Verify the Ubuntu operating system configures the audit tools to have a file permission of +0755 or less to prevent unauthorized access by running the following command: + +$ stat -c \"%n +%a\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd +/sbin/audispd /sbin/augenrules + +/sbin/auditctl 755 +/sbin/aureport 755 + +/sbin/ausearch 755 +/sbin/autrace 755 +/sbin/auditd 755 +/sbin/audispd 755 + +/sbin/augenrules 755 + +If any of the audit tools have a mode more permissive than 0755, this +is a finding. " + desc "fix", "Configure the audit tools on the Ubuntu operating system to be protected from unauthorized +access by setting the correct permissive mode using the following command: + +$ sudo chmod +0755 [audit_tool] + +Replace \"[audit_tool]\" with the audit tool that does not have the +correct permissions. " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000256-GPOS-00097 " + tag satisfies: ["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"] + tag gid: "V-238300 " + tag rid: "SV-238300r654075_rule " + tag stig_id: "UBTU-20-010199 " + tag fix_id: "F-41469r654074_fix " + tag cci: ["CCI-001493","CCI-001494"] + tag nist: ["AU-9 a","AU-9"] +end \ No newline at end of file diff --git a/controls/SV-238301.rb b/controls/SV-238301.rb new file mode 100644 index 0000000..b7fd0fb --- /dev/null +++ b/controls/SV-238301.rb @@ -0,0 +1,57 @@ +# encoding: UTF-8 + +control "SV-238301" do + title "The Ubuntu operating system must configure audit tools to be owned by root. " + desc "Protecting audit information also includes identifying and protecting the tools used to +view and manipulate log data. Therefore, protecting audit tools is necessary to prevent +unauthorized operation on audit information. + +Operating systems providing tools to +interface with audit information will leverage user permissions and roles identifying the +user accessing the tools and the corresponding rights the user enjoys in order to make access +decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, +vendor-provided and open source audit tools needed to successfully view and manipulate +audit information system activity and records. Audit tools include custom queries and +report generators. + + " + desc "check", "Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent +any unauthorized access. + +Check the ownership by running the following command: + +$ stat -c +\"%n %U\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd +/sbin/audispd /sbin/augenrules + +/sbin/auditctl root +/sbin/aureport root + +/sbin/ausearch root +/sbin/autrace root +/sbin/auditd root +/sbin/audispd root + +/sbin/augenrules root + +If any of the audit tools are not owned by root, this is a finding. " + desc "fix", "Configure the audit tools on the Ubuntu operating system to be protected from unauthorized +access by setting the file owner as root using the following command: + +$ sudo chown root +[audit_tool] + +Replace \"[audit_tool]\" with each audit tool not owned by root. " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000256-GPOS-00097 " + tag satisfies: ["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"] + tag gid: "V-238301 " + tag rid: "SV-238301r654078_rule " + tag stig_id: "UBTU-20-010200 " + tag fix_id: "F-41470r654077_fix " + tag cci: ["CCI-001493","CCI-001494"] + tag nist: ["AU-9 a","AU-9"] +end \ No newline at end of file diff --git a/controls/SV-238302.rb b/controls/SV-238302.rb new file mode 100644 index 0000000..6b673e3 --- /dev/null +++ b/controls/SV-238302.rb @@ -0,0 +1,58 @@ +# encoding: UTF-8 + +control "SV-238302" do + title "The Ubuntu operating system must configure the audit tools to be group-owned by root. " + desc "Protecting audit information also includes identifying and protecting the tools used to +view and manipulate log data. Therefore, protecting audit tools is necessary to prevent +unauthorized operation on audit information. + +Operating systems providing tools to +interface with audit information will leverage user permissions and roles identifying the +user accessing the tools and the corresponding rights the user enjoys in order to make access +decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, +vendor-provided and open source audit tools needed to successfully view and manipulate +audit information system activity and records. Audit tools include custom queries and +report generators. + + " + desc "check", "Verify the Ubuntu operating system configures the audit tools to be group-owned by root to +prevent any unauthorized access. + +Check the group ownership by running the following +command: + +$ stat -c \"%n %G\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace +/sbin/auditd /sbin/audispd /sbin/augenrules + +/sbin/auditctl root +/sbin/aureport +root +/sbin/ausearch root +/sbin/autrace root +/sbin/auditd root +/sbin/audispd root + +/sbin/augenrules root + +If any of the audit tools are not group-owned by root, this is a +finding. " + desc "fix", "Configure the audit tools on the Ubuntu operating system to be protected from unauthorized +access by setting the file group as root using the following command: + +$ sudo chown :root +[audit_tool] + +Replace \"[audit_tool]\" with each audit tool not group-owned by root. " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000256-GPOS-00097 " + tag satisfies: ["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"] + tag gid: "V-238302 " + tag rid: "SV-238302r654081_rule " + tag stig_id: "UBTU-20-010201 " + tag fix_id: "F-41471r654080_fix " + tag cci: ["CCI-001493","CCI-001494"] + tag nist: ["AU-9 a","AU-9"] +end \ No newline at end of file diff --git a/controls/SV-238303.rb b/controls/SV-238303.rb new file mode 100644 index 0000000..a57951d --- /dev/null +++ b/controls/SV-238303.rb @@ -0,0 +1,73 @@ +# encoding: UTF-8 + +control "SV-238303" do + title "The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of +audit tools. " + desc "Protecting the integrity of the tools used for auditing purposes is a critical step toward +ensuring the integrity of audit information. Audit information includes all information +(e.g., audit records, audit settings, and audit reports) needed to successfully audit +information system activity. + +Audit tools include, but are not limited to, +vendor-provided and open source audit tools needed to successfully view and manipulate +audit information system activity and records. Audit tools include custom queries and +report generators. + +It is not uncommon for attackers to replace the audit tools or inject +code into the existing tools with the purpose of providing the capability to hide or erase +system activity from the audit logs. + +To address this risk, audit tools must be +cryptographically signed in order to provide the capability to identify when the audit tools +have been modified, manipulated, or replaced. An example is a checksum hash of the file or +files. " + desc "check", "Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use +cryptographic mechanisms to protect the integrity of audit tools. + +Check the selection +lines that AIDE is configured to add/check with the following command: + +$ egrep +'(\\/sbin\\/(audit|au))' /etc/aide/aide.conf + +/sbin/auditctl +p+i+n+u+g+s+b+acl+xattrs+sha512 +/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 + +/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 +/sbin/aureport +p+i+n+u+g+s+b+acl+xattrs+sha512 +/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 + +/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512 +/sbin/augenrules +p+i+n+u+g+s+b+acl+xattrs+sha512 + +If any of the seven audit tools do not have appropriate +selection lines, this is a finding. " + desc "fix", "Add or update the following selection lines for \"/etc/aide/aide.conf\" to protect the +integrity of the audit tools: + +# Audit Tools +/sbin/auditctl +p+i+n+u+g+s+b+acl+xattrs+sha512 +/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 + +/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 +/sbin/aureport +p+i+n+u+g+s+b+acl+xattrs+sha512 +/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 + +/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512 +/sbin/augenrules +p+i+n+u+g+s+b+acl+xattrs+sha512 " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000278-GPOS-00108 " + tag gid: "V-238303 " + tag rid: "SV-238303r654084_rule " + tag stig_id: "UBTU-20-010205 " + tag fix_id: "F-41472r654083_fix " + tag cci: ["CCI-001496"] + tag nist: ["AU-9 (3)"] +end \ No newline at end of file diff --git a/controls/SV-238304.rb b/controls/SV-238304.rb new file mode 100644 index 0000000..995af24 --- /dev/null +++ b/controls/SV-238304.rb @@ -0,0 +1,74 @@ +# encoding: UTF-8 + +control "SV-238304" do + title "The Ubuntu operating system must prevent all software from executing at higher privilege +levels than users executing the software and the audit system must be configured to audit the +execution of privileged functions. " + desc "In certain situations, software applications/programs need to execute with elevated +privileges to perform required functions. However, if the privileges required for +execution are at a higher level than the privileges assigned to organizational users +invoking such applications/programs, those users are indirectly provided with greater +privileges than assigned by the organizations. + +Some programs and processes are required +to operate at a higher privilege level and therefore should be excluded from the +organization-defined software list after review. + + " + desc "check", "Verify the Ubuntu operating system audits the execution of privilege functions by auditing +the \"execve\" system call. + +Check the currently configured audit rules with the following +command: + +$ sudo auditctl -l | grep execve + +-a always,exit -F arch=b64 -S execve -C +uid!=euid -F euid=0 -F key=execpriv +-a always,exit -F arch=b64 -S execve -C gid!=egid -F +egid=0 -F key=execpriv +-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F +key=execpriv +-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv + + +If the command does not return lines that match the example or the lines are commented out, +this is a finding. + +Notes: +- For 32-bit architectures, only the 32-bit specific output +lines from the commands are required. +- The \"-k\" allows for specifying an arbitrary +identifier, and the string after it does not need to match the example output above. " + desc "fix", "Configure the Ubuntu operating system to audit the execution of all privileged functions. + + +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a +always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv +-a always,exit -F +arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv +-a always,exit -F arch=b32 -S +execve -C uid!=euid -F euid=0 -F key=execpriv +-a always,exit -F arch=b32 -S execve -C +gid!=egid -F egid=0 -F key=execpriv + +Notes: For 32-bit architectures, only the 32-bit +specific entries are required. + +To reload the rules file, issue the following command: + +$ +sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000326-GPOS-00126 " + tag satisfies: ["SRG-OS-000326-GPOS-00126","SRG-OS-000327-GPOS-00127"] + tag gid: "V-238304 " + tag rid: "SV-238304r853422_rule " + tag stig_id: "UBTU-20-010211 " + tag fix_id: "F-41473r654086_fix " + tag cci: ["CCI-002233","CCI-002234"] + tag nist: ["AC-6 (8)","AC-6 (9)"] +end \ No newline at end of file diff --git a/controls/SV-238305.rb b/controls/SV-238305.rb new file mode 100644 index 0000000..320fe4a --- /dev/null +++ b/controls/SV-238305.rb @@ -0,0 +1,76 @@ +# encoding: UTF-8 + +control "SV-238305" do + title "The Ubuntu operating system must allocate audit record storage capacity to store at least one +weeks' worth of audit records, when audit records are not immediately sent to a central audit +record storage facility. " + desc "In order to ensure operating systems have a sufficient storage capacity in which to write the +audit logs, operating systems need to be able to allocate audit record storage capacity. + + +The task of allocating audit record storage capacity is usually performed during initial +installation of the operating system. " + desc "check", "Verify the Ubuntu operating system allocates audit record storage capacity to store at least +one week's worth of audit records when audit records are not immediately sent to a central +audit record storage facility. + +Determine which partition the audit records are being +written to with the following command: + +$ sudo grep ^log_file /etc/audit/auditd.conf + +log_file = /var/log/audit/audit.log + +Check the size of the partition that audit records +are written to (with the example being \"/var/log/audit/\") with the following command: + +$ +sudo df –h /var/log/audit/ +/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit + +If the audit +records are not written to a partition made specifically for audit records +(\"/var/log/audit\" is a separate partition), determine the amount of space being used by +other files in the partition with the following command: + +$ sudo du –sh [audit_partition] + +1.8G /var/log/audit + +Note: The partition size needed to capture a week's worth of audit +records is based on the activity level of the system and the total storage capacity available. +In normal circumstances, 10.0 GB of storage space for audit records will be sufficient. + +If +the audit record partition is not allocated for sufficient storage capacity, this is a +finding. " + desc "fix", "Allocate enough storage capacity for at least one week's worth of audit records when audit +records are not immediately sent to a central audit record storage facility. + +If audit +records are stored on a partition made specifically for audit records, use the \"parted\" +program to resize the partition with sufficient space to contain one week's worth of audit +records. + +If audit records are not stored on a partition made specifically for audit +records, a new partition with sufficient amount of space will need be to be created. + +Set the +auditd server to point to the mount point where the audit records must be located: + +$ sudo sed +-i -E 's@^(log_file\\s*=\\s*).*@\\1 <log mountpoint>/audit.log@' +/etc/audit/auditd.conf + +where <log mountpoint> is the aforementioned mount +point. " + impact 0.3 + tag severity: "low " + tag gtitle: "SRG-OS-000341-GPOS-00132 " + tag gid: "V-238305 " + tag rid: "SV-238305r853423_rule " + tag stig_id: "UBTU-20-010215 " + tag fix_id: "F-41474r654089_fix " + tag cci: ["CCI-001849"] + tag nist: ["AU-4"] +end \ No newline at end of file diff --git a/controls/SV-238306.rb b/controls/SV-238306.rb new file mode 100644 index 0000000..e7dc22c --- /dev/null +++ b/controls/SV-238306.rb @@ -0,0 +1,83 @@ +# encoding: UTF-8 + +control "SV-238306" do + title "The Ubuntu operating system audit event multiplexor must be configured to off-load audit +logs onto a different system or storage media from the system being audited. " + desc "Information stored in one location is vulnerable to accidental or incidental deletion or +alteration. + +Off-loading is a common process in information systems with limited audit +storage capacity. + + " + desc "check", "Verify the audit event multiplexor is configured to offload audit records to a different +system or storage media from the system being audited. + +Check that audisp-remote plugin is +installed: + +$ sudo dpkg -s audispd-plugins + +If status is \"not installed\", this is a +finding. + +Check that the records are being offloaded to a remote server with the following +command: + +$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf + +active = yes + +If +\"active\" is not set to \"yes\", or the line is commented out, this is a finding. + +Check that +audisp-remote plugin is configured to send audit logs to a different system: + +$ sudo grep -i +^remote_server /etc/audisp/audisp-remote.conf + +remote_server = 192.168.122.126 + +If +the \"remote_server\" parameter is not set, is set with a local address, or is set with an invalid +address, this is a finding. " + desc "fix", "Configure the audit event multiplexor to offload audit records to a different system or +storage media from the system being audited. + +Install the audisp-remote plugin: + +$ sudo +apt-get install audispd-plugins -y + +Set the audisp-remote plugin as active by editing the +\"/etc/audisp/plugins.d/au-remote.conf\" file: + +$ sudo sed -i -E +'s/active\\s*=\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf + +Set the +address of the remote machine by editing the \"/etc/audisp/audisp-remote.conf\" file: + +$ +sudo sed -i -E 's/(remote_server\\s*=).*/\\1 <remote addr>/' +/etc/audisp/audisp-remote.conf + +where <remote addr> must be substituted by the +address of the remote server receiving the audit log. + +Make the audit service reload its +configuration files: + +$ sudo systemctl restart auditd.service " + impact 0.3 + tag severity: "low " + tag gtitle: "SRG-OS-000342-GPOS-00133 " + tag satisfies: ["SRG-OS-000342-GPOS-00133","SRG-OS-000479-GPOS-00224"] + tag gid: "V-238306 " + tag rid: "SV-238306r853424_rule " + tag stig_id: "UBTU-20-010216 " + tag fix_id: "F-41475r654092_fix " + tag cci: ["CCI-001851"] + tag nist: ["AU-4 (1)"] +end \ No newline at end of file diff --git a/controls/SV-238307.rb b/controls/SV-238307.rb new file mode 100644 index 0000000..4f9fdc3 --- /dev/null +++ b/controls/SV-238307.rb @@ -0,0 +1,74 @@ +# encoding: UTF-8 + +control "SV-238307" do + title "The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when +allocated audit record storage volume reaches 75% of the repository maximum audit record +storage capacity. " + desc "If security personnel are not notified immediately when storage volume reaches 75% +utilization, they are unable to plan for audit record storage capacity expansion. " + desc "check", "Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated +audit record storage volume reaches 75% of the repository maximum audit record storage +capacity with the following command: + +$ sudo grep ^space_left_action +/etc/audit/auditd.conf + +space_left_action email + +$ sudo grep ^space_left +/etc/audit/auditd.conf + +space_left 250000 + +If the \"space_left\" parameter is missing, +set to blanks, or set to a value less than 25% of the space free in the allocated audit record +storage, this is a finding. + +If the \"space_left_action\" parameter is missing or set to +blanks, this is a finding. + +If the \"space_left_action\" is set to \"syslog\", the system logs +the event but does not generate a notification, and this is a finding. + +If the +\"space_left_action\" is set to \"exec\", the system executes a designated script. If this +script informs the SA of the event, this is not a finding. + +If the \"space_left_action\" is set +to \"email\", check the value of the \"action_mail_acct\" parameter with the following command: + + +$ sudo grep ^action_mail_acct /etc/audit/auditd.conf + +action_mail_acct +root@localhost + +The \"action_mail_acct\" parameter, if missing, defaults to \"root\". If the +\"action_mail_acct parameter\" is not set to the email address of the SA(s) and/or ISSO, this is +a finding. + +Note: If the email address of the System Administrator + is on a remote system, a +mail package must be available. " + desc "fix", "Edit \"/etc/audit/auditd.conf\" and set the \"space_left_action\" parameter to \"exec\" or +\"email\". + +If the \"space_left_action\" parameter is set to \"email\", set the +\"action_mail_acct\" parameter to an email address for the SA and ISSO. + +If the +\"space_left_action\" parameter is set to \"exec\", ensure the command being executed notifies +the SA and ISSO. + +Edit \"/etc/audit/auditd.conf\" and set the \"space_left\" parameter to be at +least 25% of the repository maximum audit record storage capacity. " + impact 0.3 + tag severity: "low " + tag gtitle: "SRG-OS-000343-GPOS-00134 " + tag gid: "V-238307 " + tag rid: "SV-238307r853425_rule " + tag stig_id: "UBTU-20-010217 " + tag fix_id: "F-41476r654095_fix " + tag cci: ["CCI-001855"] + tag nist: ["AU-5 (1)"] +end \ No newline at end of file diff --git a/controls/SV-238308.rb b/controls/SV-238308.rb new file mode 100644 index 0000000..8a2be11 --- /dev/null +++ b/controls/SV-238308.rb @@ -0,0 +1,33 @@ +# encoding: UTF-8 + +control "SV-238308" do + title "The Ubuntu operating system must record time stamps for audit records that can be mapped to +Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). " + desc "If time stamps are not consistently applied and there is no common time reference, it is +difficult to perform forensic analysis. + +Time stamps generated by the operating system +include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a +modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. " + desc "check", "To verify the time zone is configured to use UTC or GMT, run the following command. + +$ +timedatectl status | grep -i \"time zone\" +Timezone: UTC (UTC, +0000) + +If \"Timezone\" is not +set to UTC or GMT, this is a finding. " + desc "fix", "To configure the system time zone to use UTC or GMT, run the following command, replacing +[ZONE] with UTC or GMT: + +$ sudo timedatectl set-timezone [ZONE] " + impact 0.3 + tag severity: "low " + tag gtitle: "SRG-OS-000359-GPOS-00146 " + tag gid: "V-238308 " + tag rid: "SV-238308r853426_rule " + tag stig_id: "UBTU-20-010230 " + tag fix_id: "F-41477r654098_fix " + tag cci: ["CCI-001890"] + tag nist: ["AU-8 b"] +end \ No newline at end of file diff --git a/controls/SV-238309.rb b/controls/SV-238309.rb new file mode 100644 index 0000000..da1f2dc --- /dev/null +++ b/controls/SV-238309.rb @@ -0,0 +1,66 @@ +# encoding: UTF-8 + +control "SV-238309" do + title "The Ubuntu operating system must generate audit records for privileged activities, +nonlocal maintenance, diagnostic sessions and other system-level access. " + desc "If events associated with nonlocal administrative access or diagnostic sessions are not +logged, a major tool for assessing and investigating attacks would not be available. + +This +requirement addresses auditing-related issues associated with maintenance tools used +specifically for diagnostic and repair actions on organizational information systems. + + +Nonlocal maintenance and diagnostic activities are those activities conducted by +individuals communicating through a network, either an external network (e.g., the +internet) or an internal network. Local maintenance and diagnostic activities are those +activities carried out by individuals physically present at the information system or +information system component and not communicating across a network connection. + +This +requirement applies to hardware/software diagnostic test equipment or tools. This +requirement does not cover hardware/software components that may support information +system maintenance, yet are a part of the system, for example, the software implementing +\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of +an Ethernet switch. + + " + desc "check", "Verify the Ubuntu operating system audits activities performed during nonlocal +maintenance and diagnostic sessions. + +Check the currently configured audit rules with the +following command: + +$ sudo auditctl -l | grep sudo.log + +-w /var/log/sudo.log -p wa -k +maintenance + +If the command does not return lines that match the example or the lines are +commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary +identifier, and the string after it does not need to match the example output above. " + desc "fix", "Configure the Ubuntu operating system to audit activities performed during nonlocal +maintenance and diagnostic sessions. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-w /var/log/sudo.log -p wa -k maintenance + +To +reload the rules file, issue the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000392-GPOS-00172 " + tag satisfies: ["SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"] + tag gid: "V-238309 " + tag rid: "SV-238309r853427_rule " + tag stig_id: "UBTU-20-010244 " + tag fix_id: "F-41478r654101_fix " + tag cci: ["CCI-000172","CCI-002884"] + tag nist: ["AU-12 c","MA-4 (1) (a)"] +end \ No newline at end of file diff --git a/controls/SV-238310.rb b/controls/SV-238310.rb new file mode 100644 index 0000000..300a429 --- /dev/null +++ b/controls/SV-238310.rb @@ -0,0 +1,71 @@ +# encoding: UTF-8 + +control "SV-238310" do + title "The Ubuntu operating system must generate audit records for any successful/unsuccessful +use of unlink, unlinkat, rename, renameat, and rmdir system calls. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). + +The system call rules are loaded into a matching engine that intercepts each +syscall that all programs on the system makes. Therefore, it is very important to only use +syscall rules when absolutely necessary since these affect performance. The more rules, the +bigger the performance hit. The performance is helped, though, by combining syscalls into +one rule whenever possible. " + desc "check", "Verify the Ubuntu operating system generates audit records for any +successful/unsuccessful use of \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" +system calls. + +Check the currently configured audit rules with the following command: + +$ +sudo auditctl -l | grep 'unlink\\|rename\\|rmdir' + +-a always,exit -F arch=b64 -S +unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete +-a +always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F +auid!=-1 -F key=delete + +If the command does not return audit rules for the \"unlink\", +\"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" syscalls or the lines are commented out, this +is a finding. + +Notes: +For 32-bit architectures, only the 32-bit specific output lines from +the commands are required. +The \"key\" allows for specifying an arbitrary identifier, and the +string after it does not need to match the example output above. " + desc "fix", "Configure the audit system to generate audit events for any successful/unsuccessful use of +\"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" system calls. + +Add or update the +following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F +arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F +auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S +unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete + + +Notes: For 32-bit architectures, only the 32-bit specific entries are required. + +To +reload the rules file, issue the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000468-GPOS-00212 " + tag gid: "V-238310 " + tag rid: "SV-238310r832953_rule " + tag stig_id: "UBTU-20-010267 " + tag fix_id: "F-41479r832952_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238315.rb b/controls/SV-238315.rb new file mode 100644 index 0000000..086b4b8 --- /dev/null +++ b/controls/SV-238315.rb @@ -0,0 +1,49 @@ +# encoding: UTF-8 + +control "SV-238315" do + title "The Ubuntu operating system must generate audit records for the /var/log/wtmp file. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify the Ubuntu operating system generates audit records showing start and stop times for +user access to the system via the \"/var/log/wtmp\" file. + +Check the currently configured +audit rules with the following command: + +$ sudo auditctl -l | grep '/var/log/wtmp' + +-w +/var/log/wtmp -p wa -k logins + +If the command does not return a line matching the example or +the line is commented out, this is a finding. + +Note: The \"-k\" allows for specifying an +arbitrary identifier, and the string after it does not need to match the example output above. " + desc "fix", "Configure the audit system to generate audit events showing start and stop times for user +access via the \"/var/log/wtmp\" file. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-w /var/log/wtmp -p wa -k logins + +To reload the +rules file, issue the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000472-GPOS-00217 " + tag gid: "V-238315 " + tag rid: "SV-238315r654120_rule " + tag stig_id: "UBTU-20-010277 " + tag fix_id: "F-41484r654119_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238316.rb b/controls/SV-238316.rb new file mode 100644 index 0000000..0301ca0 --- /dev/null +++ b/controls/SV-238316.rb @@ -0,0 +1,49 @@ +# encoding: UTF-8 + +control "SV-238316" do + title "The Ubuntu operating system must generate audit records for the /var/run/wtmp file. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify the Ubuntu operating system generates audit records showing start and stop times for +user access to the system via the \"/var/run/wtmp\" file. + +Check the currently configured +audit rules with the following command: + +$ sudo auditctl -l | grep '/var/run/wtmp' + +-w +/var/run/wtmp -p wa -k logins + +If the command does not return a line matching the example or +the line is commented out, this is a finding. + +Note: The \"-k\" allows for specifying an +arbitrary identifier, and the string after it does not need to match the example output above. " + desc "fix", "Configure the audit system to generate audit events showing start and stop times for user +access via the \"/var/run/wtmp\" file. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-w /var/run/wtmp -p wa -k logins + +To reload the +rules file, issue the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000472-GPOS-00217 " + tag gid: "V-238316 " + tag rid: "SV-238316r654123_rule " + tag stig_id: "UBTU-20-010278 " + tag fix_id: "F-41485r654122_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238317.rb b/controls/SV-238317.rb new file mode 100644 index 0000000..dedeb7a --- /dev/null +++ b/controls/SV-238317.rb @@ -0,0 +1,49 @@ +# encoding: UTF-8 + +control "SV-238317" do + title "The Ubuntu operating system must generate audit records for the /var/log/btmp file. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify the Ubuntu operating system generates audit records showing start and stop times for +user access to the system via the \"/var/log/btmp\" file. + +Check the currently configured +audit rules with the following command: + +$ sudo auditctl -l | grep '/var/log/btmp' + +-w +/var/log/btmp -p wa -k logins + +If the command does not return a line matching the example or +the line is commented out, this is a finding. + +Note: The \"-k\" allows for specifying an +arbitrary identifier, and the string after it does not need to match the example output above. " + desc "fix", "Configure the audit system to generate audit events showing start and stop times for user +access via the \"/var/log/btmp file\". + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-w /var/log/btmp -p wa -k logins + +To reload the +rules file, issue the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000472-GPOS-00217 " + tag gid: "V-238317 " + tag rid: "SV-238317r654126_rule " + tag stig_id: "UBTU-20-010279 " + tag fix_id: "F-41486r654125_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238318.rb b/controls/SV-238318.rb new file mode 100644 index 0000000..338f9ef --- /dev/null +++ b/controls/SV-238318.rb @@ -0,0 +1,47 @@ +# encoding: UTF-8 + +control "SV-238318" do + title "The Ubuntu operating system must generate audit records when successful/unsuccessful +attempts to use modprobe command. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify if the Ubuntu operating system is configured to audit the execution of the module +management program \"modprobe\" by running the following command: + +$ sudo auditctl -l | grep +\"/sbin/modprobe\" + +-w /sbin/modprobe -p x -k modules + +If the command does not return a line, +or the line is commented out, this is a finding. + +Note: The \"-k\" allows for specifying an +arbitrary identifier, and the string after it does not need to match the example output above. " + desc "fix", "Configure the Ubuntu operating system to audit the execution of the module management +program \"modprobe\". + +Add or update the following rule in the +\"/etc/audit/rules.d/stig.rules\" file: + +-w /sbin/modprobe -p x -k modules + +To reload the +rules file, issue the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000477-GPOS-00222 " + tag gid: "V-238318 " + tag rid: "SV-238318r654129_rule " + tag stig_id: "UBTU-20-010296 " + tag fix_id: "F-41487r654128_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238319.rb b/controls/SV-238319.rb new file mode 100644 index 0000000..7fe5767 --- /dev/null +++ b/controls/SV-238319.rb @@ -0,0 +1,50 @@ +# encoding: UTF-8 + +control "SV-238319" do + title "The Ubuntu operating system must generate audit records when successful/unsuccessful +attempts to use the kmod command. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify the Ubuntu operating system is configured to audit the execution of the module +management program \"kmod\". + +Check the currently configured audit rules with the following +command: + +$ sudo auditctl -l | grep kmod + +-w /bin/kmod -p x -k module + +If the command does not +return a line, or the line is commented out, this is a finding. + +Note: The \"-k\" allows for +specifying an arbitrary identifier, and the string after it does not need to match the example +output above. " + desc "fix", "Configure the Ubuntu operating system to audit the execution of the module management +program \"kmod\". + +Add or update the following rule in the \"/etc/audit/rules.d/stig.rules\" +file: + +-w /bin/kmod -p x -k modules + +To reload the rules file, issue the following command: + + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000477-GPOS-00222 " + tag gid: "V-238319 " + tag rid: "SV-238319r654132_rule " + tag stig_id: "UBTU-20-010297 " + tag fix_id: "F-41488r654131_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238320.rb b/controls/SV-238320.rb new file mode 100644 index 0000000..8319c37 --- /dev/null +++ b/controls/SV-238320.rb @@ -0,0 +1,50 @@ +# encoding: UTF-8 + +control "SV-238320" do + title "The Ubuntu operating system must generate audit records when successful/unsuccessful +attempts to use the fdisk command. " + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy +filter). " + desc "check", "Verify the Ubuntu operating system is configured to audit the execution of the partition +management program \"fdisk\". + +Check the currently configured audit rules with the +following command: + +$ sudo auditctl -l | grep fdisk + +-w /usr/sbin/fdisk -p x -k fdisk + +If +the command does not return a line, or the line is commented out, this is a finding. + +Note: The +\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to +match the example output above. " + desc "fix", "Configure the Ubuntu operating system to audit the execution of the partition management +program \"fdisk\". + +Add or update the following rule in the +\"/etc/audit/rules.d/stig.rules\" file: + +-w /usr/sbin/fdisk -p x -k fdisk + +To reload the +rules file, issue the following command: + +$ sudo augenrules --load " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000477-GPOS-00222 " + tag gid: "V-238320 " + tag rid: "SV-238320r832956_rule " + tag stig_id: "UBTU-20-010298 " + tag fix_id: "F-41489r832955_fix " + tag cci: ["CCI-000172"] + tag nist: ["AU-12 c"] +end \ No newline at end of file diff --git a/controls/SV-238321.rb b/controls/SV-238321.rb new file mode 100644 index 0000000..2d2fa85 --- /dev/null +++ b/controls/SV-238321.rb @@ -0,0 +1,42 @@ +# encoding: UTF-8 + +control "SV-238321" do + title "The Ubuntu operating system must have a crontab script running weekly to offload audit events +of standalone systems. " + desc "Information stored in one location is vulnerable to accidental or incidental deletion or +alteration. + +Offloading is a common process in information systems with limited audit +storage capacity. " + desc "check", "Note: If this is an interconnected system, this is Not Applicable. + +Verify there is a script +that offloads audit data and that script runs weekly. + +Check if there is a script in the +\"/etc/cron.weekly\" directory that offloads audit data: + +# sudo ls /etc/cron.weekly + + +audit-offload + +Check if the script inside the file does offloading of audit logs to +external media. + +If the script file does not exist or does not offload audit logs, this is a +finding. " + desc "fix", "Create a script that offloads audit logs to external media and runs weekly. + +The script must +be located in the \"/etc/cron.weekly\" directory. " + impact 0.3 + tag severity: "low " + tag gtitle: "SRG-OS-000479-GPOS-00224 " + tag gid: "V-238321 " + tag rid: "SV-238321r853428_rule " + tag stig_id: "UBTU-20-010300 " + tag fix_id: "F-41490r654137_fix " + tag cci: ["CCI-001851"] + tag nist: ["AU-4 (1)"] +end \ No newline at end of file diff --git a/controls/SV-238323.rb b/controls/SV-238323.rb new file mode 100644 index 0000000..f88df71 --- /dev/null +++ b/controls/SV-238323.rb @@ -0,0 +1,44 @@ +# encoding: UTF-8 + +control "SV-238323" do + title "The Ubuntu operating system must limit the number of concurrent sessions to ten for all +accounts and/or account types. " + desc "The Ubuntu operating system management includes the ability to control the number of users +and user sessions that utilize an operating system. Limiting the number of allowed users and +sessions per user is helpful in reducing the risks related to DoS attacks. + +This requirement +addresses concurrent sessions for information system accounts and does not address +concurrent sessions by single users via multiple system accounts. The maximum number of +concurrent sessions should be defined based upon mission needs and the operational +environment for each system. " + desc "check", "Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all +accounts and/or account types by running the following command: + +$ grep maxlogins +/etc/security/limits.conf | grep -v '^* hard maxlogins' + +The result must contain the +following line: + +* hard maxlogins 10 + +If the \"maxlogins\" item is missing or the value is not +set to 10 or less or is commented out, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all +accounts and/or account types. + +Add the following line to the top of the +\"/etc/security/limits.conf\" file: + +* hard maxlogins 10 " + impact 0.3 + tag severity: "low " + tag gtitle: "SRG-OS-000027-GPOS-00008 " + tag gid: "V-238323 " + tag rid: "SV-238323r654144_rule " + tag stig_id: "UBTU-20-010400 " + tag fix_id: "F-41492r654143_fix " + tag cci: ["CCI-000054"] + tag nist: ["AC-10"] +end \ No newline at end of file diff --git a/controls/SV-238324.rb b/controls/SV-238324.rb new file mode 100644 index 0000000..67cd876 --- /dev/null +++ b/controls/SV-238324.rb @@ -0,0 +1,54 @@ +# encoding: UTF-8 + +control "SV-238324" do + title "The Ubuntu operating system must monitor remote access methods. " + desc "Remote access services, such as those providing remote access to network devices and +information systems, which lack automated monitoring capabilities, increase risk and make +remote user access management difficult at best. + +Remote access is access to DoD nonpublic +information systems by an authorized user (or an information system) communicating through +an external, non-organization-controlled network. Remote access methods include, for +example, dial-up, broadband, and wireless. + +Automated monitoring of remote access +sessions allows organizations to detect cyber attacks and also ensure ongoing compliance +with remote access policies by auditing connection activities of remote access +capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system +components (e.g., servers, workstations, notebook computers, smartphones, and tablets). " + desc "check", "Verify that the Ubuntu operating system monitors all remote access methods. + +Check that +remote access methods are being logged by running the following command: + +$ grep -E -r +'^(auth,authpriv\\.\\*|daemon\\.\\*)' /etc/rsyslog.* + +/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log + +/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages + +If \"auth.*\", +\"authpriv.*\", or \"daemon.*\" are not configured to be logged in at least one of the config +files, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to monitor all remote access methods by adding the +following lines to the \"/etc/rsyslog.d/50-default.conf\" file: + +auth.*,authpriv.* +/var/log/secure +daemon.* /var/log/messages + +For the changes to take effect, restart the +\"rsyslog\" service with the following command: + +$ sudo systemctl restart rsyslog.service " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000032-GPOS-00013 " + tag gid: "V-238324 " + tag rid: "SV-238324r832959_rule " + tag stig_id: "UBTU-20-010403 " + tag fix_id: "F-41493r832958_fix " + tag cci: ["CCI-000067"] + tag nist: ["AC-17 (1)"] +end \ No newline at end of file diff --git a/controls/SV-238325.rb b/controls/SV-238325.rb new file mode 100644 index 0000000..3f590bb --- /dev/null +++ b/controls/SV-238325.rb @@ -0,0 +1,38 @@ +# encoding: UTF-8 + +control "SV-238325" do + title "The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved +cryptographic hashing algorithm. " + desc "Passwords need to be protected at all times, and encryption is the standard method for +protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear +text) and easily compromised. " + desc "check", "Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS +140-2 approved cryptographic hashing algorithm. + +Check the hashing algorithm that is +being used to hash passwords with the following command: + +$ cat /etc/login.defs | grep -i +encrypt_method + +ENCRYPT_METHOD SHA512 + +If \"ENCRYPT_METHOD\" does not equal SHA512 or +greater, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to encrypt all stored passwords. + +Edit/modify the +following line in the \"/etc/login.defs\" file and set \"ENCRYPT_METHOD\" to SHA512: + + +ENCRYPT_METHOD SHA512 " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000120-GPOS-00061 " + tag gid: "V-238325 " + tag rid: "SV-238325r654150_rule " + tag stig_id: "UBTU-20-010404 " + tag fix_id: "F-41494r654149_fix " + tag cci: ["CCI-000803"] + tag nist: ["IA-7"] +end \ No newline at end of file diff --git a/controls/SV-238326.rb b/controls/SV-238326.rb new file mode 100644 index 0000000..7026f7c --- /dev/null +++ b/controls/SV-238326.rb @@ -0,0 +1,27 @@ +# encoding: UTF-8 + +control "SV-238326" do + title "The Ubuntu operating system must not have the telnet package installed. " + desc "Passwords need to be protected at all times, and encryption is the standard method for +protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear +text) and easily compromised. " + desc "check", "Verify that the telnet package is not installed on the Ubuntu operating system by running the +following command: + +$ dpkg -l | grep telnetd + +If the package is installed, this is a finding. " + desc "fix", "Remove the telnet package from the Ubuntu operating system by running the following command: + + +$ sudo apt-get remove telnetd " + impact 0.7 + tag severity: "high " + tag gtitle: "SRG-OS-000074-GPOS-00042 " + tag gid: "V-238326 " + tag rid: "SV-238326r654153_rule " + tag stig_id: "UBTU-20-010405 " + tag fix_id: "F-41495r654152_fix " + tag cci: ["CCI-000197"] + tag nist: ["IA-5 (1) (c)"] +end \ No newline at end of file diff --git a/controls/SV-238327.rb b/controls/SV-238327.rb new file mode 100644 index 0000000..bc2a7fa --- /dev/null +++ b/controls/SV-238327.rb @@ -0,0 +1,39 @@ +# encoding: UTF-8 + +control "SV-238327" do + title "The Ubuntu operating system must not have the rsh-server package installed. " + desc "It is detrimental for operating systems to provide, or install by default, functionality +exceeding requirements or mission objectives. These unnecessary capabilities or services +are often overlooked and therefore may remain unsecured. They increase the risk to the +platform by providing additional attack vectors. + +Operating systems are capable of +providing a wide variety of functions and services. Some of the functions and services, +provided by default, may not be necessary to support essential organizational operations +(e.g., key missions, functions). + +Examples of non-essential capabilities include, but +are not limited to, games, software packages, tools, and demonstration software, not +related to requirements or providing a wide array of functionality not required for every +mission, but which cannot be disabled. " + desc "check", "Verify the rsh-server package is installed with the following command: + +$ dpkg -l | grep +rsh-server + +If the rsh-server package is installed, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to disable non-essential capabilities by removing +the rsh-server package from the system with the following command: + +$ sudo apt-get remove +rsh-server " + impact 0.7 + tag severity: "high " + tag gtitle: "SRG-OS-000095-GPOS-00049 " + tag gid: "V-238327 " + tag rid: "SV-238327r654156_rule " + tag stig_id: "UBTU-20-010406 " + tag fix_id: "F-41496r654155_fix " + tag cci: ["CCI-000381"] + tag nist: ["CM-7 a"] +end \ No newline at end of file diff --git a/controls/SV-238328.rb b/controls/SV-238328.rb new file mode 100644 index 0000000..f055a62 --- /dev/null +++ b/controls/SV-238328.rb @@ -0,0 +1,82 @@ +# encoding: UTF-8 + +control "SV-238328" do + title "The Ubuntu operating system must be configured to prohibit or restrict the use of functions, +ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability +assessments. " + desc "In order to prevent unauthorized connection of devices, unauthorized transfer of +information, or unauthorized tunneling (i.e., embedding of data types within data types), +organizations must disable or restrict unused or unnecessary physical and logical +ports/protocols on information systems. + +Operating systems are capable of providing a +wide variety of functions and services. Some of the functions and services provided by +default may not be necessary to support essential organizational operations. +Additionally, it is sometimes convenient to provide multiple services from a single +component (e.g., VPN and IPS); however, doing so increases risk over limiting the services +provided by any one component. + +To support the requirements and principles of least +functionality, the operating system must support the organizational requirements, +providing only essential capabilities and limiting the use of ports, protocols, and/or +services to only those required, authorized, and approved to conduct official business or to +address authorized quality of life issues. " + desc "check", "Verify the Ubuntu operating system is configured to prohibit or restrict the use of +functions, ports, protocols, and/or services as defined in the Ports, Protocols, and +Services Management (PPSM) Category Assignments List (CAL) and vulnerability +assessments. + +Check the firewall configuration for any unnecessary or prohibited +functions, ports, protocols, and/or services by running the following command: + +$ sudo ufw +show raw + +Chain OUTPUT (policy ACCEPT) +target prot opt sources destination +Chain INPUT +(policy ACCEPT 1 packets, 40 bytes) + pkts bytes target prot opt in out source destination + + +Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source +destination + +Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in +out source destination + +Ask the System Administrator + for the site or program PPSM CLSA. +Verify the services allowed by the firewall match the PPSM CLSA. + +If there are any additional +ports, protocols, or services that are not included in the PPSM CLSA, this is a finding. + +If +there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a +finding. " + desc "fix", "Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command: + + +$ sudo ufw allow <direction> <port/protocol/service> + +where the +direction is \"in\" or \"out\" and the port is the one corresponding to the protocol or service +allowed. + +To deny access to ports, protocols, or services, use: + +$ sudo ufw deny +<direction> <port/protocol/service> " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000096-GPOS-00050 " + tag gid: "V-238328 " + tag rid: "SV-238328r654159_rule " + tag stig_id: "UBTU-20-010407 " + tag fix_id: "F-41497r654158_fix " + tag cci: ["CCI-000382"] + tag nist: ["CM-7 b"] +end \ No newline at end of file diff --git a/controls/SV-238329.rb b/controls/SV-238329.rb new file mode 100644 index 0000000..83b38d2 --- /dev/null +++ b/controls/SV-238329.rb @@ -0,0 +1,51 @@ +# encoding: UTF-8 + +control "SV-238329" do + title "The Ubuntu operating system must prevent direct login into the root account. " + desc "To assure individual accountability and prevent unauthorized access, organizational +users must be individually identified and authenticated. + +A group authenticator is a +generic account used by multiple individuals. Use of a group authenticator alone does not +uniquely identify individual users. Examples of the group authenticator is the UNIX OS +\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\" +account. + +For example, the UNIX and Windows operating systems offer a 'switch user' +capability allowing users to authenticate with their individual credentials and, when +needed, 'switch' to the administrator role. This method provides for unique individual +authentication prior to using a group authenticator. + +Users (and any processes acting on +behalf of users) need to be uniquely identified and authenticated for all accesses other than +those accesses explicitly identified and documented by the organization, which outlines +specific user actions that can be performed on the operating system without identification +or authentication. + +Requiring individuals to be authenticated with an individual +authenticator prior to using a group authenticator allows for traceability of actions, as +well as adding an additional level of protection of the actions that can be taken with group +account knowledge. " + desc "check", "Verify the Ubuntu operating system prevents direct logins to the root account with the +following command: + +$ sudo passwd -S root + +root L 04/23/2020 0 99999 7 -1 + +If the output does +not contain \"L\" in the second field to indicate the account is locked, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to prevent direct logins to the root account by +performing the following operations: + +$ sudo passwd -l root " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000109-GPOS-00056 " + tag gid: "V-238329 " + tag rid: "SV-238329r654162_rule " + tag stig_id: "UBTU-20-010408 " + tag fix_id: "F-41498r654161_fix " + tag cci: ["CCI-000770"] + tag nist: ["IA-2 (5)"] +end \ No newline at end of file diff --git a/controls/SV-238330.rb b/controls/SV-238330.rb new file mode 100644 index 0000000..49ac987 --- /dev/null +++ b/controls/SV-238330.rb @@ -0,0 +1,46 @@ +# encoding: UTF-8 + +control "SV-238330" do + title "The Ubuntu operating system must disable account identifiers (individuals, groups, roles, +and devices) after 35 days of inactivity. " + desc "Inactive identifiers pose a risk to systems and applications because attackers may exploit +an inactive identifier and potentially obtain undetected access to the system. Owners of +inactive accounts will not notice if unauthorized access to their user account has been +obtained. + +Operating systems need to track periods of inactivity and disable application +identifiers after 35 days of inactivity. " + desc "check", "Verify the account identifiers (individuals, groups, roles, and devices) are disabled +after 35 days of inactivity with the following command: + +Check the account inactivity value +by performing the following command: + +$ sudo grep INACTIVE /etc/default/useradd + + +INACTIVE=35 + +If \"INACTIVE\" is not set to a value 0<[VALUE]<=35, or is commented out, +this is a finding. " + desc "fix", "Configure the Ubuntu operating system to disable account identifiers after 35 days of +inactivity after the password expiration. + +Run the following command to change the +configuration for adduser: + +$ sudo useradd -D -f 35 + +Note: DoD recommendation is 35 days, +but a lower value is acceptable. The value \"0\" will disable the account immediately after the +password expires. " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000118-GPOS-00060 " + tag gid: "V-238330 " + tag rid: "SV-238330r654165_rule " + tag stig_id: "UBTU-20-010409 " + tag fix_id: "F-41499r654164_fix " + tag cci: ["CCI-000795"] + tag nist: ["IA-4 e"] +end \ No newline at end of file diff --git a/controls/SV-238331.rb b/controls/SV-238331.rb new file mode 100644 index 0000000..a401752 --- /dev/null +++ b/controls/SV-238331.rb @@ -0,0 +1,47 @@ +# encoding: UTF-8 + +control "SV-238331" do + title "The Ubuntu operating system must automatically remove or disable emergency accounts after +72 hours. " + desc "Emergency accounts are different from infrequently used accounts (i.e., local logon +accounts used by the organization's System Administrator +s when network or normal +logon/access is not available). Infrequently used accounts are not subject to automatic +termination dates. Emergency accounts are accounts created in response to crisis +situations, usually for use by maintenance personnel. The automatic expiration or +disabling time period may be extended as needed until the crisis is resolved; however, it must +not be extended indefinitely. A permanent account should be established for privileged +users who need long-term maintenance accounts. " + desc "check", "Verify the Ubuntu operating system expires emergency accounts within 72 hours or less. + +For +every emergency account, run the following command to obtain its account expiration +information: + +$ sudo chage -l account_name | grep expires + +Password expires : Aug 07, 2019 + +Account expires : Aug 07, 2019 + +Verify each of these accounts has an expiration date set +within 72 hours of account creation. + +If any of these accounts do not expire within 72 hours of +that account's creation, this is a finding. " + desc "fix", "If an emergency account must be created, configure the system to terminate the account after a +72-hour time period with the following command to set an expiration date on it. Substitute +\"account_name\" with the account to be created. + +$ sudo chage -E $(date -d \"+3 days\" +%F) +account_name " + impact 0.3 + tag severity: "low " + tag gtitle: "SRG-OS-000123-GPOS-00064 " + tag gid: "V-238331 " + tag rid: "SV-238331r654168_rule " + tag stig_id: "UBTU-20-010410 " + tag fix_id: "F-41500r654167_fix " + tag cci: ["CCI-001682"] + tag nist: ["AC-2 (2)"] +end \ No newline at end of file diff --git a/controls/SV-238332.rb b/controls/SV-238332.rb new file mode 100644 index 0000000..8ddec53 --- /dev/null +++ b/controls/SV-238332.rb @@ -0,0 +1,49 @@ +# encoding: UTF-8 + +control "SV-238332" do + title "The Ubuntu operating system must set a sticky bit on all public directories to prevent +unauthorized and unintended information transferred via shared system resources. " + desc "Preventing unauthorized information transfers mitigates the risk of information, +including encrypted representations of information, produced by the actions of prior +users/roles (or the actions of processes acting on behalf of prior users/roles) from being +available to any current users/roles (or current processes) that obtain access to shared +system resources (e.g., registers, main memory, hard disks) after those resources have been +released back to information systems. The control of information in shared resources is also +commonly referred to as object reuse and residual information protection. + +This +requirement generally applies to the design of an information technology product, but it can +also apply to the configuration of particular information system components that are, or +use, such products. This can be verified by acceptance/validation processes in DoD or other +government agencies. + +There may be shared resources with configurable protections (e.g., +files in storage) that may be assessed on specific information system components. " + desc "check", "Verify that all public (world-writeable) directories have the public sticky bit set. + +Find +world-writable directories that lack the sticky bit by running the following command: + +$ +sudo find / -type d -perm -002 ! -perm -1000 + +If any world-writable directories are found +missing the sticky bit, this is a finding. " + desc "fix", "Configure all public directories to have the sticky bit set to prevent unauthorized and +unintended information transferred via shared system resources. + +Set the sticky bit on all +public directories using the following command, replacing \"[Public Directory]\" with any +directory path missing the sticky bit: + +$ sudo chmod +t [Public Directory] " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000138-GPOS-00069 " + tag gid: "V-238332 " + tag rid: "SV-238332r654171_rule " + tag stig_id: "UBTU-20-010411 " + tag fix_id: "F-41501r654170_fix " + tag cci: ["CCI-001090"] + tag nist: ["SC-4"] +end \ No newline at end of file diff --git a/controls/SV-238333.rb b/controls/SV-238333.rb new file mode 100644 index 0000000..f5b4dc0 --- /dev/null +++ b/controls/SV-238333.rb @@ -0,0 +1,51 @@ +# encoding: UTF-8 + +control "SV-238333" do + title "The Ubuntu operating system must be configured to use TCP syncookies. " + desc "DoS is a condition when a resource is not available for legitimate users. When this occurs, the +organization either cannot accomplish its mission or must operate at degraded capacity. + + +Managing excess capacity ensures that sufficient capacity is available to counter +flooding attacks. Employing increased capacity and service redundancy may reduce the +susceptibility to some DoS attacks. Managing excess capacity may include, for example, +establishing selected usage priorities, quotas, or partitioning. " + desc "check", "Verify the Ubuntu operating system is configured to use TCP syncookies. + +Check the value of +TCP syncookies with the following command: + +$ sysctl net.ipv4.tcp_syncookies + +net.ipv4.tcp_syncookies = 1 + +If the value is not \"1\", this is a finding. + +Check the saved +value of TCP syncookies with the following command: + +$ sudo grep -i +net.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#' + +If no output is +returned, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to use TCP syncookies by running the following +command: + +$ sudo sysctl -w net.ipv4.tcp_syncookies=1 + +If \"1\" is not the system's default +value, add or update the following line in \"/etc/sysctl.conf\": + +net.ipv4.tcp_syncookies += 1 " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000142-GPOS-00071 " + tag gid: "V-238333 " + tag rid: "SV-238333r654174_rule " + tag stig_id: "UBTU-20-010412 " + tag fix_id: "F-41502r654173_fix " + tag cci: ["CCI-001095"] + tag nist: ["SC-5 (2)"] +end \ No newline at end of file diff --git a/controls/SV-238334.rb b/controls/SV-238334.rb new file mode 100644 index 0000000..f8b3d0a --- /dev/null +++ b/controls/SV-238334.rb @@ -0,0 +1,38 @@ +# encoding: UTF-8 + +control "SV-238334" do + title "The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state +if system initialization fails, shutdown fails or aborts fail. " + desc "Kernel core dumps may contain the full contents of system memory at the time of the crash. +Kernel core dumps may consume a considerable amount of disk space and may result in denial of +service by exhausting the available space on the target file system partition. " + desc "check", "Verify that kernel core dumps are disabled unless needed. + +Check if \"kdump\" service is +active with the following command: + +$ systemctl is-active kdump.service +inactive + +If +the \"kdump\" service is active, ask the SA if the use of the service is required and documented +with the ISSO. + +If the service is active and is not documented, this is a finding. " + desc "fix", "If kernel core dumps are not required, disable the \"kdump\" service with the following +command: + +$ sudo systemctl disable kdump.service + +If kernel core dumps are required, +document the need with the ISSO. " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000184-GPOS-00078 " + tag gid: "V-238334 " + tag rid: "SV-238334r654177_rule " + tag stig_id: "UBTU-20-010413 " + tag fix_id: "F-41503r654176_fix " + tag cci: ["CCI-001190"] + tag nist: ["SC-24"] +end \ No newline at end of file diff --git a/controls/SV-238335.rb b/controls/SV-238335.rb new file mode 100644 index 0000000..74fd40a --- /dev/null +++ b/controls/SV-238335.rb @@ -0,0 +1,70 @@ +# encoding: UTF-8 + +control "SV-238335" do + title "Ubuntu operating systems handling data requiring \"data at rest\" protections must employ +cryptographic mechanisms to prevent unauthorized disclosure and modification of the +information at rest. " + desc "Information at rest refers to the state of information when it is located on a secondary +storage device (e.g., disk drive and tape drive, when used for backups) within an operating +system. + +This requirement addresses protection of user-generated data, as well as +operating system-specific configuration data. Organizations may choose to employ +different mechanisms to achieve confidentiality and integrity protections, as +appropriate, in accordance with the security category and/or classification of the +information. " + desc "check", "If there is a documented and approved reason for not having data-at-rest encryption, this +requirement is Not Applicable. + +Verify the Ubuntu operating system prevents unauthorized +disclosure or modification of all information requiring at-rest protection by using disk +encryption. + +Determine the partition layout for the system with the following command: + + +#sudo fdisk -l +(..) +Disk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors +Units: +sectors of 1 * 512 = 512 bytes +Sector size (logical/physical): 512 bytes / 512 bytes +I/O size +(minimum/optimal): 512 bytes / 512 bytes +Disklabel type: gpt +Disk identifier: +83298450-B4E3-4B19-A9E4-7DF147A5FEFB + +Device Start End Sectors Size Type +/dev/vda1 +2048 4095 2048 1M BIOS boot +/dev/vda2 4096 2101247 2097152 1G Linux filesystem +/dev/vda3 +2101248 31455231 29353984 14G Linux filesystem +(...) + +Verify the system partitions are +all encrypted with the following command: + +# more /etc/crypttab + +Every persistent disk +partition present must have an entry in the file. + +If any partitions other than the boot +partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. " + desc "fix", "To encrypt an entire partition, dedicate a partition for encryption in the partition layout. + + +Note: Encrypting a partition in an already-installed system is more difficult because it +will need to be resized and existing partitions changed. " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000185-GPOS-00079 " + tag gid: "V-238335 " + tag rid: "SV-238335r654180_rule " + tag stig_id: "UBTU-20-010414 " + tag fix_id: "F-41504r654179_fix " + tag cci: ["CCI-001199"] + tag nist: ["SC-28"] +end \ No newline at end of file diff --git a/controls/SV-238336.rb b/controls/SV-238336.rb new file mode 100644 index 0000000..65d23ef --- /dev/null +++ b/controls/SV-238336.rb @@ -0,0 +1,48 @@ +# encoding: UTF-8 + +control "SV-238336" do + title "The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention +(ENSLTP). " + desc "Without the use of automated mechanisms to scan for security flaws on a continuous and/or +periodic basis, the operating system or other system components may remain vulnerable to the +exploits presented by undetected software flaws. + +To support this requirement, the +operating system may have an integrated solution incorporating continuous scanning using +HBSS and periodic scanning using other tools, as specified in the requirement. " + desc "check", "The Ubuntu operating system is not compliant with this requirement; hence, it is a finding. +However, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and +running. + +Check that the \"mcafeetp\" package has been installed: + +# dpkg -l | grep mcafeetp + + +If the \"mcafeetp\" package is not installed, this finding will remain as a CAT II. + +Check that +the daemon is running: + +# /opt/McAfee/ens/tp/init/mfetpd-control.sh status + +If the +daemon is not running, this finding will remain as a CAT II. " + desc "fix", "The Ubuntu operating system is not compliant with this requirement; however, the severity +level can be mitigated to a CAT III if the ENSLTP module is installed and running. + +Configure +the Ubuntu operating system to use ENSLTP. + +Install the \"mcafeetp\" package via the ePO +server. " + impact 0.3 + tag severity: "low " + tag gtitle: "SRG-OS-000191-GPOS-00080 " + tag gid: "V-238336 " + tag rid: "SV-238336r858538_rule " + tag stig_id: "UBTU-20-010415 " + tag fix_id: "F-41505r858537_fix " + tag cci: ["CCI-001233"] + tag nist: ["SI-2 (2)"] +end \ No newline at end of file diff --git a/controls/SV-238337.rb b/controls/SV-238337.rb new file mode 100644 index 0000000..2a8a0d4 --- /dev/null +++ b/controls/SV-238337.rb @@ -0,0 +1,41 @@ +# encoding: UTF-8 + +control "SV-238337" do + title "The Ubuntu operating system must generate error messages that provide information +necessary for corrective actions without revealing information that could be exploited by +adversaries. " + desc "Any operating system providing too much information in error messages risks compromising +the data and security of the structure, and content of error messages needs to be carefully +considered by the organization. + +Organizations carefully consider the +structure/content of error messages. The extent to which information systems are able to +identify and handle error conditions is guided by organizational policy and operational +requirements. Information that could be exploited by adversaries includes, for example, +erroneous logon attempts with passwords entered by mistake as the username, +mission/business information that can be derived from (if not stated explicitly by) +information recorded, and personal information, such as account numbers, social security +numbers, and credit card numbers. " + desc "check", "Verify the Ubuntu operating system has all system log files under the \"/var/log\" directory +with a permission set to 640 or less permissive by using the following command: + +$ sudo find +/var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\; + +If the command displays any output, +this is a finding. " + desc "fix", "Configure the Ubuntu operating system to set permissions of all log files under the +\"/var/log\" directory to 640 or more restricted by using the following command: + +$ sudo find +/var/log -perm /137 -type f -exec chmod 640 '{}' \\; " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000205-GPOS-00083 " + tag gid: "V-238337 " + tag rid: "SV-238337r654186_rule " + tag stig_id: "UBTU-20-010416 " + tag fix_id: "F-41506r654185_fix " + tag cci: ["CCI-001312"] + tag nist: ["SI-11 a"] +end \ No newline at end of file diff --git a/controls/SV-238338.rb b/controls/SV-238338.rb new file mode 100644 index 0000000..a9d6233 --- /dev/null +++ b/controls/SV-238338.rb @@ -0,0 +1,37 @@ +# encoding: UTF-8 + +control "SV-238338" do + title "The Ubuntu operating system must configure the /var/log directory to be group-owned by +syslog. " + desc "Only authorized personnel should be aware of errors and the details of the errors. Error +messages are an indicator of an organization's operational state or can identify the +operating system or platform. Additionally, Personally Identifiable Information (PII) +and operational information must not be revealed through error messages to unauthorized +personnel or their designated representatives. + +The structure and content of error +messages must be carefully considered by the organization and development team. The extent +to which the information system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. " + desc "check", "Verify that the Ubuntu operating system configures the \"/var/log\" directory to be +group-owned by syslog with the following command: + +$ sudo stat -c \"%n %G\" /var/log +/var/log +syslog + +If the \"/var/log\" directory is not group-owned by syslog, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to have syslog group-own the \"/var/log\" directory by +running the following command: + +$ sudo chgrp syslog /var/log " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000206-GPOS-00084 " + tag gid: "V-238338 " + tag rid: "SV-238338r654189_rule " + tag stig_id: "UBTU-20-010417 " + tag fix_id: "F-41507r654188_fix " + tag cci: ["CCI-001314"] + tag nist: ["SI-11 b"] +end \ No newline at end of file diff --git a/controls/SV-238339.rb b/controls/SV-238339.rb new file mode 100644 index 0000000..250c531 --- /dev/null +++ b/controls/SV-238339.rb @@ -0,0 +1,36 @@ +# encoding: UTF-8 + +control "SV-238339" do + title "The Ubuntu operating system must configure the /var/log directory to be owned by root. " + desc "Only authorized personnel should be aware of errors and the details of the errors. Error +messages are an indicator of an organization's operational state or can identify the +operating system or platform. Additionally, Personally Identifiable Information (PII) +and operational information must not be revealed through error messages to unauthorized +personnel or their designated representatives. + +The structure and content of error +messages must be carefully considered by the organization and development team. The extent +to which the information system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. " + desc "check", "Verify the Ubuntu operating system configures the \"/var/log\" directory to be owned by root +with the following command: + +$ sudo stat -c \"%n %U\" /var/log +/var/log root + +If the +\"/var/log\" directory is not owned by root, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to have root own the \"/var/log\" directory by running +the following command: + +$ sudo chown root /var/log " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000206-GPOS-00084 " + tag gid: "V-238339 " + tag rid: "SV-238339r654192_rule " + tag stig_id: "UBTU-20-010418 " + tag fix_id: "F-41508r654191_fix " + tag cci: ["CCI-001314"] + tag nist: ["SI-11 b"] +end \ No newline at end of file diff --git a/controls/SV-238340.rb b/controls/SV-238340.rb new file mode 100644 index 0000000..413aa7f --- /dev/null +++ b/controls/SV-238340.rb @@ -0,0 +1,38 @@ +# encoding: UTF-8 + +control "SV-238340" do + title "The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less +permissive. " + desc "Only authorized personnel should be aware of errors and the details of the errors. Error +messages are an indicator of an organization's operational state or can identify the +operating system or platform. Additionally, Personally Identifiable Information (PII) +and operational information must not be revealed through error messages to unauthorized +personnel or their designated representatives. + +The structure and content of error +messages must be carefully considered by the organization and development team. The extent +to which the information system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. " + desc "check", "Verify that the Ubuntu operating system configures the \"/var/log\" directory with a mode of +750 or less permissive with the following command: + +$ stat -c \"%n %a\" /var/log + +/var/log 750 + + +If a value of \"750\" or less permissive is not returned, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to have permissions of 0750 for the \"/var/log\" +directory by running the following command: + +$ sudo chmod 0750 /var/log " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000206-GPOS-00084 " + tag gid: "V-238340 " + tag rid: "SV-238340r654195_rule " + tag stig_id: "UBTU-20-010419 " + tag fix_id: "F-41509r654194_fix " + tag cci: ["CCI-001314"] + tag nist: ["SI-11 b"] +end \ No newline at end of file diff --git a/controls/SV-238341.rb b/controls/SV-238341.rb new file mode 100644 index 0000000..70a3fd1 --- /dev/null +++ b/controls/SV-238341.rb @@ -0,0 +1,38 @@ +# encoding: UTF-8 + +control "SV-238341" do + title "The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by +adm. " + desc "Only authorized personnel should be aware of errors and the details of the errors. Error +messages are an indicator of an organization's operational state or can identify the +operating system or platform. Additionally, Personally Identifiable Information (PII) +and operational information must not be revealed through error messages to unauthorized +personnel or their designated representatives. + +The structure and content of error +messages must be carefully considered by the organization and development team. The extent +to which the information system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. " + desc "check", "Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be +group-owned by adm with the following command: + +$ sudo stat -c \"%n %G\" /var/log/syslog + +/var/log/syslog adm + +If the \"/var/log/syslog\" file is not group-owned by adm, this is a +finding. " + desc "fix", "Configure the Ubuntu operating system to have adm group-own the \"/var/log/syslog\" file by +running the following command: + +$ sudo chgrp adm /var/log/syslog " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000206-GPOS-00084 " + tag gid: "V-238341 " + tag rid: "SV-238341r654198_rule " + tag stig_id: "UBTU-20-010420 " + tag fix_id: "F-41510r654197_fix " + tag cci: ["CCI-001314"] + tag nist: ["SI-11 b"] +end \ No newline at end of file diff --git a/controls/SV-238342.rb b/controls/SV-238342.rb new file mode 100644 index 0000000..be44b39 --- /dev/null +++ b/controls/SV-238342.rb @@ -0,0 +1,37 @@ +# encoding: UTF-8 + +control "SV-238342" do + title "The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. " + desc "Only authorized personnel should be aware of errors and the details of the errors. Error +messages are an indicator of an organization's operational state or can identify the +operating system or platform. Additionally, Personally Identifiable Information (PII) +and operational information must not be revealed through error messages to unauthorized +personnel or their designated representatives. + +The structure and content of error +messages must be carefully considered by the organization and development team. The extent +to which the information system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. " + desc "check", "Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be owned by +syslog with the following command: + +$ sudo stat -c \"%n %U\" /var/log/syslog + +/var/log/syslog syslog + +If the \"/var/log/syslog\" file is not owned by syslog, this is a +finding. " + desc "fix", "Configure the Ubuntu operating system to have syslog own the \"/var/log/syslog\" file by +running the following command: + +$ sudo chown syslog /var/log/syslog " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000206-GPOS-00084 " + tag gid: "V-238342 " + tag rid: "SV-238342r654201_rule " + tag stig_id: "UBTU-20-010421 " + tag fix_id: "F-41511r654200_fix " + tag cci: ["CCI-001314"] + tag nist: ["SI-11 b"] +end \ No newline at end of file diff --git a/controls/SV-238343.rb b/controls/SV-238343.rb new file mode 100644 index 0000000..4d44d31 --- /dev/null +++ b/controls/SV-238343.rb @@ -0,0 +1,39 @@ +# encoding: UTF-8 + +control "SV-238343" do + title "The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less +permissive. " + desc "Only authorized personnel should be aware of errors and the details of the errors. Error +messages are an indicator of an organization's operational state or can identify the +operating system or platform. Additionally, Personally Identifiable Information (PII) +and operational information must not be revealed through error messages to unauthorized +personnel or their designated representatives. + +The structure and content of error +messages must be carefully considered by the organization and development team. The extent +to which the information system is able to identify and handle error conditions is guided by +organizational policy and operational requirements. " + desc "check", "Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file with mode +0640 or less permissive by running the following command: + +$ sudo stat -c \"%n %a\" +/var/log/syslog + +/var/log/syslog 640 + +If a value of \"640\" or less permissive is not +returned, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to have permissions of 0640 for the \"/var/log/syslog\" +file by running the following command: + +$ sudo chmod 0640 /var/log/syslog " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000206-GPOS-00084 " + tag gid: "V-238343 " + tag rid: "SV-238343r654204_rule " + tag stig_id: "UBTU-20-010422 " + tag fix_id: "F-41512r654203_fix " + tag cci: ["CCI-001314"] + tag nist: ["SI-11 b"] +end \ No newline at end of file diff --git a/controls/SV-238344.rb b/controls/SV-238344.rb new file mode 100644 index 0000000..d9ac87e --- /dev/null +++ b/controls/SV-238344.rb @@ -0,0 +1,52 @@ +# encoding: UTF-8 + +control "SV-238344" do + title "The Ubuntu operating system must have directories that contain system commands set to a mode +of 0755 or less permissive. " + desc "Protecting audit information also includes identifying and protecting the tools used to +view and manipulate log data. Therefore, protecting audit tools is necessary to prevent +unauthorized operation on audit information. + +Operating systems providing tools to +interface with audit information will leverage user permissions and roles identifying the +user accessing the tools and the corresponding rights the user has in order to make access +decisions regarding the deletion of audit tools. + +Audit tools include, but are not limited +to, vendor-provided and open source audit tools needed to successfully view and manipulate +audit information system activity and records. Audit tools include custom queries and +report generators. " + desc "check", "Verify the system commands directories have mode 0755 or less permissive: + +/bin +/sbin + +/usr/bin +/usr/sbin +/usr/local/bin +/usr/local/sbin + +Check that the system command +directories have mode 0755 or less permissive with the following command: + +$ find /bin /sbin +/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \"%n %a\" +'{}' \\; + +If any directories are found to be group-writable or world-writable, this is a +finding. " + desc "fix", "Configure the system commands directories to be protected from unauthorized access. Run the +following command: + +$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin +/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\; " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000258-GPOS-00099 " + tag gid: "V-238344 " + tag rid: "SV-238344r654207_rule " + tag stig_id: "UBTU-20-010423 " + tag fix_id: "F-41513r654206_fix " + tag cci: ["CCI-001495"] + tag nist: ["AU-9"] +end \ No newline at end of file diff --git a/controls/SV-238345.rb b/controls/SV-238345.rb new file mode 100644 index 0000000..66cb98f --- /dev/null +++ b/controls/SV-238345.rb @@ -0,0 +1,51 @@ +# encoding: UTF-8 + +control "SV-238345" do + title "The Ubuntu operating system must have directories that contain system commands owned by +root. " + desc "Protecting audit information also includes identifying and protecting the tools used to +view and manipulate log data. Therefore, protecting audit tools is necessary to prevent +unauthorized operation on audit information. + +Operating systems providing tools to +interface with audit information will leverage user permissions and roles identifying the +user accessing the tools and the corresponding rights the user has in order to make access +decisions regarding the deletion of audit tools. + +Audit tools include, but are not limited +to, vendor-provided and open source audit tools needed to successfully view and manipulate +audit information system activity and records. Audit tools include custom queries and +report generators. " + desc "check", "Verify the system commands directories are owned by root: + +/bin +/sbin +/usr/bin + +/usr/sbin +/usr/local/bin +/usr/local/sbin + +Use the following command for the check: + + +$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root +-type d -exec stat -c \"%n %U\" '{}' \\; + +If any system commands directories are returned, this is +a finding. " + desc "fix", "Configure the system commands directories to be protected from unauthorized access. Run the +following command: + +$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin +/usr/local/sbin ! -user root -type d -exec chown root '{}' \\; " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000258-GPOS-00099 " + tag gid: "V-238345 " + tag rid: "SV-238345r654210_rule " + tag stig_id: "UBTU-20-010424 " + tag fix_id: "F-41514r654209_fix " + tag cci: ["CCI-001495"] + tag nist: ["AU-9"] +end \ No newline at end of file diff --git a/controls/SV-238346.rb b/controls/SV-238346.rb new file mode 100644 index 0000000..11a2e1e --- /dev/null +++ b/controls/SV-238346.rb @@ -0,0 +1,52 @@ +# encoding: UTF-8 + +control "SV-238346" do + title "The Ubuntu operating system must have directories that contain system commands group-owned +by root. " + desc "Protecting audit information also includes identifying and protecting the tools used to +view and manipulate log data. Therefore, protecting audit tools is necessary to prevent +unauthorized operation on audit information. + +Operating systems providing tools to +interface with audit information will leverage user permissions and roles identifying the +user accessing the tools and the corresponding rights the user has in order to make access +decisions regarding the deletion of audit tools. + +Audit tools include, but are not limited +to, vendor-provided and open source audit tools needed to successfully view and manipulate +audit information system activity and records. Audit tools include custom queries and +report generators. " + desc "check", "Verify the system commands directories are group-owned by root: + +/bin +/sbin +/usr/bin + +/usr/sbin +/usr/local/bin +/usr/local/sbin + +Run the check with the following command: + + +$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root +-type d -exec stat -c \"%n %G\" '{}' \\; + +If any system commands directories are returned that are +not Set Group ID up on execution (SGID) files and owned by a privileged account, this is a +finding. " + desc "fix", "Configure the system commands directories to be protected from unauthorized access. Run the +following command: + +$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin +/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\; " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000258-GPOS-00099 " + tag gid: "V-238346 " + tag rid: "SV-238346r654213_rule " + tag stig_id: "UBTU-20-010425 " + tag fix_id: "F-41515r654212_fix " + tag cci: ["CCI-001495"] + tag nist: ["AU-9"] +end \ No newline at end of file diff --git a/controls/SV-238347.rb b/controls/SV-238347.rb new file mode 100644 index 0000000..40b040b --- /dev/null +++ b/controls/SV-238347.rb @@ -0,0 +1,38 @@ +# encoding: UTF-8 + +control "SV-238347" do + title "The Ubuntu operating system library files must have mode 0755 or less permissive. " + desc "If the operating system were to allow any user to make changes to software libraries, then +those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. + +This requirement applies to +operating systems with software libraries that are accessible and configurable, as in the +case of interpreted languages. Software libraries also include privileged programs which +execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating +changes, including upgrades and modifications. " + desc "check", "Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\", +and \"/usr/lib\" have mode 0755 or less permissive with the following command: + +$ sudo find +/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \"%n %a\" '{}' \\; + +/usr/lib64/pkcs11-spy.so + +If any files are found to be group-writable or +world-writable, this is a finding. " + desc "fix", "Configure the library files to be protected from unauthorized access. Run the following +command: + +$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\; " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000259-GPOS-00100 " + tag gid: "V-238347 " + tag rid: "SV-238347r654216_rule " + tag stig_id: "UBTU-20-010426 " + tag fix_id: "F-41516r654215_fix " + tag cci: ["CCI-001499"] + tag nist: ["CM-5 (6)"] +end \ No newline at end of file diff --git a/controls/SV-238348.rb b/controls/SV-238348.rb new file mode 100644 index 0000000..3ea8241 --- /dev/null +++ b/controls/SV-238348.rb @@ -0,0 +1,37 @@ +# encoding: UTF-8 + +control "SV-238348" do + title "The Ubuntu operating system library directories must have mode 0755 or less permissive. " + desc "If the operating system were to allow any user to make changes to software libraries, then +those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. + +This requirement applies to +operating systems with software libraries that are accessible and configurable, as in the +case of interpreted languages. Software libraries also include privileged programs which +execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating +changes, including upgrades and modifications. " + desc "check", "Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib have +mode 0755 or less permissive with the following command: + +$ sudo find /lib /lib64 /usr/lib +-perm /022 -type d -exec stat -c \"%n %a\" '{}' \\; + +If any of the aforementioned directories are +found to be group-writable or world-writable, this is a finding. " + desc "fix", "Configure the shared library directories to be protected from unauthorized access. Run the +following command: + +$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}' +\\; " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000259-GPOS-00100 " + tag gid: "V-238348 " + tag rid: "SV-238348r654219_rule " + tag stig_id: "UBTU-20-010427 " + tag fix_id: "F-41517r654218_fix " + tag cci: ["CCI-001499"] + tag nist: ["CM-5 (6)"] +end \ No newline at end of file diff --git a/controls/SV-238349.rb b/controls/SV-238349.rb new file mode 100644 index 0000000..e31026c --- /dev/null +++ b/controls/SV-238349.rb @@ -0,0 +1,37 @@ +# encoding: UTF-8 + +control "SV-238349" do + title "The Ubuntu operating system library files must be owned by root. " + desc "If the operating system were to allow any user to make changes to software libraries, then +those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. + +This requirement applies to +operating systems with software libraries that are accessible and configurable, as in the +case of interpreted languages. Software libraries also include privileged programs which +execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating +changes, including upgrades and modifications. " + desc "check", "Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\", +and \"/usr/lib\" are owned by root with the following command: + +$ sudo find /lib /usr/lib +/lib64 ! -user root -type f -exec stat -c \"%n %U\" '{}' \\; + +If any system-wide library file is +returned, this is a finding. " + desc "fix", "Configure the system library files to be protected from unauthorized access. Run the +following command: + +$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root +'{}' \\; " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000259-GPOS-00100 " + tag gid: "V-238349 " + tag rid: "SV-238349r654222_rule " + tag stig_id: "UBTU-20-010428 " + tag fix_id: "F-41518r654221_fix " + tag cci: ["CCI-001499"] + tag nist: ["CM-5 (6)"] +end \ No newline at end of file diff --git a/controls/SV-238350.rb b/controls/SV-238350.rb new file mode 100644 index 0000000..6370458 --- /dev/null +++ b/controls/SV-238350.rb @@ -0,0 +1,37 @@ +# encoding: UTF-8 + +control "SV-238350" do + title "The Ubuntu operating system library directories must be owned by root. " + desc "If the operating system were to allow any user to make changes to software libraries, then +those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. + +This requirement applies to +operating systems with software libraries that are accessible and configurable, as in the +case of interpreted languages. Software libraries also include privileged programs which +execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating +changes, including upgrades and modifications. " + desc "check", "Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are +owned by root with the following command: + +$ sudo find /lib /usr/lib /lib64 ! -user root -type +d -exec stat -c \"%n %U\" '{}' \\; + +If any system-wide library directory is returned, this is a +finding. " + desc "fix", "Configure the library files and their respective parent directories to be protected from +unauthorized access. Run the following command: + +$ sudo find /lib /usr/lib /lib64 ! -user +root -type d -exec chown root '{}' \\; " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000259-GPOS-00100 " + tag gid: "V-238350 " + tag rid: "SV-238350r654225_rule " + tag stig_id: "UBTU-20-010429 " + tag fix_id: "F-41519r654224_fix " + tag cci: ["CCI-001499"] + tag nist: ["CM-5 (6)"] +end \ No newline at end of file diff --git a/controls/SV-238351.rb b/controls/SV-238351.rb new file mode 100644 index 0000000..2a8586a --- /dev/null +++ b/controls/SV-238351.rb @@ -0,0 +1,38 @@ +# encoding: UTF-8 + +control "SV-238351" do + title "The Ubuntu operating system library files must be group-owned by root or a system account. " + desc "If the operating system were to allow any user to make changes to software libraries, then +those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. + +This requirement applies to +operating systems with software libraries that are accessible and configurable, as in the +case of interpreted languages. Software libraries also include privileged programs which +execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating +changes, including upgrades and modifications. " + desc "check", "Verify the system-wide library files contained in the directories \"/lib\", \"/lib64\", and +\"/usr/lib\" are group-owned by root, or a required system account, with the following +command: + +$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \"%n %G\" '{}' \\; + + +If any system-wide shared library file is returned and is not group-owned by a required +system account, this is a finding. " + desc "fix", "Configure the system library files to be protected from unauthorized access. Run the +following command, replacing \"[FILE]\" with any system command file not group-owned by +\"root\" or a required system account: + +$ sudo chgrp root [FILE] " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000259-GPOS-00100 " + tag gid: "V-238351 " + tag rid: "SV-238351r832962_rule " + tag stig_id: "UBTU-20-010430 " + tag fix_id: "F-41520r832961_fix " + tag cci: ["CCI-001499"] + tag nist: ["CM-5 (6)"] +end \ No newline at end of file diff --git a/controls/SV-238352.rb b/controls/SV-238352.rb new file mode 100644 index 0000000..cc11905 --- /dev/null +++ b/controls/SV-238352.rb @@ -0,0 +1,37 @@ +# encoding: UTF-8 + +control "SV-238352" do + title "The Ubuntu operating system library directories must be group-owned by root. " + desc "If the operating system were to allow any user to make changes to software libraries, then +those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. + +This requirement applies to +operating systems with software libraries that are accessible and configurable, as in the +case of interpreted languages. Software libraries also include privileged programs which +execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating +changes, including upgrades and modifications. " + desc "check", "Verify the system-wide library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are +group-owned by root with the following command: + +$ sudo find /lib /usr/lib /lib64 ! -group +root -type d -exec stat -c \"%n %G\" '{}' \\; + +If any system-wide shared library directory is +returned, this is a finding. " + desc "fix", "Configure the system library directories to be protected from unauthorized access. Run the +following command: + +$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root +'{}' \\; " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000259-GPOS-00100 " + tag gid: "V-238352 " + tag rid: "SV-238352r654231_rule " + tag stig_id: "UBTU-20-010431 " + tag fix_id: "F-41521r654230_fix " + tag cci: ["CCI-001499"] + tag nist: ["CM-5 (6)"] +end \ No newline at end of file diff --git a/controls/SV-238353.rb b/controls/SV-238353.rb new file mode 100644 index 0000000..866b4e5 --- /dev/null +++ b/controls/SV-238353.rb @@ -0,0 +1,66 @@ +# encoding: UTF-8 + +control "SV-238353" do + title "The Ubuntu operating system must be configured to preserve log records from failure events. " + desc "Failure to a known state can address safety or security in accordance with the +mission/business needs of the organization. Failure to a known secure state helps prevent a +loss of confidentiality, integrity, or availability in the event of a failure of the +information system or a component of the system. + +Preserving operating system state +information helps to facilitate operating system restart and return to the operational mode +of the organization with least disruption to mission/business processes. " + desc "check", "Verify the log service is configured to collect system failure events. + +Check that the log +service is installed properly with the following command: + +$ dpkg -l | grep rsyslog + +ii +rsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon + +If the \"rsyslog\" +package is not installed, this is a finding. + +Check that the log service is enabled with the +following command: + +$ systemctl is-enabled rsyslog + +enabled + +If the command above +returns \"disabled\", this is a finding. + +Check that the log service is properly running and +active on the system with the following command: + +$ systemctl is-active rsyslog + +active + + +If the command above returns \"inactive\", this is a finding. " + desc "fix", "Configure the log service to collect failure events. + +Install the log service (if the log +service is not already installed) with the following command: + +$ sudo apt-get install +rsyslog + +Enable the log service with the following command: + +$ sudo systemctl enable --now +rsyslog " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000269-GPOS-00103 " + tag gid: "V-238353 " + tag rid: "SV-238353r654234_rule " + tag stig_id: "UBTU-20-010432 " + tag fix_id: "F-41522r654233_fix " + tag cci: ["CCI-001665"] + tag nist: ["SC-24"] +end \ No newline at end of file diff --git a/controls/SV-238354.rb b/controls/SV-238354.rb new file mode 100644 index 0000000..b6f81b4 --- /dev/null +++ b/controls/SV-238354.rb @@ -0,0 +1,46 @@ +# encoding: UTF-8 + +control "SV-238354" do + title "The Ubuntu operating system must have an application firewall installed in order to control +remote access methods. " + desc "Remote access services, such as those providing remote access to network devices and +information systems, which lack automated control capabilities, increase risk and make +remote user access management difficult at best. + +Remote access is access to DoD nonpublic +information systems by an authorized user (or an information system) communicating through +an external, non-organization-controlled network. Remote access methods include, for +example, dial-up, broadband, and wireless. + +Ubuntu operating system functionality +(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized +activity. Automated control of remote access sessions allows organizations to ensure +ongoing compliance with remote access policies by enforcing connection rules of remote +access applications on a variety of information system components (e.g., servers, +workstations, notebook computers, smartphones, and tablets). " + desc "check", "Verify that the Uncomplicated Firewall is installed with the following command: + +$ dpkg -l | +grep ufw + +ii ufw 0.36-6 + +If the \"ufw\" package is not installed, ask the System Administrator +if another application firewall is installed. + +If no application firewall is installed, +this is a finding. " + desc "fix", "Install the Uncomplicated Firewall by using the following command: + +$ sudo apt-get install +ufw " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000297-GPOS-00115 " + tag gid: "V-238354 " + tag rid: "SV-238354r853429_rule " + tag stig_id: "UBTU-20-010433 " + tag fix_id: "F-41523r654236_fix " + tag cci: ["CCI-002314"] + tag nist: ["AC-17 (1)"] +end \ No newline at end of file diff --git a/controls/SV-238355.rb b/controls/SV-238355.rb new file mode 100644 index 0000000..cd15fc7 --- /dev/null +++ b/controls/SV-238355.rb @@ -0,0 +1,54 @@ +# encoding: UTF-8 + +control "SV-238355" do + title "The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). " + desc "Remote access services, such as those providing remote access to network devices and +information systems, which lack automated control capabilities, increase risk and make +remote user access management difficult at best. + +Remote access is access to DoD nonpublic +information systems by an authorized user (or an information system) communicating through +an external, non-organization-controlled network. Remote access methods include, for +example, dial-up, broadband, and wireless. + +Ubuntu operating system functionality +(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized +activity. Automated control of remote access sessions allows organizations to ensure +ongoing compliance with remote access policies by enforcing connection rules of remote +access applications on a variety of information system components (e.g., servers, +workstations, notebook computers, smartphones, and tablets). " + desc "check", "Verify the Uncomplicated Firewall is enabled on the system by running the following command: + + +$ systemctl is-enabled ufw + +If the above command returns the status as \"disabled\", this is +a finding. + +Verify the Uncomplicated Firewall is active on the system by running the +following command: + +$ systemctl is-active ufw + +If the above command returns \"inactive\" or +any kind of error, this is a finding. + +If the Uncomplicated Firewall is not installed, ask the +System Administrator if another application firewall is installed. + +If no application +firewall is installed, this is a finding. " + desc "fix", "Enable the Uncomplicated Firewall by using the following command: + +$ sudo systemctl enable +--now ufw.service " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000297-GPOS-00115 " + tag gid: "V-238355 " + tag rid: "SV-238355r853430_rule " + tag stig_id: "UBTU-20-010434 " + tag fix_id: "F-41524r654239_fix " + tag cci: ["CCI-002314"] + tag nist: ["AC-17 (1)"] +end \ No newline at end of file diff --git a/controls/SV-238356.rb b/controls/SV-238356.rb new file mode 100644 index 0000000..bfad302 --- /dev/null +++ b/controls/SV-238356.rb @@ -0,0 +1,74 @@ +# encoding: UTF-8 + +control "SV-238356" do + title "The Ubuntu operating system must, for networked systems, compare internal information +system clocks at least every 24 hours with a server which is synchronized to one of the +redundant United States Naval Observatory (USNO) time servers, or a time server designated +for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System +(GPS). " + desc "Inaccurate time stamps make it more difficult to correlate events and can lead to an +inaccurate analysis. Determining the correct time a particular event occurred on a system is +critical when conducting forensic analysis and investigating system events. Sources +outside the configured acceptable allowance (drift) may be inaccurate. + +Synchronizing +internal information system clocks provides uniformity of time stamps for information +systems with multiple system clocks and systems connected over a network. + +Organizations +should consider endpoints that may not have regular access to the authoritative time server +(e.g., mobile, teleworking, and tactical endpoints). " + desc "check", "If the system is not networked, this requirement is Not Applicable. + +The system clock must be +configured to compare the system clock at least every 24 hours to the authoritative time +source. + +Check the value of \"maxpoll\" in the \"/etc/chrony/chrony.conf\" file with the +following command: + +$ sudo grep maxpoll /etc/chrony/chrony.conf +server +tick.usno.navy.mil iburst maxpoll 16 + +If the \"maxpoll\" option is set to a number greater +than 16 or the line is commented out, this is a finding. + +Verify that the \"chrony.conf\" file is +configured to an authoritative DoD time source by running the following command: + +$ grep -i +server /etc/chrony/chrony.conf +server tick.usno.navy.mil iburst maxpoll 16 +server +tock.usno.navy.mil iburst maxpoll 16 +server ntp2.usno.navy.mil iburst maxpoll 16 + +If +the parameter \"server\" is not set, is not set to an authoritative DoD time source, or is +commented out, this is a finding. " + desc "fix", "If the system is not networked, this requirement is Not Applicable. + +To configure the system +clock to compare the system clock at least every 24 hours to the authoritative time source, +edit the \"/etc/chrony/chrony.conf\" file. Add or correct the following lines, by replacing +\"[source]\" in the following line with an authoritative DoD time source: + +server [source] +iburst maxpoll = 16 + +If the \"chrony\" service was running and the value of \"maxpoll\" or +\"server\" was updated, the service must be restarted using the following command: + +$ sudo +systemctl restart chrony.service " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000355-GPOS-00143 " + tag gid: "V-238356 " + tag rid: "SV-238356r853431_rule " + tag stig_id: "UBTU-20-010435 " + tag fix_id: "F-41525r808491_fix " + tag cci: ["CCI-001891"] + tag nist: ["AU-8 (1) (a)"] +end \ No newline at end of file diff --git a/controls/SV-238357.rb b/controls/SV-238357.rb new file mode 100644 index 0000000..1257f7e --- /dev/null +++ b/controls/SV-238357.rb @@ -0,0 +1,54 @@ +# encoding: UTF-8 + +control "SV-238357" do + title "The Ubuntu operating system must synchronize internal information system clocks to the +authoritative time source when the time difference is greater than one second. " + desc "Inaccurate time stamps make it more difficult to correlate events and can lead to an +inaccurate analysis. Determining the correct time a particular event occurred on a system is +critical when conducting forensic analysis and investigating system events. + + +Synchronizing internal information system clocks provides uniformity of time stamps for +information systems with multiple system clocks and systems connected over a network. +Organizations should consider setting time periods for different types of systems (e.g., +financial, legal, or mission-critical systems). + +Organizations should also consider +endpoints that may not have regular access to the authoritative time server (e.g., mobile, +teleworking, and tactical endpoints). This requirement is related to the comparison done +every 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the +time difference. " + desc "check", "Verify the operating system synchronizes internal system clocks to the authoritative time +source when the time difference is greater than one second. + +Check the value of \"makestep\" by +running the following command: + +$ sudo grep makestep /etc/chrony/chrony.conf + +makestep +1 -1 + +If the makestep option is commented out or is not set to \"1 -1\", this is a finding. " + desc "fix", "Configure chrony to synchronize the internal system clocks to the authoritative source when +the time difference is greater than one second by doing the following: + +Edit the +\"/etc/chrony/chrony.conf\" file and add: + +makestep 1 -1 + +Restart the chrony service: + +$ +sudo systemctl restart chrony.service " + impact 0.3 + tag severity: "low " + tag gtitle: "SRG-OS-000356-GPOS-00144 " + tag gid: "V-238357 " + tag rid: "SV-238357r853432_rule " + tag stig_id: "UBTU-20-010436 " + tag fix_id: "F-41526r654245_fix " + tag cci: ["CCI-002046"] + tag nist: ["AU-8 (1) (b)"] +end \ No newline at end of file diff --git a/controls/SV-238358.rb b/controls/SV-238358.rb new file mode 100644 index 0000000..738e9b4 --- /dev/null +++ b/controls/SV-238358.rb @@ -0,0 +1,46 @@ +# encoding: UTF-8 + +control "SV-238358" do + title "The Ubuntu operating system must notify designated personnel if baseline configurations +are changed in an unauthorized manner. The file integrity tool must notify the System +Administrator when changes to the baseline configuration or anomalies in the oper " + desc "Unauthorized changes to the baseline configuration could make the system vulnerable to +various attacks or allow unauthorized access to the operating system. Changes to operating +system configurations can have unintended side effects, some of which may be relevant to +security. + +Detecting such changes and providing an automated response can help avoid +unintended, negative consequences that could ultimately affect the security state of the +operating system. The operating system's IMO/ISSO and SAs must be notified via email and/or +monitoring system trap when there is an unauthorized modification of a configuration item. " + desc "check", "Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System +Administrator + when anomalies in the operation of any security functions are discovered +with the following command: + +$ grep SILENTREPORTS /etc/default/aide + +SILENTREPORTS=no + + +If SILENTREPORTS is commented out, this is a finding. + +If SILENTREPORTS is set to \"yes\", +this is a finding. + +If SILENTREPORTS is not set to \"no\", this is a finding. " + desc "fix", "Configure the Ubuntu operating system to notify designated personnel if baseline +configurations are changed in an unauthorized manner. + +Modify the \"SILENTREPORTS\" +parameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist. " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000363-GPOS-00150 " + tag gid: "V-238358 " + tag rid: "SV-238358r853433_rule " + tag stig_id: "UBTU-20-010437 " + tag fix_id: "F-41527r654248_fix " + tag cci: ["CCI-001744"] + tag nist: ["CM-3 (5)"] +end \ No newline at end of file diff --git a/controls/SV-238359.rb b/controls/SV-238359.rb new file mode 100644 index 0000000..cfcc7f1 --- /dev/null +++ b/controls/SV-238359.rb @@ -0,0 +1,58 @@ +# encoding: UTF-8 + +control "SV-238359" do + title "The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the +installation of patches, service packs, device drivers, or Ubuntu operating system +components without verification they have been digitally signed using a certificate that is +recognized and approved by the organization. " + desc "Changes to any software components can have significant effects on the overall security of +the operating system. This requirement ensures the software has not been tampered with and +that it has been provided by a trusted vendor. + +Accordingly, patches, service packs, device +drivers, or operating system components must be signed with a certificate recognized and +approved by the organization. + +Verifying the authenticity of the software prior to +installation validates the integrity of the patch or upgrade received from a vendor. This +ensures the software has not been tampered with and that it has been provided by a trusted +vendor. Self-signed certificates are disallowed by this requirement. The operating system +should not have to verify the software again. This requirement does not mandate DoD +certificates for this purpose; however, the certificate used to verify the software must be +from an approved CA. " + desc "check", "Verify that APT is configured to prevent the installation of patches, service packs, device +drivers, or Ubuntu operating system components without verification they have been +digitally signed using a certificate that is recognized and approved by the organization. + + +Check that the \"AllowUnauthenticated\" variable is not set at all or is set to \"false\" with the +following command: + +$ grep AllowUnauthenticated /etc/apt/apt.conf.d/* + +/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \"false\"; + + +If any of the files returned from the command with \"AllowUnauthenticated\" are set to \"true\", +this is a finding. " + desc "fix", "Configure APT to prevent the installation of patches, service packs, device drivers, or +Ubuntu operating system components without verification they have been digitally signed +using a certificate that is recognized and approved by the organization. + +Remove/update +any APT configuration files that contain the variable \"AllowUnauthenticated\" to \"false\", +or remove \"AllowUnauthenticated\" entirely from each file. Below is an example of setting the +\"AllowUnauthenticated\" variable to \"false\": + +APT::Get::AllowUnauthenticated +\"false\"; " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000366-GPOS-00153 " + tag gid: "V-238359 " + tag rid: "SV-238359r853434_rule " + tag stig_id: "UBTU-20-010438 " + tag fix_id: "F-41528r654251_fix " + tag cci: ["CCI-001749"] + tag nist: ["CM-5 (3)"] +end \ No newline at end of file diff --git a/controls/SV-238360.rb b/controls/SV-238360.rb new file mode 100644 index 0000000..ab11714 --- /dev/null +++ b/controls/SV-238360.rb @@ -0,0 +1,73 @@ +# encoding: UTF-8 + +control "SV-238360" do + title "The Ubuntu operating system must be configured to use AppArmor. " + desc "Control of program execution is a mechanism used to prevent execution of unauthorized +programs. Some operating systems may provide a capability that runs counter to the mission or +provides users with functionality that exceeds mission requirements. This includes +functions and services installed at the operating system-level. + +Some of the programs, +installed by default, may be harmful or may not be necessary to support essential +organizational operations (e.g., key missions, functions). Removal of executable +programs is not always possible; therefore, establishing a method of preventing program +execution is critical to maintaining a secure system baseline. + +Methods for complying with +this requirement include restricting execution of programs in certain environments, while +preventing execution in other environments; or limiting execution of certain program +functionality based on organization-defined criteria (e.g., privileges, subnets, +sandboxed environments, or roles). + + " + desc "check", "Verify the operating system prevents program execution in accordance with local policies. + + +Check that AppArmor is installed and active by running the following command, + +$ dpkg -l | +grep apparmor + +If the \"apparmor\" package is not installed, this is a finding. + +$ systemctl +is-active apparmor.service + +active + +If \"active\" is not returned, this is a finding. + +$ +systemctl is-enabled apparmor.service + +enabled + +If \"enabled\" is not returned, this is a +finding. " + desc "fix", "Install \"AppArmor\" (if it is not installed) with the following command: + +$ sudo apt-get +install apparmor + +$ sudo systemctl enable apparmor.service + +Start \"apparmor\" with the +following command: + +$ sudo systemctl start apparmor.service + +Note: AppArmor must have +properly configured profiles for applications and home directories. All configurations +will be based on the actual system setup and organization and normally are on a per role basis. +See the AppArmor documentation for more information on configuring profiles. " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000368-GPOS-00154 " + tag satisfies: ["SRG-OS-000368-GPOS-00154","SRG-OS-000312-GPOS-00122","SRG-OS-000312-GPOS-00123","SRG-OS-000312-GPOS-00124","SRG-OS-000324-GPOS-00125","SRG-OS-000370-GPOS-00155"] + tag gid: "V-238360 " + tag rid: "SV-238360r853435_rule " + tag stig_id: "UBTU-20-010439 " + tag fix_id: "F-41529r654254_fix " + tag cci: ["CCI-001764","CCI-001774","CCI-002165","CCI-002235"] + tag nist: ["CM-7 (2)","CM-7 (5) (b)","AC-3 (4)","AC-6 (10)"] +end \ No newline at end of file diff --git a/controls/SV-238361.rb b/controls/SV-238361.rb new file mode 100644 index 0000000..9150158 --- /dev/null +++ b/controls/SV-238361.rb @@ -0,0 +1,40 @@ +# encoding: UTF-8 + +control "SV-238361" do + title "The Ubuntu operating system must allow the use of a temporary password for system logons with +an immediate change to a permanent password. " + desc "Without providing this capability, an account may be created without a password. +Non-repudiation cannot be guaranteed once an account is created if a user is not forced to +change the temporary password upon initial logon. + +Temporary passwords are typically used +to allow access when new accounts are created or passwords are changed. It is common practice +for administrators to create temporary passwords for user accounts which allow the users to +log on, yet force them to change the password once they have successfully authenticated. " + desc "check", "Verify a policy exists that ensures when a user account is created, it is created using a method +that forces a user to change their password upon their next login. + +If a policy does not exist, +this is a finding. " + desc "fix", "Create a policy that ensures when a user is created, it is created using a method that forces a +user to change their password upon their next login. + +Below are two examples of how to create a +user account that requires the user to change their password upon their next login. + +$ sudo +chage -d 0 [UserName] + +or + +$ sudo passwd -e [UserName] " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000380-GPOS-00165 " + tag gid: "V-238361 " + tag rid: "SV-238361r853436_rule " + tag stig_id: "UBTU-20-010440 " + tag fix_id: "F-41530r654257_fix " + tag cci: ["CCI-002041"] + tag nist: ["IA-5 (1) (f)"] +end \ No newline at end of file diff --git a/controls/SV-238362.rb b/controls/SV-238362.rb new file mode 100644 index 0000000..4dbe90c --- /dev/null +++ b/controls/SV-238362.rb @@ -0,0 +1,40 @@ +# encoding: UTF-8 + +control "SV-238362" do + title "The Ubuntu operating system must be configured such that Pluggable Authentication Module +(PAM) prohibits the use of cached authentications after one day. " + desc "If cached authentication information is out-of-date, the validity of the authentication +information may be questionable. " + desc "check", "If smart card authentication is not being used on the system, this s Not Applicable. + +Verify +that PAM prohibits the use of cached authentications after one day with the following +command: + +$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf +/etc/sssd/conf.d/*.conf + +offline_credentials_expiration = 1 + +If +\"offline_credentials_expiration\" is not set to a value of \"1\" in \"/etc/sssd/sssd.conf\" or +in a file with a name ending in .conf in the \"/etc/sssd/conf.d/\" directory, this is a finding. " + desc "fix", "Configure PAM to prohibit the use of cached authentications after one day. Add or change the +following line in \"/etc/sssd/sssd.conf\" just below the line \"[pam]\": + + +offline_credentials_expiration = 1 + +Note: It is valid for this configuration to be in a +file with a name that ends with \".conf\" and does not begin with a \".\" in the \"/etc/sssd/conf.d/\" +directory instead of the \"/etc/sssd/sssd.conf\" file. " + impact 0.3 + tag severity: "low " + tag gtitle: "SRG-OS-000383-GPOS-00166 " + tag gid: "V-238362 " + tag rid: "SV-238362r853437_rule " + tag stig_id: "UBTU-20-010441 " + tag fix_id: "F-41531r654260_fix " + tag cci: ["CCI-002007"] + tag nist: ["IA-5 (13)"] +end \ No newline at end of file diff --git a/controls/SV-238363.rb b/controls/SV-238363.rb new file mode 100644 index 0000000..84c84dc --- /dev/null +++ b/controls/SV-238363.rb @@ -0,0 +1,42 @@ +# encoding: UTF-8 + +control "SV-238363" do + title "The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect +classified information and for the following: to provision digital signatures, to generate +cryptographic hashes, and to protect unclassified information requiring confidentiality +and cryptographic protection in accordance with applicable federal laws, Executive +Orders, directives, policies, regulations, and standards. " + desc "Use of weak or untested encryption algorithms undermines the purposes of utilizing +encryption to protect data. The operating system must implement cryptographic modules +adhering to the higher standards approved by the federal government since this provides +assurance they have been tested and validated. + + " + desc "check", "Verify the system is configured to run in FIPS mode with the following command: + +$ grep -i 1 +/proc/sys/crypto/fips_enabled +1 + +If a value of \"1\" is not returned, this is a finding. " + desc "fix", "Configure the system to run in FIPS mode. Add \"fips=1\" to the kernel parameter during the +Ubuntu operating systems install. + +Enabling a FIPS mode on a pre-existing system involves a +number of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS +140-2 security policy document for instructions. + +A subscription to the \"Ubuntu +Advantage\" plan is required in order to obtain the FIPS Kernel cryptographic modules and +enable FIPS. " + impact 0.7 + tag severity: "high " + tag gtitle: "SRG-OS-000396-GPOS-00176 " + tag satisfies: ["SRG-OS-000396-GPOS-00176","SRG-OS-000478-GPOS-00223"] + tag gid: "V-238363 " + tag rid: "SV-238363r853438_rule " + tag stig_id: "UBTU-20-010442 " + tag fix_id: "F-41532r654263_fix " + tag cci: ["CCI-002450"] + tag nist: ["SC-13 b"] +end \ No newline at end of file diff --git a/controls/SV-238364.rb b/controls/SV-238364.rb new file mode 100644 index 0000000..a706c14 --- /dev/null +++ b/controls/SV-238364.rb @@ -0,0 +1,55 @@ +# encoding: UTF-8 + +control "SV-238364" do + title "The Ubuntu operating system must only allow the use of DoD PKI-established certificate +authorities for verification of the establishment of protected sessions. " + desc "Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by +organizations or individuals that seek to compromise DoD systems or by organizations with +insufficient security controls. If the CA used for verifying the certificate is not a +DoD-approved CA, trust of this CA has not been established. + +The DoD will only accept +PKI-certificates obtained from a DoD-approved internal or external certificate +authority. Reliance on CAs for the establishment of secure sessions includes, for example, +the use of SSL/TLS certificates. " + desc "check", "Verify the directory containing the root certificates for the Ubuntu operating system +(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate +authorities. + +Determine if \"/etc/ssl/certs\" only contains certificate files whose +sha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities +with the following command: + +$ for f in $(realpath /etc/ssl/certs/*); do openssl x509 +-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'; +done + +If any entry is found, this is a finding. " + desc "fix", "Configure the Ubuntu operating system to only allow the use of DoD PKI-established +certificate authorities for verification of the establishment of protected sessions. + + +Edit the \"/etc/ca-certificates.conf\" file, adding the character \"!\" to the beginning of +all uncommented lines that do not start with the \"!\" character with the following command: + +$ +sudo sed -i -E 's/^([^!#]+)/!\\1/' /etc/ca-certificates.conf + +Add at least one DoD +certificate authority to the \"/usr/local/share/ca-certificates\" directory in the PEM +format. + +Update the \"/etc/ssl/certs\" directory with the following command: + +$ sudo +update-ca-certificates " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000403-GPOS-00182 " + tag gid: "V-238364 " + tag rid: "SV-238364r860824_rule " + tag stig_id: "UBTU-20-010443 " + tag fix_id: "F-41533r860823_fix " + tag cci: ["CCI-002470"] + tag nist: ["SC-23 (5)"] +end \ No newline at end of file diff --git a/controls/SV-238365.rb b/controls/SV-238365.rb new file mode 100644 index 0000000..6260f7c --- /dev/null +++ b/controls/SV-238365.rb @@ -0,0 +1,69 @@ +# encoding: UTF-8 + +control "SV-238365" do + title "Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized +modification of all information at rest. " + desc "Operating systems handling data requiring \"data at rest\" protections must employ +cryptographic mechanisms to prevent unauthorized disclosure and modification of the +information at rest. + +Selection of a cryptographic mechanism is based on the need to protect +the integrity of organizational information. The strength of the mechanism is commensurate +with the security category and/or classification of the information. Organizations have +the flexibility to either encrypt all information on storage devices (i.e., full disk +encryption) or encrypt specific data structures (e.g., files, records, or fields). " + desc "check", "If there is a documented and approved reason for not having data-at-rest encryption, this +requirement is Not Applicable. + +Verify the Ubuntu operating system prevents unauthorized +disclosure or modification of all information requiring at-rest protection by using disk +encryption. + +Determine the partition layout for the system with the following command: + +$ +sudo fdisk -l +(..) +Disk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors +Units: +sectors of 1 * 512 = 512 bytes +Sector size (logical/physical): 512 bytes / 512 bytes +I/O size +(minimum/optimal): 512 bytes / 512 bytes +Disklabel type: gpt +Disk identifier: +83298450-B4E3-4B19-A9E4-7DF147A5FEFB + +Device Start End Sectors Size Type +/dev/vda1 +2048 4095 2048 1M BIOS boot +/dev/vda2 4096 2101247 2097152 1G Linux filesystem +/dev/vda3 +2101248 31455231 29353984 14G Linux filesystem +(...) + +Verify that the system partitions +are all encrypted with the following command: + +$ more /etc/crypttab + +Every persistent +disk partition present must have an entry in the file. + +If any partitions other than the boot +partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. " + desc "fix", "To encrypt an entire partition, dedicate a partition for encryption in the partition layout. + + +Note: Encrypting a partition in an already-installed system is more difficult because it +will need to be resized and existing partitions changed. " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000404-GPOS-00183 " + tag gid: "V-238365 " + tag rid: "SV-238365r853442_rule " + tag stig_id: "UBTU-20-010444 " + tag fix_id: "F-41534r654269_fix " + tag cci: ["CCI-002475"] + tag nist: ["SC-28 (1)"] +end \ No newline at end of file diff --git a/controls/SV-238366.rb b/controls/SV-238366.rb new file mode 100644 index 0000000..7c9d275 --- /dev/null +++ b/controls/SV-238366.rb @@ -0,0 +1,69 @@ +# encoding: UTF-8 + +control "SV-238366" do + title "Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized +disclosure of all information at rest. " + desc "Operating systems handling data requiring \"data at rest\" protections must employ +cryptographic mechanisms to prevent unauthorized disclosure and modification of the +information at rest. + +Selection of a cryptographic mechanism is based on the need to protect +the integrity of organizational information. The strength of the mechanism is commensurate +with the security category and/or classification of the information. Organizations have +the flexibility to either encrypt all information on storage devices (i.e., full disk +encryption) or encrypt specific data structures (e.g., files, records, or fields). " + desc "check", "If there is a documented and approved reason for not having data-at-rest encryption, this +requirement is Not Applicable. + +Verify the Ubuntu operating system prevents unauthorized +disclosure or modification of all information requiring at-rest protection by using disk +encryption. + +Determine the partition layout for the system with the following command: + + +$sudo fdisk -l +(..) +Disk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors +Units: +sectors of 1 * 512 = 512 bytes +Sector size (logical/physical): 512 bytes / 512 bytes +I/O size +(minimum/optimal): 512 bytes / 512 bytes +Disklabel type: gpt +Disk identifier: +83298450-B4E3-4B19-A9E4-7DF147A5FEFB + +Device Start End Sectors Size Type +/dev/vda1 +2048 4095 2048 1M BIOS boot +/dev/vda2 4096 2101247 2097152 1G Linux filesystem +/dev/vda3 +2101248 31455231 29353984 14G Linux filesystem +(...) + +Verify that the system partitions +are all encrypted with the following command: + +$ more /etc/crypttab + +Every persistent +disk partition present must have an entry in the file. + +If any partitions other than the boot +partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. " + desc "fix", "To encrypt an entire partition, dedicate a partition for encryption in the partition layout. + + +Note: Encrypting a partition in an already-installed system is more difficult because it +will need to be resized and existing partitions changed. " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000405-GPOS-00184 " + tag gid: "V-238366 " + tag rid: "SV-238366r853443_rule " + tag stig_id: "UBTU-20-010445 " + tag fix_id: "F-41535r654272_fix " + tag cci: ["CCI-002476"] + tag nist: ["SC-28 (1)"] +end \ No newline at end of file diff --git a/controls/SV-238367.rb b/controls/SV-238367.rb new file mode 100644 index 0000000..b36ba24 --- /dev/null +++ b/controls/SV-238367.rb @@ -0,0 +1,77 @@ +# encoding: UTF-8 + +control "SV-238367" do + title "The Ubuntu operating system must configure the uncomplicated firewall to rate-limit +impacted network interfaces. " + desc "Denial of service (DoS) is a condition when a resource is not available for legitimate users. +When this occurs, the organization either cannot accomplish its mission or must operate at +degraded capacity. + +This requirement addresses the configuration of the operating system +to mitigate the impact of DoS attacks that have occurred or are ongoing on system +availability. For each system, known and potential DoS attacks must be identified and +solutions for each type implemented. A variety of technologies exist to limit or, in some +cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing +memory partitions). Employing increased capacity and bandwidth, combined with service +redundancy, may reduce the susceptibility to some DoS attacks. " + desc "check", "Verify an application firewall is configured to rate limit any connection to the system. + + +Check all the services listening to the ports with the following command: + +$ sudo ss -l46ut + + +Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process +tcp LISTEN 0 128 +[::]:ssh [::]:* + +For each entry, verify that the Uncomplicated Firewall is configured to +rate limit the service ports with the following command: + +$ sudo ufw status + +Status: active + + +To Action From +-- ------ ---- +22/tcp LIMIT Anywhere +22/tcp (v6) LIMIT Anywhere (v6) + +If +any port with a state of \"LISTEN\" is not marked with the \"LIMIT\" action, this is a finding. " + desc "fix", "Configure the application firewall to protect against or limit the effects of DoS attacks by +ensuring the Ubuntu operating system is implementing rate-limiting measures on impacted +network interfaces. + +Check all the services listening to the ports with the following +command: + +$ sudo ss -l46ut + +Netid State Recv-Q Send-Q Local Address:Port Peer +Address:Port Process +tcp LISTEN 0 128 [::]:ssh [::]:* + +For each service with a port +listening to connections, run the following command, replacing \"[service]\" with the +service that needs to be rate limited. + +$ sudo ufw limit [service] + +Rate-limiting can also +be done on an interface. An example of adding a rate-limit on the eth0 interface follows: + +$ +sudo ufw limit in on eth0 " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000420-GPOS-00186 " + tag gid: "V-238367 " + tag rid: "SV-238367r853444_rule " + tag stig_id: "UBTU-20-010446 " + tag fix_id: "F-41536r654275_fix " + tag cci: ["CCI-002385"] + tag nist: ["SC-5 a"] +end \ No newline at end of file diff --git a/controls/SV-238368.rb b/controls/SV-238368.rb new file mode 100644 index 0000000..0a2cb91 --- /dev/null +++ b/controls/SV-238368.rb @@ -0,0 +1,44 @@ +# encoding: UTF-8 + +control "SV-238368" do + title "The Ubuntu operating system must implement non-executable data to protect its memory from +unauthorized code execution. " + desc "Some adversaries launch attacks with the intent of executing code in non-executable regions +of memory or in memory locations that are prohibited. Security safeguards employed to +protect memory include, for example, data execution prevention and address space layout +randomization. Data execution prevention safeguards can either be hardware-enforced or +software-enforced with hardware providing the greater strength of mechanism. + +Examples +of attacks are buffer overflow attacks. " + desc "check", "Verify the NX (no-execution) bit flag is set on the system with the following commands: + +$ +dmesg | grep -i \"execute disable\" +[ 0.000000] NX (Execute Disable) protection: active + +If +\"dmesg\" does not show \"NX (Execute Disable) protection: active\", check the cpuinfo settings +with the following command: + +$ grep flags /proc/cpuinfo | grep -w nx | sort -u +flags : fpu vme +de pse tsc ms nx rdtscp lm constant_tsc + +If \"flags\" does not contain the \"nx\" flag, this is a +finding. " + desc "fix", "Configure the Ubuntu operating system to enable NX. + +If \"nx\" is not showing up in +\"/proc/cpuinfo\", and the system's BIOS setup configuration permits toggling the No +Execution bit, set it to \"enable\". " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000433-GPOS-00192 " + tag gid: "V-238368 " + tag rid: "SV-238368r853445_rule " + tag stig_id: "UBTU-20-010447 " + tag fix_id: "F-41537r654278_fix " + tag cci: ["CCI-002824"] + tag nist: ["SI-16"] +end \ No newline at end of file diff --git a/controls/SV-238369.rb b/controls/SV-238369.rb new file mode 100644 index 0000000..a8eee68 --- /dev/null +++ b/controls/SV-238369.rb @@ -0,0 +1,58 @@ +# encoding: UTF-8 + +control "SV-238369" do + title "The Ubuntu operating system must implement address space layout randomization to protect +its memory from unauthorized code execution. " + desc "Some adversaries launch attacks with the intent of executing code in non-executable regions +of memory or in memory locations that are prohibited. Security safeguards employed to +protect memory include, for example, data execution prevention and address space layout +randomization. Data execution prevention safeguards can either be hardware-enforced or +software-enforced with hardware providing the greater strength of mechanism. + +Examples +of attacks are buffer overflow attacks. " + desc "check", "Verify the Ubuntu operating system implements address space layout randomization (ASLR) +with the following command: + +$ sudo sysctl kernel.randomize_va_space + + +kernel.randomize_va_space = 2 + +If nothing is returned, verify the kernel parameter +\"randomize_va_space\" is set to \"2\" with the following command: + +$ cat +/proc/sys/kernel/randomize_va_space + +2 + +If \"kernel.randomize_va_space\" is not set to +\"2\", this is a finding. + +Verify that a saved value of the \"kernel.randomize_va_space\" +variable is not defined. + +$ sudo egrep -R \"^kernel.randomize_va_space=[^2]\" +/etc/sysctl.conf /etc/sysctl.d + +If this returns a result, this is a finding. " + desc "fix", "Remove the \"kernel.randomize_va_space\" entry found in the \"/etc/sysctl.conf\" file or any +file located in the \"/etc/sysctl.d/\" directory. + +After the line has been removed, the +kernel settings from all system configuration files must be reloaded before any of the +changes will take effect. Run the following command to reload all of the kernel system +configuration files: + +$ sudo sysctl --system " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000433-GPOS-00193 " + tag gid: "V-238369 " + tag rid: "SV-238369r853446_rule " + tag stig_id: "UBTU-20-010448 " + tag fix_id: "F-41538r654281_fix " + tag cci: ["CCI-002824"] + tag nist: ["SI-16"] +end \ No newline at end of file diff --git a/controls/SV-238370.rb b/controls/SV-238370.rb new file mode 100644 index 0000000..b4d708b --- /dev/null +++ b/controls/SV-238370.rb @@ -0,0 +1,42 @@ +# encoding: UTF-8 + +control "SV-238370" do + title "The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all +software components after updated versions have been installed. " + desc "Previous versions of software components that are not removed from the information system +after updates have been installed may be exploited by adversaries. Some information +technology products may remove older versions of software automatically from the +information system. " + desc "check", "Verify is configured to remove all software components after updated versions have been +installed with the following command: + +$ grep -i remove-unused +/etc/apt/apt.conf.d/50unattended-upgrades + +Unattended-Upgrade::Remove-Unused-Dependencies \"true\"; + +Unattended-Upgrade::Remove-Unused-Kernel-Packages \"true\"; + +If the +\"::Remove-Unused-Dependencies\" and \"::Remove-Unused-Kernel-Packages\" parameters are +not set to \"true\" or are missing or commented out, this is a finding. " + desc "fix", "Configure APT to remove all software components after updated versions have been installed. + + +Add or updated the following options to the +\"/etc/apt/apt.conf.d/50unattended-upgrades\" file: + + +Unattended-Upgrade::Remove-Unused-Dependencies \"true\"; + +Unattended-Upgrade::Remove-Unused-Kernel-Packages \"true\"; " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000437-GPOS-00194 " + tag gid: "V-238370 " + tag rid: "SV-238370r853447_rule " + tag stig_id: "UBTU-20-010449 " + tag fix_id: "F-41539r654284_fix " + tag cci: ["CCI-002617"] + tag nist: ["SI-2 (6)"] +end \ No newline at end of file diff --git a/controls/SV-238371.rb b/controls/SV-238371.rb new file mode 100644 index 0000000..71bdccc --- /dev/null +++ b/controls/SV-238371.rb @@ -0,0 +1,44 @@ +# encoding: UTF-8 + +control "SV-238371" do + title "The Ubuntu operating system must use a file integrity tool to verify correct operation of all +security functions. " + desc "Without verification of the security functions, security functions may not operate +correctly and the failure may go unnoticed. Security function is defined as the hardware, +software, and/or firmware of the information system responsible for enforcing the system +security policy and supporting the isolation of code and data on which the protection is +based. Security functionality includes, but is not limited to, establishing system +accounts, configuring access authorizations (i.e., permissions, privileges), setting +events to be audited, and setting intrusion detection parameters. + +This requirement +applies to the Ubuntu operating system performing security function verification/testing +and/or systems and environments that require this functionality. " + desc "check", "Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the +correct operation of all security functions. + +Check that the AIDE package is installed with +the following command: + +$ sudo dpkg -l | grep aide +ii aide 0.16.1-1build2 amd64 Advanced +Intrusion Detection Environment - static binary + +If AIDE is not installed, ask the System +Administrator how file integrity checks are performed on the system. + +If no application is +installed to perform integrity checks, this is a finding. " + desc "fix", "Install the AIDE package by running the following command: + +$ sudo apt-get install aide " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000445-GPOS-00199 " + tag gid: "V-238371 " + tag rid: "SV-238371r853448_rule " + tag stig_id: "UBTU-20-010450 " + tag fix_id: "F-41540r654287_fix " + tag cci: ["CCI-002696"] + tag nist: ["SI-6 a"] +end \ No newline at end of file diff --git a/controls/SV-238372.rb b/controls/SV-238372.rb new file mode 100644 index 0000000..ea607f9 --- /dev/null +++ b/controls/SV-238372.rb @@ -0,0 +1,43 @@ +# encoding: UTF-8 + +control "SV-238372" do + title "The Ubuntu operating system must notify designated personnel if baseline configurations +are changed in an unauthorized manner. The file integrity tool must notify the System +Administrator when changes to the baseline configuration or anomalies in the operation of +any security functions are discovered. " + desc "Unauthorized changes to the baseline configuration could make the system vulnerable to +various attacks or allow unauthorized access to the Ubuntu operating system. Changes to +Ubuntu operating system configurations can have unintended side effects, some of which may +be relevant to security. + +Detecting such changes and providing an automated response can +help avoid unintended, negative consequences that could ultimately affect the security +state of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be +notified via email and/or monitoring system trap when there is an unauthorized modification +of a configuration item. " + desc "check", "Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System +Administrator + when anomalies in the operation of any security functions are discovered +with the following command: + +$ sudo grep SILENTREPORTS /etc/default/aide + + +SILENTREPORTS=no + +If SILENTREPORTS is uncommented and set to \"yes\", this is a finding. " + desc "fix", "Configure the Ubuntu operating system to notify designated personnel if baseline +configurations are changed in an unauthorized manner. + +Modify the \"SILENTREPORTS\" +parameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist. " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000447-GPOS-00201 " + tag gid: "V-238372 " + tag rid: "SV-238372r853449_rule " + tag stig_id: "UBTU-20-010451 " + tag fix_id: "F-41541r654290_fix " + tag cci: ["CCI-002702"] + tag nist: ["SI-6 d"] +end \ No newline at end of file diff --git a/controls/SV-238373.rb b/controls/SV-238373.rb new file mode 100644 index 0000000..38519b9 --- /dev/null +++ b/controls/SV-238373.rb @@ -0,0 +1,43 @@ +# encoding: UTF-8 + +control "SV-238373" do + title "The Ubuntu operating system must display the date and time of the last successful account +logon upon logon. " + desc "Configuration settings are the set of parameters that can be changed in hardware, software, +or firmware components of the system that affect the security posture and/or functionality +of the system. Security-related parameters are those parameters impacting the security +state of the system, including the parameters required to satisfy other security control +requirements. Security-related parameters include, for example: registry settings; +account, file, directory permission settings; and settings for functions, ports, +protocols, services, and remote connections. " + desc "check", "Verify users are provided with feedback on when account accesses last occurred. + +Check that +\"pam_lastlog\" is used and not silent with the following command: + +$ grep pam_lastlog +/etc/pam.d/login + +session required pam_lastlog.so showfailed + +If \"pam_lastlog\" is +missing from \"/etc/pam.d/login\" file, is not \"required\", or the \"silent\" option is present, +this is a finding. " + desc "fix", "Configure the Ubuntu operating system to provide users with feedback on when account +accesses last occurred by setting the required configuration options in +\"/etc/pam.d/login\". + +Add the following line to the top of \"/etc/pam.d/login\": + +session +required pam_lastlog.so showfailed " + impact 0.3 + tag severity: "low " + tag gtitle: "SRG-OS-000480-GPOS-00227 " + tag gid: "V-238373 " + tag rid: "SV-238373r858539_rule " + tag stig_id: "UBTU-20-010453 " + tag fix_id: "F-41542r654293_fix " + tag cci: ["CCI-000052"] + tag nist: ["AC-9"] +end \ No newline at end of file diff --git a/controls/SV-238374.rb b/controls/SV-238374.rb new file mode 100644 index 0000000..9ac52d1 --- /dev/null +++ b/controls/SV-238374.rb @@ -0,0 +1,40 @@ +# encoding: UTF-8 + +control "SV-238374" do + title "The Ubuntu operating system must have an application firewall enabled. " + desc "Firewalls protect computers from network attacks by blocking or limiting access to open +network ports. Application firewalls limit which applications are allowed to communicate +over the network. " + desc "check", "Verify the Uncomplicated Firewall is enabled on the system by running the following command: + + +$ systemctl status ufw.service | grep -i \"active:\" + +Active: active (exited) since Mon +2016-10-17 12:30:29 CDT; 1s ago + +If the above command returns the status as \"inactive\", this +is a finding. + +If the Uncomplicated Firewall is not installed, ask the System Administrator +if another application firewall is installed. If no application firewall is installed, this +is a finding. " + desc "fix", "Enable the Uncomplicated Firewall by using the following command: + +$ sudo systemctl enable +ufw.service + +If the Uncomplicated Firewall is not currently running on the system, start it +with the following command: + +$ sudo systemctl start ufw.service " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000480-GPOS-00232 " + tag gid: "V-238374 " + tag rid: "SV-238374r654297_rule " + tag stig_id: "UBTU-20-010454 " + tag fix_id: "F-41543r654296_fix " + tag cci: ["CCI-000366"] + tag nist: ["CM-6 b"] +end \ No newline at end of file diff --git a/controls/SV-238376.rb b/controls/SV-238376.rb new file mode 100644 index 0000000..d28316f --- /dev/null +++ b/controls/SV-238376.rb @@ -0,0 +1,48 @@ +# encoding: UTF-8 + +control "SV-238376" do + title "The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. " + desc "If the Ubuntu operating system were to allow any user to make changes to software libraries, +then those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. + +This requirement applies to +Ubuntu operating systems with software libraries that are accessible and configurable, as +in the case of interpreted languages. Software libraries also include privileged programs +which execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating +changes, including upgrades and modifications. " + desc "check", "Verify the system commands contained in the following directories have mode 0755 or less +permissive: + +/bin +/sbin +/usr/bin +/usr/sbin +/usr/local/bin +/usr/local/sbin + + +Check that the system command files have mode 0755 or less permissive with the following +command: + +$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm +/022 -type f -exec stat -c \"%n %a\" '{}' \\; + +If any files are found to be group-writable or +world-writable, this is a finding. " + desc "fix", "Configure the system commands to be protected from unauthorized access. Run the following +command: + +$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm +/022 -type f -exec chmod 755 '{}' \\; " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000259-GPOS-00100 " + tag gid: "V-238376 " + tag rid: "SV-238376r654303_rule " + tag stig_id: "UBTU-20-010456 " + tag fix_id: "F-41545r654302_fix " + tag cci: ["CCI-001499"] + tag nist: ["CM-5 (6)"] +end \ No newline at end of file diff --git a/controls/SV-238377.rb b/controls/SV-238377.rb new file mode 100644 index 0000000..410996e --- /dev/null +++ b/controls/SV-238377.rb @@ -0,0 +1,48 @@ +# encoding: UTF-8 + +control "SV-238377" do + title "The Ubuntu operating system must have system commands owned by root or a system account. " + desc "If the Ubuntu operating system were to allow any user to make changes to software libraries, +then those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. + +This requirement applies to +Ubuntu operating systems with software libraries that are accessible and configurable, as +in the case of interpreted languages. Software libraries also include privileged programs +which execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating +changes, including upgrades and modifications. " + desc "check", "Verify the system commands contained in the following directories are owned by root, or a +required system account: + +/bin +/sbin +/usr/bin +/usr/sbin +/usr/local/bin + +/usr/local/sbin + +Use the following command for the check: + +$ sudo find /bin /sbin +/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \"%n %U\" +'{}' \\; + +If any system commands are returned and are not owned by a required system account, +this is a finding. " + desc "fix", "Configure the system commands and their respective parent directories to be protected from +unauthorized access. Run the following command, replacing \"[FILE]\" with any system command +file not owned by \"root\" or a required system account: + +$ sudo chown root [FILE] " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000259-GPOS-00100 " + tag gid: "V-238377 " + tag rid: "SV-238377r832968_rule " + tag stig_id: "UBTU-20-010457 " + tag fix_id: "F-41546r832967_fix " + tag cci: ["CCI-001499"] + tag nist: ["CM-5 (6)"] +end \ No newline at end of file diff --git a/controls/SV-238378.rb b/controls/SV-238378.rb new file mode 100644 index 0000000..5b9dadd --- /dev/null +++ b/controls/SV-238378.rb @@ -0,0 +1,49 @@ +# encoding: UTF-8 + +control "SV-238378" do + title "The Ubuntu operating system must have system commands group-owned by root or a system +account. " + desc "If the Ubuntu operating system were to allow any user to make changes to software libraries, +then those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. + +This requirement applies to +Ubuntu operating systems with software libraries that are accessible and configurable, as +in the case of interpreted languages. Software libraries also include privileged programs +which execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating +changes, including upgrades and modifications. " + desc "check", "Verify the system commands contained in the following directories are group-owned by root or +a required system account: + +/bin +/sbin +/usr/bin +/usr/sbin +/usr/local/bin + +/usr/local/sbin + +Run the check with the following command: + +$ sudo find -L /bin /sbin +/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec +stat -c \"%n %G\" '{}' \\; + +If any system commands are returned that are not Set Group ID upon +execution (SGID) files and group-owned by a required system account, this is a finding. " + desc "fix", "Configure the system commands to be protected from unauthorized access. Run the following +command, replacing \"[FILE]\" with any system command file not group-owned by \"root\" or a +required system account: + +$ sudo chgrp root [FILE] " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000259-GPOS-00100 " + tag gid: "V-238378 " + tag rid: "SV-238378r832971_rule " + tag stig_id: "UBTU-20-010458 " + tag fix_id: "F-41547r832970_fix " + tag cci: ["CCI-001499"] + tag nist: ["CM-5 (6)"] +end \ No newline at end of file diff --git a/controls/SV-238379.rb b/controls/SV-238379.rb new file mode 100644 index 0000000..053eeb7 --- /dev/null +++ b/controls/SV-238379.rb @@ -0,0 +1,48 @@ +# encoding: UTF-8 + +control "SV-238379" do + title "The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical +user interface is installed. " + desc "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the +system. If accidentally pressed, as could happen in the case of a mixed OS environment, this +can create the risk of short-term loss of availability of systems due to unintentional +reboot. In the graphical environment, risk of unintentional reboot from the +Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is +taken. " + desc "check", "Verify the Ubuntu operating system is not configured to reboot the system when +Ctrl-Alt-Delete is pressed when using a graphical user interface. + +Check that the \"logout\" +target is not bound to an action with the following command: + +# grep logout +/etc/dconf/db/local.d/* + +logout='' + +If the \"logout\" key is bound to an action, is +commented out, or is missing, this is a finding. " + desc "fix", "Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user +interface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file. + +Add +the setting to disable the Ctrl-Alt-Delete sequence for the graphical user +interface: + +[org/gnome/settings-daemon/plugins/media-keys] +logout='' + +Update the +dconf settings: + +# dconf update " + impact 0.7 + tag severity: "high " + tag gtitle: "SRG-OS-000480-GPOS-00227 " + tag gid: "V-238379 " + tag rid: "SV-238379r654312_rule " + tag stig_id: "UBTU-20-010459 " + tag fix_id: "F-41548r654311_fix " + tag cci: ["CCI-000366"] + tag nist: ["CM-6 b"] +end \ No newline at end of file diff --git a/controls/SV-238380.rb b/controls/SV-238380.rb new file mode 100644 index 0000000..12efed9 --- /dev/null +++ b/controls/SV-238380.rb @@ -0,0 +1,45 @@ +# encoding: UTF-8 + +control "SV-238380" do + title "The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. " + desc "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the +system. If accidentally pressed, as could happen in the case of a mixed OS environment, this +can create the risk of short-term loss of availability of systems due to unintentional +reboot. " + desc "check", "Verify the Ubuntu operating system is not configured to reboot the system when +Ctrl-Alt-Delete is pressed. + +Check that the \"ctrl-alt-del.target\" (otherwise also known +as reboot.target) is not active with the following command: + +$ sudo systemctl status +ctrl-alt-del.target +ctrl-alt-del.target +Loaded: masked (Reason: Unit +ctrl-alt-del.target is masked.) +Active: inactive (dead) + +If the \"ctrl-alt-del.target\" +is not masked, this is a finding. " + desc "fix", "Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the +following commands: + +$ sudo systemctl disable ctrl-alt-del.target + +$ sudo systemctl +mask ctrl-alt-del.target + +Reload the daemon to take effect: + +$ sudo systemctl +daemon-reload " + impact 0.7 + tag severity: "high " + tag gtitle: "SRG-OS-000480-GPOS-00227 " + tag gid: "V-238380 " + tag rid: "SV-238380r832974_rule " + tag stig_id: "UBTU-20-010460 " + tag fix_id: "F-41549r832973_fix " + tag cci: ["CCI-000366"] + tag nist: ["CM-6 b"] +end \ No newline at end of file diff --git a/controls/SV-251503.rb b/controls/SV-251503.rb new file mode 100644 index 0000000..04885d3 --- /dev/null +++ b/controls/SV-251503.rb @@ -0,0 +1,31 @@ +# encoding: UTF-8 + +control "SV-251503" do + title "The Ubuntu operating system must not have accounts configured with blank or null passwords. " + desc "If an account has an empty password, anyone could log on and run commands with the privileges of +that account. Accounts with empty passwords should never be used in operational +environments. " + desc "check", "Check the \"/etc/shadow\" file for blank passwords with the following command: + +$ sudo awk -F: +'!$2 {print $1}' /etc/shadow + +If the command returns any results, this is a finding. " + desc "fix", "Configure all accounts on the system to have a password or lock the account with the following +commands: + +Perform a password reset: +$ sudo passwd [username] +Lock an account: +$ sudo +passwd -l [username] " + impact 0.7 + tag severity: "high " + tag gtitle: "SRG-OS-000480-GPOS-00227 " + tag gid: "V-251503 " + tag rid: "SV-251503r808506_rule " + tag stig_id: "UBTU-20-010462 " + tag fix_id: "F-54892r808505_fix " + tag cci: ["CCI-000366"] + tag nist: ["CM-6 b"] +end \ No newline at end of file diff --git a/controls/SV-251504.rb b/controls/SV-251504.rb new file mode 100644 index 0000000..4c0baae --- /dev/null +++ b/controls/SV-251504.rb @@ -0,0 +1,32 @@ +# encoding: UTF-8 + +control "SV-251504" do + title "The Ubuntu operating system must not allow accounts configured with blank or null passwords. " + desc "If an account has an empty password, anyone could log on and run commands with the privileges of +that account. Accounts with empty passwords should never be used in operational +environments. " + desc "check", "To verify that null passwords cannot be used, run the following command: + +$ grep nullok +/etc/pam.d/common-password + +If this produces any output, it may be possible to log on with +accounts with empty passwords. + +If null passwords can be used, this is a finding. " + desc "fix", "If an account is configured for password authentication but does not have an assigned +password, it may be possible to log on to the account without authenticating. + +Remove any +instances of the \"nullok\" option in \"/etc/pam.d/common-password\" to prevent logons with +empty passwords. " + impact 0.7 + tag severity: "high " + tag gtitle: "SRG-OS-000480-GPOS-00227 " + tag gid: "V-251504 " + tag rid: "SV-251504r832977_rule " + tag stig_id: "UBTU-20-010463 " + tag fix_id: "F-54893r832976_fix " + tag cci: ["CCI-000366"] + tag nist: ["CM-6 b"] +end \ No newline at end of file diff --git a/controls/SV-251505.rb b/controls/SV-251505.rb new file mode 100644 index 0000000..ec71454 --- /dev/null +++ b/controls/SV-251505.rb @@ -0,0 +1,54 @@ +# encoding: UTF-8 + +control "SV-251505" do + title "The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB) +mass storage driver. " + desc "Without authenticating devices, unidentified or unknown devices may be introduced, +thereby facilitating malicious activity. + +Peripherals include, but are not limited to, +such devices as flash drives, external storage, and printers. " + desc "check", "Verify that Ubuntu operating system disables ability to load the USB storage kernel +module. + +# grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\" + +install usb-storage +/bin/true + +If the command does not return any output, or the line is commented out, this is a +finding. + +Verify the operating system disables the ability to use USB mass storage +device. + +# grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\" + +blacklist +usb-storage + +If the command does not return any output, or the line is commented out, this is a +finding. " + desc "fix", "Configure the Ubuntu operating system to disable using the USB storage kernel module. + + +Create a file under \"/etc/modprobe.d\" to contain the following: + +# sudo su -c \"echo +install usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\" + +Configure the +operating system to disable the ability to use USB mass storage devices. + +# sudo su -c \"echo +blacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\" " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000378-GPOS-00163 " + tag gid: "V-251505 " + tag rid: "SV-251505r853450_rule " + tag stig_id: "UBTU-20-010461 " + tag fix_id: "F-54894r808511_fix " + tag cci: ["CCI-001958"] + tag nist: ["IA-3"] +end \ No newline at end of file diff --git a/controls/SV-252704.rb b/controls/SV-252704.rb new file mode 100644 index 0000000..5771d87 --- /dev/null +++ b/controls/SV-252704.rb @@ -0,0 +1,77 @@ +# encoding: UTF-8 + +control "SV-252704" do + title "The Ubuntu operating system must disable all wireless network adapters. " + desc "Without protection of communications with wireless peripherals, confidentiality and +integrity may be compromised because unprotected communications can be intercepted and +either read, altered, or used to compromise the operating system. + +This requirement +applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, +etc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR +Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique +challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet +DoD requirements for wireless data transmission and be approved for use by the AO. Even though +some wireless peripherals, such as mice and pointing devices, do not ordinarily carry +information that need to be protected, modification of communications with these wireless +peripherals may be used to compromise the operating system. Communication paths outside the +physical protection of a controlled boundary are exposed to the possibility of interception +and modification. + +Protecting the confidentiality and integrity of communications with +wireless peripherals can be accomplished by physical means (e.g., employing physical +barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic +techniques). If physical means of protection are employed, then logical means +(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only +passing telemetry data, encryption of the data may not be required. " + desc "check", "Note: This requirement is Not Applicable for systems that do not have physical wireless +network radios. + +Verify that there are no wireless interfaces configured on the system with +the following command: + +$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs +basename + +If a wireless interface is configured and has not been documented and approved by +the ISSO, this is a finding. " + desc "fix", "List all the wireless interfaces with the following command: + +$ ls -L -d +/sys/class/net/*/wireless | xargs dirname | xargs basename + +For each interface, +configure the system to disable wireless network interfaces with the following command: + +$ +sudo ifdown <interface name> + +For each interface listed, find their respective +module with the following command: + +$ basename $(readlink -f +/sys/class/net/<interface name>/device/driver) + +where <interface name> +must be substituted by the actual interface name. + +Create a file in the \"/etc/modprobe.d\" +directory and for each module, add the following line: + +install <module name> +/bin/true + +For each module from the system, execute the following command to remove it: + +$ +sudo modprobe -r <module name> " + impact 0.5 + tag severity: "medium " + tag gtitle: "SRG-OS-000481-GPOS-00481 " + tag gid: "V-252704 " + tag rid: "SV-252704r854182_rule " + tag stig_id: "UBTU-20-010455 " + tag fix_id: "F-56110r819056_fix " + tag cci: ["CCI-002418"] + tag nist: ["SC-8"] +end \ No newline at end of file diff --git a/controls/V-238196.rb b/controls/V-238196.rb deleted file mode 100644 index b152c1a..0000000 --- a/controls/V-238196.rb +++ /dev/null @@ -1,77 +0,0 @@ -# encoding: UTF-8 - -control 'V-238196' do - title "The Ubuntu operating system must provision temporary user accounts -with an expiration time of 72 hours or less." - desc "If temporary user accounts remain active when no longer needed or for -an excessive period, these accounts may be used to gain unauthorized access. To -mitigate this risk, automated termination of all temporary accounts must be set -upon account creation. - - Temporary accounts are established as part of normal account activation -procedures when there is a need for short-term accounts without the demand for -immediacy in account activation. - - If temporary accounts are used, the operating system must be configured to -automatically terminate these types of accounts after a DoD-defined time period -of 72 hours. - - To address access requirements, many operating systems may be integrated -with enterprise-level authentication/access mechanisms that meet or exceed -access control policy requirements. - " - desc 'rationale', '' - desc 'check', " - Verify that the Ubuntu operating system expires temporary user accounts -within 72 hours or less. - - For every existing temporary account, run the following command to obtain -its account expiration information: - - $ sudo chage -l system_account_name | grep expires - - Password expires : Aug 07, 2019 - Account expires : Aug 07, 2019 - - Verify that each of these accounts has an expiration date set within 72 -hours of account creation. - - If any temporary account does not expire within 72 hours of that account's -creation, this is a finding. - " - desc 'fix', " - If a temporary account must be created, configure the system to terminate -the account after a 72-hour time period with the following command to set an -expiration date on it. - - Substitute \"system_account_name\" with the account to be created. - - $ sudo chage -E $(date -d \"+3 days\" +%F) system_account_name - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000002-GPOS-00002' - tag gid: 'V-238196' - tag rid: 'SV-238196r653763_rule' - tag stig_id: 'UBTU-20-010000' - tag fix_id: 'F-41365r653762_fix' - tag cci: ['CCI-000016'] - tag legacy: [] - tag nist: ['AC-2 (2)'] - - temporary_accounts = input('temporary_accounts') - - if temporary_accounts.empty? - describe 'Temporary accounts' do - subject { temporary_accounts } - it { should be_empty } - end - else - temporary_accounts.each do |acct| - describe command("chage -l #{acct} | grep 'Account expires'") do - its('stdout.strip') { should_not match /:\s*never/ } - end - end - end -end - diff --git a/controls/V-238197.rb b/controls/V-238197.rb deleted file mode 100644 index d47ec45..0000000 --- a/controls/V-238197.rb +++ /dev/null @@ -1,111 +0,0 @@ -# encoding: UTF-8 - -control 'V-238197' do - title "The Ubuntu operating system must enable the graphical user logon -banner to display the Standard Mandatory DoD Notice and Consent Banner before -granting local access to the system via a graphical user logon." - desc "Display of a standardized and approved use notification before -granting access to the Ubuntu operating system ensures privacy and security -notification verbiage used is consistent with applicable federal laws, -Executive Orders, directives, policies, regulations, standards, and guidance. - - System use notifications are required only for access via logon interfaces -with human users and are not required when such human interfaces do not exist. - - The banner must be formatted in accordance with applicable DoD policy. Use -the following verbiage for operating systems that can accommodate banners of -1300 characters: - - \"You are accessing a U.S. Government (USG) Information System (IS) that is -provided for USG-authorized use only. - - By using this IS (which includes any device attached to this IS), you -consent to the following conditions: - - -The USG routinely intercepts and monitors communications on this IS for -purposes including, but not limited to, penetration testing, COMSEC monitoring, -network operations and defense, personnel misconduct (PM), law enforcement -(LE), and counterintelligence (CI) investigations. - - -At any time, the USG may inspect and seize data stored on this IS. - - -Communications using, or data stored on, this IS are not private, are -subject to routine monitoring, interception, and search, and may be disclosed -or used for any USG-authorized purpose. - - -This IS includes security measures (e.g., authentication and access -controls) to protect USG interests--not for your personal benefit or privacy. - - -Notwithstanding the above, using this IS does not constitute consent to -PM, LE or CI investigative searching or monitoring of the content of privileged -communications, or work product, related to personal representation or services -by attorneys, psychotherapists, or clergy, and their assistants. Such -communications and work product are private and confidential. See User -Agreement for details.\" - - Use the following verbiage for operating systems that have severe -limitations on the number of characters that can be displayed in the banner: - - \"I've read and consent to terms in IS user agreem't.\" - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system is configured to display the Standard -Mandatory DoD Notice and Consent Banner before granting access to the operating -system via a graphical user logon. - - Note: If the system does not have a graphical user interface installed, -this requirement is Not Applicable. - - Check that the operating banner message for the graphical user logon is -enabled with the following command: - - $ grep ^banner-message-enable /etc/gdm3/greeter.dconf-defaults - - banner-message-enable=true - - If the line is commented out or set to \"false\", this is a finding. - " - desc 'fix', " - Edit the \"/etc/gdm3/greeter.dconf-defaults\" file. - - Look for the \"banner-message-enable\" parameter under the -\"[org/gnome/login-screen]\" section and uncomment it (remove the leading \"#\" -characters): - - Note: The lines are all near the bottom of the file but not adjacent to -each other. - - [org/gnome/login-screen] - - banner-message-enable=true - - Update the GDM with the new configuration: - - $ sudo dconf update - $ sudo systemctl restart gdm3 - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000023-GPOS-00006' - tag gid: 'V-238197' - tag rid: 'SV-238197r653766_rule' - tag stig_id: 'UBTU-20-010002' - tag fix_id: 'F-41366r653765_fix' - tag cci: ['CCI-000048'] - tag legacy: [] - tag nist: ['AC-8 a'] - - xorg_status = command('which Xorg').exit_status - if xorg_status == 0 - describe 'banner-message-enable must be set to true' do - subject { command('grep banner-message-enable /etc/dconf/db/local.d/*') } - its('stdout') { should match /(banner-message-enable).+=.+(true)/ } - end - else - describe command('which Xorg').exit_status do - skip("GUI not installed.\nwhich Xorg exit_status: " + command('which Xorg').exit_status.to_s) - end - end -end - diff --git a/controls/V-238198.rb b/controls/V-238198.rb deleted file mode 100644 index 009a26c..0000000 --- a/controls/V-238198.rb +++ /dev/null @@ -1,145 +0,0 @@ -# encoding: UTF-8 - -control 'V-238198' do - title "The Ubuntu operating system must display the Standard Mandatory DoD -Notice and Consent Banner before granting local access to the system via a -graphical user logon." - desc "Display of a standardized and approved use notification before -granting access to the Ubuntu operating system ensures privacy and security -notification verbiage used is consistent with applicable federal laws, -Executive Orders, directives, policies, regulations, standards, and guidance. - - System use notifications are required only for access via logon interfaces -with human users and are not required when such human interfaces do not exist. - - The banner must be formatted in accordance with applicable DoD policy. Use -the following verbiage for operating systems that can accommodate banners of -1300 characters: - - \"You are accessing a U.S. Government (USG) Information System (IS) that is -provided for USG-authorized use only. - - By using this IS (which includes any device attached to this IS), you -consent to the following conditions: - - -The USG routinely intercepts and monitors communications on this IS for -purposes including, but not limited to, penetration testing, COMSEC monitoring, -network operations and defense, personnel misconduct (PM), law enforcement -(LE), and counterintelligence (CI) investigations. - - -At any time, the USG may inspect and seize data stored on this IS. - - -Communications using, or data stored on, this IS are not private, are -subject to routine monitoring, interception, and search, and may be disclosed -or used for any USG-authorized purpose. - - -This IS includes security measures (e.g., authentication and access -controls) to protect USG interests--not for your personal benefit or privacy. - - -Notwithstanding the above, using this IS does not constitute consent to -PM, LE or CI investigative searching or monitoring of the content of privileged -communications, or work product, related to personal representation or services -by attorneys, psychotherapists, or clergy, and their assistants. Such -communications and work product are private and confidential. See User -Agreement for details.\" - - Use the following verbiage for operating systems that have severe -limitations on the number of characters that can be displayed in the banner: - - \"I've read and consent to terms in IS user agreem't.\" - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system displays the Standard Mandatory DoD -Notice and Consent Banner before granting access to the operating system via a -graphical user logon. - - Note: If the system does not have a graphical user interface installed, -this requirement is Not Applicable. - - Verify the operating system displays the exact approved Standard Mandatory -DoD Notice and Consent Banner text with the command: - - $ grep ^banner-message-text /etc/gdm3/greeter.dconf-defaults - - banner-message-text=\"You are accessing a U.S. Government \\(USG\\) -Information System \\(IS\\) that is provided for USG-authorized use only.\\s+By -using this IS \\(which includes any device attached to this IS\\), you consent -to the following conditions:\\s+-The USG routinely intercepts and monitors -communications on this IS for purposes including, but not limited to, -penetration testing, COMSEC monitoring, network operations and defense, -personnel misconduct \\(PM\\), law enforcement \\(LE\\), and -counterintelligence \\(CI\\) investigations.\\s+-At any time, the USG may -inspect and seize data stored on this IS.\\s+-Communications using, or data -stored on, this IS are not private, are subject to routine monitoring, -interception, and search, and may be disclosed or used for any USG-authorized -purpose.\\s+-This IS includes security measures \\(e.g., authentication and -access controls\\) to protect USG interests--not for your personal benefit or -privacy.\\s+-Notwithstanding the above, using this IS does not constitute -consent to PM, LE or CI investigative searching or monitoring of the content of -privileged communications, or work product, related to personal representation -or services by attorneys, psychotherapists, or clergy, and their assistants. -Such communications and work product are private and confidential. See User -Agreement for details.\" - - If the banner-message-text is missing, commented out, or does not match the -Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding. - " - desc 'fix', " - Edit the \"/etc/gdm3/greeter.dconf-defaults\" file. - - Set the \"banner-message-text\" line to contain the appropriate banner -message text as shown below: - - banner-message-text='You are accessing a U.S. Government (USG) Information -System (IS) that is provided for USG-authorized use only.\ - \ - By using this IS (which includes any device attached to this IS), you -consent to the following conditions:\ - \ - -The USG routinely intercepts and monitors communications on this IS for -purposes including, but not limited to, penetration testing, COMSEC monitoring, -network operations and defense, personnel misconduct (PM), law enforcement -(LE), and counterintelligence (CI) investigations.\ - \ - -At any time, the USG may inspect and seize data stored on this IS.\ - \ - -Communications using, or data stored on, this IS are not private, are -subject to routine monitoring, interception, and search, and may be disclosed -or used for any USG-authorized purpose.\ - \ - -This IS includes security measures (e.g., authentication and access -controls) to protect USG interests--not for your personal benefit or privacy.\ - \ - -Notwithstanding the above, using this IS does not constitute consent to -PM, LE or CI investigative searching or monitoring of the content of privileged -communications, or work product, related to personal representation or services -by attorneys, psychotherapists, or clergy, and their assistants. Such -communications and work product are private and confidential. See User -Agreement for details.' - - Update the GDM with the new configuration: - - $ sudo dconf update - $ sudo systemctl restart gdm3 - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000023-GPOS-00006' - tag gid: 'V-238198' - tag rid: 'SV-238198r653769_rule' - tag stig_id: 'UBTU-20-010003' - tag fix_id: 'F-41367r653768_fix' - tag cci: ['CCI-000048'] - tag legacy: [] - tag nist: ['AC-8 a'] - #TOODO -# banner_text = input('banner_text') -# clean_banner = banner_text.gsub(/[\r\n\s]/, '') -# gdm3_defaults_file="/etc/gdm3/greeter.dconf-defaults" -# describe 'The SSHD Banner is set to the standard banner and has the correct text' do -# subject { file(gdm3_defaults_file).content.gsub(/[\r\n\s]/, '')} -# it { should cmp clean_banner } -# end -end - diff --git a/controls/V-238199.rb b/controls/V-238199.rb deleted file mode 100644 index 2ee1863..0000000 --- a/controls/V-238199.rb +++ /dev/null @@ -1,73 +0,0 @@ -# encoding: UTF-8 - -control 'V-238199' do - title "The Ubuntu operating system must retain a user's session lock until -that user reestablishes access using established identification and -authentication procedures." - desc "A session lock is a temporary action taken when a user stops work and -moves away from the immediate physical vicinity of the information system but -does not want to log out because of the temporary nature of the absence. - - The session lock is implemented at the point where session activity can be -determined. - - Regardless of where the session lock is determined and implemented, once -invoked, a session lock of the Ubuntu operating system must remain in place -until the user reauthenticates. No other activity aside from reauthentication -must unlock the system. - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operation system has a graphical user interface session -lock enabled. - - Note: If the Ubuntu operating system does not have a graphical user -interface installed, this requirement is Not Applicable. - - Get the \"lock-enabled\" setting to verify the graphical user interface -session has the lock enabled with the following command: - - $ sudo gsettings get org.gnome.desktop.screensaver lock-enabled - - true - - If \"lock-enabled\" is not set to \"true\", this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to allow a user to lock the current -graphical user interface session. - - Note: If the Ubuntu operating system does not have a graphical user -interface installed, this requirement is Not Applicable. - - Set the \"lock-enabled\" setting to allow graphical user interface session -locks with the following command: - - $ sudo gsettings set org.gnome.desktop.screensaver lock-enabled true - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000028-GPOS-00009' - tag satisfies: ['SRG-OS-000028-GPOS-00009', 'SRG-OS-000029-GPOS-00010'] - tag gid: 'V-238199' - tag rid: 'SV-238199r653772_rule' - tag stig_id: 'UBTU-20-010004' - tag fix_id: 'F-41368r653771_fix' - tag cci: ['CCI-000056', 'CCI-000057'] - tag legacy: [] - tag nist: ['AC-11 b', 'AC-11 a'] - - xorg_status = command('which Xorg').exit_status - if xorg_status == 0 - describe command('gsettings get org.gnome.desktop.screensaver lock-enabled') do - its('stdout') { should cmp 'true'} - end - else - describe command('which Xorg').exit_status do - skip("GUI not installed.\nwhich Xorg exit_status: " + command('which Xorg').exit_status.to_s) - end - end -end - diff --git a/controls/V-238200.rb b/controls/V-238200.rb deleted file mode 100644 index 553a56a..0000000 --- a/controls/V-238200.rb +++ /dev/null @@ -1,50 +0,0 @@ -# encoding: UTF-8 - -control 'V-238200' do - title "The Ubuntu operating system must allow users to directly initiate a -session lock for all connection types." - desc "A session lock is a temporary action taken when a user stops work and -moves away from the immediate physical vicinity of the information system but -does not want to log out because of the temporary nature of the absence. - - The session lock is implemented at the point where session activity can be -determined. Rather than be forced to wait for a period of time to expire before -the user session can be locked, the Ubuntu operating systems need to provide -users with the ability to manually invoke a session lock so users may secure -their session if they need to temporarily vacate the immediate physical -vicinity. - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system has the \"vlock\" package installed by -running the following command: - - $ dpkg -l | grep vlock - - If \"vlock\" is not installed, this is a finding. - " - desc 'fix', " - Install the \"vlock\" package (if it is not already installed) by running -the following command: - - $ sudo apt-get install vlock - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000030-GPOS-00011' - tag satisfies: ['SRG-OS-000030-GPOS-00011', 'SRG-OS-000031-GPOS-00012'] - tag gid: 'V-238200' - tag rid: 'SV-238200r653775_rule' - tag stig_id: 'UBTU-20-010005' - tag fix_id: 'F-41369r653774_fix' - tag cci: ['CCI-000058', 'CCI-000060'] - tag legacy: [] - tag nist: ['AC-11 a', 'AC-11 (1)'] - - describe package('vlock') do - it { should be_installed } - end -end - diff --git a/controls/V-238201.rb b/controls/V-238201.rb deleted file mode 100644 index 1dbe721..0000000 --- a/controls/V-238201.rb +++ /dev/null @@ -1,55 +0,0 @@ -# encoding: UTF-8 - -control 'V-238201' do - title "The Ubuntu operating system must map the authenticated identity to the -user or group account for PKI-based authentication." - desc "Without mapping the certificate used to authenticate to the user -account, the ability to determine the identity of the individual user or group -will not be available for forensic analysis." - desc 'rationale', '' - desc 'check', " - Verify that \"use_mappers\" is set to \"pwent\" in -\"/etc/pam_pkcs11/pam_pkcs11.conf\" file: - - $ grep ^use_mappers /etc/pam_pkcs11/pam_pkcs11.conf - use_mappers = pwent - - If \"use_mappers\" is not found or the list does not contain \"pwent\" this -is a finding. - " - desc 'fix', " - Set \"use_mappers=pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" or, if -there is already a comma-separated list of mappers, add it to the list, -separated by comma, and before the null mapper. - - If the system is missing an \"/etc/pam_pkcs11/\" directory and an -\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and -modify accordingly at -\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\". - " - impact 0.7 - tag severity: 'high' - tag gtitle: 'SRG-OS-000068-GPOS-00036' - tag gid: 'V-238201' - tag rid: 'SV-238201r653778_rule' - tag stig_id: 'UBTU-20-010006' - tag fix_id: 'F-41370r653777_fix' - tag cci: ['CCI-000187'] - tag legacy: [] - tag nist: ['IA-5 (2) (c)'] - - config_file = '/etc/pam_pkcs11/pam_pkcs11.conf' - config_file_exists = file(config_file).exist? - - if config_file_exists - describe parse_config_file(config_file) do - its('use_mappers') { should cmp 'pwent' } - end - else - describe (config_file + ' exists') do - subject { config_file_exists } - it { should be true } - end - end -end - diff --git a/controls/V-238202.rb b/controls/V-238202.rb deleted file mode 100644 index 8392eae..0000000 --- a/controls/V-238202.rb +++ /dev/null @@ -1,47 +0,0 @@ -# encoding: UTF-8 - -control 'V-238202' do - title "The Ubuntu operating system must enforce 24 hours/1 day as the minimum -password lifetime. Passwords for new users must have a 24 hours/1 day minimum -password lifetime restriction." - desc "Enforcing a minimum password lifetime helps to prevent repeated -password changes to defeat the password reuse or history enforcement -requirement. If users are allowed to immediately and continually change their -password, then the password could be repeatedly changed in a short period of -time to defeat the organization's policy regarding password reuse." - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system enforces a 24 hours/1 day minimum -password lifetime for new user accounts by running the following command: - - $ grep -i ^pass_min_days /etc/login.defs - - PASS_MIN_DAYS 1 - - If the \"PASS_MIN_DAYS\" parameter value is less than \"1\" or is commented -out, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum -password lifetime. - - Add or modify the following line in the \"/etc/login.defs\" file: - - PASS_MIN_DAYS 1 - " - impact 0.3 - tag severity: 'low' - tag gtitle: 'SRG-OS-000075-GPOS-00043' - tag gid: 'V-238202' - tag rid: 'SV-238202r653781_rule' - tag stig_id: 'UBTU-20-010007' - tag fix_id: 'F-41371r653780_fix' - tag cci: ['CCI-000198'] - tag legacy: [] - tag nist: ['IA-5 (1) (d)'] - - describe login_defs do - its('PASS_MIN_DAYS') { should >= '1' } - end -end - diff --git a/controls/V-238203.rb b/controls/V-238203.rb deleted file mode 100644 index 695d98d..0000000 --- a/controls/V-238203.rb +++ /dev/null @@ -1,46 +0,0 @@ -# encoding: UTF-8 - -control 'V-238203' do - title "The Ubuntu operating system must enforce a 60-day maximum password -lifetime restriction. Passwords for new users must have a 60-day maximum -password lifetime restriction." - desc "Any password, no matter how complex, can eventually be cracked. -Therefore, passwords need to be changed periodically. If the operating system -does not limit the lifetime of passwords and force users to change their -passwords, there is the risk that the operating system passwords could be -compromised." - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system enforces a 60-day maximum password -lifetime for new user accounts by running the following command: - - $ grep -i ^pass_max_days /etc/login.defs - PASS_MAX_DAYS 60 - - If the \"PASS_MAX_DAYS\" parameter value is less than \"60\" or is -commented out, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to enforce a 60-day maximum password -lifetime. - - Add or modify the following line in the \"/etc/login.defs\" file: - - PASS_MAX_DAYS 60 - " - impact 0.3 - tag severity: 'low' - tag gtitle: 'SRG-OS-000076-GPOS-00044' - tag gid: 'V-238203' - tag rid: 'SV-238203r653784_rule' - tag stig_id: 'UBTU-20-010008' - tag fix_id: 'F-41372r653783_fix' - tag cci: ['CCI-000199'] - tag legacy: [] - tag nist: ['IA-5 (1) (d)'] - - describe login_defs do - its('PASS_MAX_DAYS') { should cmp <= 60 } - end -end - diff --git a/controls/V-238204.rb b/controls/V-238204.rb deleted file mode 100644 index 0953200..0000000 --- a/controls/V-238204.rb +++ /dev/null @@ -1,79 +0,0 @@ -# encoding: UTF-8 - -control 'V-238204' do - title "Ubuntu operating systems when booted must require authentication upon -booting into single-user and maintenance modes." - desc "To mitigate the risk of unauthorized access to sensitive information -by entities that have been issued certificates by DoD-approved PKIs, all DoD -systems (e.g., web servers and web portals) must be properly configured to -incorporate access control methods that do not rely solely on the possession of -a certificate for access. - - Successful authentication must not automatically give an entity access to -an asset or security boundary. Authorization procedures and controls must be -implemented to ensure each authenticated entity also has a validated and -current authorization. Authorization is the process of determining whether an -entity, once authenticated, is permitted to access a specific asset. -Information systems use access control policies and enforcement mechanisms to -implement this requirement. - - Access control policies include identity-based policies, role-based -policies, and attribute-based policies. Access enforcement mechanisms include -access control lists, access control matrices, and cryptography. These policies -and mechanisms must be employed by the application to control access between -users (or processes acting on behalf of users) and objects (e.g., devices, -files, records, processes, programs, and domains) in the information system. - " - desc 'rationale', '' - desc 'check', " - Run the following command to verify the encrypted password is set: - - $ grep -i password /boot/grub/grub.cfg - - password_pbkdf2 root -grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG - - If the root password entry does not begin with \"password_pbkdf2\", this is -a finding. - " - desc 'fix', " - Configure the system to require a password for authentication upon booting -into single-user and maintenance modes. - - Generate an encrypted (grub) password for root with the following command: - - $ grub-mkpasswd-pbkdf2 - Enter Password: - Reenter Password: - PBKDF2 hash of your password is -grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG - - Using the hash from the output, modify the \"/etc/grub.d/40_custom\" file -with the following command to add a boot password: - - $ sudo sed -i '$i set superusers=\\\"root\\\"\ - password_pbkdf2 root ' /etc/grub.d/40_custom - - where is the hash generated by grub-mkpasswd-pbdkf2 command. - - Generate an updated \"grub.conf\" file with the new password by using the -following command: - - $ sudo update-grub - " - impact 0.7 - tag severity: 'high' - tag gtitle: 'SRG-OS-000080-GPOS-00048' - tag gid: 'V-238204' - tag rid: 'SV-238204r653787_rule' - tag stig_id: 'UBTU-20-010009' - tag fix_id: 'F-41373r653786_fix' - tag cci: ['CCI-000213'] - tag legacy: [] - tag nist: ['AC-3'] - - describe file('/boot/grub/grub.cfg') do - its('content') { should match '^password_pbkdf2' } - end -end - diff --git a/controls/V-238205.rb b/controls/V-238205.rb deleted file mode 100644 index 84437ac..0000000 --- a/controls/V-238205.rb +++ /dev/null @@ -1,60 +0,0 @@ -# encoding: UTF-8 - -control 'V-238205' do - title 'The Ubuntu operating system must uniquely identify interactive users.' - desc "To assure accountability and prevent unauthenticated access, -organizational users must be identified and authenticated to prevent potential -misuse and compromise of the system. - - Organizational users include organizational employees or individuals the -organization deems to have equivalent status of employees (e.g., contractors). -Organizational users (and processes acting on behalf of users) must be uniquely -identified and authenticated to all accesses, except for the following: - - 1) Accesses explicitly identified and documented by the organization. -Organizations document specific user actions that can be performed on the -information system without identification or authentication; and - - 2) Accesses that occur through authorized use of group authenticators -without individual authentication. Organizations may require unique -identification of individuals in group accounts (e.g., shared privilege -accounts) or for detailed accountability of individual activity. - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) -for interactive users with the following command: - - $ awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd - - If output is produced and the accounts listed are interactive user -accounts, this is a finding. - " - desc 'fix', "Edit the file \"/etc/passwd\" and provide each interactive user -account that has a duplicate UID with a unique UID." - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000104-GPOS-00051' - tag satisfies: ['SRG-OS-000104-GPOS-00051', 'SRG-OS-000121-GPOS-00062'] - tag gid: 'V-238205' - tag rid: 'SV-238205r653790_rule' - tag stig_id: 'UBTU-20-010010' - tag fix_id: 'F-41374r653789_fix' - tag cci: ['CCI-000764', 'CCI-000804'] - tag legacy: [] - tag nist: ['IA-2', 'IA-8'] - - user_list = command("awk -F \":\" 'list[$3]++{print $1}' /etc/passwd").stdout.split("\n") - findings = Set[] - - user_list.each do |user_name| - findings = findings << user_name - end - describe 'Duplicate User IDs (UIDs) must not exist for interactive users' do - subject { findings.to_a } - it { should be_empty } - end -end - diff --git a/controls/V-238206.rb b/controls/V-238206.rb deleted file mode 100644 index 0c7fa91..0000000 --- a/controls/V-238206.rb +++ /dev/null @@ -1,80 +0,0 @@ -# encoding: UTF-8 - -control 'V-238206' do - title "The Ubuntu operating system must ensure only users who need access to -security functions are part of sudo group." - desc "An isolation boundary provides access control and protects the -integrity of the hardware, software, and firmware that perform security -functions. - - Security functions are the hardware, software, and/or firmware of the -information system responsible for enforcing the system security policy and -supporting the isolation of code and data on which the protection is based. -Operating systems implement code separation (i.e., separation of security -functions from nonsecurity functions) in a number of ways, including through -the provision of security kernels via processor rings or processor modes. For -non-kernel code, security function isolation is often achieved through file -system protections that serve to protect the code on disk and address space -protections that protect executing code. - - Developers and implementers can increase the assurance in security -functions by employing well-defined security policy models; structured, -disciplined, and rigorous hardware and software development techniques; and -sound system/security engineering principles. Implementation may include -isolation of memory space and libraries. - - The Ubuntu operating system restricts access to security functions through -the use of access control mechanisms and by implementing least privilege -capabilities. - " - desc 'rationale', '' - desc 'check', " - Verify the sudo group has only members who should have access to security -functions. - - $ grep sudo /etc/group - - sudo:x:27:foo - - If the sudo group contains users not needing access to security functions, -this is a finding. - " - desc 'fix', " - Configure the sudo group with only members requiring access to security -functions. - - To remove a user from the sudo group, run: - - $ sudo gpasswd -d sudo - " - impact 0.7 - tag severity: 'high' - tag gtitle: 'SRG-OS-000134-GPOS-00068' - tag gid: 'V-238206' - tag rid: 'SV-238206r653793_rule' - tag stig_id: 'UBTU-20-010012' - tag fix_id: 'F-41375r653792_fix' - tag cci: ['CCI-001084'] - tag legacy: [] - tag nist: ['SC-3'] - - sudo_accounts = input('sudo_accounts') - - if sudo_accounts.count > 0 - sudo_accounts.each do |account| - describe group('sudo') do - its('members') { should include account } - end - end - else - describe.one do - describe group('sudo') do - its('members') { should be_nil } - end - describe group('sudo') do - its('members') { should be_empty } - end - end - end -end - diff --git a/controls/V-238207.rb b/controls/V-238207.rb deleted file mode 100644 index e9f184a..0000000 --- a/controls/V-238207.rb +++ /dev/null @@ -1,84 +0,0 @@ -# encoding: UTF-8 - -control 'V-238207' do - title "The Ubuntu operating system must automatically terminate a user -session after inactivity timeouts have expired." - desc "Automatic session termination addresses the termination of -user-initiated logical sessions in contrast to the termination of network -connections that are associated with communications sessions (i.e., network -disconnect). A logical session (for local, network, and remote access) is -initiated whenever a user (or process acting on behalf of a user) accesses an -organizational information system. Such user sessions can be terminated (and -thus terminate user access) without terminating network sessions. - - Session termination terminates all processes associated with a user's -logical session except those processes that are specifically created by the -user (i.e., session owner) to continue after the session is terminated. - - Conditions or trigger events requiring automatic session termination can -include, for example, organization-defined periods of user inactivity, targeted -responses to certain types of incidents, and time-of-day restrictions on -information system use. - - This capability is typically reserved for specific operating system -functionality where the system owner, data owner, or organization requires -additional assurance. - " - desc 'rationale', '' - desc 'check', " - Verify the operating system automatically terminates a user session after -inactivity timeouts have expired. - - Check that \"TMOUT\" environment variable is set in the -\"/etc/bash.bashrc\" file or in any file inside the \"/etc/profile.d/\" -directory by performing the following command: - - $ grep -E \"\\bTMOUT=[0-9]+\" /etc/bash.bashrc /etc/profile.d/* - - TMOUT=600 - - If \"TMOUT\" is not set, or if the value is \"0\" or is commented out, this -is a finding. - " - desc 'fix', " - Configure the operating system to automatically terminate a user session -after inactivity timeouts have expired or at shutdown. - - Create the file \"/etc/profile.d/99-terminal_tmout.sh\" file if it does not -exist. - - Modify or append the following line in the -\"/etc/profile.d/99-terminal_tmout.sh \" file: - - TMOUT=600 - - This will set a timeout value of 10 minutes for all future sessions. - - To set the timeout for the current sessions, execute the following command -over the terminal session: - - $ export TMOUT=600 - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000279-GPOS-00109' - tag gid: 'V-238207' - tag rid: 'SV-238207r653796_rule' - tag stig_id: 'UBTU-20-010013' - tag fix_id: 'F-41376r653795_fix' - tag cci: ['CCI-002361'] - tag legacy: [] - tag nist: ['AC-12'] - - profile_files=command('find /etc/profile.d/ /etc/bash.bashrc -type f').stdout.strip.split("\n").entries - timeout=input("tmout").to_s - - describe.one do - profile_files.each do |pf| - describe file(pf.strip) do - its('content') { should match "^TMOUT=#{timeout}$" } - end - end - end -end - diff --git a/controls/V-238208.rb b/controls/V-238208.rb deleted file mode 100644 index ac3bcf8..0000000 --- a/controls/V-238208.rb +++ /dev/null @@ -1,42 +0,0 @@ -# encoding: UTF-8 - -control 'V-238208' do - title "The Ubuntu operating system must require users to reauthenticate for -privilege escalation or when changing roles." - desc "Without reauthentication, users may access resources or perform tasks -for which they do not have authorization. - - When operating systems provide the capability to escalate a functional -capability, it is critical the user reauthenticate. - - - " - desc 'rationale', '' - desc 'check', " - Verify the \"/etc/sudoers\" file has no occurrences of \"NOPASSWD\" or -\"!authenticate\" by running the following command: - - $ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers /etc/sudoers.d/* - - If any occurrences of \"NOPASSWD\" or \"!authenticate\" return from the -command, this is a finding. - " - desc 'fix', "Remove any occurrence of \"NOPASSWD\" or \"!authenticate\" -found in \"/etc/sudoers\" file or files in the \"/etc/sudoers.d\" directory." - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000373-GPOS-00156' - tag satisfies: ['SRG-OS-000373-GPOS-00156', 'SRG-OS-000373-GPOS-00157'] - tag gid: 'V-238208' - tag rid: 'SV-238208r653799_rule' - tag stig_id: 'UBTU-20-010014' - tag fix_id: 'F-41377r653798_fix' - tag cci: ['CCI-002038'] - tag legacy: [] - tag nist: ['IA-11'] - - describe command("egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers") do - its('stdout.strip') { should be_empty } - end -end - diff --git a/controls/V-238209.rb b/controls/V-238209.rb deleted file mode 100644 index d8a9027..0000000 --- a/controls/V-238209.rb +++ /dev/null @@ -1,53 +0,0 @@ -# encoding: UTF-8 - -control 'V-238209' do - title "The Ubuntu operating system default filesystem permissions must be -defined in such a way that all authenticated users can read and modify only -their own files." - desc "Setting the most restrictive default permissions ensures that when new -accounts are created they do not have unnecessary access." - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system defines default permissions for all -authenticated users in such a way that the user can read and modify only their -own files. - - Verify the Ubuntu operating system defines default permissions for all -authenticated users with the following command: - - $ grep -i \"umask\" /etc/login.defs - - UMASK 077 - - If the \"UMASK\" variable is set to \"000\", this is a finding with the -severity raised to a CAT I. - - If the value of \"UMASK\" is not set to \"077\", is commented out, or is -missing completely, this is a finding. - " - desc 'fix', " - Configure the system to define the default permissions for all -authenticated users in such a way that the user can read and modify only their -own files. - - Edit the \"UMASK\" parameter in the \"/etc/login.defs\" file to match the -example below: - - UMASK 077 - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000480-GPOS-00228' - tag gid: 'V-238209' - tag rid: 'SV-238209r653802_rule' - tag stig_id: 'UBTU-20-010016' - tag fix_id: 'F-41378r653801_fix' - tag cci: ['CCI-000366'] - tag legacy: [] - tag nist: ['CM-6 b'] - - describe login_defs do - its('UMASK') { should eq '077' } - end -end - diff --git a/controls/V-238210.rb b/controls/V-238210.rb deleted file mode 100644 index dc9c6b2..0000000 --- a/controls/V-238210.rb +++ /dev/null @@ -1,84 +0,0 @@ -# encoding: UTF-8 - -control 'V-238210' do - title "The Ubuntu operating system must implement smart card logins for -multifactor authentication for local and network access to privileged and -non-privileged accounts." - desc "Without the use of multifactor authentication, the ease of access to -privileged functions is greatly increased. - - Multifactor authentication requires using two or more factors to achieve -authentication. - - Factors include: - 1) something a user knows (e.g., password/PIN); - 2) something a user has (e.g., cryptographic identification device, token); -and - 3) something a user is (e.g., biometric). - - A privileged account is defined as an information system account with -authorizations of a privileged user. - - Network access is defined as access to an information system by a user (or -a process acting on behalf of a user) communicating through a network (e.g., -local area network, wide area network, or the internet). - - The DoD CAC with DoD-approved PKI is an example of multifactor -authentication. - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system has the packages required for -multifactor authentication installed with the following commands: - - $ dpkg -l | grep libpam-pkcs11 - - ii libpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for -using PKCS#11 smart cards - - If the \"libpam-pkcs11\" package is not installed, this is a finding. - - Verify the sshd daemon allows public key authentication with the following, - - $ grep ^Pubkeyauthentication /etc/ssh/sshd_config - - PubkeyAuthentication yes - - If this option is set to \"no\" or is missing, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to use multifactor authentication for -network access to accounts. - - Add or update \"pam_pkcs11.so\" in \"/etc/pam.d/common-auth\" to match the -following line: - - auth [success=2 default=ignore] pam_pkcs11.so - - Set the sshd option \"PubkeyAuthentication yes\" in the -\"/etc/ssh/sshd_config\" file. - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000105-GPOS-00052' - tag satisfies: ['SRG-OS-000105-GPOS-00052', 'SRG-OS-000106-GPOS-00053', -'SRG-OS-000107-GPOS-00054', 'SRG-OS-000108-GPOS-00055'] - tag gid: 'V-238210' - tag rid: 'SV-238210r653805_rule' - tag stig_id: 'UBTU-20-010033' - tag fix_id: 'F-41379r653804_fix' - tag cci: ['CCI-000765', 'CCI-000766', 'CCI-000767', 'CCI-000768'] - tag legacy: [] - tag nist: ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)'] - - describe package('libpam-pkcs11') do - it { should be_installed } - end - - describe sshd_config do - its('PubkeyAuthentication') { should cmp 'yes' } - end -end - diff --git a/controls/V-238211.rb b/controls/V-238211.rb deleted file mode 100644 index dd4fa54..0000000 --- a/controls/V-238211.rb +++ /dev/null @@ -1,53 +0,0 @@ -# encoding: UTF-8 - -control 'V-238211' do - title "The Ubuntu operating system must use strong authenticators in -establishing nonlocal maintenance and diagnostic sessions." - desc "Nonlocal maintenance and diagnostic activities are those activities -conducted by individuals communicating through a network, either an external -network (e.g., the internet) or an internal network. Local maintenance and -diagnostic activities are those activities carried out by individuals -physically present at the information system or information system component -and not communicating across a network connection. Typically, strong -authentication requires authenticators that are resistant to replay attacks and -employ multifactor authentication. Strong authenticators include, for example, -PKI where certificates are stored on a token protected by a password, -passphrase, or biometric." - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system is configured to use strong -authenticators in the establishment of nonlocal maintenance and diagnostic -maintenance. - - Verify that \"UsePAM\" is set to \"yes\" in \"/etc/ssh/sshd_config: - - $ grep ^UsePAM /etc/ssh/sshd_config - - UsePAM yes - - If \"UsePAM\" is not set to \"yes\", this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to use strong authentication when -establishing nonlocal maintenance and diagnostic sessions. - - Add or modify the following line to /etc/ssh/sshd_config: - - UsePAM yes - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000125-GPOS-00065' - tag gid: 'V-238211' - tag rid: 'SV-238211r653808_rule' - tag stig_id: 'UBTU-20-010035' - tag fix_id: 'F-41380r653807_fix' - tag cci: ['CCI-000877'] - tag legacy: [] - tag nist: ['MA-4 c'] - - describe sshd_config do - its('UsePAM') { should cmp 'yes' } - end -end - diff --git a/controls/V-238212.rb b/controls/V-238212.rb deleted file mode 100644 index ebaf087..0000000 --- a/controls/V-238212.rb +++ /dev/null @@ -1,70 +0,0 @@ -# encoding: UTF-8 - -control 'V-238212' do - title "The Ubuntu operating system must immediately terminate all network -connections associated with SSH traffic after a period of inactivity." - desc "Automatic session termination addresses the termination of -user-initiated logical sessions in contrast to the termination of network -connections that are associated with communications sessions (i.e., network -disconnect). A logical session (for local, network, and remote access) is -initiated whenever a user (or process acting on behalf of a user) accesses an -organizational information system. Such user sessions can be terminated (and -thus terminate user access) without terminating network sessions. - - Session termination terminates all processes associated with a user's -logical session except those processes that are specifically created by the -user (i.e., session owner) to continue after the session is terminated. - - Conditions or trigger events requiring automatic session termination can -include, for example, organization-defined periods of user inactivity, targeted -responses to certain types of incidents, and time-of-day restrictions on -information system use. - - This capability is typically reserved for specific Ubuntu operating system -functionality where the system owner, data owner, or organization requires -additional assurance. - " - desc 'rationale', '' - desc 'check', " - Verify that all network connections associated with SSH traffic -automatically terminate after a period of inactivity. - - Verify the \"ClientAliveCountMax\" variable is set in the -\"/etc/ssh/sshd_config\" file by performing the following command: - - $ sudo grep -i clientalivecountmax /etc/ssh/sshd_config - - ClientAliveCountMax 1 - - If \"ClientAliveCountMax\" is not set, is not set to \"1\", or is commented -out, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to automatically terminate inactive -SSH sessions after a period of inactivity. - - Modify or append the following line in the \"/etc/ssh/sshd_config\" file, -replacing \"[Count]\" with a value of 1: - - ClientAliveCountMax 1 - - Restart the SSH daemon for the changes to take effect: - - $ sudo systemctl restart sshd.service - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000126-GPOS-00066' - tag gid: 'V-238212' - tag rid: 'SV-238212r653811_rule' - tag stig_id: 'UBTU-20-010036' - tag fix_id: 'F-41381r653810_fix' - tag cci: ['CCI-000879'] - tag legacy: [] - tag nist: ['MA-4 e'] - - describe sshd_config do - its('ClientAliveCountMax') { should cmp 1 } - end -end - diff --git a/controls/V-238213.rb b/controls/V-238213.rb deleted file mode 100644 index 44548a4..0000000 --- a/controls/V-238213.rb +++ /dev/null @@ -1,66 +0,0 @@ -# encoding: UTF-8 - -control 'V-238213' do - title "The Ubuntu operating system must immediately terminate all network -connections associated with SSH traffic at the end of the session or after 10 -minutes of inactivity." - desc "Terminating an idle session within a short time period reduces the -window of opportunity for unauthorized personnel to take control of a -management session enabled on the console or console port that has been left -unattended. In addition, quickly terminating an idle session will also free up -resources committed by the managed network element. - - Terminating network connections associated with communications sessions -includes, for example, de-allocating associated TCP/IP address/port pairs at -the operating system level, and de-allocating networking assignments at the -application level if multiple application sessions are using a single operating -system-level network connection. This does not mean that the operating system -terminates all sessions or network access; it only ends the inactive session -and releases the resources associated with that session. - " - desc 'rationale', '' - desc 'check', " - Verify that all network connections associated with SSH traffic are -automatically terminated at the end of the session or after 10 minutes of -inactivity. - - Verify the \"ClientAliveInterval\" variable is set to a value of \"600\" or -less by performing the following command: - - $ sudo grep -i clientalive /etc/ssh/sshd_config - - ClientAliveInterval 600 - - If \"ClientAliveInterval\" does not exist, is not set to a value of \"600\" -or less in \"/etc/ssh/sshd_config\", or is commented out, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to automatically terminate all -network connections associated with SSH traffic at the end of a session or -after a 10-minute period of inactivity. - - Modify or append the following line in the \"/etc/ssh/sshd_config\" file -replacing \"[Interval]\" with a value of \"600\" or less: - - ClientAliveInterval 600 - - Restart the SSH daemon for the changes to take effect: - - $ sudo systemctl restart sshd.service - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000163-GPOS-00072' - tag gid: 'V-238213' - tag rid: 'SV-238213r653814_rule' - tag stig_id: 'UBTU-20-010037' - tag fix_id: 'F-41382r653813_fix' - tag cci: ['CCI-001133'] - tag legacy: [] - tag nist: ['SC-10'] - - describe sshd_config do - its('ClientAliveInterval') { should cmp 600 } - end -end - diff --git a/controls/V-238214.rb b/controls/V-238214.rb deleted file mode 100644 index c4d4f33..0000000 --- a/controls/V-238214.rb +++ /dev/null @@ -1,190 +0,0 @@ -# encoding: UTF-8 - -control 'V-238214' do - title "The Ubuntu operating system must display the Standard Mandatory DoD -Notice and Consent Banner before granting any local or remote connection to the -system." - desc "Display of a standardized and approved use notification before -granting access to the publicly accessible operating system ensures privacy and -security notification verbiage used is consistent with applicable federal laws, -Executive Orders, directives, policies, regulations, standards, and guidance. - - System use notifications are required only for access via logon interfaces -with human users and are not required when such human interfaces do not exist. - - The banner must be formatted in accordance with applicable DoD policy. Use -the following verbiage for operating systems that can accommodate banners of -1300 characters: - - \"You are accessing a U.S. Government (USG) Information System (IS) that is -provided for USG-authorized use only. - - By using this IS (which includes any device attached to this IS), you -consent to the following conditions: - - -The USG routinely intercepts and monitors communications on this IS for -purposes including, but not limited to, penetration testing, COMSEC monitoring, -network operations and defense, personnel misconduct (PM), law enforcement -(LE), and counterintelligence (CI) investigations. - - -At any time, the USG may inspect and seize data stored on this IS. - - -Communications using, or data stored on, this IS are not private, are -subject to routine monitoring, interception, and search, and may be disclosed -or used for any USG-authorized purpose. - - -This IS includes security measures (e.g., authentication and access -controls) to protect USG interests--not for your personal benefit or privacy. - - -Notwithstanding the above, using this IS does not constitute consent to -PM, LE or CI investigative searching or monitoring of the content of privileged -communications, or work product, related to personal representation or services -by attorneys, psychotherapists, or clergy, and their assistants. Such -communications and work product are private and confidential. See User -Agreement for details.\" - - Use the following verbiage for operating systems that have severe -limitations on the number of characters that can be displayed in the banner: - - \"I've read and consent to terms in IS user agreem't.\" - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system displays the Standard Mandatory DoD -Notice and Consent Banner before granting access to the Ubuntu operating system -via an SSH logon with the following command: - - $ grep -i banner /etc/ssh/sshd_config - - Banner /etc/issue.net - - The command will return the banner option along with the name of the file -that contains the SSH banner. If the line is commented out, this is a finding. - - Verify the specified banner file matches the Standard Mandatory DoD Notice -and Consent Banner exactly: - - $ cat /etc/issue.net - - \"You are accessing a U.S. Government (USG) Information System (IS) that is -provided for USG-authorized use only. - - By using this IS (which includes any device attached to this IS), you -consent to the following conditions: - - -The USG routinely intercepts and monitors communications on this IS for -purposes including, but not limited to, penetration testing, COMSEC monitoring, -network operations and defense, personnel misconduct (PM), law enforcement -(LE), and counterintelligence (CI) investigations. - - -At any time, the USG may inspect and seize data stored on this IS. - - -Communications using, or data stored on, this IS are not private, are -subject to routine monitoring, interception, and search, and may be disclosed -or used for any USG-authorized purpose. - - -This IS includes security measures (e.g., authentication and access -controls) to protect USG interests--not for your personal benefit or privacy. - - -Notwithstanding the above, using this IS does not constitute consent to -PM, LE or CI investigative searching or monitoring of the content of privileged -communications, or work product, related to personal representation or services -by attorneys, psychotherapists, or clergy, and their assistants. Such -communications and work product are private and confidential. See User -Agreement for details.\" - - If the banner text does not match the Standard Mandatory DoD Notice and -Consent Banner exactly, this is a finding. - " - desc 'fix', " - Set the parameter Banner in \"/etc/ssh/sshd_config\" to point to the -\"/etc/issue.net\" file: - - $ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config - $ sudo sed -i '$aBanner /etc/issue.net' /etc/ssh/sshd_config - - Either create the file containing the banner or replace the text in the -file with the Standard Mandatory DoD Notice and Consent Banner. The DoD -required text is: - - \"You are accessing a U.S. Government (USG) Information System (IS) that is -provided for USG-authorized use only. - - By using this IS (which includes any device attached to this IS), you -consent to the following conditions: - - -The USG routinely intercepts and monitors communications on this IS for -purposes including, but not limited to, penetration testing, COMSEC monitoring, -network operations and defense, personnel misconduct (PM), law enforcement -(LE), and counterintelligence (CI) investigations. - - -At any time, the USG may inspect and seize data stored on this IS. - - -Communications using, or data stored on, this IS are not private, are -subject to routine monitoring, interception, and search, and may be disclosed -or used for any USG-authorized purpose. - - -This IS includes security measures (e.g., authentication and access -controls) to protect USG interests--not for your personal benefit or privacy. - - -Notwithstanding the above, using this IS does not constitute consent to -PM, LE or CI investigative searching or monitoring of the content of privileged -communications, or work product, related to personal representation or services -by attorneys, psychotherapists, or clergy, and their assistants. Such -communications and work product are private and confidential. See User -Agreement for details.\" - - Restart the SSH daemon for the changes to take effect and then signal the -SSH server to reload the configuration file: - - $ sudo systemctl -s SIGHUP kill sshd - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000228-GPOS-00088' - tag satisfies: ['SRG-OS-000228-GPOS-00088', 'SRG-OS-000023-GPOS-00006'] - tag gid: 'V-238214' - tag rid: 'SV-238214r653817_rule' - tag stig_id: 'UBTU-20-010038' - tag fix_id: 'F-41383r653816_fix' - tag cci: ['CCI-000048', 'CCI-001384', 'CCI-001385', 'CCI-001386', -'CCI-001387', 'CCI-001388'] - tag legacy: [] - tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 2', 'AC-8 c 2', "AC-8 c -3"] - banner_text = input('banner_text') - banner_files = [sshd_config.banner].flatten - - banner_files.each do |banner_file| - if banner_file.nil? - describe 'The SSHD Banner is not set' do - subject { banner_file.nil? } - it { should be false } - end - end - if !banner_file.nil? && !banner_file.match(/none/i).nil? - describe 'The SSHD Banner is disabled' do - subject { banner_file.match(/none/i).nil? } - it { should be true } - end - end - if !banner_file.nil? && banner_file.match(/none/i).nil? && !file(banner_file).exist? - describe 'The SSHD Banner is set, but, the file does not exist' do - subject { file(banner_file).exist? } - it { should be true } - end - end - next unless !banner_file.nil? && banner_file.match(/none/i).nil? && file(banner_file).exist? - - describe 'The SSHD Banner is set to the standard banner and has the correct text' do - clean_banner = banner_text.gsub(/[\r\n\s]/, '') - subject { file(banner_file).content.gsub(/[\r\n\s]/, '') } - it { should cmp clean_banner } - end - end - - -end - diff --git a/controls/V-238215.rb b/controls/V-238215.rb deleted file mode 100644 index fac0895..0000000 --- a/controls/V-238215.rb +++ /dev/null @@ -1,96 +0,0 @@ -# encoding: UTF-8 - -control 'V-238215' do - title "The Ubuntu operating system must use SSH to protect the -confidentiality and integrity of transmitted information." - desc "Without protection of the transmitted information, confidentiality and -integrity may be compromised because unprotected communications can be -intercepted and either read or altered. - - This requirement applies to both internal and external networks and all -types of information system components from which information can be -transmitted (e.g., servers, mobile devices, notebook computers, printers, -copiers, scanners, and facsimile machines). Communication paths outside the -physical protection of a controlled boundary are exposed to the possibility of -interception and modification. - - Protecting the confidentiality and integrity of organizational information -can be accomplished by physical means (e.g., employing physical distribution -systems) or by logical means (e.g., employing cryptographic techniques). If -physical means of protection are employed, then logical means (cryptography) do -not have to be employed, and vice versa. - - - " - desc 'rationale', '' - desc 'check', " - Verify the SSH package is installed with the following command: - - $ sudo dpkg -l | grep openssh - ii openssh-client 1:7.6p1-4ubuntu0.1 - amd64 secure shell (SSH) client, for secure access to remote machines - ii openssh-server 1:7.6p1-4ubuntu0.1 - amd64 secure shell (SSH) server, for secure access from remote machines - ii openssh-sftp-server 1:7.6p1-4ubuntu0.1 - amd64 secure shell (SSH) sftp server module, for SFTP access from -remote machines - - If the \"openssh\" server package is not installed, this is a finding. - - Verify the \"sshd.service\" is loaded and active with the following -command: - - $ sudo systemctl status sshd.service | egrep -i \"(active|loaded)\" - Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: -enabled) - Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1 weeks 3 -days ago - - If \"sshd.service\" is not active or loaded, this is a finding. - " - desc 'fix', " - Install the \"ssh\" meta-package on the system with the following command: - - $ sudo apt install ssh - - Enable the \"ssh\" service to start automatically on reboot with the -following command: - - $ sudo systemctl enable sshd.service - - ensure the \"ssh\" service is running - - $ sudo systemctl start sshd.service - " - impact 0.7 - tag severity: 'high' - tag gtitle: 'SRG-OS-000423-GPOS-00187' - tag satisfies: ['SRG-OS-000423-GPOS-00187', 'SRG-OS-000425-GPOS-00189', -'SRG-OS-000426-GPOS-00190'] - tag gid: 'V-238215' - tag rid: 'SV-238215r653820_rule' - tag stig_id: 'UBTU-20-010042' - tag fix_id: 'F-41384r653819_fix' - tag cci: ['CCI-002418', 'CCI-002420', 'CCI-002422'] - tag legacy: [] - tag nist: ['SC-8', 'SC-8 (2)', 'SC-8 (2)'] - - describe package('openssh-client') do - it { should be_installed } - end - - describe package('openssh-server') do - it { should be_installed } - end - - describe package('openssh-sftp-server') do - it { should be_installed } - end - - describe service('sshd') do - it { should be_enabled } - it { should be_installed } - it { should be_running } - end -end - diff --git a/controls/V-238216.rb b/controls/V-238216.rb deleted file mode 100644 index 3313708..0000000 --- a/controls/V-238216.rb +++ /dev/null @@ -1,80 +0,0 @@ -# encoding: UTF-8 - -control 'V-238216' do - title "The Ubuntu operating system must configure the SSH daemon to use -Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic -hashes to prevent the unauthorized disclosure of information and/or detect -changes to information during transmission." - desc "Without cryptographic integrity protections, information can be -altered by unauthorized users without detection. - - Remote access (e.g., RDP) is access to DoD nonpublic information systems by -an authorized user (or an information system) communicating through an -external, non-organization-controlled network. Remote access methods include, -for example, dial-up, broadband, and wireless. Nonlocal maintenance and -diagnostic activities are those activities conducted by individuals -communicating through a network, either an external network (e.g., the -internet) or an internal network. - - Local maintenance and diagnostic activities are those activities carried -out by individuals physically present at the information system or information -system component and not communicating across a network connection. - - Encrypting information for transmission protects information from -unauthorized disclosure and modification. Cryptographic mechanisms implemented -to protect information integrity include, for example, cryptographic hash -functions which have common application in digital signatures, checksums, and -message authentication codes. - - - " - desc 'rationale', '' - desc 'check', " - Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 -approved ciphers with the following command: - - $ grep -i macs /etc/ssh/sshd_config - - MACs hmac-sha2-512,hmac-sha2-256 - - If any ciphers other than \"hmac-sha2-512\" or \"hmac-sha2-256\" are -listed, the order differs from the example above, or the returned line is -commented out, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to allow the SSH daemon to only use -MACs that employ FIPS 140-2 approved ciphers. - - Add the following line (or modify the line to have the required value) to -the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in -a different location if using a version of SSH that is provided by a -third-party vendor): - - MACs hmac-sha2-512,hmac-sha2-256 - - Restart the SSH daemon for the changes to take effect: - - $ sudo systemctl reload sshd.service - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000424-GPOS-00188' - tag satisfies: ['SRG-OS-000424-GPOS-00188', 'SRG-OS-000250-GPOS-00093', -'SRG-OS-000393-GPOS-00173'] - tag gid: 'V-238216' - tag rid: 'SV-238216r654316_rule' - tag stig_id: 'UBTU-20-010043' - tag fix_id: 'F-41385r653822_fix' - tag cci: ['CCI-001453', 'CCI-002421', 'CCI-002890'] - tag legacy: [] - tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)'] - - @macs_array = inspec.sshd_config.params['macs'] - - @macs_array = @macs_array.first.split(',') unless @macs_array.nil? - - describe @macs_array do - it { should be_in %w[hmac-sha2-256 hmac-sha2-512] } - end -end - diff --git a/controls/V-238217.rb b/controls/V-238217.rb deleted file mode 100644 index b6f5579..0000000 --- a/controls/V-238217.rb +++ /dev/null @@ -1,84 +0,0 @@ -# encoding: UTF-8 - -control 'V-238217' do - title "The Ubuntu operating system must configure the SSH daemon to use FIPS -140-2 approved ciphers to prevent the unauthorized disclosure of information -and/or detect changes to information during transmission." - desc "Without cryptographic integrity protections, information can be -altered by unauthorized users without detection. - - Remote access (e.g., RDP) is access to DoD nonpublic information systems by -an authorized user (or an information system) communicating through an -external, non-organization-controlled network. Remote access methods include, -for example, dial-up, broadband, and wireless. - - Nonlocal maintenance and diagnostic activities are those activities -conducted by individuals communicating through a network, either an external -network (e.g., the internet) or an internal network. - - Local maintenance and diagnostic activities are those activities carried -out by individuals physically present at the information system or information -system component and not communicating across a network connection. - - Encrypting information for transmission protects information from -unauthorized disclosure and modification. Cryptographic mechanisms implemented -to protect information integrity include, for example, cryptographic hash -functions which have common application in digital signatures, checksums, and -message authentication codes. - - By specifying a cipher list with the order of ciphers being in a -\"strongest to weakest\" orientation, the system will automatically attempt to -use the strongest cipher for securing SSH connections. - - - " - desc 'rationale', '' - desc 'check', " - Verify the SSH daemon is configured to only implement FIPS-approved -algorithms by running the following command: - - $ grep -E 'Ciphers ' /etc/ssh/sshd_config - - Ciphers aes256-ctr,aes192-ctr, aes128-ctr - - If any ciphers other than \"aes256-ctr\", \"aes192-ctr\", or \"aes128-ctr\" -are listed, the order differs from the example above, the \"Ciphers\" keyword -is missing, or the returned line is commented out, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to allow the SSH daemon to only -implement FIPS-approved algorithms. - - Add the following line (or modify the line to have the required value) to -the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in -a different location if using a version of SSH that is provided by a -third-party vendor): - - Ciphers aes256-ctr,aes192-ctr,aes128-ctr - - Restart the SSH daemon for the changes to take effect: - - $ sudo systemctl restart sshd.service - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000424-GPOS-00188' - tag satisfies: ['SRG-OS-000424-GPOS-00188', 'SRG-OS-000033-GPOS-00014', -'SRG-OS-000394-GPOS-00174'] - tag gid: 'V-238217' - tag rid: 'SV-238217r653826_rule' - tag stig_id: 'UBTU-20-010044' - tag fix_id: 'F-41386r653825_fix' - tag cci: ['CCI-000068', 'CCI-002421', 'CCI-003123'] - tag legacy: [] - tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)'] - - @ciphers_array = inspec.sshd_config.params['ciphers'] - - @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil? - - describe @ciphers_array do - it { should be_in %w[ aes256-ctr aes192-ctr aes128-ctr ] } - end -end - diff --git a/controls/V-238218.rb b/controls/V-238218.rb deleted file mode 100644 index ad84559..0000000 --- a/controls/V-238218.rb +++ /dev/null @@ -1,50 +0,0 @@ -# encoding: UTF-8 - -control 'V-238218' do - title "The Ubuntu operating system must not allow unattended or automatic -login via SSH." - desc "Failure to restrict system access to authenticated users negatively -impacts Ubuntu operating system security." - desc 'rationale', '' - desc 'check', " - Verify that unattended or automatic login via SSH is disabled with the -following command: - - $ egrep '(Permit(.*?)(Passwords|Environment))' /etc/ssh/sshd_config - - PermitEmptyPasswords no - PermitUserEnvironment no - - If \"PermitEmptyPasswords\" or \"PermitUserEnvironment\" keywords are not -set to \"no\", are missing completely, or are commented out, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to allow the SSH daemon to not allow -unattended or automatic login to the system. - - Add or edit the following lines in the \"/etc/ssh/sshd_config\" file: - - PermitEmptyPasswords no - PermitUserEnvironment no - - Restart the SSH daemon for the changes to take effect: - - $ sudo systemctl restart sshd.service - " - impact 0.7 - tag severity: 'high' - tag gtitle: 'SRG-OS-000480-GPOS-00229' - tag gid: 'V-238218' - tag rid: 'SV-238218r653829_rule' - tag stig_id: 'UBTU-20-010047' - tag fix_id: 'F-41387r653828_fix' - tag cci: ['CCI-000366'] - tag legacy: [] - tag nist: ['CM-6 b'] - - describe sshd_config do - its('PermitEmptyPasswords') { should cmp 'no' } - its('PermitUserEnvironment') { should cmp 'no' } - end -end - diff --git a/controls/V-238219.rb b/controls/V-238219.rb deleted file mode 100644 index d1af560..0000000 --- a/controls/V-238219.rb +++ /dev/null @@ -1,61 +0,0 @@ -# encoding: UTF-8 - -control 'V-238219' do - title "The Ubuntu operating system must be configured so that remote X -connections are disabled, unless to fulfill documented and validated mission -requirements." - desc "The security risk of using X11 forwarding is that the client's X11 -display server may be exposed to attack when the SSH client requests -forwarding. A System Administrator may have a stance in which they want to -protect clients that may expose themselves to attack by unwittingly requesting -X11 forwarding, which can warrant a ''no'' setting. - - X11 forwarding should be enabled with caution. Users with the ability to -bypass file permissions on the remote host (for the user's X11 authorization -database) can access the local X11 display through the forwarded connection. An -attacker may then be able to perform activities such as keystroke monitoring if -the ForwardX11Trusted option is also enabled. - - If X11 services are not required for the system's intended function, they -should be disabled or restricted as appropriate to the system’s needs. - " - desc 'rationale', '' - desc 'check', " - Verify that X11Forwarding is disabled with the following command: - - $ grep -i x11forwarding /etc/ssh/sshd_config | grep -v \"^#\" - - X11Forwarding no - - If the \"X11Forwarding\" keyword is set to \"yes\" and is not documented -with the Information System Security Officer (ISSO) as an operational -requirement or is missing, this is a finding. - " - desc 'fix', " - Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the -\"X11Forwarding\" keyword and set its value to \"no\" (this file may be named -differently or be in a different location if using a version of SSH that is -provided by a third-party vendor): - - X11Forwarding no - - Restart the SSH daemon for the changes to take effect: - - $ sudo systemctl restart sshd.service - " - impact 0.7 - tag severity: 'high' - tag gtitle: 'SRG-OS-000480-GPOS-00227' - tag gid: 'V-238219' - tag rid: 'SV-238219r653832_rule' - tag stig_id: 'UBTU-20-010048' - tag fix_id: 'F-41388r653831_fix' - tag cci: ['CCI-000366'] - tag legacy: [] - tag nist: ['CM-6 b'] - - describe sshd_config do - its('X11Forwarding') { should cmp 'no' } - end -end - diff --git a/controls/V-238220.rb b/controls/V-238220.rb deleted file mode 100644 index 27a990f..0000000 --- a/controls/V-238220.rb +++ /dev/null @@ -1,55 +0,0 @@ -# encoding: UTF-8 - -control 'V-238220' do - title "The Ubuntu operating system SSH daemon must prevent remote hosts from -connecting to the proxy display." - desc "When X11 forwarding is enabled, there may be additional exposure to -the server and client displays if the sshd proxy display is configured to -listen on the wildcard address. By default, sshd binds the forwarding server -to the loopback address and sets the hostname part of the DISPLAY environment -variable to localhost. This prevents remote hosts from connecting to the proxy -display." - desc 'rationale', '' - desc 'check', " - Verify the SSH daemon prevents remote hosts from connecting to the proxy -display. - - Check the SSH X11UseLocalhost setting with the following command: - - $ sudo grep -i x11uselocalhost /etc/ssh/sshd_config - X11UseLocalhost yes - - If the \"X11UseLocalhost\" keyword is set to \"no\", is missing, or is -commented out, this is a finding. - " - desc 'fix', " - Configure the SSH daemon to prevent remote hosts from connecting to the -proxy display. - - Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the -\"X11UseLocalhost\" keyword and set its value to \"yes\" (this file may be -named differently or be in a different location if using a version of SSH that -is provided by a third-party vendor): - - X11UseLocalhost yes - - Restart the SSH daemon for the changes to take effect: - - $ sudo systemctl restart sshd.service - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000480-GPOS-00227' - tag gid: 'V-238220' - tag rid: 'SV-238220r653835_rule' - tag stig_id: 'UBTU-20-010049' - tag fix_id: 'F-41389r653834_fix' - tag cci: ['CCI-000366'] - tag legacy: [] - tag nist: ['CM-6 b'] - - describe sshd_config do - its('X11UseLocalhost') { should cmp 'yes' } - end -end - diff --git a/controls/V-238221.rb b/controls/V-238221.rb deleted file mode 100644 index fca61c5..0000000 --- a/controls/V-238221.rb +++ /dev/null @@ -1,61 +0,0 @@ -# encoding: UTF-8 - -control 'V-238221' do - title "The Ubuntu operating system must enforce password complexity by -requiring that at least one upper-case character be used." - desc "Use of a complex password helps to increase the time and resources -required to compromise the password. Password complexity, or strength, is a -measure of the effectiveness of a password in resisting attempts at guessing -and brute-force attacks. - - Password complexity is one factor of several that determines how long it -takes to crack a password. The more complex the password, the greater the -number of possible combinations that need to be tested before the password is -compromised. - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system enforces password complexity by -requiring that at least one upper-case character be used. - - Determine if the field \"ucredit\" is set in the -\"/etc/security/pwquality.conf\" file with the following command: - - $ grep -i \"ucredit\" /etc/security/pwquality.conf - ucredit=-1 - - If the \"ucredit\" parameter is greater than \"-1\" or is commented out, -this is a finding. - " - desc 'fix', " - Add or update the \"/etc/security/pwquality.conf\" file to contain the -\"ucredit\" parameter: - - ucredit=-1 - " - impact 0.3 - tag severity: 'low' - tag gtitle: 'SRG-OS-000069-GPOS-00037' - tag gid: 'V-238221' - tag rid: 'SV-238221r653838_rule' - tag stig_id: 'UBTU-20-010050' - tag fix_id: 'F-41390r653837_fix' - tag cci: ['CCI-000192'] - tag legacy: [] - tag nist: ['IA-5 (1) (a)'] - - config_file = '/etc/security/pwquality.conf' - config_file_exists = file(config_file).exist? - - if config_file_exists - describe parse_config_file(config_file) do - its('ucredit') { should cmp -1 } - end - else - describe (config_file + ' exists') do - subject { config_file_exists } - it { should be true } - end - end -end - diff --git a/controls/V-238222.rb b/controls/V-238222.rb deleted file mode 100644 index dcec0e4..0000000 --- a/controls/V-238222.rb +++ /dev/null @@ -1,61 +0,0 @@ -# encoding: UTF-8 - -control 'V-238222' do - title "The Ubuntu operating system must enforce password complexity by -requiring that at least one lower-case character be used." - desc "Use of a complex password helps to increase the time and resources -required to compromise the password. Password complexity, or strength, is a -measure of the effectiveness of a password in resisting attempts at guessing -and brute-force attacks. - - Password complexity is one factor of several that determines how long it -takes to crack a password. The more complex the password, the greater the -number of possible combinations that need to be tested before the password is -compromised. - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system enforces password complexity by -requiring that at least one lower-case character be used. - - Determine if the field \"lcredit\" is set in the -\"/etc/security/pwquality.conf\" file with the following command: - - $ grep -i \"lcredit\" /etc/security/pwquality.conf - lcredit=-1 - - If the \"lcredit\" parameter is greater than \"-1\" or is commented out, -this is a finding. - " - desc 'fix', " - Add or update the \"/etc/security/pwquality.conf\" file to contain the -\"lcredit\" parameter: - - lcredit=-1 - " - impact 0.3 - tag severity: 'low' - tag gtitle: 'SRG-OS-000070-GPOS-00038' - tag gid: 'V-238222' - tag rid: 'SV-238222r653841_rule' - tag stig_id: 'UBTU-20-010051' - tag fix_id: 'F-41391r653840_fix' - tag cci: ['CCI-000193'] - tag legacy: [] - tag nist: ['IA-5 (1) (a)'] - - config_file = '/etc/security/pwquality.conf' - config_file_exists = file(config_file).exist? - - if config_file_exists - describe parse_config_file(config_file) do - its('lcredit') { should cmp -1 } - end - else - describe (config_file + ' exists') do - subject { config_file_exists } - it { should be true } - end - end -end - diff --git a/controls/V-238223.rb b/controls/V-238223.rb deleted file mode 100644 index 39db287..0000000 --- a/controls/V-238223.rb +++ /dev/null @@ -1,64 +0,0 @@ -# encoding: UTF-8 - -control 'V-238223' do - title "The Ubuntu operating system must enforce password complexity by -requiring that at least one numeric character be used." - desc "Use of a complex password helps to increase the time and resources -required to compromise the password. Password complexity, or strength, is a -measure of the effectiveness of a password in resisting attempts at guessing -and brute-force attacks. - - Password complexity is one factor of several that determines how long it -takes to crack a password. The more complex the password, the greater the -number of possible combinations that need to be tested before the password is -compromised. - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system enforces password complexity by -requiring that at least one numeric character be used. - - Determine if the field \"dcredit\" is set in the -\"/etc/security/pwquality.conf\" file with the following command: - - $ grep -i \"dcredit\" /etc/security/pwquality.conf - dcredit=-1 - - If the \"dcredit\" parameter is greater than \"-1\" or is commented out, -this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to enforce password complexity by -requiring that at least one numeric character be used. - - Add or update the \"/etc/security/pwquality.conf\" file to contain the -\"dcredit\" parameter: - - dcredit=-1 - " - impact 0.3 - tag severity: 'low' - tag gtitle: 'SRG-OS-000071-GPOS-00039' - tag gid: 'V-238223' - tag rid: 'SV-238223r653844_rule' - tag stig_id: 'UBTU-20-010052' - tag fix_id: 'F-41392r653843_fix' - tag cci: ['CCI-000194'] - tag legacy: [] - tag nist: ['IA-5 (1) (a)'] - - config_file = '/etc/security/pwquality.conf' - config_file_exists = file(config_file).exist? - - if config_file_exists - describe parse_config_file(config_file) do - its('dcredit') { should cmp -1 } - end - else - describe (config_file + ' exists') do - subject { config_file_exists } - it { should be true } - end - end -end - diff --git a/controls/V-238224.rb b/controls/V-238224.rb deleted file mode 100644 index fa447cc..0000000 --- a/controls/V-238224.rb +++ /dev/null @@ -1,68 +0,0 @@ -# encoding: UTF-8 - -control 'V-238224' do - title "The Ubuntu operating system must require the change of at least 8 -characters when passwords are changed." - desc " If the operating system allows the user to consecutively reuse -extensive portions of passwords, this increases the chances of password -compromise by increasing the window of opportunity for attempts at guessing and -brute-force attacks. - - The number of changed characters refers to the number of changes required -with respect to the total number of positions in the current password. In other -words, characters may be the same within the two passwords; however, the -positions of the like characters must be different. - - If the password length is an odd number then number of changed characters -must be rounded up. For example, a password length of 15 characters must -require the change of at least 8 characters. - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system requires the change of at least eight -characters when passwords are changed. - - Determine if the field \"difok\" is set in the -\"/etc/security/pwquality.conf\" file with the following command: - - $ grep -i \"difok\" /etc/security/pwquality.conf - difok=8 - - If the \"difok\" parameter is less than \"8\" or is commented out, this is -a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to require the change of at least -eight characters when passwords are changed. - - Add or update the \"/etc/security/pwquality.conf\" file to include the -\"difok=8\" parameter: - - difok=8 - " - impact 0.3 - tag severity: 'low' - tag gtitle: 'SRG-OS-000072-GPOS-00040' - tag gid: 'V-238224' - tag rid: 'SV-238224r653847_rule' - tag stig_id: 'UBTU-20-010053' - tag fix_id: 'F-41393r653846_fix' - tag cci: ['CCI-000195'] - tag legacy: [] - tag nist: ['IA-5 (1) (b)'] - - config_file = '/etc/security/pwquality.conf' - config_file_exists = file(config_file).exist? - - if config_file_exists - describe parse_config_file(config_file) do - its('difok') { should cmp >= 8 } - end - else - describe (config_file + ' exists') do - subject { config_file_exists } - it { should be true } - end - end -end - diff --git a/controls/V-238225.rb b/controls/V-238225.rb deleted file mode 100644 index 744929f..0000000 --- a/controls/V-238225.rb +++ /dev/null @@ -1,61 +0,0 @@ -# encoding: UTF-8 - -control 'V-238225' do - title "The Ubuntu operating system must enforce a minimum 15-character -password length." - desc "The shorter the password, the lower the number of possible -combinations that need to be tested before the password is compromised. - - Password complexity, or strength, is a measure of the effectiveness of a -password in resisting attempts at guessing and brute-force attacks. Password -length is one factor of several that helps to determine strength and how long -it takes to crack a password. Use of more characters in a password helps to -exponentially increase the time and/or resources required to compromise the -password. - " - desc 'rationale', '' - desc 'check', " - Verify the pwquality configuration file enforces a minimum 15-character -password length by running the following command: - - $ grep -i ^minlen /etc/security/pwquality.conf - minlen=15 - - If \"minlen\" parameter value is not \"15\" or higher or is commented out, -this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to enforce a minimum 15-character -password length. - - Add or modify the \"minlen\" parameter value to the -\"/etc/security/pwquality.conf\" file: - - minlen=15 - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000078-GPOS-00046' - tag gid: 'V-238225' - tag rid: 'SV-238225r653850_rule' - tag stig_id: 'UBTU-20-010054' - tag fix_id: 'F-41394r653849_fix' - tag cci: ['CCI-000205'] - tag legacy: [] - tag nist: ['IA-5 (1) (a)'] - - config_file = '/etc/security/pwquality.conf' - config_file_exists = file(config_file).exist? - - if config_file_exists - describe parse_config_file(config_file) do - its('minlen') { should cmp >= 15 } - end - else - describe (config_file + ' exists') do - subject { config_file_exists } - it { should be true } - end - end -end - diff --git a/controls/V-238226.rb b/controls/V-238226.rb deleted file mode 100644 index 1740902..0000000 --- a/controls/V-238226.rb +++ /dev/null @@ -1,63 +0,0 @@ -# encoding: UTF-8 - -control 'V-238226' do - title "The Ubuntu operating system must enforce password complexity by -requiring that at least one special character be used." - desc "Use of a complex password helps to increase the time and resources -required to compromise the password. Password complexity or strength is a -measure of the effectiveness of a password in resisting attempts at guessing -and brute-force attacks. - - Password complexity is one factor in determining how long it takes to crack -a password. The more complex the password, the greater the number of possible -combinations that need to be tested before the password is compromised. - - Special characters are those characters that are not alphanumeric. Examples -include: ~ ! @ # $ % ^ *. - " - desc 'rationale', '' - desc 'check', " - Determine if the field \"ocredit\" is set in the -\"/etc/security/pwquality.conf\" file with the following command: - - $ grep -i \"ocredit\" /etc/security/pwquality.conf - ocredit=-1 - - If the \"ocredit\" parameter is greater than \"-1\" or is commented out, -this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to enforce password complexity by -requiring that at least one special character be used. - - Add or update the following line in the \"/etc/security/pwquality.conf\" -file to include the \"ocredit=-1\" parameter: - - ocredit=-1 - " - impact 0.3 - tag severity: 'low' - tag gtitle: 'SRG-OS-000266-GPOS-00101' - tag gid: 'V-238226' - tag rid: 'SV-238226r653853_rule' - tag stig_id: 'UBTU-20-010055' - tag fix_id: 'F-41395r653852_fix' - tag cci: ['CCI-001619'] - tag legacy: [] - tag nist: ['IA-5 (1) (a)'] - - config_file = '/etc/security/pwquality.conf' - config_file_exists = file(config_file).exist? - - if config_file_exists - describe parse_config_file(config_file) do - its('ocredit') { should cmp -1 } - end - else - describe (config_file + ' exists') do - subject { config_file_exists } - it { should be true } - end - end -end - diff --git a/controls/V-238227.rb b/controls/V-238227.rb deleted file mode 100644 index 91f4260..0000000 --- a/controls/V-238227.rb +++ /dev/null @@ -1,56 +0,0 @@ -# encoding: UTF-8 - -control 'V-238227' do - title "The Ubuntu operating system must prevent the use of dictionary words -for passwords." - desc "If the Ubuntu operating system allows the user to select passwords -based on dictionary words, then this increases the chances of password -compromise by increasing the opportunity for successful guesses and brute-force -attacks." - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system uses the \"cracklib\" library to prevent -the use of dictionary words with the following command: - - $ grep dictcheck /etc/security/pwquality.conf - - dictcheck=1 - - If the \"dictcheck\" parameter is not set to \"1\" or is commented out, -this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to prevent the use of dictionary -words for passwords. - - Add or update the following line in the \"/etc/security/pwquality.conf\" -file to include the \"dictcheck=1\" parameter: - - dictcheck=1 - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000480-GPOS-00225' - tag gid: 'V-238227' - tag rid: 'SV-238227r653856_rule' - tag stig_id: 'UBTU-20-010056' - tag fix_id: 'F-41396r653855_fix' - tag cci: ['CCI-000366'] - tag legacy: [] - tag nist: ['CM-6 b'] - - config_file = '/etc/security/pwquality.conf' - config_file_exists = file(config_file).exist? - - if config_file_exists - describe parse_config_file(config_file) do - its('dictcheck') { should cmp 1 } - end - else - describe (config_file + ' exists') do - subject { config_file_exists } - it { should be true } - end - end -end - diff --git a/controls/V-238228.rb b/controls/V-238228.rb deleted file mode 100644 index 3654612..0000000 --- a/controls/V-238228.rb +++ /dev/null @@ -1,90 +0,0 @@ -# encoding: UTF-8 - -control 'V-238228' do - title "The Ubuntu operating system must be configured so that when passwords -are changed or new passwords are established, pwquality must be used." - desc "Use of a complex password helps to increase the time and resources -required to compromise the password. Password complexity, or strength, is a -measure of the effectiveness of a password in resisting attempts at guessing -and brute-force attacks. \"pwquality\" enforces complex password construction -configuration and has the ability to limit brute-force attacks on the system." - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system has the \"libpam-pwquality\" package -installed by running the following command: - - $ dpkg -l libpam-pwquality - - ii libpam-pwquality:amd64 1.4.0-2 amd64 - PAM module to check password strength - - If \"libpam-pwquality\" is not installed, this is a finding. - - Verify that the operating system uses \"pwquality\" to enforce the password -complexity rules. - - Verify the pwquality module is being enforced by the Ubuntu operating -system by running the following command: - - $ grep -i enforcing /etc/security/pwquality.conf - - enforcing = 1 - - If the value of \"enforcing\" is not \"1\" or the line is commented out, -this is a finding. - - Check for the use of \"pwquality\" with the following command: - - $ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality - - password requisite pam_pwquality.so retry=3 - - If no output is returned or the line is commented out, this is a finding. - - If the value of \"retry\" is set to \"0\" or greater than \"3\", this is a -finding. - " - desc 'fix', " - Configure the operating system to use \"pwquality\" to enforce password -complexity rules. - - Install the \"pam_pwquality\" package by using the following command: - - $ sudo apt-get install libpam-pwquality -y - - Add the following line to \"/etc/security/pwquality.conf\" (or modify the -line to have the required value): - - enforcing = 1 - - Add the following line to \"/etc/pam.d/common-password\" (or modify the -line to have the required value): - - password requisite pam_pwquality.so retry=3 - - Note: The value of \"retry\" should be between \"1\" and \"3\". - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000480-GPOS-00225' - tag gid: 'V-238228' - tag rid: 'SV-238228r653859_rule' - tag stig_id: 'UBTU-20-010057' - tag fix_id: 'F-41397r653858_fix' - tag cci: ['CCI-000366'] - tag legacy: [] - tag nist: ['CM-6 b'] - - describe package('libpam-pwquality') do - it { should be_installed } - end - - describe file('/etc/security/pwquality.conf') do - its('content') { should match '^enforcing\s+=\s+1$' } - end - - describe file('/etc/pam.d/common-password') do - its('content') { should match '^password\s+requisite\s+pam_pwquality.so\s+retry=3\s+enforce_for_root$' } - end -end - diff --git a/controls/V-238229.rb b/controls/V-238229.rb deleted file mode 100644 index 3df32cc..0000000 --- a/controls/V-238229.rb +++ /dev/null @@ -1,90 +0,0 @@ -# encoding: UTF-8 - -control 'V-238229' do - title "The Ubuntu operating system, for PKI-based authentication, must -validate certificates by constructing a certification path (which includes -status information) to an accepted trust anchor." - desc "Without path validation, an informed trust decision by the relying -party cannot be made when presented with any certificate not already explicitly -trusted. - - A trust anchor is an authoritative entity represented via a public key and -associated data. It is used in the context of public key infrastructures, X.509 -digital certificates, and DNSSEC. - - When there is a chain of trust, usually the top entity to be trusted -becomes the trust anchor; it can be, for example, a Certification Authority -(CA). A certification path starts with the subject certificate and proceeds -through a number of intermediate certificates up to a trusted root certificate, -typically issued by a trusted CA. - - This requirement verifies that a certification path to an accepted trust -anchor is used for certificate validation and that the path includes status -information. Path validation is necessary for a relying party to make an -informed trust decision when presented with any certificate not already -explicitly trusted. Status information for certification paths includes -certificate revocation lists or online certificate status protocol responses. -Validation of the certificate status information is out of scope for this -requirement. - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system, for PKI-based authentication, has valid -certificates by constructing a certification path to an accepted trust anchor. - - Determine which pkcs11 module is being used via the \"use_pkcs11_module\" -in \"/etc/pam_pkcs11/pam_pkcs11.conf\" and then ensure \"ca\" is enabled in -\"cert_policy\" with the following command: - - $ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk -'/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep -cert_policy | grep ca - - cert_policy = ca,signature,ocsp_on; - - If \"cert_policy\" is not set to \"ca\" or the line is commented out, this -is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system, for PKI-based authentication, to -validate certificates by constructing a certification path to an accepted trust -anchor. - - Determine which pkcs11 module is being used via the \"use_pkcs11_module\" -in \"/etc/pam_pkcs11/pam_pkcs11.conf\" and ensure \"ca\" is enabled in -\"cert_policy\". - - Add or update the \"cert_policy\" to ensure \"ca\" is enabled: - - cert_policy = ca,signature,ocsp_on; - - If the system is missing an \"/etc/pam_pkcs11/\" directory and an -\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and -modify accordingly at -\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\". - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000066-GPOS-00034' - tag gid: 'V-238229' - tag rid: 'SV-238229r653862_rule' - tag stig_id: 'UBTU-20-010060' - tag fix_id: 'F-41398r653861_fix' - tag cci: ['CCI-000185'] - tag legacy: [] - tag nist: ['IA-5 (2) (a)'] - - config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist? - if config_file_exists - describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do - its('use_pkcs11_module') { should_not be_nil } - its('cert_policy') { should include 'ca' } - end - else - describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do - subject { config_file_exists } - it { should be true } - end - end -end - diff --git a/controls/V-238230.rb b/controls/V-238230.rb deleted file mode 100644 index 0472f80..0000000 --- a/controls/V-238230.rb +++ /dev/null @@ -1,67 +0,0 @@ -# encoding: UTF-8 - -control 'V-238230' do - title "The Ubuntu operating system must implement multifactor authentication -for remote access to privileged accounts in such a way that one of the factors -is provided by a device separate from the system gaining access." - desc "Using an authentication device, such as a CAC or token that is -separate from the information system, ensures that even if the information -system is compromised, that compromise will not affect credentials stored on -the authentication device. - - Multifactor solutions that require devices separate from information -systems gaining access include, for example, hardware tokens providing -time-based or challenge-response authenticators and smart cards such as the -U.S. Government Personal Identity Verification card and the DoD Common Access -Card. - - A privileged account is defined as an information system account with -authorizations of a privileged user. - - Remote access is access to DoD nonpublic information systems by an -authorized user (or an information system) communicating through an external, -non-organization-controlled network. Remote access methods include, for -example, dial-up, broadband, and wireless. - - This requirement only applies to components where this is specific to the -function of the device or has the concept of an organizational user (e.g., VPN, -proxy capability). This does not apply to authentication for the purpose of -configuring the device itself (management). - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system has the packages required for -multifactor authentication installed with the following commands: - - $ dpkg -l | grep libpam-pkcs11 - - ii libpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for -using PKCS#11 smart cards - - If the \"libpam-pkcs11\" package is not installed, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to implement multifactor -authentication by installing the required packages. - - Install the \"libpam-pkcs11\" package on the system with the following -command: - - $ sudo apt install libpam-pkcs11 - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000375-GPOS-00160' - tag gid: 'V-238230' - tag rid: 'SV-238230r653865_rule' - tag stig_id: 'UBTU-20-010063' - tag fix_id: 'F-41399r653864_fix' - tag cci: ['CCI-001948'] - tag legacy: [] - tag nist: ['IA-2 (11)'] - - describe package('libpam-pkcs11') do - it { should be_installed } - end -end - diff --git a/controls/V-238231.rb b/controls/V-238231.rb deleted file mode 100644 index 16d99ce..0000000 --- a/controls/V-238231.rb +++ /dev/null @@ -1,50 +0,0 @@ -# encoding: UTF-8 - -control 'V-238231' do - title "The Ubuntu operating system must accept Personal Identity Verification -(PIV) credentials." - desc "The use of PIV credentials facilitates standardization and reduces the -risk of unauthorized access. - - DoD has mandated the use of the CAC to support identity management and -personal authentication for systems covered under Homeland Security -Presidential Directive (HSPD) 12, as well as making the CAC a primary component -of layered protection for national security systems. - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system accepts PIV credentials. - - Verify the \"opensc-pcks11\" package is installed on the system with the -following command: - - $ dpkg -l | grep opensc-pkcs11 - - ii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card -utilities with support for PKCS#15 compatible cards - - If the \"opensc-pcks11\" package is not installed, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to accept PIV credentials. - - Install the \"opensc-pkcs11\" package using the following command: - - $ sudo apt-get install opensc-pkcs11 - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000376-GPOS-00161' - tag gid: 'V-238231' - tag rid: 'SV-238231r653868_rule' - tag stig_id: 'UBTU-20-010064' - tag fix_id: 'F-41400r653867_fix' - tag cci: ['CCI-001953'] - tag legacy: [] - tag nist: ['IA-2 (12)'] - - describe package('opensc-pkcs11') do - it { should be_installed } - end -end - diff --git a/controls/V-238232.rb b/controls/V-238232.rb deleted file mode 100644 index 6a9e4f8..0000000 --- a/controls/V-238232.rb +++ /dev/null @@ -1,60 +0,0 @@ -# encoding: UTF-8 - -control 'V-238232' do - title "The Ubuntu operating system must electronically verify Personal -Identity Verification (PIV) credentials." - desc "The use of PIV credentials facilitates standardization and reduces the -risk of unauthorized access. - - DoD has mandated the use of the CAC to support identity management and -personal authentication for systems covered under Homeland Security -Presidential Directive (HSPD) 12, as well as making the CAC a primary component -of layered protection for national security systems. - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system electronically verifies PIV credentials. - - Verify that certificate status checking for multifactor authentication is -implemented with the following command: - - $ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk -'/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep -cert_policy | grep ocsp_on - - cert_policy = ca,signature,ocsp_on; - - If \"cert_policy\" is not set to \"ocsp_on\", or the line is commented out, -this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to do certificate status checking for -multifactor authentication. - - Modify all of the \"cert_policy\" lines in -\"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\". - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000377-GPOS-00162' - tag gid: 'V-238232' - tag rid: 'SV-238232r653871_rule' - tag stig_id: 'UBTU-20-010065' - tag fix_id: 'F-41401r653870_fix' - tag cci: ['CCI-001954'] - tag legacy: [] - tag nist: ['IA-2 (12)'] - - config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist? - if config_file_exists - describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do - its('cert_policy') { should include 'ocsp_on' } - end - else - describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do - subject { config_file_exists } - it { should be true } - end - end -end - diff --git a/controls/V-238233.rb b/controls/V-238233.rb deleted file mode 100644 index ef57135..0000000 --- a/controls/V-238233.rb +++ /dev/null @@ -1,69 +0,0 @@ -# encoding: UTF-8 - -control 'V-238233' do - title "The Ubuntu operating system for PKI-based authentication, must -implement a local cache of revocation data in case of the inability to access -revocation information via the network." - desc "Without configuring a local cache of revocation data, there is the -potential to allow access to users who are no longer authorized (users with -revoked certificates)." - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system, for PKI-based authentication, uses -local revocation data when unable to access it from the network. - - Verify that \"crl_offline\" or \"crl_auto\" is part of the \"cert_policy\" -definition in \"/etc/pam_pkcs11/pam_pkcs11.conf\" using the following command: - - # sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E -- -'crl_auto|crl_offline' - - cert_policy = ca,signature,ocsp_on,crl_auto; - - If \"cert_policy\" is not set to include \"crl_auto\" or \"crl_offline\", -this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system, for PKI-based authentication, to use -local revocation data when unable to access the network to obtain it remotely. - - Add or update the \"cert_policy\" option in -\"/etc/pam/_pkcs11/pam_pkcs11.conf\" to include \"crl_auto\" or -\"crl_offline\". - - cert_policy = ca,signature,ocsp_on, crl_auto; - - If the system is missing an \"/etc/pam_pkcs11/\" directory and an -\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and -modify accordingly at -\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\". - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000384-GPOS-00167' - tag gid: 'V-238233' - tag rid: 'SV-238233r653874_rule' - tag stig_id: 'UBTU-20-010066' - tag fix_id: 'F-41402r653873_fix' - tag cci: ['CCI-001991'] - tag legacy: [] - tag nist: ['IA-5 (2) (d)'] - - config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist? - if config_file_exists - describe.one do - describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do - its('cert_policy') { should include 'crl_auto' } - end - describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do - its('cert_policy') { should include 'crl_offline' } - end - end - else - describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do - subject { config_file_exists } - it { should be true } - end - end -end - diff --git a/controls/V-238234.rb b/controls/V-238234.rb deleted file mode 100644 index 8735b26..0000000 --- a/controls/V-238234.rb +++ /dev/null @@ -1,58 +0,0 @@ -# encoding: UTF-8 - -control 'V-238234' do - title "The Ubuntu operating system must prohibit password reuse for a minimum -of five generations." - desc "Password complexity, or strength, is a measure of the effectiveness of -a password in resisting attempts at guessing and brute-force attacks. If the -information system or application allows the user to consecutively reuse their -password when that password has exceeded its defined lifetime, the end result -is a password that is not changed as per policy requirements. - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system prevents passwords from being reused for -a minimum of five generations by running the following command: - - $ grep -i remember /etc/pam.d/common-password - - password [success=1 default=ignore] pam_unix.so obsecure sha512 shadow -remember=5 rounds=5000 - - If the \"remember\" parameter value is not greater than or equal to \"5\", -is commented out, or is not set at all, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to prevent passwords from being -reused for a minimum of five generations. - - Add or modify the \"remember\" parameter value to the following line in -\"/etc/pam.d/common-password\" file: - - password [success=1 default=ignore] pam_unix.so obsecure sha512 shadow -remember=5 rounds=5000 - " - impact 0.3 - tag severity: 'low' - tag gtitle: 'SRG-OS-000077-GPOS-00045' - tag satisfies: ['SRG-OS-000077-GPOS-00045', 'SRG-OS-000073-GPOS-00041'] - tag gid: 'V-238234' - tag rid: 'SV-238234r685225_rule' - tag stig_id: 'UBTU-20-010070' - tag fix_id: 'F-41403r653876_fix' - tag cci: ['CCI-000196', 'CCI-000200'] - tag legacy: [] - tag nist: ['IA-5 (1) (c)', 'IA-5 (1) (e)'] - - describe file('/etc/pam.d/common-password') do - it { should exist } - end - - describe command("grep -i remember /etc/pam.d/common-password | sed 's/.*remember=\\([^ ]*\\).*/\\1/'") do - its('exit_status') { should eq 0 } - its('stdout.strip') { should cmp >= 5 } - end -end - diff --git a/controls/V-238235.rb b/controls/V-238235.rb deleted file mode 100644 index 7a919cb..0000000 --- a/controls/V-238235.rb +++ /dev/null @@ -1,61 +0,0 @@ -# encoding: UTF-8 - -control 'V-238235' do - title "The Ubuntu operating system must automatically lock an account until -the locked account is released by an administrator when three unsuccessful -logon attempts have been made." - desc "By limiting the number of failed logon attempts, the risk of -unauthorized system access via user password guessing, otherwise known as -brute-forcing, is reduced. Limits are imposed by locking the account. - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system locks an account after three -unsuccessful login attempts with following command: - - $ grep pam_tally2 /etc/pam.d/common-auth - - auth required pam_tally2.so onerr=fail deny=3 - - If no line is returned or the line is commented out, this is a finding. - - If the line is missing \"onerr=fail\", this is a finding. - - If the line has \"deny\" set to a value more than \"3\", this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to lock an account after three -unsuccessful login attempts. - - Edit the \"/etc/pam.d/common-auth\" file. The \"pam_tally2.so\" entry must -be placed at the top of the \"auth\" stack. - - Add the following line before the first \"auth\" entry in the file: - - auth required pam_tally2.so onerr=fail deny=3 - " - impact 0.3 - tag severity: 'low' - tag gtitle: 'SRG-OS-000329-GPOS-00128' - tag satisfies: ['SRG-OS-000329-GPOS-00128', 'SRG-OS-000021-GPOS-00005'] - tag gid: 'V-238235' - tag rid: 'SV-238235r653880_rule' - tag stig_id: 'UBTU-20-010072' - tag fix_id: 'F-41404r653879_fix' - tag cci: ['CCI-000044', 'CCI-002238'] - tag legacy: [] - tag nist: ['AC-7 a', 'AC-7 b'] - - describe file('/etc/pam.d/common-auth') do - it { should exist } - end - - describe command('grep pam_tally /etc/pam.d/common-auth') do - its('exit_status') { should eq 0 } - its('stdout.strip') { should match /^\s*auth\s+required\s+pam_tally2.so\s+.*onerr=fail\s+deny=3($|\s+.*$)/ } - its('stdout.strip') { should_not match /^\s*auth\s+required\s+pam_tally2.so\s+.*onerr=fail\s+deny=3\s+.*unlock_time.*$/ } - end -end - diff --git a/controls/V-238236.rb b/controls/V-238236.rb deleted file mode 100644 index 0fb6159..0000000 --- a/controls/V-238236.rb +++ /dev/null @@ -1,80 +0,0 @@ -# encoding: UTF-8 - -control 'V-238236' do - title "The Ubuntu operating system must be configured so that the script -which runs each 30 days or less to check file integrity is the default one." - desc "Without verification of the security functions, security functions may -not operate correctly and the failure may go unnoticed. Security function is -defined as the hardware, software, and/or firmware of the information system -responsible for enforcing the system security policy and supporting the -isolation of code and data on which the protection is based. Security -functionality includes, but is not limited to, establishing system accounts, -configuring access authorizations (i.e., permissions, privileges), setting -events to be audited, and setting intrusion detection parameters. - - Notifications provided by information systems include, for example, -electronic alerts to System Administrators, messages to local computer -consoles, and/or hardware indications, such as lights. - - This requirement applies to the Ubuntu operating system performing security -function verification/testing and/or systems and environments that require this -functionality. - " - desc 'rationale', '' - desc 'check', " - Verify that the Advanced Intrusion Detection Environment (AIDE) default -script used to check file integrity each 30 days or less is unchanged. - - Download the original aide-common package in the /tmp directory: - - $ cd /tmp; apt download aide-common - - Fetch the SHA1 of the original script file: - - $ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO -./usr/share/aide/config/cron.daily/aide | sha1sum - 32958374f18871e3f7dda27a58d721f471843e26 - - - Compare with the SHA1 of the file in the daily or monthly cron directory: - - $ sha1sum /etc/cron.{daily,monthly}/aide 2>/dev/null - 32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide - - If there is no AIDE script file in the cron directories, or the SHA1 value -of at least one file in the daily or monthly cron directory does not match the -SHA1 of the original, this is a finding. - " - desc 'fix', " - The cron file for AIDE is fairly complex as it creates the report. This -file is installed with the \"aide-common\" package, and the default can be -restored by copying it from the package: - - Download the original package to the /tmp dir: - - $ cd /tmp; apt download aide-common - - Extract the aide script to its original place: - - $ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | sudo tar -x -./usr/share/aide/config/cron.daily/aide -C / - - Copy it to the cron.daily directory: - - $ sudo cp -f /usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000446-GPOS-00200' - tag gid: 'V-238236' - tag rid: 'SV-238236r653883_rule' - tag stig_id: 'UBTU-20-010074' - tag fix_id: 'F-41405r653882_fix' - tag cci: ['CCI-002699'] - tag legacy: [] - tag nist: ['SI-6 b'] - - describe("Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.") do - skip("manual test") - end -end - diff --git a/controls/V-238237.rb b/controls/V-238237.rb deleted file mode 100644 index 466630e..0000000 --- a/controls/V-238237.rb +++ /dev/null @@ -1,55 +0,0 @@ -# encoding: UTF-8 - -control 'V-238237' do - title "The Ubuntu operating system must enforce a delay of at least 4 seconds -between logon prompts following a failed logon attempt." - desc "Limiting the number of logon attempts over a certain time interval -reduces the chances that an unauthorized user may gain access to an account." - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system enforces a delay of at least 4 seconds -between logon prompts following a failed logon attempt with the following -command: - - $ grep pam_faildelay /etc/pam.d/common-auth - - auth required pam_faildelay.so delay=4000000 - - If the line is not present or is commented out, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to enforce a delay of at least 4 -seconds between logon prompts following a failed logon attempt. - - Edit the file \"/etc/pam.d/common-auth\" and set the parameter -\"pam_faildelay\" to a value of 4000000 or greater: - - auth required pam_faildelay.so delay=4000000 - " - impact 0.3 - tag severity: 'low' - tag gtitle: 'SRG-OS-000480-GPOS-00226' - tag gid: 'V-238237' - tag rid: 'SV-238237r653886_rule' - tag stig_id: 'UBTU-20-010075' - tag fix_id: 'F-41406r653885_fix' - tag cci: ['CCI-000366'] - tag legacy: [] - tag nist: ['CM-6 b'] - - describe file('/etc/pam.d/common-auth') do - it { should exist } - end - - describe command('grep pam_faildelay /etc/pam.d/common-auth') do - its('exit_status') { should eq 0 } - its('stdout.strip') { should match /^\s*auth\s+required\s+pam_faildelay.so\s+.*delay=([4-9][\d]{6,}|[1-9][\d]{7,}).*$/ } - end - - file('/etc/pam.d/common-auth').content.to_s.scan(/^\s*auth\s+required\s+pam_faildelay.so\s+.*delay=(\d+).*$/).flatten.each do |entry| - describe entry do - it { should cmp >= 4_000_000 } - end - end -end - diff --git a/controls/V-238238.rb b/controls/V-238238.rb deleted file mode 100644 index b1aaa1e..0000000 --- a/controls/V-238238.rb +++ /dev/null @@ -1,90 +0,0 @@ -# encoding: UTF-8 - -control 'V-238238' do - title "The Ubuntu operating system must generate audit records for all -account creations, modifications, disabling, and termination events that affect -/etc/passwd." - desc "Once an attacker establishes access to a system, the attacker often -attempts to create a persistent method of reestablishing access. One way to -accomplish this is for the attacker to create an account. Auditing account -creation actions provides logging that can be used for forensic purposes. - - To address access requirements, many operating systems may be integrated -with enterprise level authentication/access/auditing mechanisms that meet or -exceed access control policy requirements. - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates audit records for all account -creations, modifications, disabling, and termination events that affect -\"/etc/passwd\". - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep passwd - - -w /etc/passwd -p wa -k usergroup_modification - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the Ubuntu operating system to generate audit records for all -account creations, modifications, disabling, and termination events that affect -\"/etc/passwd\". - - Add or update the following rule to \"/etc/audit/rules.d/stig.rules\": - - -w /etc/passwd -p wa -k usergroup_modification - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000004-GPOS-00004' - tag satisfies: ['SRG-OS-000004-GPOS-00004', 'SRG-OS-000239-GPOS-00089', -'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', -'SRG-OS-000303-GPOS-00120', 'SRG-OS-000458-GPOS-00203', -'SRG-OS-000463-GPOS-00207', 'SRG-OS-000476-GPOS-00221'] - tag gid: 'V-238238' - tag rid: 'SV-238238r653889_rule' - tag stig_id: 'UBTU-20-010100' - tag fix_id: 'F-41407r653888_fix' - tag cci: ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-001404', -'CCI-001405', 'CCI-002130'] - tag legacy: [] - tag nist: ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)', 'AC-2 (4)', "AC-2 -(4)"] - - @audit_file = '/etc/passwd' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'w' } - it { should include 'a' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238239.rb b/controls/V-238239.rb deleted file mode 100644 index 42d4d4c..0000000 --- a/controls/V-238239.rb +++ /dev/null @@ -1,89 +0,0 @@ -# encoding: UTF-8 - -control 'V-238239' do - title "The Ubuntu operating system must generate audit records for all -account creations, modifications, disabling, and termination events that affect -/etc/group." - desc "Once an attacker establishes access to a system, the attacker often -attempts to create a persistent method of reestablishing access. One way to -accomplish this is for the attacker to create an account. Auditing account -creation actions provides logging that can be used for forensic purposes. - - To address access requirements, many operating systems may be integrated -with enterprise level authentication/access/auditing mechanisms that meet or -exceed access control policy requirements. - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates audit records for all account -creations, modifications, disabling, and termination events that affect -\"/etc/group\". - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep group - - -w /etc/group -p wa -k usergroup_modification - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the Ubuntu operating system to generate audit records for all -account creations, modifications, disabling, and termination events that affect -\"/etc/group\". - - Add or update the following rule to \"/etc/audit/rules.d/stig.rules\": - - -w /etc/group -p wa -k usergroup_modification - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000004-GPOS-00004' - tag satisfies: ['SRG-OS-000004-GPOS-00004', 'SRG-OS-000239-GPOS-00089', -'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', -'SRG-OS-000303-GPOS-00120', 'SRG-OS-000458-GPOS-00203', -'SRG-OS-000476-GPOS-00221'] - tag gid: 'V-238239' - tag rid: 'SV-238239r653892_rule' - tag stig_id: 'UBTU-20-010101' - tag fix_id: 'F-41408r653891_fix' - tag cci: ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-001404', -'CCI-001405', 'CCI-002130'] - tag legacy: [] - tag nist: ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)', 'AC-2 (4)', "AC-2 -(4)"] - - @audit_file = '/etc/group' - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'w' } - it { should include 'a' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238240.rb b/controls/V-238240.rb deleted file mode 100644 index b89f18b..0000000 --- a/controls/V-238240.rb +++ /dev/null @@ -1,89 +0,0 @@ -# encoding: UTF-8 - -control 'V-238240' do - title "The Ubuntu operating system must generate audit records for all -account creations, modifications, disabling, and termination events that affect -/etc/shadow." - desc "Once an attacker establishes access to a system, the attacker often -attempts to create a persistent method of reestablishing access. One way to -accomplish this is for the attacker to create an account. Auditing account -creation actions provides logging that can be used for forensic purposes. - - To address access requirements, many operating systems may be integrated -with enterprise level authentication/access/auditing mechanisms that meet or -exceed access control policy requirements. - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates audit records for all account -creations, modifications, disabling, and termination events that affect -\"/etc/shadow\". - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep shadow - - -w /etc/shadow -p wa -k usergroup_modification - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the Ubuntu operating system to generate audit records for all -account creations, modifications, disabling, and termination events that affect -\"/etc/shadow\". - - Add or update the following rule to \"/etc/audit/rules.d/stig.rules\": - - -w /etc/shadow -p wa -k usergroup_modification - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000004-GPOS-00004' - tag satisfies: ['SRG-OS-000004-GPOS-00004', 'SRG-OS-000239-GPOS-00089', -'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', -'SRG-OS-000303-GPOS-00120', 'SRG-OS-000458-GPOS-00203', -'SRG-OS-000476-GPOS-00221'] - tag gid: 'V-238240' - tag rid: 'SV-238240r653895_rule' - tag stig_id: 'UBTU-20-010102' - tag fix_id: 'F-41409r653894_fix' - tag cci: ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-001404', -'CCI-001405', 'CCI-002130'] - tag legacy: [] - tag nist: ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)', 'AC-2 (4)', "AC-2 -(4)"] - - @audit_file = '/etc/shadow' - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'w' } - it { should include 'a' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238241.rb b/controls/V-238241.rb deleted file mode 100644 index 18b58df..0000000 --- a/controls/V-238241.rb +++ /dev/null @@ -1,88 +0,0 @@ -# encoding: UTF-8 - -control 'V-238241' do - title "The Ubuntu operating system must generate audit records for all -account creations, modifications, disabling, and termination events that affect -/etc/gshadow." - desc "Once an attacker establishes access to a system, the attacker often -attempts to create a persistent method of reestablishing access. One way to -accomplish this is for the attacker to create an account. Auditing account -creation actions provides logging that can be used for forensic purposes. - - To address access requirements, many operating systems may be integrated -with enterprise level authentication/access/auditing mechanisms that meet or -exceed access control policy requirements. - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates audit records for all account -creations, modifications, disabling, and termination events that affect -\"/etc/gshadow\". - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep gshadow - - -w /etc/gshadow -p wa -k usergroup_modification - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the Ubuntu operating system to generate audit records for all -account creations, modifications, disabling, and termination events that affect -\"/etc/gshadow\". - - Add or update the following rule to \"/etc/audit/rules.d/stig.rules\": - - -w /etc/gshadow -p wa -k usergroup_modification - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000004-GPOS-00004' - tag satisfies: ['SRG-OS-000004-GPOS-00004', 'SRG-OS-000239-GPOS-00089', -'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', -'SRG-OS-000303-GPOS-00120', 'SRG-OS-000458-GPOS-00203', -'SRG-OS-000476-GPOS-00221'] - tag gid: 'V-238241' - tag rid: 'SV-238241r653898_rule' - tag stig_id: 'UBTU-20-010103' - tag fix_id: 'F-41410r653897_fix' - tag cci: ['CCI-000172', 'CCI-001403', 'CCI-001404', 'CCI-001405', -'CCI-002130'] - tag legacy: [] - tag nist: ['AU-12 c', 'AC-2 (4)', 'AC-2 (4)', 'AC-2 (4)', 'AC-2 (4)'] - - @audit_file = '/etc/gshadow' - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'w' } - it { should include 'a' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238242.rb b/controls/V-238242.rb deleted file mode 100644 index b22c5f2..0000000 --- a/controls/V-238242.rb +++ /dev/null @@ -1,89 +0,0 @@ -# encoding: UTF-8 - -control 'V-238242' do - title "The Ubuntu operating system must generate audit records for all -account creations, modifications, disabling, and termination events that affect -/etc/opasswd." - desc "Once an attacker establishes access to a system, the attacker often -attempts to create a persistent method of reestablishing access. One way to -accomplish this is for the attacker to create an account. Auditing account -creation actions provides logging that can be used for forensic purposes. - - To address access requirements, many operating systems may be integrated -with enterprise level authentication/access/auditing mechanisms that meet or -exceed access control policy requirements. - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates audit records for all account -creations, modifications, disabling, and termination events that affect -\"/etc/security/opasswd\". - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep opasswd - - -w /etc/security/opasswd -p wa -k usergroup_modification - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the Ubuntu operating system to generate audit records for all -account creations, modifications, disabling, and termination events that affect -\"/etc/security/opasswd\". - - Add or update the following rule to \"/etc/audit/rules.d/stig.rules\": - - -w /etc/security/opasswd -p wa -k usergroup_modification - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000004-GPOS-00004' - tag satisfies: ['SRG-OS-000004-GPOS-00004', 'SRG-OS-000239-GPOS-00089', -'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', -'SRG-OS-000303-GPOS-00120', 'SRG-OS-000458-GPOS-00203', -'SRG-OS-000476-GPOS-00221'] - tag gid: 'V-238242' - tag rid: 'SV-238242r653901_rule' - tag stig_id: 'UBTU-20-010104' - tag fix_id: 'F-41411r653900_fix' - tag cci: ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-001404', -'CCI-001405', 'CCI-002130'] - tag legacy: [] - tag nist: ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)', 'AC-2 (4)', "AC-2 -(4)"] - - @audit_file = '/etc/security/opasswd' - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'w' } - it { should include 'a' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238243.rb b/controls/V-238243.rb deleted file mode 100644 index a72c40f..0000000 --- a/controls/V-238243.rb +++ /dev/null @@ -1,68 +0,0 @@ -# encoding: UTF-8 - -control 'V-238243' do - title "The Ubuntu operating system must alert the ISSO and SA (at a minimum) -in the event of an audit processing failure." - desc "It is critical for the appropriate personnel to be aware if a system -is at risk of failing to process audit logs as required. Without this -notification, the security personnel may be unaware of an impending failure of -the audit capability, and system operation may be adversely affected. - - Audit processing failures include software/hardware errors, failures in the -audit capturing mechanisms, and audit storage capacity being reached or -exceeded. - - This requirement applies to each audit data storage repository (i.e., -distinct information system component where audit records are stored), the -centralized audit storage capacity of organizations (i.e., all audit data -storage repositories combined), or both. - " - desc 'rationale', '' - desc 'check', " - Verify that the SA and ISSO (at a minimum) are notified in the event of an -audit processing failure with the following command: - - $ sudo grep '^action_mail_acct = root' /etc/audit/auditd.conf - - action_mail_acct = - - If the value of the \"action_mail_acct\" keyword is not set to an accounts -for security personnel, the \"action_mail_acct\" keyword is missing, or the -returned line is commented out, this is a finding. - " - desc 'fix', " - Configure \"auditd\" service to notify the SA and ISSO in the event of an -audit processing failure. - - Edit the following line in \"/etc/audit/auditd.conf\" to ensure -administrators are notified via email for those situations: - - action_mail_acct = - - Note: Change \"administrator_account\" to an account for security -personnel. - - Restart the \"auditd\" service so the changes take effect: - - $ sudo systemctl restart auditd.service - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000046-GPOS-00022' - tag gid: 'V-238243' - tag rid: 'SV-238243r653904_rule' - tag stig_id: 'UBTU-20-010117' - tag fix_id: 'F-41412r653903_fix' - tag cci: ['CCI-000139'] - tag legacy: [] - tag nist: ['AU-5 a'] - - action_mail_acct = auditd_conf.action_mail_acct - security_accounts = input('action_mail_acct') - - describe 'System Administrator (SA) and Information System Security Officer (ISSO) are notified in the event of an audit processing failure' do - subject { security_accounts } - it { should cmp action_mail_acct } - end -end - diff --git a/controls/V-238244.rb b/controls/V-238244.rb deleted file mode 100644 index 8223f12..0000000 --- a/controls/V-238244.rb +++ /dev/null @@ -1,69 +0,0 @@ -# encoding: UTF-8 - -control 'V-238244' do - title "The Ubuntu operating system must shut down by default upon audit -failure (unless availability is an overriding concern)." - desc "It is critical that when the operating system is at risk of failing to -process audit logs as required, it takes action to mitigate the failure. Audit -processing failures include: software/hardware errors; failures in the audit -capturing mechanisms; and audit storage capacity being reached or exceeded. -Responses to audit failure depend upon the nature of the failure mode. - - When availability is an overriding concern, other approved actions in -response to an audit failure are as follows: - - 1) If the failure was caused by the lack of audit record storage capacity, -the operating system must continue generating audit records if possible -(automatically restarting the audit service if necessary), overwriting the -oldest audit records in a first-in-first-out manner. - - 2) If audit records are sent to a centralized collection server and -communication with this server is lost or the server fails, the operating -system must queue audit records locally until communication is restored or -until the audit records are retrieved manually. Upon restoration of the -connection to the centralized collection server, action should be taken to -synchronize the local audit data with the collection server. - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system takes the appropriate action when the -audit storage volume is full with the following command: - - $ sudo grep '^disk_full_action' /etc/audit/auditd.conf - - disk_full_action = HALT - - If the value of the \"disk_full_action\" option is not \"SYSLOG\", -\"SINGLE\", or \"HALT\", or the line is commented out, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to shut down by default upon audit -failure (unless availability is an overriding concern). - - Add or update the following line (depending on configuration, -\"disk_full_action\" can be set to \"SYSLOG\", \"HALT\" or \"SINGLE\") in -\"/etc/audit/auditd.conf\" file: - - disk_full_action = HALT - - Restart the \"auditd\" service so the changes take effect: - - $ sudo systemctl restart auditd.service - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000047-GPOS-00023' - tag gid: 'V-238244' - tag rid: 'SV-238244r653907_rule' - tag stig_id: 'UBTU-20-010118' - tag fix_id: 'F-41413r653906_fix' - tag cci: ['CCI-000140'] - tag legacy: [] - tag nist: ['AU-5 b'] - - describe auditd_conf do - its('disk_full_action') { should_not be_empty } - its('disk_full_action') { should cmp /(?:SYSLOG|SINGLE|HALT)/i } - end -end - diff --git a/controls/V-238245.rb b/controls/V-238245.rb deleted file mode 100644 index aa6f28b..0000000 --- a/controls/V-238245.rb +++ /dev/null @@ -1,73 +0,0 @@ -# encoding: UTF-8 - -control 'V-238245' do - title "The Ubuntu operating system must be configured so that audit log files -are not read or write-accessible by unauthorized users." - desc "Unauthorized disclosure of audit records can reveal system and -configuration data to attackers, thus compromising its confidentiality. - - Audit information includes all information (e.g., audit records, audit -settings, audit reports) needed to successfully audit operating system activity. - - - " - desc 'rationale', '' - desc 'check', " - Verify that the audit log files have a mode of \"0600\" or less permissive. - - Determine where the audit logs are stored with the following command: - - $ sudo grep -iw log_file /etc/audit/auditd.conf - log_file = /var/log/audit/audit.log - - Using the path of the directory containing the audit logs, determine if the -audit log files have a mode of \"0600\" or less by using the following command: - - $ sudo stat -c \"%n %a\" /var/log/audit/* - /var/log/audit/audit.log 600 - - If the audit log files have a mode more permissive than \"0600\", this is a -finding. - " - desc 'fix', " - Configure the audit log files to have a mode of \"0600\" or less -permissive. - - Determine where the audit logs are stored with the following command: - - $ sudo grep -iw log_file /etc/audit/auditd.conf - log_file = /var/log/audit/audit.log - - Using the path of the directory containing the audit logs, configure the -audit log files to have a mode of \"0600\" or less permissive by using the -following command: - - $ sudo chmod 0600 /var/log/audit/* - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000057-GPOS-00027' - tag satisfies: ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028'] - tag gid: 'V-238245' - tag rid: 'SV-238245r653910_rule' - tag stig_id: 'UBTU-20-010122' - tag fix_id: 'F-41414r653909_fix' - tag cci: ['CCI-000162', 'CCI-000163'] - tag legacy: [] - tag nist: ['AU-9', 'AU-9'] - - log_file = auditd_conf.log_file - - log_file_exists = !log_file.nil? - if log_file_exists - describe file(log_file) do - it { should_not be_more_permissive_than('0600') } - end - else - describe ('Audit log file ' + log_file + ' exists') do - subject { log_file_exists } - it { should be true } - end - end -end - diff --git a/controls/V-238246.rb b/controls/V-238246.rb deleted file mode 100644 index 8ad2fd9..0000000 --- a/controls/V-238246.rb +++ /dev/null @@ -1,73 +0,0 @@ -# encoding: UTF-8 - -control 'V-238246' do - title "The Ubuntu operating system must be configured to permit only -authorized users ownership of the audit log files." - desc "Unauthorized disclosure of audit records can reveal system and -configuration data to attackers, thus compromising its confidentiality. - - Audit information includes all information (e.g., audit records, audit -settings, audit reports) needed to successfully audit operating system activity. - - - " - desc 'rationale', '' - desc 'check', " - Verify the audit log files are owned by \"root\" account. - - Determine where the audit logs are stored with the following command: - - $ sudo grep -iw log_file /etc/audit/auditd.conf - log_file = /var/log/audit/audit.log - - Using the path of the directory containing the audit logs, determine if the -audit log files are owned by the \"root\" user by using the following command: - - $ sudo stat -c \"%n %U\" /var/log/audit/* - /var/log/audit/audit.log root - - If the audit log files are owned by an user other than \"root\", this is a -finding. - " - desc 'fix', " - Configure the audit log directory and its underlying files to be owned by -\"root\" user. - - Determine where the audit logs are stored with the following command: - - $ sudo grep -iw log_file /etc/audit/auditd.conf - log_file = /var/log/audit/audit.log - - Using the path of the directory containing the audit logs, configure the -audit log files to be owned by \"root\" user by using the following command: - - $ sudo chown root /var/log/audit/* - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000057-GPOS-00027' - tag satisfies: ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028', -'SRG-OS-000059-GPOS-00029'] - tag gid: 'V-238246' - tag rid: 'SV-238246r653913_rule' - tag stig_id: 'UBTU-20-010123' - tag fix_id: 'F-41415r653912_fix' - tag cci: ['CCI-000162'] - tag legacy: [] - tag nist: ['AU-9'] - - log_file = auditd_conf.log_file - - log_file_exists = !log_file.nil? - if log_file_exists - describe file(log_file) do - its('owner') { should cmp 'root' } - end - else - describe ('Audit log file ' + log_file + ' exists') do - subject { log_file_exists } - it { should be true } - end - end -end - diff --git a/controls/V-238247.rb b/controls/V-238247.rb deleted file mode 100644 index db2afa1..0000000 --- a/controls/V-238247.rb +++ /dev/null @@ -1,92 +0,0 @@ -# encoding: UTF-8 - -control 'V-238247' do - title "The Ubuntu operating system must permit only authorized groups -ownership of the audit log files." - desc "Unauthorized disclosure of audit records can reveal system and -configuration data to attackers, thus compromising its confidentiality. - - Audit information includes all information (e.g., audit records, audit -settings, audit reports) needed to successfully audit operating system activity. - - - " - desc 'rationale', '' - desc 'check', " - Verify the group owner is set to own newly created audit logs in the audit -configuration file with the following command: - - $ sudo grep -iw log_group /etc/audit/auditd.conf - log_group = adm - - If the value of the \"log_group\" parameter is other than \"root\" or -\"adm\", this is a finding. - - Determine where the audit logs are stored with the following command: - - $ sudo grep -iw log_file /etc/audit/auditd.conf - log_file = /var/log/audit/audit.log - - Using the path of the directory containing the audit logs, determine if the -audit log files are owned by the \"root\" or \"adm\" group by using the -following command: - - $ sudo stat -c \"%n %G\" /var/log/audit/* - /var/log/audit/audit.log root - - If the audit log files are owned by a group other than \"root\" or \"adm\", -this is a finding. - " - desc 'fix', " - Configure the audit log directory and its underlying files to be owned by -\"adm\" group. - - Determine where the audit logs are stored with the following command: - - $ sudo grep -iw ^log_file /etc/audit/auditd.conf - log_file = /var/log/audit/audit.log - - Using the path of the directory containing the audit logs, configure the -audit log files to be owned by \"adm\" group by using the following command: - - $ sudo chown :adm /var/log/audit/ - - Set the \"log_group\" parameter of the audit configuration file to the -\"adm\" value so that when a new log file is created, its group owner is -properly set: - - $ sed -i '/^log_group/D' /etc/audit/auditd.conf - $ sed -i /^log_file/a'log_group = adm' /etc/audit/auditd.conf - - Last, signal the audit daemon to reload the configuration file: - - $ sudo systemctl kill auditd -s SIGHUP\" - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000057-GPOS-00027' - tag satisfies: ['SRG-OS-000057-GPOS-00027', 'SRG-OS-000058-GPOS-00028', -'SRG-OS-000059-GPOS-00029'] - tag gid: 'V-238247' - tag rid: 'SV-238247r653916_rule' - tag stig_id: 'UBTU-20-010124' - tag fix_id: 'F-41416r653915_fix' - tag cci: ['CCI-000162'] - tag legacy: [] - tag nist: ['AU-9'] - - log_file = auditd_conf.log_file - - log_file_exists = !log_file.nil? - if log_file_exists - describe file(log_file) do - its('group') { should cmp 'root' } - end - else - describe ('Audit log file ' + log_file + ' exists') do - subject { log_file_exists } - it { should be true } - end - end -end - diff --git a/controls/V-238248.rb b/controls/V-238248.rb deleted file mode 100644 index 4c2ec80..0000000 --- a/controls/V-238248.rb +++ /dev/null @@ -1,79 +0,0 @@ -# encoding: UTF-8 - -control 'V-238248' do - title "The Ubuntu operating system must be configured so that the audit log -directory is not write-accessible by unauthorized users." - desc "If audit information were to become compromised, then forensic -analysis and discovery of the true source of potentially malicious system -activity is impossible to achieve. - - To ensure the veracity of audit information, the operating system must -protect audit information from unauthorized deletion. This requirement can be -achieved through multiple methods, which will depend upon system architecture -and design. - - Audit information includes all information (e.g., audit records, audit -settings, audit reports) needed to successfully audit information system -activity. - " - desc 'rationale', '' - desc 'check', " - Verify that the audit log directory has a mode of \"0750\" or less -permissive. - - Determine where the audit logs are stored with the following command: - - $ sudo grep -iw ^log_file /etc/audit/auditd.conf - log_file = /var/log/audit/audit.log - - Using the path of the directory containing the audit logs, determine if the -directory has a mode of \"0750\" or less by using the following command: - - $ sudo stat -c \"%n %a\" /var/log/audit /var/log/audit/* - /var/log/audit 750 - /var/log/audit/audit.log 600 - - If the audit log directory has a mode more permissive than \"0750\", this -is a finding. - " - desc 'fix', " - Configure the audit log directory to have a mode of \"0750\" or less -permissive. - - Determine where the audit logs are stored with the following command: - - $ sudo grep -iw ^log_file /etc/audit/auditd.conf - log_file = /var/log/audit/audit.log - - Using the path of the directory containing the audit logs, configure the -audit log directory to have a mode of \"0750\" or less permissive by - using the following command: - - $ sudo chmod -R g-w,o-rwx /var/log/audit - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000059-GPOS-00029' - tag gid: 'V-238248' - tag rid: 'SV-238248r653919_rule' - tag stig_id: 'UBTU-20-010128' - tag fix_id: 'F-41417r653918_fix' - tag cci: ['CCI-000164'] - tag legacy: [] - tag nist: ['AU-9'] - - log_file = auditd_conf.log_file - - log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil? - if log_dir_exists - describe directory(File.dirname(log_file)) do - it { should_not be_more_permissive_than('0750') } - end - else - describe ('Audit directory for file ' + log_file + ' exists') do - subject { log_dir_exists } - it { should be true } - end - end -end - diff --git a/controls/V-238249.rb b/controls/V-238249.rb deleted file mode 100644 index fdd1f84..0000000 --- a/controls/V-238249.rb +++ /dev/null @@ -1,72 +0,0 @@ -# encoding: UTF-8 - -control 'V-238249' do - title "The Ubuntu operating system must be configured so that audit -configuration files are not write-accessible by unauthorized users." - desc "Without the capability to restrict which roles and individuals can -select which events are audited, unauthorized personnel may be able to prevent -the auditing of critical events. - - Misconfigured audits may degrade the system's performance by overwhelming -the audit log. Misconfigured audits may also make it more difficult to -establish, correlate, and investigate the events relating to an incident or -identify those responsible for one. - " - desc 'rationale', '' - desc 'check', " - Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and -\"/etc/audit/auditd.conf\" files have a mode of \"0640\" or less permissive by -using the following command: - - $ sudo ls -al /etc/audit/ /etc/audit/rules.d/ - - /etc/audit/: - - -rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf - - -rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules - - -rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev - - -rw-r----- 1 root root 127 Feb 7 2018 audit-stop.rules - - drwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d - - /etc/audit/rules.d/: - - -rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules - - If \"/etc/audit/audit.rule\",\"/etc/audit/rules.d/*\", or -\"/etc/audit/auditd.conf\" file have a mode more permissive than \"0640\", this -is a finding. - " - desc 'fix', " - Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and -\"/etc/audit/auditd.conf\" files to have a mode of \"0640\" by using the -following command: - - $ sudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000063-GPOS-00032' - tag gid: 'V-238249' - tag rid: 'SV-238249r653922_rule' - tag stig_id: 'UBTU-20-010133' - tag fix_id: 'F-41418r653921_fix' - tag cci: ['CCI-000171'] - tag legacy: [] - tag nist: ['AU-12 b'] - - files1 = command('find /etc/audit/ -type f \( -iname \*.rules -o -iname \*.conf \)').stdout.strip.split("\n").entries - files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split("\n").entries - - audit_conf_files = files1 + files2 - - audit_conf_files.each do |conf| - describe file(conf) do - it { should_not be_more_permissive_than('0640') } - end - end -end - diff --git a/controls/V-238250.rb b/controls/V-238250.rb deleted file mode 100644 index ef53a39..0000000 --- a/controls/V-238250.rb +++ /dev/null @@ -1,80 +0,0 @@ -# encoding: UTF-8 - -control 'V-238250' do - title "The Ubuntu operating system must permit only authorized accounts to -own the audit configuration files." - desc "Without the capability to restrict which roles and individuals can -select which events are audited, unauthorized personnel may be able to prevent -the auditing of critical events. - - Misconfigured audits may degrade the system's performance by overwhelming -the audit log. Misconfigured audits may also make it more difficult to -establish, correlate, and investigate the events relating to an incident or -identify those responsible for one. - " - desc 'rationale', '' - desc 'check', " - Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and -\"/etc/audit/auditd.conf\" files are owned by root account by using the -following command: - - $ sudo ls -al /etc/audit/ /etc/audit/rules.d/ - - /etc/audit/: - - drwxr-x--- 3 root root 4096 Nov 25 11:02 . - - drwxr-xr-x 130 root root 12288 Dec 19 13:42 .. - - -rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf - - -rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules - - -rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev - - -rw-r----- 1 root root 127 Feb 7 2018 audit-stop.rules - - drwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d - - /etc/audit/rules.d/: - - drwxr-x--- 2 root root 4096 Dec 27 09:56 . - - drwxr-x--- 3 root root 4096 Nov 25 11:02 .. - - -rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules - - If the \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or -\"/etc/audit/auditd.conf\" file is owned by a user other than \"root\", this is -a finding. - " - desc 'fix', " - Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and -\"/etc/audit/auditd.conf\" files to be owned by root user by using the -following command: - - $ sudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000063-GPOS-00032' - tag gid: 'V-238250' - tag rid: 'SV-238250r653925_rule' - tag stig_id: 'UBTU-20-010134' - tag fix_id: 'F-41419r653924_fix' - tag cci: ['CCI-000171'] - tag legacy: [] - tag nist: ['AU-12 b'] - - files1 = command('find /etc/audit/ -type f \( -iname \*.rules -o -iname \*.conf \)').stdout.strip.split("\n").entries - files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split("\n").entries - - audit_conf_files = files1 + files2 - - audit_conf_files.each do |conf| - describe file(conf) do - its('owner') { should cmp 'root' } - end - end -end - diff --git a/controls/V-238251.rb b/controls/V-238251.rb deleted file mode 100644 index e4330b1..0000000 --- a/controls/V-238251.rb +++ /dev/null @@ -1,72 +0,0 @@ -# encoding: UTF-8 - -control 'V-238251' do - title "The Ubuntu operating system must permit only authorized groups to own -the audit configuration files." - desc "Without the capability to restrict which roles and individuals can -select which events are audited, unauthorized personnel may be able to prevent -the auditing of critical events. - - Misconfigured audits may degrade the system's performance by overwhelming -the audit log. Misconfigured audits may also make it more difficult to -establish, correlate, and investigate the events relating to an incident or -identify those responsible for one. - " - desc 'rationale', '' - desc 'check', " - Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and -\"/etc/audit/auditd.conf\" files are owned by root group by using the following -command: - - $ sudo ls -al /etc/audit/ /etc/audit/rules.d/ - - /etc/audit/: - - -rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf - - -rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules - - -rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev - - -rw-r----- 1 root root 127 Feb 7 2018 audit-stop.rules - - drwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d - - /etc/audit/rules.d/: - - -rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules - - If the \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or -\"/etc/audit/auditd.conf\" file is owned by a group other than \"root\", this -is a finding. - " - desc 'fix', " - Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and -\"/etc/audit/auditd.conf\" files to be owned by root group by using the -following command: - - $ sudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000063-GPOS-00032' - tag gid: 'V-238251' - tag rid: 'SV-238251r653928_rule' - tag stig_id: 'UBTU-20-010135' - tag fix_id: 'F-41420r653927_fix' - tag cci: ['CCI-000171'] - tag legacy: [] - tag nist: ['AU-12 b'] - - files1 = command('find /etc/audit/ -type f \( -iname \*.rules -o -iname \*.conf \)').stdout.strip.split("\n").entries - files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split("\n").entries - - audit_conf_files = files1 + files2 - - audit_conf_files.each do |conf| - describe file(conf) do - its('group') { should cmp 'root' } - end - end -end - diff --git a/controls/V-238252.rb b/controls/V-238252.rb deleted file mode 100644 index 4e875af..0000000 --- a/controls/V-238252.rb +++ /dev/null @@ -1,82 +0,0 @@ -# encoding: UTF-8 - -control 'V-238252' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the su command." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates audit records upon -successful/unsuccessful attempts to use the \"su\" command. - - Check the configured audit rules with the following commands: - - $ sudo auditctl -l | grep '/bin/su' - - -a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 --k privileged-priv_change - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the Ubuntu operating system to generate audit records when -successful/unsuccessful attempts to use the \"su\" command occur. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 --k privileged-priv_change - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag gid: 'V-238252' - tag rid: 'SV-238252r653931_rule' - tag stig_id: 'UBTU-20-010136' - tag fix_id: 'F-41421r653930_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/bin/su' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'x' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238253.rb b/controls/V-238253.rb deleted file mode 100644 index 46c24ed..0000000 --- a/controls/V-238253.rb +++ /dev/null @@ -1,82 +0,0 @@ -# encoding: UTF-8 - -control 'V-238253' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the chfn command." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates audit records upon -successful/unsuccessful attempts to use the \"chfn\" command. - - Check the configured audit rules with the following commands: - - $ sudo auditctl -l | grep '/usr/bin/chfn' - - -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k -privileged-chfn - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful uses of the \"chfn\" command. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F -auid!=4294967295 -k privileged-chfn - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag gid: 'V-238253' - tag rid: 'SV-238253r653934_rule' - tag stig_id: 'UBTU-20-010137' - tag fix_id: 'F-41422r653933_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/usr/bin/chfn' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'x' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238254.rb b/controls/V-238254.rb deleted file mode 100644 index 2792bc0..0000000 --- a/controls/V-238254.rb +++ /dev/null @@ -1,82 +0,0 @@ -# encoding: UTF-8 - -control 'V-238254' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the mount command." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates audit records upon -successful/unsuccessful attempts to use the \"mount\" command. - - Check the configured audit rules with the following commands: - - $ sudo auditctl -l | grep '/usr/bin/mount' - - -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 --k privileged-mount - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"mount\" command. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F -auid!=4294967295 -k privileged-mount - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag gid: 'V-238254' - tag rid: 'SV-238254r653937_rule' - tag stig_id: 'UBTU-20-010138' - tag fix_id: 'F-41423r653936_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/usr/bin/mount' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'x' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238255.rb b/controls/V-238255.rb deleted file mode 100644 index 241e590..0000000 --- a/controls/V-238255.rb +++ /dev/null @@ -1,82 +0,0 @@ -# encoding: UTF-8 - -control 'V-238255' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the umount command." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify if the Ubuntu operating system generates audit records upon -successful/unsuccessful attempts to use the \"umount\" command. - - Check the configured audit rules with the following commands: - - $ sudo auditctl -l | grep '/usr/bin/umount' - - -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 --k privileged-umount - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"umount\" command. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F -auid!=4294967295 -k privileged-umount - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag gid: 'V-238255' - tag rid: 'SV-238255r653940_rule' - tag stig_id: 'UBTU-20-010139' - tag fix_id: 'F-41424r653939_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/usr/bin/umount' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'x' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238256.rb b/controls/V-238256.rb deleted file mode 100644 index ff41943..0000000 --- a/controls/V-238256.rb +++ /dev/null @@ -1,82 +0,0 @@ -# encoding: UTF-8 - -control 'V-238256' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the ssh-agent command." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -successful/unsuccessful attempts to use the \"ssh-agent\" command. - - Check the configured audit rules with the following commands: - - $ sudo auditctl -l | grep '/usr/bin/ssh-agent' - - -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F -auid!=-1 -k privileged-ssh - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"ssh-agent\" command. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F -auid!=4294967295 -k privileged-ssh - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag gid: 'V-238256' - tag rid: 'SV-238256r653943_rule' - tag stig_id: 'UBTU-20-010140' - tag fix_id: 'F-41425r653942_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/usr/bin/ssh-agent' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'x' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238257.rb b/controls/V-238257.rb deleted file mode 100644 index 9552750..0000000 --- a/controls/V-238257.rb +++ /dev/null @@ -1,82 +0,0 @@ -# encoding: UTF-8 - -control 'V-238257' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the ssh-keysign command." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -successful/unsuccessful attempts to use the \"ssh-keysign\" command. - - Check the configured audit rules with the following commands: - - $ sudo auditctl -l | grep ssh-keysign - - -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 --F auid!=-1 -k privileged-ssh - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"ssh-keysign\" command. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 --F auid!=4294967295 -k privileged-ssh - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag gid: 'V-238257' - tag rid: 'SV-238257r653946_rule' - tag stig_id: 'UBTU-20-010141' - tag fix_id: 'F-41426r653945_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/usr/lib/openssh/ssh-keysign' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'x' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238258.rb b/controls/V-238258.rb deleted file mode 100644 index b0ce9ba..0000000 --- a/controls/V-238258.rb +++ /dev/null @@ -1,85 +0,0 @@ -# encoding: UTF-8 - -control 'V-238258' do - title "The Ubuntu operating system must generate audit records for any use of -the setxattr system call." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -successful/unsuccessful attempts to use the \"setxattr\" system call. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep setxattr - - -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=-1 -k -perm_mod - -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod - -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=-1 -k -perm_mod - -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"setxattr\" system call. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k -perm_mod - -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod - -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k -perm_mod - -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000462-GPOS-00206'] - tag gid: 'V-238258' - tag rid: 'SV-238258r653949_rule' - tag stig_id: 'UBTU-20-010142' - tag fix_id: 'F-41427r653948_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == "x86_64" - describe auditd.syscall("setxattr").where { arch == "b64" } do - its("action.uniq") { should eq ["always"] } - its("list.uniq") { should eq ["exit"] } - end - end - describe auditd.syscall("setxattr").where { arch == "b32" } do - its("action.uniq") { should eq ["always"] } - its("list.uniq") { should eq ["exit"] } - end -end - diff --git a/controls/V-238259.rb b/controls/V-238259.rb deleted file mode 100644 index 5f5316b..0000000 --- a/controls/V-238259.rb +++ /dev/null @@ -1,85 +0,0 @@ -# encoding: UTF-8 - -control 'V-238259' do - title "The Ubuntu operating system must generate audit records for any use of -the lsetxattr system call." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -successful/unsuccessful attempts to use the \"lsetxattr\" system call. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep lsetxattr - - -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=-1 -k -perm_mod - -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod - -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=-1 -k -perm_mod - -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"lsetxattr\" system call. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 --k perm_mod - -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod - -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 --k perm_mod - -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000462-GPOS-00206'] - tag gid: 'V-238259' - tag rid: 'SV-238259r653952_rule' - tag stig_id: 'UBTU-20-010143' - tag fix_id: 'F-41428r653951_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == "x86_64" - describe auditd.syscall("lsetxattr").where { arch == "b64" } do - its("action.uniq") { should eq ["always"] } - its("list.uniq") { should eq ["exit"] } - end - end - describe auditd.syscall("lsetxattr").where { arch == "b32" } do - its("action.uniq") { should eq ["always"] } - its("list.uniq") { should eq ["exit"] } - end -end - diff --git a/controls/V-238260.rb b/controls/V-238260.rb deleted file mode 100644 index e9669ea..0000000 --- a/controls/V-238260.rb +++ /dev/null @@ -1,85 +0,0 @@ -# encoding: UTF-8 - -control 'V-238260' do - title "The Ubuntu operating system must generate audit records for any use of -the fsetxattr system call." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -successful/unsuccessful attempts to use the \"fsetxattr\" system call. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep fsetxattr - - -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=-1 -k -perm_mod - -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod - -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=-1 -k -perm_mod - -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"fsetxattr\" system call. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 --k perm_mod - -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod - -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 --k perm_mod - -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000462-GPOS-00206'] - tag gid: 'V-238260' - tag rid: 'SV-238260r653955_rule' - tag stig_id: 'UBTU-20-010144' - tag fix_id: 'F-41429r653954_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == "x86_64" - describe auditd.syscall("fsetxattr").where { arch == "b64" } do - its("action.uniq") { should eq ["always"] } - its("list.uniq") { should eq ["exit"] } - end - end - describe auditd.syscall("fsetxattr").where { arch == "b32" } do - its("action.uniq") { should eq ["always"] } - its("list.uniq") { should eq ["exit"] } - end -end - diff --git a/controls/V-238261.rb b/controls/V-238261.rb deleted file mode 100644 index 5089cd2..0000000 --- a/controls/V-238261.rb +++ /dev/null @@ -1,86 +0,0 @@ -# encoding: UTF-8 - -control 'V-238261' do - title "The Ubuntu operating system must generate audit records for any use of -the removexattr system call." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -successful/unsuccessful attempts to use the \"removexattr\" system call. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep removexattr - - -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=-1 -k -perm_mod - -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod - -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=-1 -k -perm_mod - -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"removexattr\" system call. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 --k perm_mod - -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod - -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 --k perm_mod - -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000462-GPOS-00206', -'SRG-OS-000466-GPOS-00210'] - tag gid: 'V-238261' - tag rid: 'SV-238261r653958_rule' - tag stig_id: 'UBTU-20-010145' - tag fix_id: 'F-41430r653957_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == "x86_64" - describe auditd.syscall("removexattr").where { arch == "b64" } do - its("action.uniq") { should eq ["always"] } - its("list.uniq") { should eq ["exit"] } - end - end - describe auditd.syscall("removexattr").where { arch == "b32" } do - its("action.uniq") { should eq ["always"] } - its("list.uniq") { should eq ["exit"] } - end -end - diff --git a/controls/V-238262.rb b/controls/V-238262.rb deleted file mode 100644 index 174274b..0000000 --- a/controls/V-238262.rb +++ /dev/null @@ -1,86 +0,0 @@ -# encoding: UTF-8 - -control 'V-238262' do - title "The Ubuntu operating system must generate audit records for any use of -the lremovexattr system call." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - - " - desc 'rationale', '' - desc 'check', " - Verify if the Ubuntu operating system is configured to audit the execution -of the \"lremovexattr\" system call. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | lremovexattr - - -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=-1 -k -perm_mod - -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod - -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=-1 -k -perm_mod - -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"lremovexattr\" system call. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F -auid!=4294967295 -k perm_mod - -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod - -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F -auid!=4294967295 -k perm_mod - -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000462-GPOS-00206', -'SRG-OS-000466-GPOS-00210'] - tag gid: 'V-238262' - tag rid: 'SV-238262r653961_rule' - tag stig_id: 'UBTU-20-010146' - tag fix_id: 'F-41431r653960_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == "x86_64" - describe auditd.syscall("lremovexattr").where { arch == "b64" } do - its("action.uniq") { should eq ["always"] } - its("list.uniq") { should eq ["exit"] } - end - end - describe auditd.syscall("lremovexattr").where { arch == "b32" } do - its("action.uniq") { should eq ["always"] } - its("list.uniq") { should eq ["exit"] } - end -end - diff --git a/controls/V-238263.rb b/controls/V-238263.rb deleted file mode 100644 index 7c35b1e..0000000 --- a/controls/V-238263.rb +++ /dev/null @@ -1,86 +0,0 @@ -# encoding: UTF-8 - -control 'V-238263' do - title "The Ubuntu operating system must generate audit records for any use of -the fremovexattr system call." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -successful/unsuccessful attempts to use the \"fremovexattr\" system call. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep fremovexattr - - -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=-1 -k -perm_mod - -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod - -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=-1 -k -perm_mod - -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"fremovexattr\" command. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F -auid!=4294967295 -k perm_mod - -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod - -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F -auid!=4294967295 -k perm_mod - -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000462-GPOS-00206', -'SRG-OS-000466-GPOS-00210', 'SRG-OS-000365-GPOS-00152'] - tag gid: 'V-238263' - tag rid: 'SV-238263r653964_rule' - tag stig_id: 'UBTU-20-010147' - tag fix_id: 'F-41432r653963_fix' - tag cci: ['CCI-000172', 'CCI-001814'] - tag legacy: [] - tag nist: ['AU-12 c', 'CM-5 (1)'] - - if os.arch == "x86_64" - describe auditd.syscall("fremovexattr").where { arch == "b64" } do - its("action.uniq") { should eq ["always"] } - its("list.uniq") { should eq ["exit"] } - end - end - describe auditd.syscall("fremovexattr").where { arch == "b32" } do - its("action.uniq") { should eq ["always"] } - its("list.uniq") { should eq ["exit"] } - end -end - diff --git a/controls/V-238264.rb b/controls/V-238264.rb deleted file mode 100644 index 0ee9573..0000000 --- a/controls/V-238264.rb +++ /dev/null @@ -1,78 +0,0 @@ -# encoding: UTF-8 - -control 'V-238264' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the chown system call." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -successful/unsuccessful attempts to use the \"chown\" system call. - - Check the configured audit rules with the following commands: - - $ sudo auditctl -l | grep chown - - -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=-1 -k perm_chng - -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=-1 -k perm_chng - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"chown\" system call. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\": - - -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k -perm_chng - -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k -perm_chng - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000462-GPOS-00206'] - tag gid: 'V-238264' - tag rid: 'SV-238264r653967_rule' - tag stig_id: 'UBTU-20-010148' - tag fix_id: 'F-41433r653966_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == 'x86_64' - describe auditd.syscall('chown').where { arch == 'b64' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end - end - describe auditd.syscall('chown').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end -end - diff --git a/controls/V-238265.rb b/controls/V-238265.rb deleted file mode 100644 index e4ea7b4..0000000 --- a/controls/V-238265.rb +++ /dev/null @@ -1,80 +0,0 @@ -# encoding: UTF-8 - -control 'V-238265' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the fchown system call." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -successful/unsuccessful attempts to use the \"fchown\" system call. - - Check the configured audit rules with the following commands: - - $ sudo auditctl -l | grep fchown - - -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k -perm_chng - -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k -perm_chng - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"fchown\" system call. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\": - - -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k -perm_chng - -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k -perm_chng - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000462-GPOS-00206'] - tag gid: 'V-238265' - tag rid: 'SV-238265r653970_rule' - tag stig_id: 'UBTU-20-010149' - tag fix_id: 'F-41434r653969_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == 'x86_64' - describe auditd.syscall('fchown').where { arch == 'b64' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end - end - describe auditd.syscall('fchown').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end -end - diff --git a/controls/V-238266.rb b/controls/V-238266.rb deleted file mode 100644 index 61747ef..0000000 --- a/controls/V-238266.rb +++ /dev/null @@ -1,80 +0,0 @@ -# encoding: UTF-8 - -control 'V-238266' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the fchownat system call." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -successful/unsuccessful attempts to use the \"fchownat\" system call. - - Check the configured audit rules with the following commands: - - $ sudo auditctl -l | grep fchownat - - -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=-1 -k -perm_chng - -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=-1 -k -perm_chng - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"fchownat\" system call. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\": - - -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k -perm_chng - -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k -perm_chng - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000462-GPOS-00206'] - tag gid: 'V-238266' - tag rid: 'SV-238266r653973_rule' - tag stig_id: 'UBTU-20-010150' - tag fix_id: 'F-41435r653972_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == 'x86_64' - describe auditd.syscall('fchownat').where { arch == 'b64' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end - end - describe auditd.syscall('fchownat').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end -end - diff --git a/controls/V-238267.rb b/controls/V-238267.rb deleted file mode 100644 index 11f4d31..0000000 --- a/controls/V-238267.rb +++ /dev/null @@ -1,78 +0,0 @@ -# encoding: UTF-8 - -control 'V-238267' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the lchown system call." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -successful/unsuccessful attempts to use the \"lchown\" system call. - - Check the configured audit rules with the following commands: - - $ sudo auditctl -l | grep lchown - - -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=-1 -k perm_chng - -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=-1 -k perm_chng - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"lchown\" system call. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\": - - -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k -perm_chng - -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k -perm_chng - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000462-GPOS-00206'] - tag gid: 'V-238267' - tag rid: 'SV-238267r653976_rule' - tag stig_id: 'UBTU-20-010151' - tag fix_id: 'F-41436r653975_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == 'x86_64' - describe auditd.syscall('lchown').where { arch == 'b64' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end - end - describe auditd.syscall('lchown').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end -end - diff --git a/controls/V-238268.rb b/controls/V-238268.rb deleted file mode 100644 index c6502f3..0000000 --- a/controls/V-238268.rb +++ /dev/null @@ -1,78 +0,0 @@ -# encoding: UTF-8 - -control 'V-238268' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the chmod system call." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -successful/unsuccessful attempts to use the \"chmod\" system call. - - Check the configured audit rules with the following commands: - - $ sudo auditctl -l | grep chmod - - -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=-1 -k perm_chng - -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=-1 -k perm_chng - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"chmod\" system call. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\": - - -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k -perm_chng - -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k -perm_chng - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000462-GPOS-00206'] - tag gid: 'V-238268' - tag rid: 'SV-238268r653979_rule' - tag stig_id: 'UBTU-20-010152' - tag fix_id: 'F-41437r653978_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == 'x86_64' - describe auditd.syscall('chmod').where { arch == 'b64' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end - end - describe auditd.syscall('chmod').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end -end - diff --git a/controls/V-238269.rb b/controls/V-238269.rb deleted file mode 100644 index e74343e..0000000 --- a/controls/V-238269.rb +++ /dev/null @@ -1,78 +0,0 @@ -# encoding: UTF-8 - -control 'V-238269' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the fchmod system call." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -successful/unsuccessful attempts to use the \"fchmod\" system call. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep fchmod - - -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=-1 -k perm_chng - -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=-1 -k perm_chng - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"fchmod\" system call. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\": - - -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k -perm_chng - -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k -perm_chng - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000462-GPOS-00206'] - tag gid: 'V-238269' - tag rid: 'SV-238269r653982_rule' - tag stig_id: 'UBTU-20-010153' - tag fix_id: 'F-41438r653981_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == 'x86_64' - describe auditd.syscall('fchmod').where { arch == 'b64' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end - end - describe auditd.syscall('fchmod').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end -end - diff --git a/controls/V-238270.rb b/controls/V-238270.rb deleted file mode 100644 index 1666e28..0000000 --- a/controls/V-238270.rb +++ /dev/null @@ -1,80 +0,0 @@ -# encoding: UTF-8 - -control 'V-238270' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the fchmodat system call." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -successful/unsuccessful attempts to use the \"fchmodat\" system call. - - Check the configured audit rules with the following commands: - - $ sudo auditctl -l | grep fchmodat - -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=-1 -k -perm_chng - -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=-1 -k -perm_chng - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Note: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"fchmodat\" system call. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k -perm_chng - -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k -perm_chng - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000462-GPOS-00206'] - tag gid: 'V-238270' - tag rid: 'SV-238270r653985_rule' - tag stig_id: 'UBTU-20-010154' - tag fix_id: 'F-41439r653984_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == 'x86_64' - describe auditd.syscall('fchmodat').where { arch == 'b64' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end - end - describe auditd.syscall('fchmodat').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end -end - diff --git a/controls/V-238271.rb b/controls/V-238271.rb deleted file mode 100644 index e22f3e6..0000000 --- a/controls/V-238271.rb +++ /dev/null @@ -1,101 +0,0 @@ -# encoding: UTF-8 - -control 'V-238271' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the open system call." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -unsuccessful attempts to use the \"open\" system call. - - Check the configured audit rules with the following commands: - - $ sudo auditctl -l | grep open - - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=-1 --k perm_access - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F -auid!=-1 -k perm_access - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=-1 --k perm_access - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F -auid!=-1 -k perm_access - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any unsuccessful -use of the \"open\" system call. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F -auid!=4294967295 -k perm_access - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F -auid!=4294967295 -k perm_access - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F -auid!=4294967295 -k perm_access - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F -auid!=4294967295 -k perm_access - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000474-GPOS-00219'] - tag gid: 'V-238271' - tag rid: 'SV-238271r653988_rule' - tag stig_id: 'UBTU-20-010155' - tag fix_id: 'F-41440r653987_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == 'x86_64' - describe auditd.syscall('open').where { arch == 'b64' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EPERM' } - end - describe auditd.syscall('open').where { arch == 'b64' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EACCES' } - end - end - describe auditd.syscall('open').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EPERM' } - end - describe auditd.syscall('open').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EACCES' } - end -end - diff --git a/controls/V-238272.rb b/controls/V-238272.rb deleted file mode 100644 index d2efc0f..0000000 --- a/controls/V-238272.rb +++ /dev/null @@ -1,100 +0,0 @@ -# encoding: UTF-8 - -control 'V-238272' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the truncate system call." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -unsuccessful attempts to use the \"truncate\" system call. - - Check the configured audit rules with the following commands: - - $ sudo auditctl -l | grep truncate - -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F -auid!=-1 -k perm_access - -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F -auid!=-1 -k perm_access - -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F -auid!=-1 -k perm_access - -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F -auid!=-1 -k perm_access - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any unsuccessful -use of the \"truncate\" system call. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F -auid!=4294967295 -k perm_access - -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F -auid!=4294967295 -k perm_access - -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F -auid!=4294967295 -k perm_access - -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F -auid!=4294967295 -k perm_access - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000474-GPOS-00219'] - tag gid: 'V-238272' - tag rid: 'SV-238272r653991_rule' - tag stig_id: 'UBTU-20-010156' - tag fix_id: 'F-41441r653990_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == 'x86_64' - describe auditd.syscall('truncate').where { arch == 'b64' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EPERM' } - end - describe auditd.syscall('truncate').where { arch == 'b64' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EACCES' } - end - end - describe auditd.syscall('truncate').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EPERM' } - end - describe auditd.syscall('truncate').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EACCES' } - end -end - diff --git a/controls/V-238273.rb b/controls/V-238273.rb deleted file mode 100644 index 75565fa..0000000 --- a/controls/V-238273.rb +++ /dev/null @@ -1,101 +0,0 @@ -# encoding: UTF-8 - -control 'V-238273' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the ftruncate system call." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -unsuccessful attempts to use the \"ftruncate\" system call. - - Check the configured audit rules with the following command: - - $ sudo auditctl -l | grep ftruncate - - -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F -auid!=-1 -k perm_access - -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F -auid!=-1 -k perm_access - -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F -auid!=-1 -k perm_access - -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F -auid!=-1 -k perm_access - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any unsuccessful -use of the \"ftruncate\" system call. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F -auid!=4294967295 -k perm_access - -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F -auid!=4294967295 -k perm_access - -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F -auid!=4294967295 -k perm_access - -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F -auid!=4294967295 -k perm_access - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000474-GPOS-00219'] - tag gid: 'V-238273' - tag rid: 'SV-238273r653994_rule' - tag stig_id: 'UBTU-20-010157' - tag fix_id: 'F-41442r653993_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == 'x86_64' - describe auditd.syscall('ftruncate').where { arch == 'b64' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EPERM' } - end - describe auditd.syscall('ftruncate').where { arch == 'b64' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EACCES' } - end - end - describe auditd.syscall('ftruncate').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EPERM' } - end - describe auditd.syscall('ftruncate').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EACCES' } - end -end - diff --git a/controls/V-238274.rb b/controls/V-238274.rb deleted file mode 100644 index 0cfb732..0000000 --- a/controls/V-238274.rb +++ /dev/null @@ -1,101 +0,0 @@ -# encoding: UTF-8 - -control 'V-238274' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the creat system call." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -unsuccessful attempts to use the \"creat\" system call. - - Check the configured audit rules with the following commands: - - $ sudo auditctl -l | grep creat - - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F -auid!=-1 -k perm_access - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F -auid!=-1 -k perm_access - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F -auid!=-1 -k perm_access - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F -auid!=-1 -k perm_access - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any unsuccessful -use of the \"creat\" system call. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F -auid!=4294967295 -k perm_access - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F -auid!=4294967295 -k perm_access - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F -auid!=4294967295 -k perm_access - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F -auid!=4294967295 -k perm_access - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000474-GPOS-00219'] - tag gid: 'V-238274' - tag rid: 'SV-238274r653997_rule' - tag stig_id: 'UBTU-20-010158' - tag fix_id: 'F-41443r653996_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == 'x86_64' - describe auditd.syscall('creat').where { arch == 'b64' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EPERM' } - end - describe auditd.syscall('creat').where { arch == 'b64' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EACCES' } - end - end - describe auditd.syscall('creat').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EPERM' } - end - describe auditd.syscall('creat').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EACCES' } - end -end - diff --git a/controls/V-238275.rb b/controls/V-238275.rb deleted file mode 100644 index b4938f3..0000000 --- a/controls/V-238275.rb +++ /dev/null @@ -1,101 +0,0 @@ -# encoding: UTF-8 - -control 'V-238275' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the openat system call." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -unsuccessful attempts to use the \"openat\" system call. - - Check the configured audit rules with the following commands: - - $ sudo auditctl -l | grep openat - - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F -auid!=-1 -k perm_access - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F -auid!=-1 -k perm_access - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F -auid!=-1 -k perm_access - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F -auid!=-1 -k perm_access - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any unsuccessful -use of the \"openat\" system call. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F -auid!=4294967295 -k perm_access - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F -auid!=4294967295 -k perm_access - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F -auid!=4294967295 -k perm_access - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F -auid!=4294967295 -k perm_access - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000474-GPOS-00219'] - tag gid: 'V-238275' - tag rid: 'SV-238275r654000_rule' - tag stig_id: 'UBTU-20-010159' - tag fix_id: 'F-41444r653999_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == 'x86_64' - describe auditd.syscall('openat').where { arch == 'b64' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EPERM' } - end - describe auditd.syscall('openat').where { arch == 'b64' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EACCES' } - end - end - describe auditd.syscall('openat').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EPERM' } - end - describe auditd.syscall('openat').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EACCES' } - end -end - diff --git a/controls/V-238276.rb b/controls/V-238276.rb deleted file mode 100644 index 91711f8..0000000 --- a/controls/V-238276.rb +++ /dev/null @@ -1,101 +0,0 @@ -# encoding: UTF-8 - -control 'V-238276' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the open_by_handle_at system call." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -unsuccessful attempts to use the \"open_by_handle_at\" system call. - - Check the configured audit rules with the following command: - - $ sudo auditctl -l | grep open_by_handle_at - - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F -auid>=1000 -F auid!=-1 -k perm_access - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F -auid>=1000 -F auid!=-1 -k perm_access - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F -auid>=1000 -F auid!=-1 -k perm_access - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F -auid>=1000 -F auid!=-1 -k perm_access - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any unsuccessful -use of the \"open_by_handle_at\" system call. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F -auid>=1000 -F auid!=4294967295 -k perm_access - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F -auid>=1000 -F auid!=4294967295 -k perm_access - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F -auid>=1000 -F auid!=4294967295 -k perm_access - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F -auid>=1000 -F auid!=4294967295 -k perm_access - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000474-GPOS-00219'] - tag gid: 'V-238276' - tag rid: 'SV-238276r654003_rule' - tag stig_id: 'UBTU-20-010160' - tag fix_id: 'F-41445r654002_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == 'x86_64' - describe auditd.syscall('open_by_handle_at').where { arch == 'b64' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EPERM' } - end - describe auditd.syscall('open_by_handle_at').where { arch == 'b64' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EACCES' } - end - end - describe auditd.syscall('open_by_handle_at').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EPERM' } - end - describe auditd.syscall('open_by_handle_at').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EACCES' } - end -end - diff --git a/controls/V-238277.rb b/controls/V-238277.rb deleted file mode 100644 index 5ec89b2..0000000 --- a/controls/V-238277.rb +++ /dev/null @@ -1,80 +0,0 @@ -# encoding: UTF-8 - -control 'V-238277' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the sudo command." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify that an audit event is generated for any successful/unsuccessful use -of the \"sudo\" command. - - Check the configured audit rules with the following command: - - $ sudo auditctl -l | grep /usr/bin/sudo - - -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -k -priv_cmd - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"sudo\" command. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F -auid!=4294967295 -k priv_cmd - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag gid: 'V-238277' - tag rid: 'SV-238277r654006_rule' - tag stig_id: 'UBTU-20-010161' - tag fix_id: 'F-41446r654005_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/usr/bin/sudo' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'x' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238278.rb b/controls/V-238278.rb deleted file mode 100644 index abc2056..0000000 --- a/controls/V-238278.rb +++ /dev/null @@ -1,80 +0,0 @@ -# encoding: UTF-8 - -control 'V-238278' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the sudoedit command." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -successful/unsuccessful attempts to use the \"sudoedit\" command. - - Check the configured audit rules with the following commands: - - $ sudo auditctl -l | grep /usr/bin/sudoedit - - -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F -auid!=-1 -k priv_cmd - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"sudoedit\" command. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\": - - -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F -auid!=4294967295 -k priv_cmd - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag gid: 'V-238278' - tag rid: 'SV-238278r654009_rule' - tag stig_id: 'UBTU-20-010162' - tag fix_id: 'F-41447r654008_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/usr/bin/sudoedit' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'x' } - end - end - - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238279.rb b/controls/V-238279.rb deleted file mode 100644 index a9dd858..0000000 --- a/controls/V-238279.rb +++ /dev/null @@ -1,80 +0,0 @@ -# encoding: UTF-8 - -control 'V-238279' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the chsh command." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -successful/unsuccessful attempts to use the \"chsh\" command. - - Check the configured audit rules with the following commands: - - $ sudo auditctl -l | grep chsh - - -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -k -priv_cmd - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Notes: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"chsh\" command. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F -auid!=4294967295 -k priv_cmd - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag gid: 'V-238279' - tag rid: 'SV-238279r654012_rule' - tag stig_id: 'UBTU-20-010163' - tag fix_id: 'F-41448r654011_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/usr/bin/chsh' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'x' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238280.rb b/controls/V-238280.rb deleted file mode 100644 index f92c2ec..0000000 --- a/controls/V-238280.rb +++ /dev/null @@ -1,80 +0,0 @@ -# encoding: UTF-8 - -control 'V-238280' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the newgrp command." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -successful/unsuccessful attempts to use the \"newgrp\" command. - - Check the configured audit rules with the following commands: - - $ sudo auditctl -l | grep newgrp - - -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=-1 --k priv_cmd - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"newgrp\" command. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F -auid!=4294967295 -k priv_cmd - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag gid: 'V-238280' - tag rid: 'SV-238280r654015_rule' - tag stig_id: 'UBTU-20-010164' - tag fix_id: 'F-41449r654014_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/usr/bin/newgrp' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'x' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238281.rb b/controls/V-238281.rb deleted file mode 100644 index 8f13399..0000000 --- a/controls/V-238281.rb +++ /dev/null @@ -1,80 +0,0 @@ -# encoding: UTF-8 - -control 'V-238281' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the chcon command." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -successful/unsuccessful attempts to use the \"chcon\" command. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep chcon - - -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 --k perm_chng - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"chcon\" command. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F -auid!=4294967295 -k perm_chng - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag gid: 'V-238281' - tag rid: 'SV-238281r654018_rule' - tag stig_id: 'UBTU-20-010165' - tag fix_id: 'F-41450r654017_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/usr/bin/chcon' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'x' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238282.rb b/controls/V-238282.rb deleted file mode 100644 index 0cfd998..0000000 --- a/controls/V-238282.rb +++ /dev/null @@ -1,80 +0,0 @@ -# encoding: UTF-8 - -control 'V-238282' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the apparmor_parser command." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -successful/unsuccessful attempts to use the \"apparmor_parser\" command. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep apparmor_parser - - -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F -auid!=-1 -k perm_chng - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"apparmor_parser\" command. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F -auid!=4294967295 -k perm_chng - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag gid: 'V-238282' - tag rid: 'SV-238282r654021_rule' - tag stig_id: 'UBTU-20-010166' - tag fix_id: 'F-41451r654020_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/sbin/apparmor_parser' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'x' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238283.rb b/controls/V-238283.rb deleted file mode 100644 index 552304a..0000000 --- a/controls/V-238283.rb +++ /dev/null @@ -1,80 +0,0 @@ -# encoding: UTF-8 - -control 'V-238283' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the setfacl command." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -successful/unsuccessful attempts to use the \"setfacl\" command. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep setfacl - - -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 --k perm_chng - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"setfacl\" command. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F -auid!=4294967295 -k perm_chng - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag gid: 'V-238283' - tag rid: 'SV-238283r654024_rule' - tag stig_id: 'UBTU-20-010167' - tag fix_id: 'F-41452r654023_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/usr/bin/setfacl' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'x' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238284.rb b/controls/V-238284.rb deleted file mode 100644 index 6e9e9c5..0000000 --- a/controls/V-238284.rb +++ /dev/null @@ -1,80 +0,0 @@ -# encoding: UTF-8 - -control 'V-238284' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the chacl command." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -successful/unsuccessful attempts to use the \"chacl\" command. - - Check the currently configured audit rules with the following command: - - $ sudo audtctl -l | grep chacl - - -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 --k perm_chng - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"chacl\" command. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F -auid!=4294967295 -k perm_chng - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag gid: 'V-238284' - tag rid: 'SV-238284r654027_rule' - tag stig_id: 'UBTU-20-010168' - tag fix_id: 'F-41453r654026_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/usr/bin/chacl' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'x' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238285.rb b/controls/V-238285.rb deleted file mode 100644 index d8f9e86..0000000 --- a/controls/V-238285.rb +++ /dev/null @@ -1,83 +0,0 @@ -# encoding: UTF-8 - -control 'V-238285' do - title "The Ubuntu operating system must generate audit records for the use -and modification of the tallylog file." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -successful/unsuccessful modifications to the \"tallylog\" file. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep tallylog - - -w /var/log/tallylog -p wa -k logins - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful modifications to the \"tallylog\" file. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -w /var/log/tallylog -p wa -k logins - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000470-GPOS-00214', -'SRG-OS-000473-GPOS-00218'] - tag gid: 'V-238285' - tag rid: 'SV-238285r654030_rule' - tag stig_id: 'UBTU-20-010169' - tag fix_id: 'F-41454r654029_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/var/log/tallylog' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'w' } - it { should include 'a' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238286.rb b/controls/V-238286.rb deleted file mode 100644 index 96852b6..0000000 --- a/controls/V-238286.rb +++ /dev/null @@ -1,83 +0,0 @@ -# encoding: UTF-8 - -control 'V-238286' do - title "The Ubuntu operating system must generate audit records for the use -and modification of faillog file." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record upon -successful/unsuccessful modifications to the \"faillog\" file. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep faillog - - -w /var/log/faillog -p wa -k logins - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful modifications to the \"faillog\" file. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -w /var/log/faillog -p wa -k logins - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000470-GPOS-00214', -'SRG-OS-000473-GPOS-00218'] - tag gid: 'V-238286' - tag rid: 'SV-238286r654033_rule' - tag stig_id: 'UBTU-20-010170' - tag fix_id: 'F-41455r654032_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/var/log/faillog' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'w' } - it { should include 'a' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238287.rb b/controls/V-238287.rb deleted file mode 100644 index 696e22b..0000000 --- a/controls/V-238287.rb +++ /dev/null @@ -1,83 +0,0 @@ -# encoding: UTF-8 - -control 'V-238287' do - title "The Ubuntu operating system must generate audit records for the use -and modification of the lastlog file." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record when -successful/unsuccessful modifications to the \"lastlog\" file occur. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep lastlog - - -w /var/log/lastlog -p wa -k logins - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful modifications to the \"lastlog\" file. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -w /var/log/lastlog -p wa -k logins - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000470-GPOS-00214', -'SRG-OS-000473-GPOS-00218'] - tag gid: 'V-238287' - tag rid: 'SV-238287r654036_rule' - tag stig_id: 'UBTU-20-010171' - tag fix_id: 'F-41456r654035_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/var/log/lastlog' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'w' } - it { should include 'a' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238288.rb b/controls/V-238288.rb deleted file mode 100644 index 3a3eb3c..0000000 --- a/controls/V-238288.rb +++ /dev/null @@ -1,81 +0,0 @@ -# encoding: UTF-8 - -control 'V-238288' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the passwd command." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify that an audit event is generated for any successful/unsuccessful use -of the \"passwd\" command. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep -w passwd - - -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 --k privileged-passwd - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful uses of the \"passwd\" command. - - Add or update the following rule in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=500 -F -auid!=4294967295 -k privileged-passwd - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag gid: 'V-238288' - tag rid: 'SV-238288r654039_rule' - tag stig_id: 'UBTU-20-010172' - tag fix_id: 'F-41457r654038_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/usr/bin/passwd' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'x' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238289.rb b/controls/V-238289.rb deleted file mode 100644 index da71b00..0000000 --- a/controls/V-238289.rb +++ /dev/null @@ -1,80 +0,0 @@ -# encoding: UTF-8 - -control 'V-238289' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the unix_update command." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify that an audit event is generated for any successful/unsuccessful use -of the \"unix_update\" command. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep -w unix_update - - -a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F -auid!=-1 -k privileged-unix-update - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful uses of the \"unix_update\" command. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F -auid!=4294967295 -k privileged-unix-update - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag gid: 'V-238289' - tag rid: 'SV-238289r654042_rule' - tag stig_id: 'UBTU-20-010173' - tag fix_id: 'F-41458r654041_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/sbin/unix_update' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'x' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238290.rb b/controls/V-238290.rb deleted file mode 100644 index 1a511c6..0000000 --- a/controls/V-238290.rb +++ /dev/null @@ -1,80 +0,0 @@ -# encoding: UTF-8 - -control 'V-238290' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the gpasswd command." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify that an audit event is generated for any successful/unsuccessful use -of the \"gpasswd\" command. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep -w gpasswd - - -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=-1 --k privileged-gpasswd - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful uses of the \"gpasswd\" command. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F -auid!=4294967295 -k privileged-gpasswd - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag gid: 'V-238290' - tag rid: 'SV-238290r654045_rule' - tag stig_id: 'UBTU-20-010174' - tag fix_id: 'F-41459r654044_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/usr/bin/gpasswd' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'x' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238291.rb b/controls/V-238291.rb deleted file mode 100644 index d220f47..0000000 --- a/controls/V-238291.rb +++ /dev/null @@ -1,80 +0,0 @@ -# encoding: UTF-8 - -control 'V-238291' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the chage command." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify that an audit event is generated for any successful/unsuccessful use -of the \"chage\" command. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep -w chage - - -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 --k privileged-chage - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful uses of the \"chage\" command. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F -auid!=4294967295 -k privileged-chage - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag gid: 'V-238291' - tag rid: 'SV-238291r654048_rule' - tag stig_id: 'UBTU-20-010175' - tag fix_id: 'F-41460r654047_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/usr/bin/chage' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'x' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238292.rb b/controls/V-238292.rb deleted file mode 100644 index 6a1d2fb..0000000 --- a/controls/V-238292.rb +++ /dev/null @@ -1,80 +0,0 @@ -# encoding: UTF-8 - -control 'V-238292' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the usermod command." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify that an audit event is generated for any successful/unsuccessful use -of the \"usermod\" command. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep -w usermod - - -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F -auid!=-1 -k privileged-usermod - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful uses of the \"usermod\" command. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F -auid!=4294967295 -k privileged-usermod - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag gid: 'V-238292' - tag rid: 'SV-238292r654051_rule' - tag stig_id: 'UBTU-20-010176' - tag fix_id: 'F-41461r654050_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/usr/sbin/usermod' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'x' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238293.rb b/controls/V-238293.rb deleted file mode 100644 index ce6445c..0000000 --- a/controls/V-238293.rb +++ /dev/null @@ -1,80 +0,0 @@ -# encoding: UTF-8 - -control 'V-238293' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the crontab command." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify that an audit event is generated for any successful/unsuccessful use -of the \"crontab\" command. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep -w crontab - - -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 --k privileged-crontab - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful uses of the \"crontab\" command. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F -auid!=4294967295 -k privileged-crontab - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag gid: 'V-238293' - tag rid: 'SV-238293r654054_rule' - tag stig_id: 'UBTU-20-010177' - tag fix_id: 'F-41462r654053_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/usr/bin/crontab' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'x' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238294.rb b/controls/V-238294.rb deleted file mode 100644 index 47717a6..0000000 --- a/controls/V-238294.rb +++ /dev/null @@ -1,80 +0,0 @@ -# encoding: UTF-8 - -control 'V-238294' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the pam_timestamp_check command." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify that an audit event is generated for any successful/unsuccessful use -of the \"pam_timestamp_check\" command. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep -w pam_timestamp_check - - -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F -auid>=1000 -F auid!=-1 -k privileged-pam_timestamp_check - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful uses of the \"pam_timestamp_check\" command. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F -auid>=1000 -F auid!=4294967295 -k privileged-pam_timestamp_check - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag gid: 'V-238294' - tag rid: 'SV-238294r654057_rule' - tag stig_id: 'UBTU-20-010178' - tag fix_id: 'F-41463r654056_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/usr/sbin/pam_timestamp_check' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'x' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238295.rb b/controls/V-238295.rb deleted file mode 100644 index 7987d01..0000000 --- a/controls/V-238295.rb +++ /dev/null @@ -1,81 +0,0 @@ -# encoding: UTF-8 - -control 'V-238295' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the init_module syscall." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record for any -successful/unsuccessful attempts to use the \"init_module\" syscall. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep -w init_module - - -a always,exit -F arch=b32 -S init_module -F auid>=1000 -F auid!=-1 -k -module_chng - -a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=-1 -k -module_chng - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"init_module\" syscall. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F arch=b32 -S init_module -F auid>=1000 -F auid!=4294967295 --k module_chng - -a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=4294967295 --k module_chng - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000471-GPOS-00216'] - tag gid: 'V-238295' - tag rid: 'SV-238295r654060_rule' - tag stig_id: 'UBTU-20-010179' - tag fix_id: 'F-41464r654059_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == 'x86_64' - describe auditd.syscall('init_module').where { arch == 'b64' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end - end - describe auditd.syscall('init_module').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end -end - diff --git a/controls/V-238296.rb b/controls/V-238296.rb deleted file mode 100644 index b2cf9c1..0000000 --- a/controls/V-238296.rb +++ /dev/null @@ -1,81 +0,0 @@ -# encoding: UTF-8 - -control 'V-238296' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the finit_module syscall." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record for any -successful/unsuccessful attempts to use the \"finit_module\" syscall. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep -w finit_module - - -a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=-1 -k -module_chng - -a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=-1 -k -module_chng - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"finit_module\" syscall. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F -auid!=4294967295 -k module_chng - -a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F -auid!=4294967295 -k module_chng - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag satisfies: ['SRG-OS-000064-GPOS-00033', 'SRG-OS-000477-GPOS-00222'] - tag gid: 'V-238296' - tag rid: 'SV-238296r654063_rule' - tag stig_id: 'UBTU-20-010180' - tag fix_id: 'F-41465r654062_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == 'x86_64' - describe auditd.syscall('finit_module').where { arch == 'b64' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end - end - describe auditd.syscall('finit_module').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end -end - diff --git a/controls/V-238297.rb b/controls/V-238297.rb deleted file mode 100644 index 024c2c0..0000000 --- a/controls/V-238297.rb +++ /dev/null @@ -1,78 +0,0 @@ -# encoding: UTF-8 - -control 'V-238297' do - title "The Ubuntu operating system must generate audit records for -successful/unsuccessful uses of the delete_module syscall." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record for any -successful/unsuccessful attempts to use the \"delete_module\" syscall. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep -w delete_module - - -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1 -k -module_chng - -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k -module_chng - - If the command does not return a line that matches the example or the line -is commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate an audit event for any -successful/unsuccessful use of the \"delete_module\" syscall. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F -auid!=4294967295 -k module_chng - -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F -auid!=4294967295 -k module_chng - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000064-GPOS-00033' - tag gid: 'V-238297' - tag rid: 'SV-238297r654066_rule' - tag stig_id: 'UBTU-20-010181' - tag fix_id: 'F-41466r654065_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == 'x86_64' - describe auditd.syscall('delete_module').where { arch == 'b64' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end - end - describe auditd.syscall('delete_module').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end -end - diff --git a/controls/V-238298.rb b/controls/V-238298.rb deleted file mode 100644 index fc673c7..0000000 --- a/controls/V-238298.rb +++ /dev/null @@ -1,111 +0,0 @@ -# encoding: UTF-8 - -control 'V-238298' do - title "The Ubuntu operating system must produce audit records and reports -containing information to establish when, where, what type, the source, and the -outcome for all DoD-defined auditable events and actions in near real time." - desc "Without establishing the when, where, type, source, and outcome of -events that occurred, it would be difficult to establish, correlate, and -investigate the events leading up to an outage or attack. - - Without the capability to generate audit records, it would be difficult to -establish, correlate, and investigate the events relating to an incident or -identify those responsible for one. - - Audit record content that may be necessary to satisfy this requirement -includes, for example, time stamps, source and destination addresses, -user/process identifiers, event descriptions, success/fail indications, -filenames involved, and access control or flow control rules invoked. - - Reconstruction of harmful events or forensic analysis is not possible if -audit records do not contain enough information. - - Successful incident response and auditing relies on timely, accurate system -information and analysis in order to allow the organization to identify and -respond to potential incidents in a proficient manner. If the operating system -does not provide the ability to centrally review the operating system logs, -forensic analysis is negatively impacted. - - Associating event types with detected events in the Ubuntu operating system -audit logs provides a means of investigating an attack; recognizing resource -utilization or capacity thresholds; or identifying an improperly configured -operating system. - - - " - desc 'rationale', '' - desc 'check', " - Verify the audit service is configured to produce audit records with the -following command: - - $ dpkg -l | grep auditd - - If the \"auditd\" package is not installed, this is a finding. - - Verify the audit service is enabled with the following command: - - $ systemctl is-enabled auditd.service - - If the command above returns \"disabled\", this is a finding. - - Verify the audit service is properly running and active on the system with -the following command: - - $ systemctl is-active auditd.service - active - - If the command above returns \"inactive\", this is a finding. - " - desc 'fix', " - Configure the audit service to produce audit records containing the -information needed to establish when (date and time) an event occurred. - - Install the audit service (if the audit service is not already installed) -with the following command: - - $ sudo apt-get install auditd - - Enable the audit service with the following command: - - $ sudo systemctl enable auditd.service - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000122-GPOS-00063' - tag satisfies: ['SRG-OS-000122-GPOS-00063', 'SRG-OS-000037-GPOS-00015', -'SRG-OS-000038-GPOS-00016', 'SRG-OS-000039-GPOS-00017', -'SRG-OS-000040-GPOS-00018', 'SRG-OS-000041-GPOS-00019', -'SRG-OS-000042-GPOS-00020', 'SRG-OS-000042-GPOS-00021', -'SRG-OS-000051-GPOS-00024', 'SRG-OS-000054-GPOS-00025', -'SRG-OS-000062-GPOS-00031', 'SRG-OS-000337-GPOS-00129', -'SRG-OS-000348-GPOS-00136', 'SRG-OS-000349-GPOS-00137', -'SRG-OS-000350-GPOS-00138', 'SRG-OS-000351-GPOS-00139', -'SRG-OS-000352-GPOS-00140', 'SRG-OS-000353-GPOS-00141', -'SRG-OS-000354-GPOS-00142', 'SRG-OS-000475-GPOS-00220'] - tag gid: 'V-238298' - tag rid: 'SV-238298r654069_rule' - tag stig_id: 'UBTU-20-010182' - tag fix_id: 'F-41467r654068_fix' - tag cci: ['CCI-000130', 'CCI-000131', 'CCI-000132', 'CCI-000133', -'CCI-000134', 'CCI-000135', 'CCI-000154', 'CCI-000158', 'CCI-000169', -'CCI-000172', 'CCI-001875', 'CCI-001876', 'CCI-001877', 'CCI-001878', -'CCI-001879', 'CCI-001880', 'CCI-001881', 'CCI-001882', 'CCI-001914'] - tag legacy: [] - tag nist: ['AU-3', 'AU-3', 'AU-3', 'AU-3', 'AU-3', 'AU-3 (1)', 'AU-6 (4)', -'AU-7 (1)', 'AU-12 a', 'AU-12 c', 'AU-7 a', 'AU-7 a', 'AU-7 a', 'AU-7 a', "AU-7 -a", 'AU-7 a', 'AU-7 b', 'AU-7 b', 'AU-12 (3)'] - -describe package('auditd') do - it { should be_installed } -end -describe service('auditd') do - it { should be_installed } - it { should be_enabled } - it { should be_running } -end -end - diff --git a/controls/V-238299.rb b/controls/V-238299.rb deleted file mode 100644 index f774e72..0000000 --- a/controls/V-238299.rb +++ /dev/null @@ -1,56 +0,0 @@ -# encoding: UTF-8 - -control 'V-238299' do - title "The Ubuntu operating system must initiate session audits at system -start-up." - desc "If auditing is enabled late in the start-up process, the actions of -some start-up processes may not be audited. Some audit systems also maintain -state information only available if auditing is enabled before a given process -is created." - desc 'rationale', '' - desc 'check', " - Verify that the Ubuntu operating system enables auditing at system startup. - - - Verify that the auditing is enabled in grub with the following command: - - $ sudo grep \"^\\s*linux\" /boot/grub/grub.cfg - - linux /boot/vmlinuz-5.4.0-31-generic -root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1 - linux /boot/vmlinuz-5.4.0-31-generic -root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro recovery nomodeset audit=1 - - If any linux lines do not contain \"audit=1\", this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to produce audit records at system -startup. - - Edit the \"/etc/default/grub\" file and add \"audit=1\" to the -\"GRUB_CMDLINE_LINUX\" option. - - To update the grub config file, run: - - $ sudo update-grub - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000254-GPOS-00095' - tag gid: 'V-238299' - tag rid: 'SV-238299r654072_rule' - tag stig_id: 'UBTU-20-010198' - tag fix_id: 'F-41468r654071_fix' - tag cci: ['CCI-001464'] - tag legacy: [] - tag nist: ['AU-14 (1)'] - - grub_entries = command('grep "^\s*linux" /boot/grub/grub.cfg').stdout.strip.split("\n").entries - - grub_entries.each do |entry| - describe entry do - it { should include "audit=1" } - end - end -end - diff --git a/controls/V-238300.rb b/controls/V-238300.rb deleted file mode 100644 index 67330b3..0000000 --- a/controls/V-238300.rb +++ /dev/null @@ -1,72 +0,0 @@ -# encoding: UTF-8 - -control 'V-238300' do - title "The Ubuntu operating system must configure audit tools with a mode of -0755 or less permissive." - desc "Protecting audit information also includes identifying and protecting -the tools used to view and manipulate log data. Therefore, protecting audit -tools is necessary to prevent unauthorized operation on audit information. - - Operating systems providing tools to interface with audit information will -leverage user permissions and roles identifying the user accessing the tools -and the corresponding rights the user enjoys in order to make access decisions -regarding the access to audit tools. - - Audit tools include, but are not limited to, vendor-provided and open -source audit tools needed to successfully view and manipulate audit information -system activity and records. Audit tools include custom queries and report -generators. - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system configures the audit tools to have a -file permission of 0755 or less to prevent unauthorized access by running the -following command: - - $ stat -c \"%n %a\" /sbin/auditctl /sbin/aureport /sbin/ausearch -/sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules - - /sbin/auditctl 755 - /sbin/aureport 755 - /sbin/ausearch 755 - /sbin/autrace 755 - /sbin/auditd 755 - /sbin/audispd 755 - /sbin/augenrules 755 - - If any of the audit tools have a mode more permissive than 0755, this is a -finding. - " - desc 'fix', " - Configure the audit tools on the Ubuntu operating system to be protected -from unauthorized access by setting the correct permissive mode using the -following command: - - $ sudo chmod 0755 [audit_tool] - - Replace \"[audit_tool]\" with the audit tool that does not have the correct -permissions. - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000256-GPOS-00097' - tag satisfies: ['SRG-OS-000256-GPOS-00097', 'SRG-OS-000257-GPOS-00098'] - tag gid: 'V-238300' - tag rid: 'SV-238300r654075_rule' - tag stig_id: 'UBTU-20-010199' - tag fix_id: 'F-41469r654074_fix' - tag cci: ['CCI-001493', 'CCI-001494'] - tag legacy: [] - tag nist: ['AU-9', 'AU-9'] - - audit_tools = input('audit_tools') - - audit_tools.each do |tool| - describe file(tool) do - it { should_not be_more_permissive_than('0755') } - end - end -end - diff --git a/controls/V-238301.rb b/controls/V-238301.rb deleted file mode 100644 index 5843c80..0000000 --- a/controls/V-238301.rb +++ /dev/null @@ -1,71 +0,0 @@ -# encoding: UTF-8 - -control 'V-238301' do - title "The Ubuntu operating system must configure audit tools to be owned by -root." - desc "Protecting audit information also includes identifying and protecting -the tools used to view and manipulate log data. Therefore, protecting audit -tools is necessary to prevent unauthorized operation on audit information. - - Operating systems providing tools to interface with audit information will -leverage user permissions and roles identifying the user accessing the tools -and the corresponding rights the user enjoys in order to make access decisions -regarding the access to audit tools. - - Audit tools include, but are not limited to, vendor-provided and open -source audit tools needed to successfully view and manipulate audit information -system activity and records. Audit tools include custom queries and report -generators. - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system configures the audit tools to be owned -by root to prevent any unauthorized access. - - Check the ownership by running the following command: - - $ stat -c \"%n %U\" /sbin/auditctl /sbin/aureport /sbin/ausearch -/sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules - - /sbin/auditctl root - /sbin/aureport root - /sbin/ausearch root - /sbin/autrace root - /sbin/auditd root - /sbin/audispd root - /sbin/augenrules root - - If any of the audit tools are not owned by root, this is a finding. - " - desc 'fix', " - Configure the audit tools on the Ubuntu operating system to be protected -from unauthorized access by setting the file owner as root using the following -command: - - $ sudo chown root [audit_tool] - - Replace \"[audit_tool]\" with each audit tool not owned by root. - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000256-GPOS-00097' - tag satisfies: ['SRG-OS-000256-GPOS-00097', 'SRG-OS-000257-GPOS-00098'] - tag gid: 'V-238301' - tag rid: 'SV-238301r654078_rule' - tag stig_id: 'UBTU-20-010200' - tag fix_id: 'F-41470r654077_fix' - tag cci: ['CCI-001493', 'CCI-001494'] - tag legacy: [] - tag nist: ['AU-9', 'AU-9'] - - audit_tools = input('audit_tools') - - audit_tools.each do |tool| - describe file(tool) do - its('owner') { should cmp 'root' } - end - end -end - diff --git a/controls/V-238302.rb b/controls/V-238302.rb deleted file mode 100644 index 79f4d60..0000000 --- a/controls/V-238302.rb +++ /dev/null @@ -1,71 +0,0 @@ -# encoding: UTF-8 - -control 'V-238302' do - title "The Ubuntu operating system must configure the audit tools to be -group-owned by root." - desc "Protecting audit information also includes identifying and protecting -the tools used to view and manipulate log data. Therefore, protecting audit -tools is necessary to prevent unauthorized operation on audit information. - - Operating systems providing tools to interface with audit information will -leverage user permissions and roles identifying the user accessing the tools -and the corresponding rights the user enjoys in order to make access decisions -regarding the access to audit tools. - - Audit tools include, but are not limited to, vendor-provided and open -source audit tools needed to successfully view and manipulate audit information -system activity and records. Audit tools include custom queries and report -generators. - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system configures the audit tools to be -group-owned by root to prevent any unauthorized access. - - Check the group ownership by running the following command: - - $ stat -c \"%n %G\" /sbin/auditctl /sbin/aureport /sbin/ausearch -/sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules - - /sbin/auditctl root - /sbin/aureport root - /sbin/ausearch root - /sbin/autrace root - /sbin/auditd root - /sbin/audispd root - /sbin/augenrules root - - If any of the audit tools are not group-owned by root, this is a finding. - " - desc 'fix', " - Configure the audit tools on the Ubuntu operating system to be protected -from unauthorized access by setting the file group as root using the following -command: - - $ sudo chown :root [audit_tool] - - Replace \"[audit_tool]\" with each audit tool not group-owned by root. - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000256-GPOS-00097' - tag satisfies: ['SRG-OS-000256-GPOS-00097', 'SRG-OS-000257-GPOS-00098'] - tag gid: 'V-238302' - tag rid: 'SV-238302r654081_rule' - tag stig_id: 'UBTU-20-010201' - tag fix_id: 'F-41471r654080_fix' - tag cci: ['CCI-001493', 'CCI-001494'] - tag legacy: [] - tag nist: ['AU-9', 'AU-9'] - - audit_tools = input('audit_tools') - - audit_tools.each do |tool| - describe file(tool) do - its('group') { should cmp 'root' } - end - end -end - diff --git a/controls/V-238303.rb b/controls/V-238303.rb deleted file mode 100644 index 79365c6..0000000 --- a/controls/V-238303.rb +++ /dev/null @@ -1,109 +0,0 @@ -# encoding: UTF-8 - -control 'V-238303' do - title "The Ubuntu operating system must use cryptographic mechanisms to -protect the integrity of audit tools." - desc "Protecting the integrity of the tools used for auditing purposes is a -critical step toward ensuring the integrity of audit information. Audit -information includes all information (e.g., audit records, audit settings, and -audit reports) needed to successfully audit information system activity. - - Audit tools include, but are not limited to, vendor-provided and open -source audit tools needed to successfully view and manipulate audit information -system activity and records. Audit tools include custom queries and report -generators. - - It is not uncommon for attackers to replace the audit tools or inject code -into the existing tools with the purpose of providing the capability to hide or -erase system activity from the audit logs. - - To address this risk, audit tools must be cryptographically signed in order -to provide the capability to identify when the audit tools have been modified, -manipulated, or replaced. An example is a checksum hash of the file or files. - " - desc 'rationale', '' - desc 'check', " - Verify that Advanced Intrusion Detection Environment (AIDE) is properly -configured to use cryptographic mechanisms to protect the integrity of audit -tools. - - Check the selection lines that AIDE is configured to add/check with the -following command: - - $ egrep '(\\/sbin\\/(audit|au))' /etc/aide/aide.conf - - /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 - /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 - /sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 - /sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 - /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 - /sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512 - /sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 - - If any of the seven audit tools do not have appropriate selection lines, -this is a finding. - " - desc 'fix', " - Add or update the following selection lines for \"/etc/aide/aide.conf\" to -protect the integrity of the audit tools: - - # Audit Tools - /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 - /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 - /sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 - /sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 - /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 - /sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512 - /sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000278-GPOS-00108' - tag gid: 'V-238303' - tag rid: 'SV-238303r654084_rule' - tag stig_id: 'UBTU-20-010205' - tag fix_id: 'F-41472r654083_fix' - tag cci: ['CCI-001496'] - tag legacy: [] - tag nist: ['AU-9 (3)'] - - aide_conf = aide_conf input('aide_conf_path') - - aide_conf_exists = aide_conf.exist? - - if aide_conf_exists - describe aide_conf.where { selection_line == '/sbin/auditctl' } do - its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattrs', 'sha512'] } - end - - describe aide_conf.where { selection_line == '/sbin/auditd' } do - its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattrs', 'sha512'] } - end - - describe aide_conf.where { selection_line == '/sbin/ausearch' } do - its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattrs', 'sha512'] } - end - - describe aide_conf.where { selection_line == '/sbin/aureport' } do - its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattrs', 'sha512'] } - end - - describe aide_conf.where { selection_line == '/sbin/autrace' } do - its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattrs', 'sha512'] } - end - - describe aide_conf.where { selection_line == '/sbin/audispd' } do - its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattrs', 'sha512'] } - end - - describe aide_conf.where { selection_line == '/sbin/augenrules' } do - its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattrs', 'sha512'] } - end - else - describe 'aide.conf file exists' do - subject { aide_conf_exists } - it { should be true } - end - end -end - diff --git a/controls/V-238304.rb b/controls/V-238304.rb deleted file mode 100644 index 4922bff..0000000 --- a/controls/V-238304.rb +++ /dev/null @@ -1,91 +0,0 @@ -# encoding: UTF-8 - -control 'V-238304' do - title "The Ubuntu operating system must prevent all software from executing -at higher privilege levels than users executing the software and the audit -system must be configured to audit the execution of privileged functions." - desc "In certain situations, software applications/programs need to execute -with elevated privileges to perform required functions. However, if the -privileges required for execution are at a higher level than the privileges -assigned to organizational users invoking such applications/programs, those -users are indirectly provided with greater privileges than assigned by the -organizations. - - Some programs and processes are required to operate at a higher privilege -level and therefore should be excluded from the organization-defined software -list after review. - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system audits the execution of privilege -functions by auditing the \"execve\" system call. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep execve - - -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv - - -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv - - -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv - - -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the Ubuntu operating system to audit the execution of all -privileged functions. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv - - -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv - - -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv - - -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000326-GPOS-00126' - tag satisfies: ['SRG-OS-000326-GPOS-00126', 'SRG-OS-000327-GPOS-00127'] - tag gid: 'V-238304' - tag rid: 'SV-238304r654087_rule' - tag stig_id: 'UBTU-20-010211' - tag fix_id: 'F-41473r654086_fix' - tag cci: ['CCI-002233', 'CCI-002234'] - tag legacy: [] - tag nist: ['AC-6 (8)', 'AC-6 (9)'] - - if os.arch == 'x86_64' - describe auditd.syscall('execve').where { arch == 'b64' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end - end - describe auditd.syscall('execve').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end -end - diff --git a/controls/V-238305.rb b/controls/V-238305.rb deleted file mode 100644 index a35d728..0000000 --- a/controls/V-238305.rb +++ /dev/null @@ -1,104 +0,0 @@ -# encoding: UTF-8 - -control 'V-238305' do - title "The Ubuntu operating system must allocate audit record storage -capacity to store at least one weeks' worth of audit records, when audit -records are not immediately sent to a central audit record storage facility." - desc "In order to ensure operating systems have a sufficient storage -capacity in which to write the audit logs, operating systems need to be able to -allocate audit record storage capacity. - - The task of allocating audit record storage capacity is usually performed -during initial installation of the operating system. - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system allocates audit record storage capacity -to store at least one week's worth of audit records when audit records are not -immediately sent to a central audit record storage facility. - - Determine which partition the audit records are being written to with the -following command: - - $ sudo grep ^log_file /etc/audit/auditd.conf - log_file = /var/log/audit/audit.log - - Check the size of the partition that audit records are written to (with the -example being \"/var/log/audit/\") with the following command: - - $ sudo df –h /var/log/audit/ - /dev/sda2 24G 10.4G 13.6G 43% /var/log/audit - - If the audit records are not written to a partition made specifically for -audit records (\"/var/log/audit\" is a separate partition), determine the -amount of space being used by other files in the partition with the following -command: - - $ sudo du –sh [audit_partition] - 1.8G /var/log/audit - - Note: The partition size needed to capture a week's worth of audit records -is based on the activity level of the system and the total storage capacity -available. In normal circumstances, 10.0 GB of storage space for audit records -will be sufficient. - - If the audit record partition is not allocated for sufficient storage -capacity, this is a finding. - " - desc 'fix', " - Allocate enough storage capacity for at least one week's worth of audit -records when audit records are not immediately sent to a central audit record -storage facility. - - If audit records are stored on a partition made specifically for audit -records, use the \"parted\" program to resize the partition with sufficient -space to contain one week's worth of audit records. - - If audit records are not stored on a partition made specifically for audit -records, a new partition with sufficient amount of space will need be to be -created. - - Set the auditd server to point to the mount point where the audit records -must be located: - - $ sudo sed -i -E 's@^(log_file\\s*=\\s*).*@\\1 /audit.log@' -/etc/audit/auditd.conf - - where is the aforementioned mount point. - " - impact 0.3 - tag severity: 'low' - tag gtitle: 'SRG-OS-000341-GPOS-00132' - tag gid: 'V-238305' - tag rid: 'SV-238305r654090_rule' - tag stig_id: 'UBTU-20-010215' - tag fix_id: 'F-41474r654089_fix' - tag cci: ['CCI-001849'] - tag legacy: [] - tag nist: ['AU-4'] - - - log_file = auditd_conf.log_file - log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil? - - if log_dir_exists - log_file_dir = File.dirname(log_file) - available_storage = filesystem(log_file_dir).free_kb - log_file_size = file(log_file).size - standard_audit_log_size = input('standard_audit_log_size') - describe ('Current audit log file size is less than the specified standard of ' + standard_audit_log_size.to_s) do - subject { log_file_size.to_i } - it { should be <= standard_audit_log_size } - end - describe ('Available storage for audit log should be more than the defined standard of ' + standard_audit_log_size.to_s) do - subject { available_storage.to_i } - it { should be > standard_audit_log_size } - end - else - describe ('Audit file/directory for file ' + log_file + ' exists') do - subject { log_dir_exists } - it { should be true } - end - end -end - diff --git a/controls/V-238306.rb b/controls/V-238306.rb deleted file mode 100644 index 89b814d..0000000 --- a/controls/V-238306.rb +++ /dev/null @@ -1,105 +0,0 @@ -# encoding: UTF-8 - -control 'V-238306' do - title "The Ubuntu operating system audit event multiplexor must be configured -to off-load audit logs onto a different system or storage media from the system -being audited." - desc "Information stored in one location is vulnerable to accidental or -incidental deletion or alteration. - - Off-loading is a common process in information systems with limited audit -storage capacity. - - - " - desc 'rationale', '' - desc 'check', " - Verify the audit event multiplexor is configured to offload audit records -to a different system or storage media from the system being audited. - - Check that audisp-remote plugin is installed: - - $ sudo dpkg -s audispd-plugins - - If status is \"not installed\", this is a finding. - - Check that the records are being offloaded to a remote server with the -following command: - - $ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf - - active = yes - - If \"active\" is not set to \"yes\", or the line is commented out, this is -a finding. - - Check that audisp-remote plugin is configured to send audit logs to a -different system: - - $ sudo grep -i ^remote_server /etc/audisp/audisp-remote.conf - - remote_server = 192.168.122.126 - - If the \"remote_server\" parameter is not set, is set with a local address, -or is set with an invalid address, this is a finding. - " - desc 'fix', " - Configure the audit event multiplexor to offload audit records to a -different system or storage media from the system being audited. - - Install the audisp-remote plugin: - - $ sudo apt-get install audispd-plugins -y - - Set the audisp-remote plugin as active by editing the -\"/etc/audisp/plugins.d/au-remote.conf\" file: - - $ sudo sed -i -E 's/active\\s*=\\s*no/active = yes/' -/etc/audisp/plugins.d/au-remote.conf - - Set the address of the remote machine by editing the -\"/etc/audisp/audisp-remote.conf\" file: - - $ sudo sed -i -E 's/(remote_server\\s*=).*/\\1 /' -/etc/audisp/audisp-remote.conf - - where must be substituted by the address of the remote server -receiving the audit log. - - Make the audit service reload its configuration files: - - $ sudo systemctl restart auditd.service - " - impact 0.3 - tag severity: 'low' - tag gtitle: 'SRG-OS-000342-GPOS-00133' - tag satisfies: ['SRG-OS-000342-GPOS-00133', 'SRG-OS-000479-GPOS-00224'] - tag gid: 'V-238306' - tag rid: 'SV-238306r654093_rule' - tag stig_id: 'UBTU-20-010216' - tag fix_id: 'F-41475r654092_fix' - tag cci: ['CCI-001851'] - tag legacy: [] - tag nist: ['AU-4 (1)'] - - config_file = '/etc/audisp/plugins.d/au-remote.conf' - config_file_exists = file(config_file).exist? - audit_sp_remote_server= input("audit_sp_remote_server") - - describe package('audispd-plugins') do - it { should be_installed } - end - - if config_file_exists - describe parse_config_file(config_file) do - its('active') { should cmp 'yes' } - its('remote_server') { should cmp audit_sp_remote_server } - end - else - describe (config_file + ' exists') do - subject { config_file_exists } - it { should be true } - end - end -end - diff --git a/controls/V-238307.rb b/controls/V-238307.rb deleted file mode 100644 index 10e3b72..0000000 --- a/controls/V-238307.rb +++ /dev/null @@ -1,105 +0,0 @@ -# encoding: UTF-8 - -control 'V-238307' do - title "The Ubuntu operating system must immediately notify the SA and ISSO -(at a minimum) when allocated audit record storage volume reaches 75% of the -repository maximum audit record storage capacity." - desc "If security personnel are not notified immediately when storage volume -reaches 75% utilization, they are unable to plan for audit record storage -capacity expansion." - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) -when allocated audit record storage volume reaches 75% of the repository -maximum audit record storage capacity with the following command: - - $ sudo grep ^space_left_action /etc/audit/auditd.conf - - space_left_action email - - $ sudo grep ^space_left /etc/audit/auditd.conf - - space_left 250000 - - If the \"space_left\" parameter is missing, set to blanks, or set to a -value less than 25% of the space free in the allocated audit record storage, -this is a finding. - - If the \"space_left_action\" parameter is missing or set to blanks, this is -a finding. - - If the \"space_left_action\" is set to \"syslog\", the system logs the -event but does not generate a notification, and this is a finding. - - If the \"space_left_action\" is set to \"exec\", the system executes a -designated script. If this script informs the SA of the event, this is not a -finding. - - If the \"space_left_action\" is set to \"email\", check the value of the -\"action_mail_acct\" parameter with the following command: - - $ sudo grep ^action_mail_acct /etc/audit/auditd.conf - - action_mail_acct root@localhost - - The \"action_mail_acct\" parameter, if missing, defaults to \"root\". If -the \"action_mail_acct parameter\" is not set to the email address of the SA(s) -and/or ISSO, this is a finding. - - Note: If the email address of the System Administrator - is on a remote system, a mail package must be available. - " - desc 'fix', " - Edit \"/etc/audit/auditd.conf\" and set the \"space_left_action\" parameter -to \"exec\" or \"email\". - - If the \"space_left_action\" parameter is set to \"email\", set the -\"action_mail_acct\" parameter to an email address for the SA and ISSO. - - If the \"space_left_action\" parameter is set to \"exec\", ensure the -command being executed notifies the SA and ISSO. - - Edit \"/etc/audit/auditd.conf\" and set the \"space_left\" parameter to be -at least 25% of the repository maximum audit record storage capacity. - " - impact 0.3 - tag severity: 'low' - tag gtitle: 'SRG-OS-000343-GPOS-00134' - tag gid: 'V-238307' - tag rid: 'SV-238307r654096_rule' - tag stig_id: 'UBTU-20-010217' - tag fix_id: 'F-41476r654095_fix' - tag cci: ['CCI-001855'] - tag legacy: [] - tag nist: ['AU-5 (1)'] - - log_file = auditd_conf.log_file - log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil? - - if log_dir_exists - email_to_notify = input('action_mail_acct') - - partition_threshold_mb = (filesystem(log_file).size_kb / 1024 * 0.25).to_i - system_alert_configuration_mb = auditd_conf.space_left.to_i - - describe 'The space_left configuration' do - subject { system_alert_configuration_mb } - it { should >= partition_threshold_mb } - end - describe 'The space_left_action configuration' do - subject { auditd_conf.space_left_action } - it { should eq "email" } - end - - describe 'The action_mail_acct configuration' do - subject { auditd_conf.action_mail_acct } - it { should eq email_to_notify } - end - else - describe ('Audit file/directory for file ' + log_file + ' exists') do - subject { log_dir_exists } - it { should be true } - end - end -end - diff --git a/controls/V-238308.rb b/controls/V-238308.rb deleted file mode 100644 index cfedb90..0000000 --- a/controls/V-238308.rb +++ /dev/null @@ -1,48 +0,0 @@ -# encoding: UTF-8 - -control 'V-238308' do - title "The Ubuntu operating system must record time stamps for audit records -that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time -(GMT)." - desc "If time stamps are not consistently applied and there is no common -time reference, it is difficult to perform forensic analysis. - - Time stamps generated by the operating system include date and time. Time -is commonly expressed in Coordinated Universal Time (UTC), a modern -continuation of Greenwich Mean Time (GMT), or local time with an offset from -UTC. - " - desc 'rationale', '' - desc 'check', " - To verify the time zone is configured to use UTC or GMT, run the following -command. - - $ timedatectl status | grep -i \"time zone\" - Timezone: UTC (UTC, +0000) - - If \"Timezone\" is not set to UTC or GMT, this is a finding. - " - desc 'fix', " - To configure the system time zone to use UTC or GMT, run the following -command, replacing [ZONE] with UTC or GMT: - - $ sudo timedatectl set-timezone [ZONE] - " - impact 0.3 - tag severity: 'low' - tag gtitle: 'SRG-OS-000359-GPOS-00146' - tag gid: 'V-238308' - tag rid: 'SV-238308r654099_rule' - tag stig_id: 'UBTU-20-010230' - tag fix_id: 'F-41477r654098_fix' - tag cci: ['CCI-001890'] - tag legacy: [] - tag nist: ['AU-8 b'] - - time_zone = command('timedatectl status | grep -i "time zone"').stdout.strip - - describe time_zone do - it { should match 'UTC' } - end -end - diff --git a/controls/V-238309.rb b/controls/V-238309.rb deleted file mode 100644 index a56f533..0000000 --- a/controls/V-238309.rb +++ /dev/null @@ -1,96 +0,0 @@ -# encoding: UTF-8 - -control 'V-238309' do - title "The Ubuntu operating system must generate audit records for privileged -activities, nonlocal maintenance, diagnostic sessions and other system-level -access." - desc "If events associated with nonlocal administrative access or diagnostic -sessions are not logged, a major tool for assessing and investigating attacks -would not be available. - - This requirement addresses auditing-related issues associated with -maintenance tools used specifically for diagnostic and repair actions on -organizational information systems. - - Nonlocal maintenance and diagnostic activities are those activities -conducted by individuals communicating through a network, either an external -network (e.g., the internet) or an internal network. Local maintenance and -diagnostic activities are those activities carried out by individuals -physically present at the information system or information system component -and not communicating across a network connection. - - This requirement applies to hardware/software diagnostic test equipment or -tools. This requirement does not cover hardware/software components that may -support information system maintenance, yet are a part of the system, for -example, the software implementing \"ping,\" \"ls,\" \"ipconfig,\" or the -hardware and software implementing the monitoring port of an Ethernet switch. - - - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system audits activities performed during -nonlocal maintenance and diagnostic sessions. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep sudo.log - - -w /var/log/sudo.log -p wa -k maintenance - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the Ubuntu operating system to audit activities performed during -nonlocal maintenance and diagnostic sessions. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -w /var/log/sudo.log -p wa -k maintenance - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000392-GPOS-00172' - tag satisfies: ['SRG-OS-000392-GPOS-00172', 'SRG-OS-000471-GPOS-00215'] - tag gid: 'V-238309' - tag rid: 'SV-238309r654102_rule' - tag stig_id: 'UBTU-20-010244' - tag fix_id: 'F-41478r654101_fix' - tag cci: ['CCI-000172', 'CCI-002884'] - tag legacy: [] - tag nist: ['AU-12 c', 'MA-4 (1) (a)'] - - @audit_file = "/var/log/sudo.log" - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its("permissions") { should_not cmp [] } - its("action") { should_not include "never" } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include "w" } - it { should include "a" } - end - end - else - describe ("Audit line(s) for " + @audit_file + " exist") do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238310.rb b/controls/V-238310.rb deleted file mode 100644 index af542ba..0000000 --- a/controls/V-238310.rb +++ /dev/null @@ -1,76 +0,0 @@ -# encoding: UTF-8 - -control 'V-238310' do - title "The Ubuntu operating system must generate audit records for any -successful/unsuccessful use of unlink system call." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates audit records for any -successful/unsuccessful use of unlink system call. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep unlink - - -a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=-1 -k delete - -a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=-1 -k delete - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate audit events for any -successful/unsuccessful use of unlink system call. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F arch=b64 -S unlink -Fauid>=1000 -F auid!=4294967295 -k -delete - -a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=4294967295 -k -delete - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000468-GPOS-00212' - tag gid: 'V-238310' - tag rid: 'SV-238310r654105_rule' - tag stig_id: 'UBTU-20-010267' - tag fix_id: 'F-41479r654104_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == "x86_64" - describe auditd.syscall("unlink").where { arch == "b64" } do - its("action.uniq") { should eq ["always"] } - its("list.uniq") { should eq ["exit"] } - end - end - describe auditd.syscall("unlink").where { arch == "b32" } do - its("action.uniq") { should eq ["always"] } - its("list.uniq") { should eq ["exit"] } - end -end - diff --git a/controls/V-238311.rb b/controls/V-238311.rb deleted file mode 100644 index b6139ed..0000000 --- a/controls/V-238311.rb +++ /dev/null @@ -1,76 +0,0 @@ -# encoding: UTF-8 - -control 'V-238311' do - title "The Ubuntu operating system must generate audit records for any -successful/unsuccessful use of unlinkat system call." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates audit records for any -successful/unsuccessful use of unlinkat system call. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep unlinkat - - -a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=-1 -k delete - -a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=-1 -k delete - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate audit events for any -successful/unsuccessful use of the unlinkat system call. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F arch=b64 -S unlinkat -Fauid>=1000 -F auid!=4294967295 -k -delete - -a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k -delete - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000468-GPOS-00212' - tag gid: 'V-238311' - tag rid: 'SV-238311r654108_rule' - tag stig_id: 'UBTU-20-010268' - tag fix_id: 'F-41480r654107_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == "x86_64" - describe auditd.syscall("unlinkat").where { arch == "b64" } do - its("action.uniq") { should eq ["always"] } - its("list.uniq") { should eq ["exit"] } - end - end - describe auditd.syscall("unlinkat").where { arch == "b32" } do - its("action.uniq") { should eq ["always"] } - its("list.uniq") { should eq ["exit"] } - end -end - diff --git a/controls/V-238312.rb b/controls/V-238312.rb deleted file mode 100644 index 295c119..0000000 --- a/controls/V-238312.rb +++ /dev/null @@ -1,76 +0,0 @@ -# encoding: UTF-8 - -control 'V-238312' do - title "The Ubuntu operating system must generate audit records for any -successful/unsuccessful use of rename system call." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates audit records for any -successful/unsuccessful use of rename system call. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep rename - - -a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=-1 -k delete - -a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=-1 -k delete - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate audit events for any -successful/unsuccessful use of the rename system call. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F arch=b64 -S rename -Fauid>=1000 -F auid!=4294967295 -k -delete - -a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=4294967295 -k -delete - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000468-GPOS-00212' - tag gid: 'V-238312' - tag rid: 'SV-238312r654111_rule' - tag stig_id: 'UBTU-20-010269' - tag fix_id: 'F-41481r654110_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == "x86_64" - describe auditd.syscall("rename").where { arch == "b64" } do - its("action.uniq") { should eq ["always"] } - its("list.uniq") { should eq ["exit"] } - end - end - describe auditd.syscall("rename").where { arch == "b32" } do - its("action.uniq") { should eq ["always"] } - its("list.uniq") { should eq ["exit"] } - end -end - diff --git a/controls/V-238313.rb b/controls/V-238313.rb deleted file mode 100644 index 4268835..0000000 --- a/controls/V-238313.rb +++ /dev/null @@ -1,76 +0,0 @@ -# encoding: UTF-8 - -control 'V-238313' do - title "The Ubuntu operating system must generate audit records for any -successful/unsuccessful use of renameat system call." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates audit records for any -successful/unsuccessful use of renameat system call. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep renameat - - -a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=-1 -k delete - -a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=-1 -k delete - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate audit events for any -successful/unsuccessful use of the renameat system call. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F arch=b64 -S renameat -Fauid>=1000 -F auid!=4294967295 -k -delete - -a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -k -delete - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000468-GPOS-00212' - tag gid: 'V-238313' - tag rid: 'SV-238313r654114_rule' - tag stig_id: 'UBTU-20-010270' - tag fix_id: 'F-41482r654113_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == "x86_64" - describe auditd.syscall("renameat").where { arch == "b64" } do - its("action.uniq") { should eq ["always"] } - its("list.uniq") { should eq ["exit"] } - end - end - describe auditd.syscall("renameat").where { arch == "b32" } do - its("action.uniq") { should eq ["always"] } - its("list.uniq") { should eq ["exit"] } - end -end - diff --git a/controls/V-238314.rb b/controls/V-238314.rb deleted file mode 100644 index 7c41d5f..0000000 --- a/controls/V-238314.rb +++ /dev/null @@ -1,74 +0,0 @@ -# encoding: UTF-8 - -control 'V-238314' do - title "The Ubuntu operating system must generate audit records when loading -dynamic kernel modules." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates an audit record when adding -and deleting kernel modules. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep -delete_module - - always,exit -F arch=b32 -S delete_module -k modules - always,exit -F arch=b64 -S delete_module -k modules - - If the command does not return lines that matches the example or the lines -are commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate audit events when adding and -deleting kernel modules. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - always,exit -F arch=b32 -S delete_module -k modules - always,exit -F arch=b64 -S delete_module -k modules - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000471-GPOS-00216' - tag gid: 'V-238314' - tag rid: 'SV-238314r654117_rule' - tag stig_id: 'UBTU-20-010276' - tag fix_id: 'F-41483r654116_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - #CHECK RULE, missing action - if os.arch == 'x86_64' - describe auditd.syscall('delete_module').where { arch == 'b64' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end - end - describe auditd.syscall('delete_module').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end -end - diff --git a/controls/V-238315.rb b/controls/V-238315.rb deleted file mode 100644 index 0272379..0000000 --- a/controls/V-238315.rb +++ /dev/null @@ -1,79 +0,0 @@ -# encoding: UTF-8 - -control 'V-238315' do - title "The Ubuntu operating system must generate audit records for the -/var/log/wtmp file." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates audit records showing start -and stop times for user access to the system via the \"/var/log/wtmp\" file. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep '/var/log/wtmp' - - -w /var/log/wtmp -p wa -k logins - - If the command does not return a line matching the example or the line is -commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate audit events showing start and stop -times for user access via the \"/var/log/wtmp\" file. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -w /var/log/wtmp -p wa -k logins - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000472-GPOS-00217' - tag gid: 'V-238315' - tag rid: 'SV-238315r654120_rule' - tag stig_id: 'UBTU-20-010277' - tag fix_id: 'F-41484r654119_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = "/var/log/wtmp" - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its("permissions") { should_not cmp [] } - its("action") { should_not include "never" } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include "w" } - it { should include "a" } - end - end - else - describe ("Audit line(s) for " + @audit_file + " exist") do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238316.rb b/controls/V-238316.rb deleted file mode 100644 index 503ea78..0000000 --- a/controls/V-238316.rb +++ /dev/null @@ -1,79 +0,0 @@ -# encoding: UTF-8 - -control 'V-238316' do - title "The Ubuntu operating system must generate audit records for the -/var/run/wtmp file." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates audit records showing start -and stop times for user access to the system via the \"/var/run/wtmp\" file. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep '/var/run/wtmp' - - -w /var/run/wtmp -p wa -k logins - - If the command does not return a line matching the example or the line is -commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate audit events showing start and stop -times for user access via the \"/var/run/wtmp\" file. - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -w /var/run/wtmp -p wa -k logins - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000472-GPOS-00217' - tag gid: 'V-238316' - tag rid: 'SV-238316r654123_rule' - tag stig_id: 'UBTU-20-010278' - tag fix_id: 'F-41485r654122_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = "/var/run/wtmp" - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its("permissions") { should_not cmp [] } - its("action") { should_not include "never" } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include "w" } - it { should include "a" } - end - end - else - describe ("Audit line(s) for " + @audit_file + " exist") do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238317.rb b/controls/V-238317.rb deleted file mode 100644 index 791ed27..0000000 --- a/controls/V-238317.rb +++ /dev/null @@ -1,79 +0,0 @@ -# encoding: UTF-8 - -control 'V-238317' do - title "The Ubuntu operating system must generate audit records for the -/var/log/btmp file." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system generates audit records showing start -and stop times for user access to the system via the \"/var/log/btmp\" file. - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep '/var/log/btmp' - - -w /var/log/btmp -p wa -k logins - - If the command does not return a line matching the example or the line is -commented out, this is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the audit system to generate audit events showing start and stop -times for user access via the \"/var/log/btmp file\". - - Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" -file: - - -w /var/log/btmp -p wa -k logins - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000472-GPOS-00217' - tag gid: 'V-238317' - tag rid: 'SV-238317r654126_rule' - tag stig_id: 'UBTU-20-010279' - tag fix_id: 'F-41486r654125_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = "/var/log/btmp" - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its("permissions") { should_not cmp [] } - its("action") { should_not include "never" } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include "w" } - it { should include "a" } - end - end - else - describe ("Audit line(s) for " + @audit_file + " exist") do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238318.rb b/controls/V-238318.rb deleted file mode 100644 index 195f366..0000000 --- a/controls/V-238318.rb +++ /dev/null @@ -1,76 +0,0 @@ -# encoding: UTF-8 - -control 'V-238318' do - title "The Ubuntu operating system must generate audit records when -successful/unsuccessful attempts to use modprobe command." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify if the Ubuntu operating system is configured to audit the execution -of the module management program \"modprobe\" by running the following command: - - $ sudo auditctl -l | grep \"/sbin/modprobe\" - - -w /sbin/modprobe -p x -k modules - - If the command does not return a line, or the line is commented out, this -is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the Ubuntu operating system to audit the execution of the module -management program \"modprobe\". - - Add or update the following rule in the \"/etc/audit/rules.d/stig.rules\" -file: - - -w /sbin/modprobe -p x -k modules - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000477-GPOS-00222' - tag gid: 'V-238318' - tag rid: 'SV-238318r654129_rule' - tag stig_id: 'UBTU-20-010296' - tag fix_id: 'F-41487r654128_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/sbin/modprobe' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'x' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238319.rb b/controls/V-238319.rb deleted file mode 100644 index e3b98f2..0000000 --- a/controls/V-238319.rb +++ /dev/null @@ -1,78 +0,0 @@ -# encoding: UTF-8 - -control 'V-238319' do - title "The Ubuntu operating system must generate audit records when -successful/unsuccessful attempts to use the kmod command." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system is configured to audit the execution of -the module management program \"kmod\". - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep kmod - - -w /bin/kmod -p x -k module - - If the command does not return a line, or the line is commented out, this -is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the Ubuntu operating system to audit the execution of the module -management program \"kmod\". - - Add or update the following rule in the \"/etc/audit/rules.d/stig.rules\" -file: - - -w /bin/kmod -p x -k modules - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000477-GPOS-00222' - tag gid: 'V-238319' - tag rid: 'SV-238319r654132_rule' - tag stig_id: 'UBTU-20-010297' - tag fix_id: 'F-41488r654131_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = '/bin/kmod' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include 'x' } - end - end - else - describe ('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238320.rb b/controls/V-238320.rb deleted file mode 100644 index 18d80b1..0000000 --- a/controls/V-238320.rb +++ /dev/null @@ -1,78 +0,0 @@ -# encoding: UTF-8 - -control 'V-238320' do - title "The Ubuntu operating system must generate audit records when -successful/unsuccessful attempts to use the fdisk command." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system is configured to audit the execution of -the partition management program \"fdisk\". - - Check the currently configured audit rules with the following command: - - $ sudo auditctl -l | grep fdisk - - -w /sbin/fdisk -p x -k fdisk - - If the command does not return a line, or the line is commented out, this -is a finding. - - Note: The \"-k\" allows for specifying an arbitrary identifier, and the -string after it does not need to match the example output above. - " - desc 'fix', " - Configure the Ubuntu operating system to audit the execution of the -partition management program \"fdisk\". - - Add or update the following rule in the \"/etc/audit/rules.d/stig.rules\" -file: - - -w /bin/fdisk -p x -k fdisk - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000477-GPOS-00222' - tag gid: 'V-238320' - tag rid: 'SV-238320r654135_rule' - tag stig_id: 'UBTU-20-010298' - tag fix_id: 'F-41489r654134_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - @audit_file = "/sbin/fdisk" - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its("permissions") { should_not cmp [] } - its("action") { should_not include "never" } - end - - @perms = auditd.file(@audit_file).permissions - - @perms.each do |perm| - describe perm do - it { should include "x" } - end - end - else - describe ("Audit line(s) for " + @audit_file + " exist") do - subject { audit_lines_exist } - it { should be true } - end - end -end - diff --git a/controls/V-238321.rb b/controls/V-238321.rb deleted file mode 100644 index 4fd04a3..0000000 --- a/controls/V-238321.rb +++ /dev/null @@ -1,62 +0,0 @@ -# encoding: UTF-8 - -control 'V-238321' do - title "The Ubuntu operating system must have a crontab script running weekly -to offload audit events of standalone systems." - desc "Information stored in one location is vulnerable to accidental or -incidental deletion or alteration. - - Offloading is a common process in information systems with limited audit -storage capacity. - " - desc 'rationale', '' - desc 'check', " - Note: If this is an interconnected system, this is Not Applicable. - - Verify there is a script that offloads audit data and that script runs -weekly. - - Check if there is a script in the \"/etc/cron.weekly\" directory that -offloads audit data: - - # sudo ls /etc/cron.weekly - - audit-offload - - Check if the script inside the file does offloading of audit logs to -external media. - - If the script file does not exist or does not offload audit logs, this is a -finding. - " - desc 'fix', " - Create a script that offloads audit logs to external media and runs weekly. - - The script must be located in the \"/etc/cron.weekly\" directory. - " - impact 0.3 - tag severity: 'low' - tag gtitle: 'SRG-OS-000479-GPOS-00224' - tag gid: 'V-238321' - tag rid: 'SV-238321r654138_rule' - tag stig_id: 'UBTU-20-010300' - tag fix_id: 'F-41490r654137_fix' - tag cci: ['CCI-001851'] - tag legacy: [] - tag nist: ['AU-4 (1)'] - - cron_file = '/etc/cron.weekly/audit-offload' - cron_file_exists = file(cron_file).exist? - - if cron_file_exists - describe file(cron_file) do - its('content') { should_not be_empty } - end - else - describe cron_file + ' exists' do - subject { cron_file_exists } - it { should be true } - end - end -end - diff --git a/controls/V-238322.rb b/controls/V-238322.rb deleted file mode 100644 index 1554af3..0000000 --- a/controls/V-238322.rb +++ /dev/null @@ -1,72 +0,0 @@ -# encoding: UTF-8 - -control 'V-238322' do - title "The Ubuntu operating system must generate records for -successful/unsuccessful uses of delete_module syscall." - desc "Without generating audit records that are specific to the security and -mission needs of the organization, it would be difficult to establish, -correlate, and investigate the events relating to an incident or identify those -responsible for one. - - Audit records can be generated from various components within the -information system (e.g., module or policy filter). - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system is configured to audit the -\"delete_module\" syscall by running the following command: - - $ sudo auditctl -l | egrep delete_module - - -a always,exit -F arch=b64 -S delete_module -F key=modules - -a always,exit -F arch=b32 -S delete_module -F key=modules - - If the command does not return lines that match the example or the lines -are commented out, this is a finding. - - Notes: - - For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. - - The \"-k\" allows for specifying an arbitrary identifier, and the string -after it does not need to match the example output above. - " - desc 'fix', " - Configure the Ubuntu operating system to generate an audit event for any -use of the \"delete_module\" system call. - - Add or update the following rule in the \"/etc/audit/rules.d/stig.rules\" -file: - - -a always,exit -F arch=b32 -S delete_module -F key=modules - -a always,exit -F arch=b64 -S delete_module -F key=modules - - Notes: For 32-bit architectures, only the 32-bit specific entries are -required. - - To reload the rules file, issue the following command: - - $ sudo augenrules --load - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000477-GPOS-00222' - tag gid: 'V-238322' - tag rid: 'SV-238322r654141_rule' - tag stig_id: 'UBTU-20-010302' - tag fix_id: 'F-41491r654140_fix' - tag cci: ['CCI-000172'] - tag legacy: [] - tag nist: ['AU-12 c'] - - if os.arch == 'x86_64' - describe auditd.syscall('delete_module').where { arch == 'b64' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end - end - describe auditd.syscall('delete_module').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end -end - diff --git a/controls/V-238323.rb b/controls/V-238323.rb deleted file mode 100644 index 4c992b2..0000000 --- a/controls/V-238323.rb +++ /dev/null @@ -1,54 +0,0 @@ -# encoding: UTF-8 - -control 'V-238323' do - title "The Ubuntu operating system must limit the number of concurrent -sessions to ten for all accounts and/or account types." - desc "The Ubuntu operating system management includes the ability to control -the number of users and user sessions that utilize an operating system. -Limiting the number of allowed users and sessions per user is helpful in -reducing the risks related to DoS attacks. - - This requirement addresses concurrent sessions for information system -accounts and does not address concurrent sessions by single users via multiple -system accounts. The maximum number of concurrent sessions should be defined -based upon mission needs and the operational environment for each system. - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system limits the number of concurrent sessions -to 10 for all accounts and/or account types by running the following command: - - $ grep maxlogins /etc/security/limits.conf | grep -v '^* hard maxlogins' - - The result must contain the following line: - - * hard maxlogins 10 - - If the \"maxlogins\" item is missing or the value is not set to 10 or less -or is commented out, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to limit the number of concurrent -sessions to 10 for all accounts and/or account types. - - Add the following line to the top of the \"/etc/security/limits.conf\" -file: - - * hard maxlogins 10 - " - impact 0.3 - tag severity: 'low' - tag gtitle: 'SRG-OS-000027-GPOS-00008' - tag gid: 'V-238323' - tag rid: 'SV-238323r654144_rule' - tag stig_id: 'UBTU-20-010400' - tag fix_id: 'F-41492r654143_fix' - tag cci: ['CCI-000054'] - tag legacy: [] - tag nist: ['AC-10'] - - describe limits_conf do - its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] } - end -end - diff --git a/controls/V-238324.rb b/controls/V-238324.rb deleted file mode 100644 index bdc074c..0000000 --- a/controls/V-238324.rb +++ /dev/null @@ -1,75 +0,0 @@ -# encoding: UTF-8 - -control 'V-238324' do - title 'The Ubuntu operating system must monitor remote access methods.' - desc "Remote access services, such as those providing remote access to -network devices and information systems, which lack automated monitoring -capabilities, increase risk and make remote user access management difficult at -best. - - Remote access is access to DoD nonpublic information systems by an -authorized user (or an information system) communicating through an external, -non-organization-controlled network. Remote access methods include, for -example, dial-up, broadband, and wireless. - - Automated monitoring of remote access sessions allows organizations to -detect cyber attacks and also ensure ongoing compliance with remote access -policies by auditing connection activities of remote access capabilities, such -as Remote Desktop Protocol (RDP), on a variety of information system components -(e.g., servers, workstations, notebook computers, smartphones, and tablets). - " - desc 'rationale', '' - desc 'check', " - Verify that the Ubuntu operating system monitors all remote access methods. - - Check that remote access methods are being logged by running the following -command: - - $ grep -E -r '^(auth,authpriv\\.\\*|daemon\\.\\*)' /etc/rsyslog.* - /etc/rsyslog.d/50-default.conf:auth,authpriv.* -/var/log/auth.log - /etc/rsyslog.d/50-default.conf:daemon.notice -/var/log/messages - - If \"auth.*\", \"authpriv.*\", or \"daemon.*\" are not configured to be -logged in at least one of the config files, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to monitor all remote access methods -by adding the following lines to the \"/etc/rsyslog.d/50-default.conf\" file: - - auth.*,authpriv.* /var/log/secure - daemon.notice /var/log/messages - - For the changes to take effect, restart the \"rsyslog\" service with the -following command: - - $ sudo systemctl restart rsyslog.service - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000032-GPOS-00013' - tag gid: 'V-238324' - tag rid: 'SV-238324r654147_rule' - tag stig_id: 'UBTU-20-010403' - tag fix_id: 'F-41493r654146_fix' - tag cci: ['CCI-000067'] - tag legacy: [] - tag nist: ['AC-17 (1)'] - - options = { - assignment_regex: /^\s*([^:]*?)\s*\t\s*(.*?)\s*$/ - } - config_file = '/etc/rsyslog.d/50-default.conf' - auth_setting = parse_config_file(config_file, options).params['auth,authpriv.*'] - daemon_setting = parse_config_file(config_file, options).params['daemon.notice'] - describe auth_setting do - it { should_not be_nil } - it { should_not be_empty } - end - describe daemon_setting do - it { should_not be_nil } - it { should_not be_empty } - end -end - diff --git a/controls/V-238325.rb b/controls/V-238325.rb deleted file mode 100644 index df36457..0000000 --- a/controls/V-238325.rb +++ /dev/null @@ -1,46 +0,0 @@ -# encoding: UTF-8 - -control 'V-238325' do - title "The Ubuntu operating system must encrypt all stored passwords with a -FIPS 140-2 approved cryptographic hashing algorithm." - desc "Passwords need to be protected at all times, and encryption is the -standard method for protecting passwords. If passwords are not encrypted, they -can be plainly read (i.e., clear text) and easily compromised." - desc 'rationale', '' - desc 'check', " - Verify that the shadow password suite configuration is set to encrypt -passwords with a FIPS 140-2 approved cryptographic hashing algorithm. - - Check the hashing algorithm that is being used to hash passwords with the -following command: - - $ cat /etc/login.defs | grep -i encrypt_method - - ENCRYPT_METHOD SHA512 - - If \"ENCRYPT_METHOD\" does not equal SHA512 or greater, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to encrypt all stored passwords. - - Edit/modify the following line in the \"/etc/login.defs\" file and set -\"ENCRYPT_METHOD\" to SHA512: - - ENCRYPT_METHOD SHA512 - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000120-GPOS-00061' - tag gid: 'V-238325' - tag rid: 'SV-238325r654150_rule' - tag stig_id: 'UBTU-20-010404' - tag fix_id: 'F-41494r654149_fix' - tag cci: ['CCI-000803'] - tag legacy: [] - tag nist: ['IA-7'] - - describe login_defs do - its('ENCRYPT_METHOD') { should eq 'SHA512' } - end -end - diff --git a/controls/V-238326.rb b/controls/V-238326.rb deleted file mode 100644 index 5c6bab6..0000000 --- a/controls/V-238326.rb +++ /dev/null @@ -1,39 +0,0 @@ -# encoding: UTF-8 - -control 'V-238326' do - title "The Ubuntu operating system must not have the telnet package -installed." - desc "Passwords need to be protected at all times, and encryption is the -standard method for protecting passwords. If passwords are not encrypted, they -can be plainly read (i.e., clear text) and easily compromised." - desc 'rationale', '' - desc 'check', " - Verify that the telnet package is not installed on the Ubuntu operating -system by running the following command: - - $ dpkg -l | grep telnetd - - If the package is installed, this is a finding. - " - desc 'fix', " - Remove the telnet package from the Ubuntu operating system by running the -following command: - - $ sudo apt-get remove telnetd - " - impact 0.7 - tag severity: 'high' - tag gtitle: 'SRG-OS-000074-GPOS-00042' - tag gid: 'V-238326' - tag rid: 'SV-238326r654153_rule' - tag stig_id: 'UBTU-20-010405' - tag fix_id: 'F-41495r654152_fix' - tag cci: ['CCI-000197'] - tag legacy: [] - tag nist: ['IA-5 (1) (c)'] - - describe package('telnetd') do - it { should_not be_installed } - end -end - diff --git a/controls/V-238327.rb b/controls/V-238327.rb deleted file mode 100644 index ff0724a..0000000 --- a/controls/V-238327.rb +++ /dev/null @@ -1,51 +0,0 @@ -# encoding: UTF-8 - -control 'V-238327' do - title "The Ubuntu operating system must not have the rsh-server package -installed." - desc "It is detrimental for operating systems to provide, or install by -default, functionality exceeding requirements or mission objectives. These -unnecessary capabilities or services are often overlooked and therefore may -remain unsecured. They increase the risk to the platform by providing -additional attack vectors. - - Operating systems are capable of providing a wide variety of functions and -services. Some of the functions and services, provided by default, may not be -necessary to support essential organizational operations (e.g., key missions, -functions). - - Examples of non-essential capabilities include, but are not limited to, -games, software packages, tools, and demonstration software, not related to -requirements or providing a wide array of functionality not required for every -mission, but which cannot be disabled. - " - desc 'rationale', '' - desc 'check', " - Verify the rsh-server package is installed with the following command: - - $ dpkg -l | grep rsh-server - - If the rsh-server package is installed, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to disable non-essential capabilities -by removing the rsh-server package from the system with the following command: - - $ sudo apt-get remove rsh-server - " - impact 0.7 - tag severity: 'high' - tag gtitle: 'SRG-OS-000095-GPOS-00049' - tag gid: 'V-238327' - tag rid: 'SV-238327r654156_rule' - tag stig_id: 'UBTU-20-010406' - tag fix_id: 'F-41496r654155_fix' - tag cci: ['CCI-000381'] - tag legacy: [] - tag nist: ['CM-7 a'] - - describe package('rsh-server') do - it { should_not be_installed } - end -end - diff --git a/controls/V-238328.rb b/controls/V-238328.rb deleted file mode 100644 index 9c4b910..0000000 --- a/controls/V-238328.rb +++ /dev/null @@ -1,96 +0,0 @@ -# encoding: UTF-8 - -control 'V-238328' do - title "The Ubuntu operating system must be configured to prohibit or restrict -the use of functions, ports, protocols, and/or services, as defined in the PPSM -CAL and vulnerability assessments." - desc "In order to prevent unauthorized connection of devices, unauthorized -transfer of information, or unauthorized tunneling (i.e., embedding of data -types within data types), organizations must disable or restrict unused or -unnecessary physical and logical ports/protocols on information systems. - - Operating systems are capable of providing a wide variety of functions and -services. Some of the functions and services provided by default may not be -necessary to support essential organizational operations. Additionally, it is -sometimes convenient to provide multiple services from a single component -(e.g., VPN and IPS); however, doing so increases risk over limiting the -services provided by any one component. - - To support the requirements and principles of least functionality, the -operating system must support the organizational requirements, providing only -essential capabilities and limiting the use of ports, protocols, and/or -services to only those required, authorized, and approved to conduct official -business or to address authorized quality of life issues. - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system is configured to prohibit or restrict -the use of functions, ports, protocols, and/or services as defined in the -Ports, Protocols, and Services Management (PPSM) Category Assignments List -(CAL) and vulnerability assessments. - - Check the firewall configuration for any unnecessary or prohibited -functions, ports, protocols, and/or services by running the following command: - - $ sudo ufw show raw - - Chain OUTPUT (policy ACCEPT) - target prot opt sources destination - Chain INPUT (policy ACCEPT 1 packets, 40 bytes) - pkts bytes target prot opt in out source -destination - - Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) - pkts bytes target prot opt in out source -destination - - Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) - pkts bytes target prot opt in out source -destination - - Ask the System Administrator - for the site or program PPSM CLSA. Verify the services allowed by the -firewall match the PPSM CLSA. - - If there are any additional ports, protocols, or services that are not -included in the PPSM CLSA, this is a finding. - - If there are any ports, protocols, or services that are prohibited by the -PPSM CAL, this is a finding. - " - desc 'fix', " - Add all ports, protocols, or services allowed by the PPSM CLSA by using the -following command: - - $ sudo ufw allow - - where the direction is \"in\" or \"out\" and the port is the one -corresponding to the protocol or service allowed. - - To deny access to ports, protocols, or services, use: - - $ sudo ufw deny - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000096-GPOS-00050' - tag gid: 'V-238328' - tag rid: 'SV-238328r654159_rule' - tag stig_id: 'UBTU-20-010407' - tag fix_id: 'F-41497r654158_fix' - tag cci: ['CCI-000382'] - tag legacy: [] - tag nist: ['CM-7 b'] - - ufw_status = command('ufw status').stdout.strip.lines.first - value = ufw_status.split(':')[1].strip - - describe 'UFW status' do - subject { value } - it { should cmp 'active' } - end - describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do - skip 'Status listings checks must be preformed manually' - end -end - diff --git a/controls/V-238329.rb b/controls/V-238329.rb deleted file mode 100644 index e8abbc3..0000000 --- a/controls/V-238329.rb +++ /dev/null @@ -1,69 +0,0 @@ -# encoding: UTF-8 - -control 'V-238329' do - title "The Ubuntu operating system must prevent direct login into the root -account." - desc "To assure individual accountability and prevent unauthorized access, -organizational users must be individually identified and authenticated. - - A group authenticator is a generic account used by multiple individuals. -Use of a group authenticator alone does not uniquely identify individual users. -Examples of the group authenticator is the UNIX OS \"root\" user account, the -Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\" -account. - - For example, the UNIX and Windows operating systems offer a 'switch user' -capability allowing users to authenticate with their individual credentials -and, when needed, 'switch' to the administrator role. This method provides for -unique individual authentication prior to using a group authenticator. - - Users (and any processes acting on behalf of users) need to be uniquely -identified and authenticated for all accesses other than those accesses -explicitly identified and documented by the organization, which outlines -specific user actions that can be performed on the operating system without -identification or authentication. - - Requiring individuals to be authenticated with an individual authenticator -prior to using a group authenticator allows for traceability of actions, as -well as adding an additional level of protection of the actions that can be -taken with group account knowledge. - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system prevents direct logins to the root -account with the following command: - - $ sudo passwd -S root - - root L 04/23/2020 0 99999 7 -1 - - If the output does not contain \"L\" in the second field to indicate the -account is locked, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to prevent direct logins to the root -account by performing the following operations: - - $ sudo passwd -l root - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000109-GPOS-00056' - tag gid: 'V-238329' - tag rid: 'SV-238329r654162_rule' - tag stig_id: 'UBTU-20-010408' - tag fix_id: 'F-41498r654161_fix' - tag cci: ['CCI-000770'] - tag legacy: [] - tag nist: ['IA-2 (5)'] - - describe.one do - describe shadow.where(user: 'root') do - its('passwords.uniq.first') { should eq '!*' } - end - end - describe command("passwd -S root").stdout.strip do - it { should match /^root\s+L\s+.*$/ } - end -end - diff --git a/controls/V-238330.rb b/controls/V-238330.rb deleted file mode 100644 index c44b64c..0000000 --- a/controls/V-238330.rb +++ /dev/null @@ -1,65 +0,0 @@ -# encoding: UTF-8 - -control 'V-238330' do - title "The Ubuntu operating system must disable account identifiers -(individuals, groups, roles, and devices) after 35 days of inactivity." - desc "Inactive identifiers pose a risk to systems and applications because -attackers may exploit an inactive identifier and potentially obtain undetected -access to the system. Owners of inactive accounts will not notice if -unauthorized access to their user account has been obtained. - - Operating systems need to track periods of inactivity and disable -application identifiers after 35 days of inactivity. - " - desc 'rationale', '' - desc 'check', " - Verify the account identifiers (individuals, groups, roles, and devices) -are disabled after 35 days of inactivity with the following command: - - Check the account inactivity value by performing the following command: - - $ sudo grep INACTIVE /etc/default/useradd - - INACTIVE=35 - - If \"INACTIVE\" is not set to a value 0<[VALUE]<=35, or is commented out, -this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to disable account identifiers after -35 days of inactivity after the password expiration. - - Run the following command to change the configuration for adduser: - - $ sudo useradd -D -f 35 - - Note: DoD recommendation is 35 days, but a lower value is acceptable. The -value \"0\" will disable the account immediately after the password expires. - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000118-GPOS-00060' - tag gid: 'V-238330' - tag rid: 'SV-238330r654165_rule' - tag stig_id: 'UBTU-20-010409' - tag fix_id: 'F-41499r654164_fix' - tag cci: ['CCI-000795'] - tag legacy: [] - tag nist: ['IA-4 e'] - - config_file = '/etc/default/useradd' - config_file_exists = file(config_file).exist? - - if config_file_exists - describe parse_config_file(config_file) do - its('INACTIVE') { should cmp > '0' } - its('INACTIVE') { should cmp <= 35 } - end - else - describe (config_file + ' exists') do - subject { config_file_exists } - it { should be true } - end - end -end - diff --git a/controls/V-238331.rb b/controls/V-238331.rb deleted file mode 100644 index 1b690f7..0000000 --- a/controls/V-238331.rb +++ /dev/null @@ -1,59 +0,0 @@ -# encoding: UTF-8 - -control 'V-238331' do - title "The Ubuntu operating system must automatically remove or disable -emergency accounts after 72 hours." - desc "Emergency accounts are different from infrequently used accounts -(i.e., local logon accounts used by the organization's System Administrator - s when network or normal logon/access is not available). Infrequently used -accounts are not subject to automatic termination dates. Emergency accounts -are accounts created in response to crisis situations, usually for use by -maintenance personnel. The automatic expiration or disabling time period may be -extended as needed until the crisis is resolved; however, it must not be -extended indefinitely. A permanent account should be established for privileged -users who need long-term maintenance accounts. - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system expires emergency accounts within 72 -hours or less. - - For every emergency account, run the following command to obtain its -account expiration information: - - $ sudo chage -l account_name | grep expires - - Password expires : Aug 07, 2019 - Account expires : Aug 07, 2019 - - Verify each of these accounts has an expiration date set within 72 hours of -account creation. - - If any of these accounts do not expire within 72 hours of that account's -creation, this is a finding. - " - desc 'fix', " - If an emergency account must be created, configure the system to terminate -the account after a 72-hour time period with the following command to set an -expiration date on it. Substitute \"account_name\" with the account to be -created. - - $ sudo chage -E $(date -d \"+3 days\" +%F) account_name - " - impact 0.3 - tag severity: 'low' - tag gtitle: 'SRG-OS-000123-GPOS-00064' - tag gid: 'V-238331' - tag rid: 'SV-238331r654168_rule' - tag stig_id: 'UBTU-20-010410' - tag fix_id: 'F-41500r654167_fix' - tag cci: ['CCI-001682'] - tag legacy: [] - tag nist: ['AC-2 (2)'] - - describe 'Manual verification required' do - skip 'Manually verify if emergency account must be created - the system must terminate the account after a 72 hour time period.' - end -end - diff --git a/controls/V-238332.rb b/controls/V-238332.rb deleted file mode 100644 index 2a543a8..0000000 --- a/controls/V-238332.rb +++ /dev/null @@ -1,75 +0,0 @@ -# encoding: UTF-8 - -control 'V-238332' do - title "The Ubuntu operating system must set a sticky bit on all public -directories to prevent unauthorized and unintended information transferred via -shared system resources." - desc "Preventing unauthorized information transfers mitigates the risk of -information, including encrypted representations of information, produced by -the actions of prior users/roles (or the actions of processes acting on behalf -of prior users/roles) from being available to any current users/roles (or -current processes) that obtain access to shared system resources (e.g., -registers, main memory, hard disks) after those resources have been released -back to information systems. The control of information in shared resources is -also commonly referred to as object reuse and residual information protection. - - This requirement generally applies to the design of an information -technology product, but it can also apply to the configuration of particular -information system components that are, or use, such products. This can be -verified by acceptance/validation processes in DoD or other government -agencies. - - There may be shared resources with configurable protections (e.g., files in -storage) that may be assessed on specific information system components. - " - desc 'rationale', '' - desc 'check', " - Verify that all public (world-writeable) directories have the public sticky -bit set. - - Find world-writable directories that lack the sticky bit by running the -following command: - - $ sudo find / -type d -perm -002 ! -perm -1000 - - If any world-writable directories are found missing the sticky bit, this is -a finding. - " - desc 'fix', " - Configure all public directories to have the sticky bit set to prevent -unauthorized and unintended information transferred via shared system -resources. - - Set the sticky bit on all public directories using the following command, -replacing \"[Public Directory]\" with any directory path missing the sticky -bit: - - $ sudo chmod +t [Public Directory] - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000138-GPOS-00069' - tag gid: 'V-238332' - tag rid: 'SV-238332r654171_rule' - tag stig_id: 'UBTU-20-010411' - tag fix_id: 'F-41501r654170_fix' - tag cci: ['CCI-001090'] - tag legacy: [] - tag nist: ['SC-4'] - - lines = command('find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null').stdout.strip.split("\n").entries - if lines.count > 0 - lines.each do |line| - dir = line.strip - describe directory(dir) do - it { should be_sticky } - end - end - else - describe 'Sticky bit has been set on all world writable directories' do - subject { lines } - its('count') { should eq 0 } - end - end -end - diff --git a/controls/V-238333.rb b/controls/V-238333.rb deleted file mode 100644 index 3eb33f4..0000000 --- a/controls/V-238333.rb +++ /dev/null @@ -1,59 +0,0 @@ -# encoding: UTF-8 - -control 'V-238333' do - title 'The Ubuntu operating system must be configured to use TCP syncookies.' - desc "DoS is a condition when a resource is not available for legitimate -users. When this occurs, the organization either cannot accomplish its mission -or must operate at degraded capacity. - - Managing excess capacity ensures that sufficient capacity is available to -counter flooding attacks. Employing increased capacity and service redundancy -may reduce the susceptibility to some DoS attacks. Managing excess capacity may -include, for example, establishing selected usage priorities, quotas, or -partitioning. - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system is configured to use TCP syncookies. - - Check the value of TCP syncookies with the following command: - - $ sysctl net.ipv4.tcp_syncookies - net.ipv4.tcp_syncookies = 1 - - If the value is not \"1\", this is a finding. - - Check the saved value of TCP syncookies with the following command: - - $ sudo grep -i net.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | -grep -v '#' - - If no output is returned, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to use TCP syncookies by running the -following command: - - $ sudo sysctl -w net.ipv4.tcp_syncookies=1 - - If \"1\" is not the system's default value, add or update the following -line in \"/etc/sysctl.conf\": - - net.ipv4.tcp_syncookies = 1 - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000142-GPOS-00071' - tag gid: 'V-238333' - tag rid: 'SV-238333r654174_rule' - tag stig_id: 'UBTU-20-010412' - tag fix_id: 'F-41502r654173_fix' - tag cci: ['CCI-001095'] - tag legacy: [] - tag nist: ['SC-5 (2)'] - - describe kernel_parameter('net.ipv4.tcp_syncookies') do - its('value') { should cmp 1 } - end -end - diff --git a/controls/V-238334.rb b/controls/V-238334.rb deleted file mode 100644 index 3397421..0000000 --- a/controls/V-238334.rb +++ /dev/null @@ -1,59 +0,0 @@ -# encoding: UTF-8 - -control 'V-238334' do - title "The Ubuntu operating system must disable kernel core dumps so that it -can fail to a secure state if system initialization fails, shutdown fails or -aborts fail." - desc "Kernel core dumps may contain the full contents of system memory at -the time of the crash. Kernel core dumps may consume a considerable amount of -disk space and may result in denial of service by exhausting the available -space on the target file system partition." - desc 'rationale', '' - desc 'check', " - Verify that kernel core dumps are disabled unless needed. - - Check if \"kdump\" service is active with the following command: - - $ systemctl is-active kdump.service - inactive - - If the \"kdump\" service is active, ask the SA if the use of the service is -required and documented with the ISSO. - - If the service is active and is not documented, this is a finding. - " - desc 'fix', " - If kernel core dumps are not required, disable the \"kdump\" service with -the following command: - - $ sudo systemctl disable kdump.service - - If kernel core dumps are required, document the need with the ISSO. - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000184-GPOS-00078' - tag gid: 'V-238334' - tag rid: 'SV-238334r654177_rule' - tag stig_id: 'UBTU-20-010413' - tag fix_id: 'F-41503r654176_fix' - tag cci: ['CCI-001190'] - tag legacy: [] - tag nist: ['SC-24'] - - is_kdump_required = input('is_kdump_required') - if is_kdump_required - describe service('kdump') do - it { should be_enabled } - it { should be_installed } - it { should be_running } - end - else - describe service('kdump') do - it { should_not be_enabled } - it { should_not be_installed } - it { should_not be_running } - end - end -end - diff --git a/controls/V-238335.rb b/controls/V-238335.rb deleted file mode 100644 index 3759eb4..0000000 --- a/controls/V-238335.rb +++ /dev/null @@ -1,74 +0,0 @@ -# encoding: UTF-8 - -control 'V-238335' do - title "Ubuntu operating systems handling data requiring \"data at rest\" -protections must employ cryptographic mechanisms to prevent unauthorized -disclosure and modification of the information at rest." - desc "Information at rest refers to the state of information when it is -located on a secondary storage device (e.g., disk drive and tape drive, when -used for backups) within an operating system. - - This requirement addresses protection of user-generated data, as well as -operating system-specific configuration data. Organizations may choose to -employ different mechanisms to achieve confidentiality and integrity -protections, as appropriate, in accordance with the security category and/or -classification of the information. - " - desc 'rationale', '' - desc 'check', " - If there is a documented and approved reason for not having data-at-rest -encryption, this requirement is Not Applicable. - - Verify the Ubuntu operating system prevents unauthorized disclosure or -modification of all information requiring at-rest protection by using disk -encryption. - - Determine the partition layout for the system with the following command: - - #sudo fdisk -l - (..) - Disk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors - Units: sectors of 1 * 512 = 512 bytes - Sector size (logical/physical): 512 bytes / 512 bytes - I/O size (minimum/optimal): 512 bytes / 512 bytes - Disklabel type: gpt - Disk identifier: 83298450-B4E3-4B19-A9E4-7DF147A5FEFB - - Device Start End Sectors Size Type - /dev/vda1 2048 4095 2048 1M BIOS boot - /dev/vda2 4096 2101247 2097152 1G Linux filesystem - /dev/vda3 2101248 31455231 29353984 14G Linux filesystem - (...) - - Verify the system partitions are all encrypted with the following command: - - # more /etc/crypttab - - Every persistent disk partition present must have an entry in the file. - - If any partitions other than the boot partition or pseudo file systems -(such as /proc or /sys) are not listed, this is a finding. - " - desc 'fix', " - To encrypt an entire partition, dedicate a partition for encryption in the -partition layout. - - Note: Encrypting a partition in an already-installed system is more -difficult because it will need to be resized and existing partitions changed. - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000185-GPOS-00079' - tag gid: 'V-238335' - tag rid: 'SV-238335r654180_rule' - tag stig_id: 'UBTU-20-010414' - tag fix_id: 'F-41504r654179_fix' - tag cci: ['CCI-001199'] - tag legacy: [] - tag nist: ['SC-28'] - - describe 'Not Applicable' do - skip 'Encryption of data at rest is handled by the IaaS' - end -end - diff --git a/controls/V-238336.rb b/controls/V-238336.rb deleted file mode 100644 index 22ee0e4..0000000 --- a/controls/V-238336.rb +++ /dev/null @@ -1,65 +0,0 @@ -# encoding: UTF-8 - -control 'V-238336' do - title "The Ubuntu operating system must deploy Endpoint Security for Linux -Threat Prevention (ENSLTP)." - desc "Without the use of automated mechanisms to scan for security flaws on -a continuous and/or periodic basis, the operating system or other system -components may remain vulnerable to the exploits presented by undetected -software flaws. - - To support this requirement, the operating system may have an integrated -solution incorporating continuous scanning using HBSS and periodic scanning -using other tools, as specified in the requirement. - " - desc 'rationale', '' - desc 'check', " - The Ubuntu operating system is not compliant with this requirement; hence, -it is a finding. However, the severity level can be mitigated to a CAT III if -the ENSLTP module is installed and running. - - Check that the \"mfetp\" package has been installed: - - # dpkg -l | grep mfetp - - If the \"mfetp\" package is not installed, this finding will remain as a -CAT II. - - Check that the daemon is running: - - # /opt/McAfee/ens/tp/init/mfetpd-control.sh status - - If the daemon is not running, this finding will remain as a CAT II. - " - desc 'fix', " - The Ubuntu operating system is not compliant with this requirement; -however, the severity level can be mitigated to a CAT III if the ENSLTP module -is installed and running. - - Configure the Ubuntu operating system to use ENSLTP. - - Install the \"mfetp\" package: - - # sudo apt-get install mfetp - " - impact 0.3 - tag severity: 'low' - tag gtitle: 'SRG-OS-000191-GPOS-00080' - tag gid: 'V-238336' - tag rid: 'SV-238336r654183_rule' - tag stig_id: 'UBTU-20-010415' - tag fix_id: 'F-41505r654182_fix' - tag cci: ['CCI-001233'] - tag legacy: [] - tag nist: ['SI-2 (2)'] - - describe package('mfetp') do - it { should be_installed } - end - - describe command('/opt/McAfee/ens/tp/init/mfetpd-control.sh status') do - its('exit_status') { should cmp 0 } - end - -end - diff --git a/controls/V-238337.rb b/controls/V-238337.rb deleted file mode 100644 index 3d91c09..0000000 --- a/controls/V-238337.rb +++ /dev/null @@ -1,55 +0,0 @@ -# encoding: UTF-8 - -control 'V-238337' do - title "The Ubuntu operating system must generate error messages that provide -information necessary for corrective actions without revealing information that -could be exploited by adversaries." - desc " Any operating system providing too much information in error messages -risks compromising the data and security of the structure, and content of error -messages needs to be carefully considered by the organization. - - Organizations carefully consider the structure/content of error messages. -The extent to which information systems are able to identify and handle error -conditions is guided by organizational policy and operational requirements. -Information that could be exploited by adversaries includes, for example, -erroneous logon attempts with passwords entered by mistake as the username, -mission/business information that can be derived from (if not stated explicitly -by) information recorded, and personal information, such as account numbers, -social security numbers, and credit card numbers. - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system has all system log files under the -\"/var/log\" directory with a permission set to 640 or less permissive by using -the following command: - - $ sudo find /var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\; - - If the command displays any output, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to set permissions of all log files -under the \"/var/log\" directory to 640 or more restricted by using the -following command: - - $ sudo find /var/log -perm /137 -type f -exec chmod 640 '{}' \\; - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000205-GPOS-00083' - tag gid: 'V-238337' - tag rid: 'SV-238337r654186_rule' - tag stig_id: 'UBTU-20-010416' - tag fix_id: 'F-41506r654185_fix' - tag cci: ['CCI-001312'] - tag legacy: [] - tag nist: ['SI-11 a'] - - log_files = command('find /var/log -perm /137 -type f -exec stat -c "%n %a" {} \;').stdout.strip.split("\n").entries - - describe "Number of log files found with a permission NOT set to 640" do - subject { log_files } - its("count") { should eq 0 } - end -end - diff --git a/controls/V-238338.rb b/controls/V-238338.rb deleted file mode 100644 index 58c406e..0000000 --- a/controls/V-238338.rb +++ /dev/null @@ -1,50 +0,0 @@ -# encoding: UTF-8 - -control 'V-238338' do - title "The Ubuntu operating system must configure the /var/log directory to -be group-owned by syslog." - desc "Only authorized personnel should be aware of errors and the details of -the errors. Error messages are an indicator of an organization's operational -state or can identify the operating system or platform. Additionally, -Personally Identifiable Information (PII) and operational information must not -be revealed through error messages to unauthorized personnel or their -designated representatives. - - The structure and content of error messages must be carefully considered by -the organization and development team. The extent to which the information -system is able to identify and handle error conditions is guided by -organizational policy and operational requirements. - " - desc 'rationale', '' - desc 'check', " - Verify that the Ubuntu operating system configures the \"/var/log\" -directory to be group-owned by syslog with the following command: - - $ sudo stat -c \"%n %G\" /var/log - /var/log syslog - - If the \"/var/log\" directory is not group-owned by syslog, this is a -finding. - " - desc 'fix', " - Configure the Ubuntu operating system to have syslog group-own the -\"/var/log\" directory by running the following command: - - $ sudo chgrp syslog /var/log - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000206-GPOS-00084' - tag gid: 'V-238338' - tag rid: 'SV-238338r654189_rule' - tag stig_id: 'UBTU-20-010417' - tag fix_id: 'F-41507r654188_fix' - tag cci: ['CCI-001314'] - tag legacy: [] - tag nist: ['SI-11 b'] - - describe directory('/var/log') do - its('group') { should cmp 'syslog' } - end -end - diff --git a/controls/V-238339.rb b/controls/V-238339.rb deleted file mode 100644 index f43b2cd..0000000 --- a/controls/V-238339.rb +++ /dev/null @@ -1,49 +0,0 @@ -# encoding: UTF-8 - -control 'V-238339' do - title "The Ubuntu operating system must configure the /var/log directory to -be owned by root." - desc "Only authorized personnel should be aware of errors and the details of -the errors. Error messages are an indicator of an organization's operational -state or can identify the operating system or platform. Additionally, -Personally Identifiable Information (PII) and operational information must not -be revealed through error messages to unauthorized personnel or their -designated representatives. - - The structure and content of error messages must be carefully considered by -the organization and development team. The extent to which the information -system is able to identify and handle error conditions is guided by -organizational policy and operational requirements. - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system configures the \"/var/log\" directory to -be owned by root with the following command: - - $ sudo stat -c \"%n %U\" /var/log - /var/log root - - If the \"/var/log\" directory is not owned by root, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to have root own the \"/var/log\" -directory by running the following command: - - $ sudo chown root /var/log - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000206-GPOS-00084' - tag gid: 'V-238339' - tag rid: 'SV-238339r654192_rule' - tag stig_id: 'UBTU-20-010418' - tag fix_id: 'F-41508r654191_fix' - tag cci: ['CCI-001314'] - tag legacy: [] - tag nist: ['SI-11 b'] - - describe directory("/var/log") do - its("owner") { should cmp "root" } - end -end - diff --git a/controls/V-238340.rb b/controls/V-238340.rb deleted file mode 100644 index 73b95a7..0000000 --- a/controls/V-238340.rb +++ /dev/null @@ -1,50 +0,0 @@ -# encoding: UTF-8 - -control 'V-238340' do - title "The Ubuntu operating system must configure the /var/log directory to -have mode 0750 or less permissive." - desc "Only authorized personnel should be aware of errors and the details of -the errors. Error messages are an indicator of an organization's operational -state or can identify the operating system or platform. Additionally, -Personally Identifiable Information (PII) and operational information must not -be revealed through error messages to unauthorized personnel or their -designated representatives. - - The structure and content of error messages must be carefully considered by -the organization and development team. The extent to which the information -system is able to identify and handle error conditions is guided by -organizational policy and operational requirements. - " - desc 'rationale', '' - desc 'check', " - Verify that the Ubuntu operating system configures the \"/var/log\" -directory with a mode of 750 or less permissive with the following command: - - $ stat -c \"%n %a\" /var/log - - /var/log 750 - - If a value of \"750\" or less permissive is not returned, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to have permissions of 0750 for the -\"/var/log\" directory by running the following command: - - $ sudo chmod 0750 /var/log - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000206-GPOS-00084' - tag gid: 'V-238340' - tag rid: 'SV-238340r654195_rule' - tag stig_id: 'UBTU-20-010419' - tag fix_id: 'F-41509r654194_fix' - tag cci: ['CCI-001314'] - tag legacy: [] - tag nist: ['SI-11 b'] - - describe directory("/var/log") do - it { should_not be_more_permissive_than("0750") } - end -end - diff --git a/controls/V-238341.rb b/controls/V-238341.rb deleted file mode 100644 index a49bf62..0000000 --- a/controls/V-238341.rb +++ /dev/null @@ -1,50 +0,0 @@ -# encoding: UTF-8 - -control 'V-238341' do - title "The Ubuntu operating system must configure the /var/log/syslog file to -be group-owned by adm." - desc "Only authorized personnel should be aware of errors and the details of -the errors. Error messages are an indicator of an organization's operational -state or can identify the operating system or platform. Additionally, -Personally Identifiable Information (PII) and operational information must not -be revealed through error messages to unauthorized personnel or their -designated representatives. - - The structure and content of error messages must be carefully considered by -the organization and development team. The extent to which the information -system is able to identify and handle error conditions is guided by -organizational policy and operational requirements. - " - desc 'rationale', '' - desc 'check', " - Verify that the Ubuntu operating system configures the \"/var/log/syslog\" -file to be group-owned by adm with the following command: - - $ sudo stat -c \"%n %G\" /var/log/syslog - /var/log/syslog adm - - If the \"/var/log/syslog\" file is not group-owned by adm, this is a -finding. - " - desc 'fix', " - Configure the Ubuntu operating system to have adm group-own the -\"/var/log/syslog\" file by running the following command: - - $ sudo chgrp adm /var/log/syslog - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000206-GPOS-00084' - tag gid: 'V-238341' - tag rid: 'SV-238341r654198_rule' - tag stig_id: 'UBTU-20-010420' - tag fix_id: 'F-41510r654197_fix' - tag cci: ['CCI-001314'] - tag legacy: [] - tag nist: ['SI-11 b'] - - describe file('/var/log/syslog') do - its('group') { should cmp 'adm' } - end -end - diff --git a/controls/V-238342.rb b/controls/V-238342.rb deleted file mode 100644 index 059e95c..0000000 --- a/controls/V-238342.rb +++ /dev/null @@ -1,49 +0,0 @@ -# encoding: UTF-8 - -control 'V-238342' do - title "The Ubuntu operating system must configure /var/log/syslog file to be -owned by syslog." - desc "Only authorized personnel should be aware of errors and the details of -the errors. Error messages are an indicator of an organization's operational -state or can identify the operating system or platform. Additionally, -Personally Identifiable Information (PII) and operational information must not -be revealed through error messages to unauthorized personnel or their -designated representatives. - - The structure and content of error messages must be carefully considered by -the organization and development team. The extent to which the information -system is able to identify and handle error conditions is guided by -organizational policy and operational requirements. - " - desc 'rationale', '' - desc 'check', " - Verify that the Ubuntu operating system configures the \"/var/log/syslog\" -file to be owned by syslog with the following command: - - $ sudo stat -c \"%n %U\" /var/log/syslog - /var/log/syslog syslog - - If the \"/var/log/syslog\" file is not owned by syslog, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to have syslog own the -\"/var/log/syslog\" file by running the following command: - - $ sudo chown syslog /var/log/syslog - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000206-GPOS-00084' - tag gid: 'V-238342' - tag rid: 'SV-238342r654201_rule' - tag stig_id: 'UBTU-20-010421' - tag fix_id: 'F-41511r654200_fix' - tag cci: ['CCI-001314'] - tag legacy: [] - tag nist: ['SI-11 b'] - - describe file('/var/log/syslog') do - its('owner') { should cmp 'syslog' } - end -end - diff --git a/controls/V-238343.rb b/controls/V-238343.rb deleted file mode 100644 index 35a8240..0000000 --- a/controls/V-238343.rb +++ /dev/null @@ -1,50 +0,0 @@ -# encoding: UTF-8 - -control 'V-238343' do - title "The Ubuntu operating system must configure /var/log/syslog file with -mode 0640 or less permissive." - desc "Only authorized personnel should be aware of errors and the details of -the errors. Error messages are an indicator of an organization's operational -state or can identify the operating system or platform. Additionally, -Personally Identifiable Information (PII) and operational information must not -be revealed through error messages to unauthorized personnel or their -designated representatives. - - The structure and content of error messages must be carefully considered by -the organization and development team. The extent to which the information -system is able to identify and handle error conditions is guided by -organizational policy and operational requirements. - " - desc 'rationale', '' - desc 'check', " - Verify that the Ubuntu operating system configures the \"/var/log/syslog\" -file with mode 0640 or less permissive by running the following command: - - $ sudo stat -c \"%n %a\" /var/log/syslog - - /var/log/syslog 640 - - If a value of \"640\" or less permissive is not returned, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to have permissions of 0640 for the -\"/var/log/syslog\" file by running the following command: - - $ sudo chmod 0640 /var/log/syslog - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000206-GPOS-00084' - tag gid: 'V-238343' - tag rid: 'SV-238343r654204_rule' - tag stig_id: 'UBTU-20-010422' - tag fix_id: 'F-41512r654203_fix' - tag cci: ['CCI-001314'] - tag legacy: [] - tag nist: ['SI-11 b'] - - describe file('/var/log/syslog') do - it { should_not be_more_permissive_than('0640') } - end -end - diff --git a/controls/V-238344.rb b/controls/V-238344.rb deleted file mode 100644 index 9f0c991..0000000 --- a/controls/V-238344.rb +++ /dev/null @@ -1,83 +0,0 @@ -# encoding: UTF-8 - -control 'V-238344' do - title "The Ubuntu operating system must have directories that contain system -commands set to a mode of 0755 or less permissive." - desc "Protecting audit information also includes identifying and protecting -the tools used to view and manipulate log data. Therefore, protecting audit -tools is necessary to prevent unauthorized operation on audit information. - - Operating systems providing tools to interface with audit information will -leverage user permissions and roles identifying the user accessing the tools -and the corresponding rights the user has in order to make access decisions -regarding the deletion of audit tools. - - Audit tools include, but are not limited to, vendor-provided and open -source audit tools needed to successfully view and manipulate audit information -system activity and records. Audit tools include custom queries and report -generators. - " - desc 'rationale', '' - desc 'check', " - Verify the system commands directories have mode 0755 or less permissive: - - /bin - /sbin - /usr/bin - /usr/sbin - /usr/local/bin - /usr/local/sbin - - Check that the system command directories have mode 0755 or less permissive -with the following command: - - $ find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm -/022 -type d -exec stat -c \"%n %a\" '{}' \\; - - If any directories are found to be group-writable or world-writable, this -is a finding. - " - desc 'fix', " - Configure the system commands directories to be protected from unauthorized -access. Run the following command: - - $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin --perm /022 -type d -exec chmod -R 755 '{}' \\; - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000258-GPOS-00099' - tag gid: 'V-238344' - tag rid: 'SV-238344r654207_rule' - tag stig_id: 'UBTU-20-010423' - tag fix_id: 'F-41513r654206_fix' - tag cci: ['CCI-001495'] - tag legacy: [] - tag nist: ['AU-9'] - - system_commands = command("find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d").stdout.strip.split("\n").entries - valid_system_commands = Set[] - - if system_commands.count > 0 - system_commands.each do |sys_cmd| - if file(sys_cmd).exist? - valid_system_commands = valid_system_commands << sys_cmd - end - end - end - - if valid_system_commands.count > 0 - valid_system_commands.each do |val_sys_cmd| - describe file(val_sys_cmd) do - it { should_not be_more_permissive_than("0755") } - end - end - else - describe "Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or - /usr/local/sbin, that are less permissive than 0755" do - subject { valid_system_commands } - its("count") { should eq 0 } - end - end -end - diff --git a/controls/V-238345.rb b/controls/V-238345.rb deleted file mode 100644 index 6218ad3..0000000 --- a/controls/V-238345.rb +++ /dev/null @@ -1,81 +0,0 @@ -# encoding: UTF-8 - -control 'V-238345' do - title "The Ubuntu operating system must have directories that contain system -commands owned by root." - desc "Protecting audit information also includes identifying and protecting -the tools used to view and manipulate log data. Therefore, protecting audit -tools is necessary to prevent unauthorized operation on audit information. - - Operating systems providing tools to interface with audit information will -leverage user permissions and roles identifying the user accessing the tools -and the corresponding rights the user has in order to make access decisions -regarding the deletion of audit tools. - - Audit tools include, but are not limited to, vendor-provided and open -source audit tools needed to successfully view and manipulate audit information -system activity and records. Audit tools include custom queries and report -generators. - " - desc 'rationale', '' - desc 'check', " - Verify the system commands directories are owned by root: - - /bin - /sbin - /usr/bin - /usr/sbin - /usr/local/bin - /usr/local/sbin - - Use the following command for the check: - - $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! --user root -type d -exec stat -c \"%n %U\" '{}' \\; - - If any system commands directories are returned, this is a finding. - " - desc 'fix', " - Configure the system commands directories to be protected from unauthorized -access. Run the following command: - - $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! --user root -type d -exec chown root '{}' \\; - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000258-GPOS-00099' - tag gid: 'V-238345' - tag rid: 'SV-238345r654210_rule' - tag stig_id: 'UBTU-20-010424' - tag fix_id: 'F-41514r654209_fix' - tag cci: ['CCI-001495'] - tag legacy: [] - tag nist: ['AU-9'] - - system_commands = command("find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d").stdout.strip.split("\n").entries - valid_system_commands = Set[] - - if system_commands.count > 0 - system_commands.each do |sys_cmd| - if file(sys_cmd).exist? - valid_system_commands = valid_system_commands << sys_cmd - end - end - end - - if valid_system_commands.count > 0 - valid_system_commands.each do |val_sys_cmd| - describe file(val_sys_cmd) do - its("owner") { should cmp "root" } - end - end - else - describe "Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, - /usr/local/bin or /usr/local/sbin, that are NOT owned by root" do - subject { valid_system_commands } - its("count") { should eq 0 } - end - end -end - diff --git a/controls/V-238346.rb b/controls/V-238346.rb deleted file mode 100644 index 9968218..0000000 --- a/controls/V-238346.rb +++ /dev/null @@ -1,83 +0,0 @@ -# encoding: UTF-8 - -control 'V-238346' do - title "The Ubuntu operating system must have directories that contain system -commands group-owned by root." - desc "Protecting audit information also includes identifying and protecting -the tools used to view and manipulate log data. Therefore, protecting audit -tools is necessary to prevent unauthorized operation on audit information. - - Operating systems providing tools to interface with audit information will -leverage user permissions and roles identifying the user accessing the tools -and the corresponding rights the user has in order to make access decisions -regarding the deletion of audit tools. - - Audit tools include, but are not limited to, vendor-provided and open -source audit tools needed to successfully view and manipulate audit information -system activity and records. Audit tools include custom queries and report -generators. - " - desc 'rationale', '' - desc 'check', " - Verify the system commands directories are group-owned by root: - - /bin - /sbin - /usr/bin - /usr/sbin - /usr/local/bin - /usr/local/sbin - - Run the check with the following command: - - $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! --group root -type d -exec stat -c \"%n %G\" '{}' \\; - - If any system commands directories are returned that are not Set Group ID -up on execution (SGID) files and owned by a privileged account, this is a -finding. - " - desc 'fix', " - Configure the system commands directories to be protected from unauthorized -access. Run the following command: - - $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! --group root -type d -exec chgrp root '{}' \\; - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000258-GPOS-00099' - tag gid: 'V-238346' - tag rid: 'SV-238346r654213_rule' - tag stig_id: 'UBTU-20-010425' - tag fix_id: 'F-41515r654212_fix' - tag cci: ['CCI-001495'] - tag legacy: [] - tag nist: ['AU-9'] - #CHECK - system_commands = command("find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d").stdout.strip.split("\n").entries - valid_system_commands = Set[] - - if system_commands.count > 0 - system_commands.each do |sys_cmd| - if file(sys_cmd).exist? - valid_system_commands = valid_system_commands << sys_cmd - end - end - end - - if valid_system_commands.count > 0 - valid_system_commands.each do |val_sys_cmd| - describe file(val_sys_cmd) do - its("group") { should cmp "root" } - end - end - else - describe "Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, - /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root" do - subject { valid_system_commands } - its("count") { should eq 0 } - end - end -end - diff --git a/controls/V-238347.rb b/controls/V-238347.rb deleted file mode 100644 index ac52396..0000000 --- a/controls/V-238347.rb +++ /dev/null @@ -1,67 +0,0 @@ -# encoding: UTF-8 - -control 'V-238347' do - title "The Ubuntu operating system library files must have mode 0755 or less -permissive." - desc " If the operating system were to allow any user to make changes to -software libraries, then those changes might be implemented without undergoing -the appropriate testing and approvals that are part of a robust change -management process. - - This requirement applies to operating systems with software libraries that -are accessible and configurable, as in the case of interpreted languages. -Software libraries also include privileged programs which execute with -escalated privileges. Only qualified and authorized individuals must be allowed -to obtain access to information system components for purposes of initiating -changes, including upgrades and modifications. - " - desc 'rationale', '' - desc 'check', " - Verify the system-wide shared library files contained in the directories -\"/lib\", \"/lib64\", and \"/usr/lib\" have mode 0755 or less permissive with -the following command: - - $ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \"%n %a\" -'{}' \\; - /usr/lib64/pkcs11-spy.so - - If any files are found to be group-writable or world-writable, this is a -finding. - " - desc 'fix', " - Configure the library files to be protected from unauthorized access. Run -the following command: - - $ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\; - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000259-GPOS-00100' - tag gid: 'V-238347' - tag rid: 'SV-238347r654216_rule' - tag stig_id: 'UBTU-20-010426' - tag fix_id: 'F-41516r654215_fix' - tag cci: ['CCI-001499'] - tag legacy: [] - tag nist: ['CM-5 (6)'] - - if os.arch == 'x86_64' - library_files = command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type f').stdout.strip.split("\n").entries - else - library_files = command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type f').stdout.strip.split("\n").entries - end - - if library_files.count > 0 - library_files.each do |lib_file| - describe file(lib_file) do - it { should_not be_more_permissive_than('0755') } - end - end - else - describe 'Number of system-wide shared library files found that are less permissive than 0755' do - subject { library_files } - its('count') { should eq 0 } - end - end -end - diff --git a/controls/V-238348.rb b/controls/V-238348.rb deleted file mode 100644 index c87dd2c..0000000 --- a/controls/V-238348.rb +++ /dev/null @@ -1,65 +0,0 @@ -# encoding: UTF-8 - -control 'V-238348' do - title "The Ubuntu operating system library directories must have mode 0755 or -less permissive." - desc " If the operating system were to allow any user to make changes to -software libraries, then those changes might be implemented without undergoing -the appropriate testing and approvals that are part of a robust change -management process. - - This requirement applies to operating systems with software libraries that -are accessible and configurable, as in the case of interpreted languages. -Software libraries also include privileged programs which execute with -escalated privileges. Only qualified and authorized individuals must be allowed -to obtain access to information system components for purposes of initiating -changes, including upgrades and modifications. - " - desc 'rationale', '' - desc 'check', " - Verify the system-wide shared library directories \"/lib\", \"/lib64\", and -\"/usr/lib have mode 0755 or less permissive with the following command: - - $ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec stat -c \"%n %a\" -'{}' \\; - - If any of the aforementioned directories are found to be group-writable or -world-writable, this is a finding. - " - desc 'fix', " - Configure the shared library directories to be protected from unauthorized -access. Run the following command: - - $ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}' \\; - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000259-GPOS-00100' - tag gid: 'V-238348' - tag rid: 'SV-238348r654219_rule' - tag stig_id: 'UBTU-20-010427' - tag fix_id: 'F-41517r654218_fix' - tag cci: ['CCI-001499'] - tag legacy: [] - tag nist: ['CM-5 (6)'] - - if os.arch == 'x86_64' - library_dirs = command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type d').stdout.strip.split("\n").entries - else - library_dirs = command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type d').stdout.strip.split("\n").entries - end - - if library_dirs.count > 0 - library_dirs.each do |lib_file| - describe file(lib_file) do - it { should_not be_more_permissive_than('0755') } - end - end - else - describe 'Number of system-wide shared library directories found that are less permissive than 0755' do - subject { library_dirs } - its('count') { should eq 0 } - end - end -end - diff --git a/controls/V-238349.rb b/controls/V-238349.rb deleted file mode 100644 index 5d6d5d2..0000000 --- a/controls/V-238349.rb +++ /dev/null @@ -1,65 +0,0 @@ -# encoding: UTF-8 - -control 'V-238349' do - title 'The Ubuntu operating system library files must be owned by root.' - desc " If the operating system were to allow any user to make changes to -software libraries, then those changes might be implemented without undergoing -the appropriate testing and approvals that are part of a robust change -management process. - - This requirement applies to operating systems with software libraries that -are accessible and configurable, as in the case of interpreted languages. -Software libraries also include privileged programs which execute with -escalated privileges. Only qualified and authorized individuals must be allowed -to obtain access to information system components for purposes of initiating -changes, including upgrades and modifications. - " - desc 'rationale', '' - desc 'check', " - Verify the system-wide shared library files contained in the directories -\"/lib\", \"/lib64\", and \"/usr/lib\" are owned by root with the following -command: - - $ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec stat -c \"%n -%U\" '{}' \\; - - If any system-wide library file is returned, this is a finding. - " - desc 'fix', " - Configure the system library files to be protected from unauthorized -access. Run the following command: - - $ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root '{}' -\\; - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000259-GPOS-00100' - tag gid: 'V-238349' - tag rid: 'SV-238349r654222_rule' - tag stig_id: 'UBTU-20-010428' - tag fix_id: 'F-41518r654221_fix' - tag cci: ['CCI-001499'] - tag legacy: [] - tag nist: ['CM-5 (6)'] - - if os.arch == "x86_64" - library_files = command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-user root \-type f').stdout.strip.split("\n").entries - else - library_files = command('find /lib /usr/lib /usr/lib32 /lib32 ! \-user root \-type f').stdout.strip.split("\n").entries - end - - if library_files.count > 0 - library_files.each do |lib_file| - describe file(lib_file) do - its("owner") { should cmp "root" } - end - end - else - describe "Number of system-wide shared library files found that are NOT owned by root" do - subject { library_files } - its("count") { should eq 0 } - end - end -end - diff --git a/controls/V-238350.rb b/controls/V-238350.rb deleted file mode 100644 index 21714a8..0000000 --- a/controls/V-238350.rb +++ /dev/null @@ -1,64 +0,0 @@ -# encoding: UTF-8 - -control 'V-238350' do - title 'The Ubuntu operating system library directories must be owned by root.' - desc " If the operating system were to allow any user to make changes to -software libraries, then those changes might be implemented without undergoing -the appropriate testing and approvals that are part of a robust change -management process. - - This requirement applies to operating systems with software libraries that -are accessible and configurable, as in the case of interpreted languages. -Software libraries also include privileged programs which execute with -escalated privileges. Only qualified and authorized individuals must be allowed -to obtain access to information system components for purposes of initiating -changes, including upgrades and modifications. - " - desc 'rationale', '' - desc 'check', " - Verify the system-wide shared library directories \"/lib\", \"/lib64\", and -\"/usr/lib\" are owned by root with the following command: - - $ sudo find /lib /usr/lib /lib64 ! -user root -type d -exec stat -c \"%n -%U\" '{}' \\; - - If any system-wide library directory is returned, this is a finding. - " - desc 'fix', " - Configure the library files and their respective parent directories to be -protected from unauthorized access. Run the following command: - - $ sudo find /lib /usr/lib /lib64 ! -user root -type d -exec chown root '{}' -\\; - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000259-GPOS-00100' - tag gid: 'V-238350' - tag rid: 'SV-238350r654225_rule' - tag stig_id: 'UBTU-20-010429' - tag fix_id: 'F-41519r654224_fix' - tag cci: ['CCI-001499'] - tag legacy: [] - tag nist: ['CM-5 (6)'] - - if os.arch == "x86_64" - library_dirs = command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-user root \-type d').stdout.strip.split("\n").entries - else - library_dirs = command('find /lib /usr/lib /usr/lib32 /lib32 ! \-user root \-type d').stdout.strip.split("\n").entries - end - - if library_dirs.count > 0 - library_dirs.each do |lib_file| - describe file(lib_file) do - its("owner") { should cmp "root" } - end - end - else - describe "Number of system-wide shared library directories found that are NOT owned by root" do - subject { library_dirs } - its("count") { should eq 0 } - end - end -end - diff --git a/controls/V-238351.rb b/controls/V-238351.rb deleted file mode 100644 index 8a60e51..0000000 --- a/controls/V-238351.rb +++ /dev/null @@ -1,65 +0,0 @@ -# encoding: UTF-8 - -control 'V-238351' do - title 'The Ubuntu operating system library files must be group-owned by root.' - desc " If the operating system were to allow any user to make changes to -software libraries, then those changes might be implemented without undergoing -the appropriate testing and approvals that are part of a robust change -management process. - - This requirement applies to operating systems with software libraries that -are accessible and configurable, as in the case of interpreted languages. -Software libraries also include privileged programs which execute with -escalated privileges. Only qualified and authorized individuals must be allowed -to obtain access to information system components for purposes of initiating -changes, including upgrades and modifications. - " - desc 'rationale', '' - desc 'check', " - Verify the system-wide library files contained in the directories \"/lib\", -\"/lib64\", and \"/usr/lib\" are group-owned by root with the following -command: - - $ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \"%n -%G\" '{}' \\; - - If any system-wide shared library file is returned, this is a finding. - " - desc 'fix', " - Configure the system library files to be protected from unauthorized -access. Run the following command: - - $ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec chgrp root -'{}' \\; - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000259-GPOS-00100' - tag gid: 'V-238351' - tag rid: 'SV-238351r654228_rule' - tag stig_id: 'UBTU-20-010430' - tag fix_id: 'F-41520r654227_fix' - tag cci: ['CCI-001499'] - tag legacy: [] - tag nist: ['CM-5 (6)'] - - if os.arch == "x86_64" - library_files = command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-group root \-type f').stdout.strip.split("\n").entries - else - library_files = command('find /lib /usr/lib /usr/lib32 /lib32 ! \-group root \-type f').stdout.strip.split("\n").entries - end - - if library_files.count > 0 - library_files.each do |lib_file| - describe file(lib_file) do - its("group") { should cmp "root" } - end - end - else - describe "Number of system-wide shared library files found that are NOT group-owned by root" do - subject { library_files } - its("count") { should eq 0 } - end - end -end - diff --git a/controls/V-238352.rb b/controls/V-238352.rb deleted file mode 100644 index e2ce75f..0000000 --- a/controls/V-238352.rb +++ /dev/null @@ -1,65 +0,0 @@ -# encoding: UTF-8 - -control 'V-238352' do - title "The Ubuntu operating system library directories must be group-owned by -root." - desc " If the operating system were to allow any user to make changes to -software libraries, then those changes might be implemented without undergoing -the appropriate testing and approvals that are part of a robust change -management process. - - This requirement applies to operating systems with software libraries that -are accessible and configurable, as in the case of interpreted languages. -Software libraries also include privileged programs which execute with -escalated privileges. Only qualified and authorized individuals must be allowed -to obtain access to information system components for purposes of initiating -changes, including upgrades and modifications. - " - desc 'rationale', '' - desc 'check', " - Verify the system-wide library directories \"/lib\", \"/lib64\", and -\"/usr/lib\" are group-owned by root with the following command: - - $ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec stat -c \"%n -%G\" '{}' \\; - - If any system-wide shared library directory is returned, this is a finding. - " - desc 'fix', " - Configure the system library directories to be protected from unauthorized -access. Run the following command: - - $ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root -'{}' \\; - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000259-GPOS-00100' - tag gid: 'V-238352' - tag rid: 'SV-238352r654231_rule' - tag stig_id: 'UBTU-20-010431' - tag fix_id: 'F-41521r654230_fix' - tag cci: ['CCI-001499'] - tag legacy: [] - tag nist: ['CM-5 (6)'] - - if os.arch == "x86_64" - library_directories = command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-group root \-type d').stdout.strip.split("\n").entries - else - library_directories = command('find /lib /usr/lib /usr/lib32 /lib32 ! \-group root \-type d').stdout.strip.split("\n").entries - end - - if library_directories.count > 0 - library_directories.each do |lib_file| - describe file(lib_file) do - its("group") { should cmp "root" } - end - end - else - describe "Number of system-wide shared library directories found that are NOT group-owned by root" do - subject { library_directories } - its("count") { should eq 0 } - end - end -end - diff --git a/controls/V-238353.rb b/controls/V-238353.rb deleted file mode 100644 index f19ca7a..0000000 --- a/controls/V-238353.rb +++ /dev/null @@ -1,75 +0,0 @@ -# encoding: UTF-8 - -control 'V-238353' do - title "The Ubuntu operating system must be configured to preserve log records -from failure events." - desc "Failure to a known state can address safety or security in accordance -with the mission/business needs of the organization. Failure to a known secure -state helps prevent a loss of confidentiality, integrity, or availability in -the event of a failure of the information system or a component of the system. - - Preserving operating system state information helps to facilitate operating -system restart and return to the operational mode of the organization with -least disruption to mission/business processes. - " - desc 'rationale', '' - desc 'check', " - Verify the log service is configured to collect system failure events. - - Check that the log service is installed properly with the following -command: - - $ dpkg -l | grep rsyslog - - ii rsyslog 8.32.0-1ubuntu4 - amd64 reliable system and kernel logging daemon - - If the \"rsyslog\" package is not installed, this is a finding. - - Check that the log service is enabled with the following command: - - $ systemctl is-enabled rsyslog - - enabled - - If the command above returns \"disabled\", this is a finding. - - Check that the log service is properly running and active on the system -with the following command: - - $ systemctl is-active rsyslog - - active - - If the command above returns \"inactive\", this is a finding. - " - desc 'fix', " - Configure the log service to collect failure events. - - Install the log service (if the log service is not already installed) with -the following command: - - $ sudo apt-get install rsyslog - - Enable the log service with the following command: - - $ sudo systemctl enable --now rsyslog - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000269-GPOS-00103' - tag gid: 'V-238353' - tag rid: 'SV-238353r654234_rule' - tag stig_id: 'UBTU-20-010432' - tag fix_id: 'F-41522r654233_fix' - tag cci: ['CCI-001665'] - tag legacy: [] - tag nist: ['SC-24'] - - describe service('rsyslog') do - it { should be_installed } - it { should be_enabled } - it { should be_running } - end -end - diff --git a/controls/V-238354.rb b/controls/V-238354.rb deleted file mode 100644 index 431c1cd..0000000 --- a/controls/V-238354.rb +++ /dev/null @@ -1,57 +0,0 @@ -# encoding: UTF-8 - -control 'V-238354' do - title "The Ubuntu operating system must have an application firewall -installed in order to control remote access methods." - desc "Remote access services, such as those providing remote access to -network devices and information systems, which lack automated control -capabilities, increase risk and make remote user access management difficult at -best. - - Remote access is access to DoD nonpublic information systems by an -authorized user (or an information system) communicating through an external, -non-organization-controlled network. Remote access methods include, for -example, dial-up, broadband, and wireless. - - Ubuntu operating system functionality (e.g., RDP) must be capable of taking -enforcement action if the audit reveals unauthorized activity. Automated -control of remote access sessions allows organizations to ensure ongoing -compliance with remote access policies by enforcing connection rules of remote -access applications on a variety of information system components (e.g., -servers, workstations, notebook computers, smartphones, and tablets). - " - desc 'rationale', '' - desc 'check', " - Verify that the Uncomplicated Firewall is installed with the following -command: - - $ dpkg -l | grep ufw - - ii ufw 0.36-6 - - If the \"ufw\" package is not installed, ask the System Administrator if -another application firewall is installed. - - If no application firewall is installed, this is a finding. - " - desc 'fix', " - Install the Uncomplicated Firewall by using the following command: - - $ sudo apt-get install ufw - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000297-GPOS-00115' - tag gid: 'V-238354' - tag rid: 'SV-238354r654237_rule' - tag stig_id: 'UBTU-20-010433' - tag fix_id: 'F-41523r654236_fix' - tag cci: ['CCI-002314'] - tag legacy: [] - tag nist: ['AC-17 (1)'] - - describe package('ufw') do - it { should be_installed } - end -end - diff --git a/controls/V-238355.rb b/controls/V-238355.rb deleted file mode 100644 index 56c75a2..0000000 --- a/controls/V-238355.rb +++ /dev/null @@ -1,67 +0,0 @@ -# encoding: UTF-8 - -control 'V-238355' do - title "The Ubuntu operating system must enable and run the uncomplicated -firewall(ufw)." - desc "Remote access services, such as those providing remote access to -network devices and information systems, which lack automated control -capabilities, increase risk and make remote user access management difficult at -best. - - Remote access is access to DoD nonpublic information systems by an -authorized user (or an information system) communicating through an external, -non-organization-controlled network. Remote access methods include, for -example, dial-up, broadband, and wireless. - - Ubuntu operating system functionality (e.g., RDP) must be capable of taking -enforcement action if the audit reveals unauthorized activity. Automated -control of remote access sessions allows organizations to ensure ongoing -compliance with remote access policies by enforcing connection rules of remote -access applications on a variety of information system components (e.g., -servers, workstations, notebook computers, smartphones, and tablets). - " - desc 'rationale', '' - desc 'check', " - Verify the Uncomplicated Firewall is enabled on the system by running the -following command: - - $ systemctl is-enabled ufw - - If the above command returns the status as \"disabled\", this is a finding. - - Verify the Uncomplicated Firewall is active on the system by running the -following command: - - $ systemctl is-active ufw - - If the above command returns \"inactive\" or any kind of error, this is a -finding. - - If the Uncomplicated Firewall is not installed, ask the System -Administrator if another application firewall is installed. - - If no application firewall is installed, this is a finding. - " - desc 'fix', " - Enable the Uncomplicated Firewall by using the following command: - - $ sudo systemctl enable --now ufw.service - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000297-GPOS-00115' - tag gid: 'V-238355' - tag rid: 'SV-238355r654240_rule' - tag stig_id: 'UBTU-20-010434' - tag fix_id: 'F-41524r654239_fix' - tag cci: ['CCI-002314'] - tag legacy: [] - tag nist: ['AC-17 (1)'] - - describe service('ufw') do - it { should be_installed } - it { should be_enabled } - it { should be_running } - end -end - diff --git a/controls/V-238356.rb b/controls/V-238356.rb deleted file mode 100644 index 3bfd6ce..0000000 --- a/controls/V-238356.rb +++ /dev/null @@ -1,105 +0,0 @@ -# encoding: UTF-8 - -control 'V-238356' do - title "The Ubuntu operating system must, for networked systems, compare -internal information system clocks at least every 24 hours with a server which -is synchronized to one of the redundant United States Naval Observatory (USNO) -time servers, or a time server designated for the appropriate DoD network -(NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." - desc "Inaccurate time stamps make it more difficult to correlate events and -can lead to an inaccurate analysis. Determining the correct time a particular -event occurred on a system is critical when conducting forensic analysis and -investigating system events. Sources outside the configured acceptable -allowance (drift) may be inaccurate. - - Synchronizing internal information system clocks provides uniformity of -time stamps for information systems with multiple system clocks and systems -connected over a network. - - Organizations should consider endpoints that may not have regular access to -the authoritative time server (e.g., mobile, teleworking, and tactical -endpoints). - " - desc 'rationale', '' - desc 'check', " - If the system is not networked, this requirement is Not Applicable. - - The system clock must be configured to compare the system clock at least -every 24 hours to the authoritative time source. - - Check the value of \"maxpoll\" in the \"/etc/chrony/chrony.conf\" file with -the following command: - - $ sudo grep maxpoll /etc/chrony/chrony.conf - server tick.usno.navy.mil iburst maxpoll 17 - - If \"maxpoll\" is not set to \"17\" or does not exist, this is a finding. - - Verify that the \"chrony.conf\" file is configured to an authoritative DoD -time source by running the following command: - - $ grep -i server /etc/chrony/chrony.conf - server tick.usno.navy.mil iburst maxpoll 17 - server tock.usno.navy.mil iburst maxpoll 17 - server ntp2.usno.navy.mil iburst maxpoll 17 - - If the parameter \"server\" is not set, is not set to an authoritative DoD -time source, or is commented out, this is a finding. - " - desc 'fix', " - If the system is not networked, this requirement is Not Applicable. - - To configure the system clock to compare the system clock at least every 24 -hours to the authoritative time source, edit the \"/etc/chrony/chrony.conf\" -file. Add or correct the following lines, by replacing \"[source]\" in the -following line with an authoritative DoD time source: - - server [source] iburst maxpoll = 17 - - If the \"chrony\" service was running and the value of \"maxpoll\" or -\"server\" was updated, the service must be restarted using the following -command: - - $ sudo systemctl restart chrony.service - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000355-GPOS-00143' - tag gid: 'V-238356' - tag rid: 'SV-238356r654317_rule' - tag stig_id: 'UBTU-20-010435' - tag fix_id: 'F-41525r654242_fix' - tag cci: ['CCI-001891'] - tag legacy: [] - tag nist: ['AU-8 (1) (a)'] - - is_system_networked = input('is_system_networked') - - if is_system_networked - - chrony_conf = '/etc/chrony/chrony.conf' - chrony_conf_exists = file(chrony_conf).exist? - - if chrony_conf_exists - describe "time sources" do - server_entries = command('grep "^server" /etc/chrony/chrony.conf').stdout.strip.split("\n").entries - - server_entries.each do |entry| - describe entry do - it { should match "^server\s+.*\s+iburst\s+maxpoll\s+=\s+17$" } - end - end - end - else - describe chrony_conf + ' exists' do - subject { chrony_conf_exists } - it { should be true } - end - end - else - describe 'System is not networked' do - skip 'This control is Not Applicable as the system is not networked' - end - end -end - diff --git a/controls/V-238357.rb b/controls/V-238357.rb deleted file mode 100644 index 1e9b0a6..0000000 --- a/controls/V-238357.rb +++ /dev/null @@ -1,77 +0,0 @@ -# encoding: UTF-8 - -control 'V-238357' do - title "The Ubuntu operating system must synchronize internal information -system clocks to the authoritative time source when the time difference is -greater than one second." - desc "Inaccurate time stamps make it more difficult to correlate events and -can lead to an inaccurate analysis. Determining the correct time a particular -event occurred on a system is critical when conducting forensic analysis and -investigating system events. - - Synchronizing internal information system clocks provides uniformity of -time stamps for information systems with multiple system clocks and systems -connected over a network. Organizations should consider setting time periods -for different types of systems (e.g., financial, legal, or mission-critical -systems). - - Organizations should also consider endpoints that may not have regular -access to the authoritative time server (e.g., mobile, teleworking, and -tactical endpoints). This requirement is related to the comparison done every -24 hours in SRG-OS-000355 because a comparison must be done in order to -determine the time difference. - " - desc 'rationale', '' - desc 'check', " - Verify the operating system synchronizes internal system clocks to the -authoritative time source when the time difference is greater than one second. - - Check the value of \"makestep\" by running the following command: - - $ sudo grep makestep /etc/chrony/chrony.conf - - makestep 1 -1 - - If the makestep option is commented out or is not set to \"1 -1\", this is -a finding. - " - desc 'fix', " - Configure chrony to synchronize the internal system clocks to the -authoritative source when the time difference is greater than one second by -doing the following: - - Edit the \"/etc/chrony/chrony.conf\" file and add: - - makestep 1 -1 - - Restart the chrony service: - - $ sudo systemctl restart chrony.service - " - impact 0.3 - tag severity: 'low' - tag gtitle: 'SRG-OS-000356-GPOS-00144' - tag gid: 'V-238357' - tag rid: 'SV-238357r654246_rule' - tag stig_id: 'UBTU-20-010436' - tag fix_id: 'F-41526r654245_fix' - tag cci: ['CCI-002046'] - tag legacy: [] - tag nist: ['AU-8 (1) (b)'] - - chrony_file_path = '/etc/chrony/chrony.conf' - chrony_file = file('/etc/chrony/chrony.conf') - - if chrony_file.exist? - describe chrony_file do - subject { chrony_file } - its('content') { should match %r{^makestep 1 -1} } - end - else - describe (chrony_file_path + ' exists') do - subject { chrony_file.exist? } - it { should be true } - end - end -end - diff --git a/controls/V-238358.rb b/controls/V-238358.rb deleted file mode 100644 index bdb6428..0000000 --- a/controls/V-238358.rb +++ /dev/null @@ -1,59 +0,0 @@ -# encoding: UTF-8 - -control 'V-238358' do - title "The Ubuntu operating system must notify designated personnel if -baseline configurations are changed in an unauthorized manner. The file -integrity tool must notify the System Administrator when changes to the -baseline configuration or anomalies in the oper" - desc "Unauthorized changes to the baseline configuration could make the -system vulnerable to various attacks or allow unauthorized access to the -operating system. Changes to operating system configurations can have -unintended side effects, some of which may be relevant to security. - - Detecting such changes and providing an automated response can help avoid -unintended, negative consequences that could ultimately affect the security -state of the operating system. The operating system's IMO/ISSO and SAs must be -notified via email and/or monitoring system trap when there is an unauthorized -modification of a configuration item. - " - desc 'rationale', '' - desc 'check', " - Verify that Advanced Intrusion Detection Environment (AIDE) notifies the -System Administrator - when anomalies in the operation of any security functions are discovered -with the following command: - - $ grep SILENTREPORTS /etc/default/aide - - SILENTREPORTS=no - - If SILENTREPORTS is commented out, this is a finding. - - If SILENTREPORTS is set to \"yes\", this is a finding. - - If SILENTREPORTS is not set to \"no\", this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to notify designated personnel if -baseline configurations are changed in an unauthorized manner. - - Modify the \"SILENTREPORTS\" parameter in the \"/etc/default/aide\" file -with a value of \"no\" if it does not already exist. - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000363-GPOS-00150' - tag gid: 'V-238358' - tag rid: 'SV-238358r654249_rule' - tag stig_id: 'UBTU-20-010437' - tag fix_id: 'F-41527r654248_fix' - tag cci: ['CCI-001744'] - tag legacy: [] - tag nist: ['CM-3 (5)'] - - describe file('/etc/default/aide') do - it { should exist } - its('content') { should match '^SILENTREPORTS=no$' } - end -end - diff --git a/controls/V-238359.rb b/controls/V-238359.rb deleted file mode 100644 index b1bce7a..0000000 --- a/controls/V-238359.rb +++ /dev/null @@ -1,85 +0,0 @@ -# encoding: UTF-8 - -control 'V-238359' do - title "The Ubuntu operating system's Advance Package Tool (APT) must be -configured to prevent the installation of patches, service packs, device -drivers, or Ubuntu operating system components without verification they have -been digitally signed using a certificate that is recognized and approved by -the organization." - desc "Changes to any software components can have significant effects on the -overall security of the operating system. This requirement ensures the software -has not been tampered with and that it has been provided by a trusted vendor. - - Accordingly, patches, service packs, device drivers, or operating system -components must be signed with a certificate recognized and approved by the -organization. - - Verifying the authenticity of the software prior to installation validates -the integrity of the patch or upgrade received from a vendor. This ensures the -software has not been tampered with and that it has been provided by a trusted -vendor. Self-signed certificates are disallowed by this requirement. The -operating system should not have to verify the software again. This requirement -does not mandate DoD certificates for this purpose; however, the certificate -used to verify the software must be from an approved CA. - " - desc 'rationale', '' - desc 'check', " - Verify that APT is configured to prevent the installation of patches, -service packs, device drivers, or Ubuntu operating system components without -verification they have been digitally signed using a certificate that is -recognized and approved by the organization. - - Check that the \"AllowUnauthenticated\" variable is not set at all or is -set to \"false\" with the following command: - - $ grep AllowUnauthenticated /etc/apt/apt.conf.d/* - /etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated -\"false\"; - - If any of the files returned from the command with \"AllowUnauthenticated\" -are set to \"true\", this is a finding. - " - desc 'fix', " - Configure APT to prevent the installation of patches, service packs, device -drivers, or Ubuntu operating system components without verification they have -been digitally signed using a certificate that is recognized and approved by -the organization. - - Remove/update any APT configuration files that contain the variable -\"AllowUnauthenticated\" to \"false\", or remove \"AllowUnauthenticated\" -entirely from each file. Below is an example of setting the -\"AllowUnauthenticated\" variable to \"false\": - - APT::Get::AllowUnauthenticated \"false\"; - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000366-GPOS-00153' - tag gid: 'V-238359' - tag rid: 'SV-238359r654319_rule' - tag stig_id: 'UBTU-20-010438' - tag fix_id: 'F-41528r654251_fix' - tag cci: ['CCI-001749'] - tag legacy: [] - tag nist: ['CM-5 (3)'] - - describe directory('/etc/apt/apt.conf.d') do - it { should exist } - end - - apt_allowunauth = command('grep -i allowunauth /etc/apt/apt.conf.d/*').stdout.strip.split("\n") - if apt_allowunauth.empty? - describe 'apt conf files do not contain AllowUnauthenticated' do - subject { apt_allowunauth.empty? } - it { should be true } - end - else - apt_allowunauth.each do |line| - describe "#{line} contains AllowUnauthenctication" do - subject { line } - it { should_not match /.*false.*/ } - end - end - end -end - diff --git a/controls/V-238360.rb b/controls/V-238360.rb deleted file mode 100644 index 0f4e9d5..0000000 --- a/controls/V-238360.rb +++ /dev/null @@ -1,85 +0,0 @@ -# encoding: UTF-8 - -control 'V-238360' do - title 'The Ubuntu operating system must be configured to use AppArmor.' - desc "Control of program execution is a mechanism used to prevent execution -of unauthorized programs. Some operating systems may provide a capability that -runs counter to the mission or provides users with functionality that exceeds -mission requirements. This includes functions and services installed at the -operating system-level. - - Some of the programs, installed by default, may be harmful or may not be -necessary to support essential organizational operations (e.g., key missions, -functions). Removal of executable programs is not always possible; therefore, -establishing a method of preventing program execution is critical to -maintaining a secure system baseline. - - Methods for complying with this requirement include restricting execution -of programs in certain environments, while preventing execution in other -environments; or limiting execution of certain program functionality based on -organization-defined criteria (e.g., privileges, subnets, sandboxed -environments, or roles). - - - " - desc 'rationale', '' - desc 'check', " - Verify the operating system prevents program execution in accordance with -local policies. - - Check that AppArmor is installed and active by running the following -command, - - $ dpkg -l | grep apparmor - - If the \"apparmor\" package is not installed, this is a finding. - - $ systemctl is-active apparmor.service - - active - - If \"active\" is not returned, this is a finding. - - $ systemctl is-enabled apparmor.service - - enabled - - If \"enabled\" is not returned, this is a finding. - " - desc 'fix', " - Install \"AppArmor\" (if it is not installed) with the following command: - - $ sudo apt-get install apparmor - - $ sudo systemctl enable apparmor.service - - Start \"apparmor\" with the following command: - - $ sudo systemctl start apparmor.service - - Note: AppArmor must have properly configured profiles for applications and -home directories. All configurations will be based on the actual system setup -and organization and normally are on a per role basis. See the AppArmor -documentation for more information on configuring profiles. - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000368-GPOS-00154' - tag satisfies: ['SRG-OS-000368-GPOS-00154', 'SRG-OS-000312-GPOS-00122', -'SRG-OS-000312-GPOS-00123', 'SRG-OS-000312-GPOS-00124', -'SRG-OS-000324-GPOS-00125', 'SRG-OS-000370-GPOS-00155'] - tag gid: 'V-238360' - tag rid: 'SV-238360r654255_rule' - tag stig_id: 'UBTU-20-010439' - tag fix_id: 'F-41529r654254_fix' - tag cci: ['CCI-001764', 'CCI-001774', 'CCI-002165', 'CCI-002235'] - tag legacy: [] - tag nist: ['CM-7 (2)', 'CM-7 (5) (b)', 'AC-3 (4)', 'AC-6 (10)'] - - describe service('apparmor') do - it { should be_installed } - it { should be_enabled } - it { should be_running } - end -end - diff --git a/controls/V-238361.rb b/controls/V-238361.rb deleted file mode 100644 index e66684c..0000000 --- a/controls/V-238361.rb +++ /dev/null @@ -1,53 +0,0 @@ -# encoding: UTF-8 - -control 'V-238361' do - title "The Ubuntu operating system must allow the use of a temporary password -for system logons with an immediate change to a permanent password." - desc "Without providing this capability, an account may be created without a -password. Non-repudiation cannot be guaranteed once an account is created if a -user is not forced to change the temporary password upon initial logon. - - Temporary passwords are typically used to allow access when new accounts -are created or passwords are changed. It is common practice for administrators -to create temporary passwords for user accounts which allow the users to log -on, yet force them to change the password once they have successfully -authenticated. - " - desc 'rationale', '' - desc 'check', " - Verify a policy exists that ensures when a user account is created, it is -created using a method that forces a user to change their password upon their -next login. - - If a policy does not exist, this is a finding. - " - desc 'fix', " - Create a policy that ensures when a user is created, it is created using a -method that forces a user to change their password upon their next login. - - Below are two examples of how to create a user account that requires the -user to change their password upon their next login. - - $ sudo chage -d 0 [UserName] - - or - - $ sudo passwd -e [UserName] - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000380-GPOS-00165' - tag gid: 'V-238361' - tag rid: 'SV-238361r654258_rule' - tag stig_id: 'UBTU-20-010440' - tag fix_id: 'F-41530r654257_fix' - tag cci: ['CCI-002041'] - tag legacy: [] - tag nist: ['IA-5 (1) (f)'] - - describe 'Manual verification required' do - skip 'Manually verify if a policy exists to ensure that a method exists to force temporary - users to change their password upon next login' - end -end - diff --git a/controls/V-238362.rb b/controls/V-238362.rb deleted file mode 100644 index 14d4cd5..0000000 --- a/controls/V-238362.rb +++ /dev/null @@ -1,62 +0,0 @@ -# encoding: UTF-8 - -control 'V-238362' do - title "The Ubuntu operating system must be configured such that Pluggable -Authentication Module (PAM) prohibits the use of cached authentications after -one day." - desc "If cached authentication information is out-of-date, the validity of -the authentication information may be questionable." - desc 'rationale', '' - desc 'check', " - If smart card authentication is not being used on the system, this s Not -Applicable. - - Verify that PAM prohibits the use of cached authentications after one day -with the following command: - - $ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf -/etc/sssd/conf.d/*.conf - - offline_credentials_expiration = 1 - - If \"offline_credentials_expiration\" is not set to a value of \"1\" in -\"/etc/sssd/sssd.conf\" or in a file with a name ending in .conf in the -\"/etc/sssd/conf.d/\" directory, this is a finding. - " - desc 'fix', " - Configure PAM to prohibit the use of cached authentications after one day. -Add or change the following line in \"/etc/sssd/sssd.conf\" just below the line -\"[pam]\": - - offline_credentials_expiration = 1 - - Note: It is valid for this configuration to be in a file with a name that -ends with \".conf\" and does not begin with a \".\" in the -\"/etc/sssd/conf.d/\" directory instead of the \"/etc/sssd/sssd.conf\" file. - " - impact 0.3 - tag severity: 'low' - tag gtitle: 'SRG-OS-000383-GPOS-00166' - tag gid: 'V-238362' - tag rid: 'SV-238362r654261_rule' - tag stig_id: 'UBTU-20-010441' - tag fix_id: 'F-41531r654260_fix' - tag cci: ['CCI-002007'] - tag legacy: [] - tag nist: ['IA-5 (13)'] - - config_file = input('sssd_conf_path') - config_file_exists = file(config_file).exist? - - if config_file_exists - describe parse_config_file(config_file) do - its('offline_credentials_expiration') { should cmp '1' } - end - else - describe (config_file + ' exists') do - subject { config_file_exists } - it { should be true } - end - end -end - diff --git a/controls/V-238363.rb b/controls/V-238363.rb deleted file mode 100644 index 388afe3..0000000 --- a/controls/V-238363.rb +++ /dev/null @@ -1,64 +0,0 @@ -# encoding: UTF-8 - -control 'V-238363' do - title "The Ubuntu operating system must implement NIST FIPS-validated -cryptography to protect classified information and for the following: to -provision digital signatures, to generate cryptographic hashes, and to protect -unclassified information requiring confidentiality and cryptographic protection -in accordance with applicable federal laws, Executive Orders, directives, -policies, regulations, and standards." - desc "Use of weak or untested encryption algorithms undermines the purposes -of utilizing encryption to protect data. The operating system must implement -cryptographic modules adhering to the higher standards approved by the federal -government since this provides assurance they have been tested and validated. - - - " - desc 'rationale', '' - desc 'check', " - Verify the system is configured to run in FIPS mode with the following -command: - - $ grep -i 1 /proc/sys/crypto/fips_enabled - 1 - - If a value of \"1\" is not returned, this is a finding. - " - desc 'fix', " - Configure the system to run in FIPS mode. Add \"fips=1\" to the kernel -parameter during the Ubuntu operating systems install. - - Enabling a FIPS mode on a pre-existing system involves a number of -modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 -FIPS 140-2 security policy document for instructions. - - A subscription to the \"Ubuntu Advantage\" plan is required in order to -obtain the FIPS Kernel cryptographic modules and enable FIPS. - " - impact 0.7 - tag severity: 'high' - tag gtitle: 'SRG-OS-000396-GPOS-00176' - tag satisfies: ['SRG-OS-000396-GPOS-00176', 'SRG-OS-000478-GPOS-00223'] - tag gid: 'V-238363' - tag rid: 'SV-238363r654320_rule' - tag stig_id: 'UBTU-20-010442' - tag fix_id: 'F-41532r654263_fix' - tag cci: ['CCI-002450'] - tag legacy: [] - tag nist: ['SC-13'] - - config_file = '/proc/sys/crypto/fips_enabled' - config_file_exists = file(config_file).exist? - - if config_file_exists - describe file(config_file) do - its('content') { should match %r{\A1\Z} } - end - else - describe ('FIPS is enabled') do - subject { config_file_exists } - it { should be true } - end - end -end - diff --git a/controls/V-238364.rb b/controls/V-238364.rb deleted file mode 100644 index 7320218..0000000 --- a/controls/V-238364.rb +++ /dev/null @@ -1,74 +0,0 @@ -# encoding: UTF-8 - -control 'V-238364' do - title "The Ubuntu operating system must only allow the use of DoD -PKI-established certificate authorities for verification of the establishment -of protected sessions." - desc "Untrusted Certificate Authorities (CA) can issue certificates, but -they may be issued by organizations or individuals that seek to compromise DoD -systems or by organizations with insufficient security controls. If the CA used -for verifying the certificate is not a DoD-approved CA, trust of this CA has -not been established. - - The DoD will only accept PKI-certificates obtained from a DoD-approved -internal or external certificate authority. Reliance on CAs for the -establishment of secure sessions includes, for example, the use of SSL/TLS -certificates. - " - desc 'rationale', '' - desc 'check', " - Verify the directory containing the root certificates for the Ubuntu -operating system (/etc/ssl/certs) only contains certificate files for DoD -PKI-established certificate authorities. - - Determine if \"/etc/ssl/certs\" only contains certificate files whose -sha256 fingerprint match the fingerprint of DoD PKI-established certificate -authorities with the following command: - - $ for f in $(ls /etc/ssl/certs); do openssl x509 -sha256 -in $f -noout --fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw -'(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'; -done - - If any entry is found, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to only allow the use of DoD -PKI-established certificate authorities for verification of the establishment -of protected sessions. - - Edit the \"/etc/ca-certificates.conf\" file, adding the character \"!\" to -the beginning of all uncommented lines that do not start with the \"!\" -character with the following command: - - $ sudo sed -iE 's/^([^!#]+)/!\\1/' /etc/ca-certificates.conf - - Add at least one DoD certificate authority to the -\"/usr/local/share/ca-certificates\" directory in the PEM format. - - Update the \"/etc/ssl/certs\" directory with the following command: - - $ sudo update-ca-certificates - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000403-GPOS-00182' - tag gid: 'V-238364' - tag rid: 'SV-238364r654267_rule' - tag stig_id: 'UBTU-20-010443' - tag fix_id: 'F-41533r654266_fix' - tag cci: ['CCI-002470'] - tag legacy: [] - tag nist: ['SC-23 (5)'] - - allowed_ca_fingerprints_regex = input('allowed_ca_fingerprints_regex') - find_command = """ - for f in $(find -L /etc/ssl/certs -type f); do - openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '#{allowed_ca_fingerprints_regex}' - done - """ - describe command(find_command) do - its("stdout") { should cmp "" } - end -end - diff --git a/controls/V-238365.rb b/controls/V-238365.rb deleted file mode 100644 index aee9aef..0000000 --- a/controls/V-238365.rb +++ /dev/null @@ -1,75 +0,0 @@ -# encoding: UTF-8 - -control 'V-238365' do - title "Ubuntu operating system must implement cryptographic mechanisms to -prevent unauthorized modification of all information at rest." - desc "Operating systems handling data requiring \"data at rest\" protections -must employ cryptographic mechanisms to prevent unauthorized disclosure and -modification of the information at rest. - - Selection of a cryptographic mechanism is based on the need to protect the -integrity of organizational information. The strength of the mechanism is -commensurate with the security category and/or classification of the -information. Organizations have the flexibility to either encrypt all -information on storage devices (i.e., full disk encryption) or encrypt specific -data structures (e.g., files, records, or fields). - " - desc 'rationale', '' - desc 'check', " - If there is a documented and approved reason for not having data-at-rest -encryption, this requirement is Not Applicable. - - Verify the Ubuntu operating system prevents unauthorized disclosure or -modification of all information requiring at-rest protection by using disk -encryption. - - Determine the partition layout for the system with the following command: - - $ sudo fdisk -l - (..) - Disk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors - Units: sectors of 1 * 512 = 512 bytes - Sector size (logical/physical): 512 bytes / 512 bytes - I/O size (minimum/optimal): 512 bytes / 512 bytes - Disklabel type: gpt - Disk identifier: 83298450-B4E3-4B19-A9E4-7DF147A5FEFB - - Device Start End Sectors Size Type - /dev/vda1 2048 4095 2048 1M BIOS boot - /dev/vda2 4096 2101247 2097152 1G Linux filesystem - /dev/vda3 2101248 31455231 29353984 14G Linux filesystem - (...) - - Verify that the system partitions are all encrypted with the following -command: - - $ more /etc/crypttab - - Every persistent disk partition present must have an entry in the file. - - If any partitions other than the boot partition or pseudo file systems -(such as /proc or /sys) are not listed, this is a finding. - " - desc 'fix', " - To encrypt an entire partition, dedicate a partition for encryption in the -partition layout. - - Note: Encrypting a partition in an already-installed system is more -difficult because it will need to be resized and existing partitions changed. - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000404-GPOS-00183' - tag gid: 'V-238365' - tag rid: 'SV-238365r654270_rule' - tag stig_id: 'UBTU-20-010444' - tag fix_id: 'F-41534r654269_fix' - tag cci: ['CCI-002475'] - tag legacy: [] - tag nist: ['SC-28 (1)'] - - describe 'Not Applicable' do - skip 'Encryption of data at rest is handled by the IaaS' - end -end - diff --git a/controls/V-238366.rb b/controls/V-238366.rb deleted file mode 100644 index 90f66df..0000000 --- a/controls/V-238366.rb +++ /dev/null @@ -1,75 +0,0 @@ -# encoding: UTF-8 - -control 'V-238366' do - title "Ubuntu operating system must implement cryptographic mechanisms to -prevent unauthorized disclosure of all information at rest." - desc "Operating systems handling data requiring \"data at rest\" protections -must employ cryptographic mechanisms to prevent unauthorized disclosure and -modification of the information at rest. - - Selection of a cryptographic mechanism is based on the need to protect the -integrity of organizational information. The strength of the mechanism is -commensurate with the security category and/or classification of the -information. Organizations have the flexibility to either encrypt all -information on storage devices (i.e., full disk encryption) or encrypt specific -data structures (e.g., files, records, or fields). - " - desc 'rationale', '' - desc 'check', " - If there is a documented and approved reason for not having data-at-rest -encryption, this requirement is Not Applicable. - - Verify the Ubuntu operating system prevents unauthorized disclosure or -modification of all information requiring at-rest protection by using disk -encryption. - - Determine the partition layout for the system with the following command: - - $sudo fdisk -l - (..) - Disk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors - Units: sectors of 1 * 512 = 512 bytes - Sector size (logical/physical): 512 bytes / 512 bytes - I/O size (minimum/optimal): 512 bytes / 512 bytes - Disklabel type: gpt - Disk identifier: 83298450-B4E3-4B19-A9E4-7DF147A5FEFB - - Device Start End Sectors Size Type - /dev/vda1 2048 4095 2048 1M BIOS boot - /dev/vda2 4096 2101247 2097152 1G Linux filesystem - /dev/vda3 2101248 31455231 29353984 14G Linux filesystem - (...) - - Verify that the system partitions are all encrypted with the following -command: - - $ more /etc/crypttab - - Every persistent disk partition present must have an entry in the file. - - If any partitions other than the boot partition or pseudo file systems -(such as /proc or /sys) are not listed, this is a finding. - " - desc 'fix', " - To encrypt an entire partition, dedicate a partition for encryption in the -partition layout. - - Note: Encrypting a partition in an already-installed system is more -difficult because it will need to be resized and existing partitions changed. - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000405-GPOS-00184' - tag gid: 'V-238366' - tag rid: 'SV-238366r654273_rule' - tag stig_id: 'UBTU-20-010445' - tag fix_id: 'F-41535r654272_fix' - tag cci: ['CCI-002476'] - tag legacy: [] - tag nist: ['SC-28 (1)'] - - describe 'Not Applicable' do - skip 'Encryption of data at rest is handled by the IaaS' - end -end - diff --git a/controls/V-238367.rb b/controls/V-238367.rb deleted file mode 100644 index da63436..0000000 --- a/controls/V-238367.rb +++ /dev/null @@ -1,92 +0,0 @@ -# encoding: UTF-8 - -control 'V-238367' do - title "The Ubuntu operating system must configure the uncomplicated firewall -to rate-limit impacted network interfaces." - desc "Denial of service (DoS) is a condition when a resource is not -available for legitimate users. When this occurs, the organization either -cannot accomplish its mission or must operate at degraded capacity. - - This requirement addresses the configuration of the operating system to -mitigate the impact of DoS attacks that have occurred or are ongoing on system -availability. For each system, known and potential DoS attacks must be -identified and solutions for each type implemented. A variety of technologies -exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., -limiting processes or establishing memory partitions). Employing increased -capacity and bandwidth, combined with service redundancy, may reduce the -susceptibility to some DoS attacks. - " - desc 'rationale', '' - desc 'check', " - Verify an application firewall is configured to rate limit any connection -to the system. - - Check all the services listening to the ports with the following command: - - $ sudo ss -l46ut - - Netid State Recv-Q Send-Q - Local Address:Port Peer -Address:Port Process - tcp LISTEN 0 128 - [::]:ssh - [::]:* - - For each entry, verify that the Uncomplicated Firewall is configured to -rate limit the service ports with the following command: - - $ sudo ufw status - - Status: active - - To Action From - -- ------ ---- - 22/tcp LIMIT Anywhere - 22/tcp (v6) LIMIT Anywhere (v6) - - If any port with a state of \"LISTEN\" is not marked with the \"LIMIT\" -action, this is a finding. - " - desc 'fix', " - Configure the application firewall to protect against or limit the effects -of DoS attacks by ensuring the Ubuntu operating system is implementing -rate-limiting measures on impacted network interfaces. - - Check all the services listening to the ports with the following command: - - $ sudo ss -l46ut - - Netid State Recv-Q Send-Q - Local Address:Port Peer -Address:Port Process - tcp LISTEN 0 128 - [::]:ssh - [::]:* - - For each service with a port listening to connections, run the following -command, replacing \"[service]\" with the service that needs to be rate -limited. - - $ sudo ufw limit [service] - - Rate-limiting can also be done on an interface. An example of adding a -rate-limit on the eth0 interface follows: - - $ sudo ufw limit in on eth0 - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000420-GPOS-00186' - tag gid: 'V-238367' - tag rid: 'SV-238367r654276_rule' - tag stig_id: 'UBTU-20-010446' - tag fix_id: 'F-41536r654275_fix' - tag cci: ['CCI-002385'] - tag legacy: [] - tag nist: ['SC-5'] - - describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do - skip 'Status listings checks must be preformed manually' - end -end - diff --git a/controls/V-238368.rb b/controls/V-238368.rb deleted file mode 100644 index dc1f26e..0000000 --- a/controls/V-238368.rb +++ /dev/null @@ -1,60 +0,0 @@ -# encoding: UTF-8 - -control 'V-238368' do - title "The Ubuntu operating system must implement non-executable data to -protect its memory from unauthorized code execution." - desc "Some adversaries launch attacks with the intent of executing code in -non-executable regions of memory or in memory locations that are prohibited. -Security safeguards employed to protect memory include, for example, data -execution prevention and address space layout randomization. Data execution -prevention safeguards can either be hardware-enforced or software-enforced with -hardware providing the greater strength of mechanism. - - Examples of attacks are buffer overflow attacks. - " - desc 'rationale', '' - desc 'check', " - Verify the NX (no-execution) bit flag is set on the system with the -following commands: - - $ dmesg | grep -i \"execute disable\" - [ 0.000000] NX (Execute Disable) protection: active - - If \"dmesg\" does not show \"NX (Execute Disable) protection: active\", -check the cpuinfo settings with the following command: - - $ grep flags /proc/cpuinfo | grep -w nx | sort -u - flags : fpu vme de pse tsc ms nx rdtscp lm constant_tsc - - If \"flags\" does not contain the \"nx\" flag, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to enable NX. - - If \"nx\" is not showing up in \"/proc/cpuinfo\", and the system's BIOS -setup configuration permits toggling the No Execution bit, set it to \"enable\". - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000433-GPOS-00192' - tag gid: 'V-238368' - tag rid: 'SV-238368r654279_rule' - tag stig_id: 'UBTU-20-010447' - tag fix_id: 'F-41537r654278_fix' - tag cci: ['CCI-002824'] - tag legacy: [] - tag nist: ['SI-16'] - - options = { - assignment_regex: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/ - } - describe.one do - describe command('dmesg | grep NX').stdout.strip do - it { should match /.+(NX \(Execute Disable\) protection: active)/ } - end - describe parse_config_file('/proc/cpuinfo', options).flags.split(' ') do - it { should include 'nx' } - end - end -end - diff --git a/controls/V-238369.rb b/controls/V-238369.rb deleted file mode 100644 index 471dd41..0000000 --- a/controls/V-238369.rb +++ /dev/null @@ -1,68 +0,0 @@ -# encoding: UTF-8 - -control 'V-238369' do - title "The Ubuntu operating system must implement address space layout -randomization to protect its memory from unauthorized code execution." - desc "Some adversaries launch attacks with the intent of executing code in -non-executable regions of memory or in memory locations that are prohibited. -Security safeguards employed to protect memory include, for example, data -execution prevention and address space layout randomization. Data execution -prevention safeguards can either be hardware-enforced or software-enforced with -hardware providing the greater strength of mechanism. - - Examples of attacks are buffer overflow attacks. - " - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system implements address space layout -randomization (ASLR) with the following command: - - $ sudo sysctl kernel.randomize_va_space - - kernel.randomize_va_space = 2 - - If nothing is returned, verify the kernel parameter \"randomize_va_space\" -is set to \"2\" with the following command: - - $ cat /proc/sys/kernel/randomize_va_space - - 2 - - If \"kernel.randomize_va_space\" is not set to \"2\", this is a finding. - - Verify that a saved value of the \"kernel.randomize_va_space\" variable is -not defined. - - $ sudo egrep -R \"^kernel.randomize_va_space=[^2]\" /etc/sysctl.conf -/etc/sysctl.d - - If this returns a result, this is a finding. - " - desc 'fix', " - Remove the \"kernel.randomize_va_space\" entry found in the -\"/etc/sysctl.conf\" file or any file located in the \"/etc/sysctl.d/\" -directory. - - After the line has been removed, the kernel settings from all system -configuration files must be reloaded before any of the changes will take -effect. Run the following command to reload all of the kernel system -configuration files: - - $ sudo sysctl --system - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000433-GPOS-00193' - tag gid: 'V-238369' - tag rid: 'SV-238369r654282_rule' - tag stig_id: 'UBTU-20-010448' - tag fix_id: 'F-41538r654281_fix' - tag cci: ['CCI-002824'] - tag legacy: [] - tag nist: ['SI-16'] - - describe kernel_parameter('kernel.randomize_va_space') do - its('value') { should cmp 2 } - end -end - diff --git a/controls/V-238370.rb b/controls/V-238370.rb deleted file mode 100644 index 0c8358a..0000000 --- a/controls/V-238370.rb +++ /dev/null @@ -1,54 +0,0 @@ -# encoding: UTF-8 - -control 'V-238370' do - title "The Ubuntu operating system must be configured so that Advance Package -Tool (APT) removes all software components after updated versions have been -installed." - desc "Previous versions of software components that are not removed from the -information system after updates have been installed may be exploited by -adversaries. Some information technology products may remove older versions of -software automatically from the information system." - desc 'rationale', '' - desc 'check', " - Verify is configured to remove all software components after updated -versions have been installed with the following command: - - $ grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades - Unattended-Upgrade::Remove-Unused-Dependencies \"true\"; - Unattended-Upgrade::Remove-Unused-Kernel-Packages \"true\"; - - If the \"::Remove-Unused-Dependencies\" and -\"::Remove-Unused-Kernel-Packages\" parameters are not set to \"true\" or are -missing or commented out, this is a finding. - " - desc 'fix', " - Configure APT to remove all software components after updated versions have -been installed. - - Add or updated the following options to the -\"/etc/apt/apt.conf.d/50unattended-upgrades\" file: - - Unattended-Upgrade::Remove-Unused-Dependencies \"true\"; - Unattended-Upgrade::Remove-Unused-Kernel-Packages \"true\"; - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000437-GPOS-00194' - tag gid: 'V-238370' - tag rid: 'SV-238370r654285_rule' - tag stig_id: 'UBTU-20-010449' - tag fix_id: 'F-41539r654284_fix' - tag cci: ['CCI-002617'] - tag legacy: [] - tag nist: ['SI-2 (6)'] - - describe directory('/etc/apt/apt.conf.d') do - it { should exist } - end - - describe command('grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades').stdout.strip do - it { should match /^\s*([^\s]*::Remove-Unused-Dependencies)\s*\"true\"\s*;$/ } - it { should match /^\s*([^\s]*::Remove-Unused-Kernel-Packages)\s*\"true\"\s*;$/ } - end -end - diff --git a/controls/V-238371.rb b/controls/V-238371.rb deleted file mode 100644 index c33890e..0000000 --- a/controls/V-238371.rb +++ /dev/null @@ -1,56 +0,0 @@ -# encoding: UTF-8 - -control 'V-238371' do - title "The Ubuntu operating system must use a file integrity tool to verify -correct operation of all security functions." - desc "Without verification of the security functions, security functions may -not operate correctly and the failure may go unnoticed. Security function is -defined as the hardware, software, and/or firmware of the information system -responsible for enforcing the system security policy and supporting the -isolation of code and data on which the protection is based. Security -functionality includes, but is not limited to, establishing system accounts, -configuring access authorizations (i.e., permissions, privileges), setting -events to be audited, and setting intrusion detection parameters. - - This requirement applies to the Ubuntu operating system performing security -function verification/testing and/or systems and environments that require this -functionality. - " - desc 'rationale', '' - desc 'check', " - Verify that Advanced Intrusion Detection Environment (AIDE) is installed -and verifies the correct operation of all security functions. - - Check that the AIDE package is installed with the following command: - - $ sudo dpkg -l | grep aide - ii aide 0.16.1-1build2 amd64 Advanced Intrusion Detection -Environment - static binary - - If AIDE is not installed, ask the System Administrator how file integrity -checks are performed on the system. - - If no application is installed to perform integrity checks, this is a -finding. - " - desc 'fix', " - Install the AIDE package by running the following command: - - $ sudo apt-get install aide - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000445-GPOS-00199' - tag gid: 'V-238371' - tag rid: 'SV-238371r654288_rule' - tag stig_id: 'UBTU-20-010450' - tag fix_id: 'F-41540r654287_fix' - tag cci: ['CCI-002696'] - tag legacy: [] - tag nist: ['SI-6 a'] - - describe package('aide') do - it { should be_installed } - end -end - diff --git a/controls/V-238372.rb b/controls/V-238372.rb deleted file mode 100644 index de9d30f..0000000 --- a/controls/V-238372.rb +++ /dev/null @@ -1,56 +0,0 @@ -# encoding: UTF-8 - -control 'V-238372' do - title "The Ubuntu operating system must notify designated personnel if -baseline configurations are changed in an unauthorized manner. The file -integrity tool must notify the System Administrator when changes to the -baseline configuration or anomalies in the operation of any security functions -are discovered." - desc "Unauthorized changes to the baseline configuration could make the -system vulnerable to various attacks or allow unauthorized access to the Ubuntu -operating system. Changes to Ubuntu operating system configurations can have -unintended side effects, some of which may be relevant to security. - - Detecting such changes and providing an automated response can help avoid -unintended, negative consequences that could ultimately affect the security -state of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO -and SAs must be notified via email and/or monitoring system trap when there is -an unauthorized modification of a configuration item. - " - desc 'rationale', '' - desc 'check', " - Verify that Advanced Intrusion Detection Environment (AIDE) notifies the -System Administrator - when anomalies in the operation of any security functions are discovered -with the following command: - - $ sudo grep SILENTREPORTS /etc/default/aide - - SILENTREPORTS=no - - If SILENTREPORTS is uncommented and set to \"yes\", this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to notify designated personnel if -baseline configurations are changed in an unauthorized manner. - - Modify the \"SILENTREPORTS\" parameter in the \"/etc/default/aide\" file -with a value of \"no\" if it does not already exist. - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000447-GPOS-00201' - tag gid: 'V-238372' - tag rid: 'SV-238372r654318_rule' - tag stig_id: 'UBTU-20-010451' - tag fix_id: 'F-41541r654290_fix' - tag cci: ['CCI-002702'] - tag legacy: [] - tag nist: ['SI-6 d'] - - describe file('/etc/default/aide') do - it { should exist } - its('content') { should match '^SILENTREPORTS=no$' } - end -end - diff --git a/controls/V-238373.rb b/controls/V-238373.rb deleted file mode 100644 index fce677b..0000000 --- a/controls/V-238373.rb +++ /dev/null @@ -1,55 +0,0 @@ -# encoding: UTF-8 - -control 'V-238373' do - title "The Ubuntu operating system must display the date and time of the last -successful account logon upon logon." - desc "Configuration settings are the set of parameters that can be changed -in hardware, software, or firmware components of the system that affect the -security posture and/or functionality of the system. Security-related -parameters are those parameters impacting the security state of the system, -including the parameters required to satisfy other security control -requirements. Security-related parameters include, for example: registry -settings; account, file, directory permission settings; and settings for -functions, ports, protocols, services, and remote connections." - desc 'rationale', '' - desc 'check', " - Verify users are provided with feedback on when account accesses last -occurred. - - Check that \"pam_lastlog\" is used and not silent with the following -command: - - $ grep pam_lastlog /etc/pam.d/login - - session required pam_lastlog.so showfailed - - If \"pam_lastlog\" is missing from \"/etc/pam.d/login\" file, is not -\"required\", or the \"silent\" option is present, this is a finding. - " - desc 'fix', " - Configure the Ubuntu operating system to provide users with feedback on -when account accesses last occurred by setting the required configuration -options in \"/etc/pam.d/login\". - - Add the following line to the top of \"/etc/pam.d/login\": - - session required pam_lastlog.so showfailed - " - impact 0.3 - tag severity: 'low' - tag gtitle: 'SRG-OS-000480-GPOS-00227' - tag gid: 'V-238373' - tag rid: 'SV-238373r654294_rule' - tag stig_id: 'UBTU-20-010453' - tag fix_id: 'F-41542r654293_fix' - tag cci: ['CCI-000366'] - tag legacy: [] - tag nist: ['CM-6 b'] - - describe command('grep pam_lastlog /etc/pam.d/login') do - its('exit_status') { should eq 0 } - its('stdout.strip') { should match /^\s*session\s+required\s+pam_lastlog.so/ } - its('stdout.strip') { should_not match /^\s*session\s+required\s+pam_lastlog.so[\s\w\d\=]+.*silent/ } - end -end - diff --git a/controls/V-238374.rb b/controls/V-238374.rb deleted file mode 100644 index 3e8a632..0000000 --- a/controls/V-238374.rb +++ /dev/null @@ -1,50 +0,0 @@ -# encoding: UTF-8 - -control 'V-238374' do - title 'The Ubuntu operating system must have an application firewall enabled.' - desc "Firewalls protect computers from network attacks by blocking or -limiting access to open network ports. Application firewalls limit which -applications are allowed to communicate over the network." - desc 'rationale', '' - desc 'check', " - Verify the Uncomplicated Firewall is enabled on the system by running the -following command: - - $ systemctl status ufw.service | grep -i \"active:\" - - Active: active (exited) since Mon 2016-10-17 12:30:29 CDT; 1s ago - - If the above command returns the status as \"inactive\", this is a finding. - - If the Uncomplicated Firewall is not installed, ask the System -Administrator if another application firewall is installed. If no application -firewall is installed, this is a finding. - " - desc 'fix', " - Enable the Uncomplicated Firewall by using the following command: - - $ sudo systemctl enable ufw.service - - If the Uncomplicated Firewall is not currently running on the system, start -it with the following command: - - $ sudo systemctl start ufw.service - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000480-GPOS-00232' - tag gid: 'V-238374' - tag rid: 'SV-238374r654297_rule' - tag stig_id: 'UBTU-20-010454' - tag fix_id: 'F-41543r654296_fix' - tag cci: ['CCI-000366'] - tag legacy: [] - tag nist: ['CM-6 b'] - - describe service('ufw') do - it { should be_installed } - it { should be_enabled } - it { should be_running } - end -end - diff --git a/controls/V-238375.rb b/controls/V-238375.rb deleted file mode 100644 index 02c7920..0000000 --- a/controls/V-238375.rb +++ /dev/null @@ -1,103 +0,0 @@ -# encoding: UTF-8 - -control 'V-238375' do - title "The Ubuntu operating system must disable all wireless network -adapters." - desc "Without protection of communications with wireless peripherals, -confidentiality and integrity may be compromised because unprotected -communications can be intercepted and either read, altered, or used to -compromise the operating system. - - This requirement applies to wireless peripheral technologies (e.g., -wireless mice, keyboards, displays, etc.) used with an operating system. -Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing -Devices and Near Field Communications [NFC]) present a unique challenge by -creating an open, unsecured port on a computer. Wireless peripherals must meet -DoD requirements for wireless data transmission and be approved for use by the -AO. Even though some wireless peripherals, such as mice and pointing devices, -do not ordinarily carry information that need to be protected, modification of -communications with these wireless peripherals may be used to compromise the -operating system. Communication paths outside the physical protection of a -controlled boundary are exposed to the possibility of interception and -modification. - - Protecting the confidentiality and integrity of communications with -wireless peripherals can be accomplished by physical means (e.g., employing -physical barriers to wireless radio frequencies) or by logical means (e.g., -employing cryptographic techniques). If physical means of protection are -employed, then logical means (cryptography) do not have to be employed, and -vice versa. If the wireless peripheral is only passing telemetry data, -encryption of the data may not be required. - " - desc 'rationale', '' - desc 'check', " - Note: This requirement is Not Applicable for systems that do not have -physical wireless network radios. - - Verify that there are no wireless interfaces configured on the system with -the following command: - - $ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename - - If a wireless interface is configured and has not been documented and -approved by the ISSO, this is a finding. - " - desc 'fix', " - List all the wireless interfaces with the following command: - - $ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename - - For each interface, configure the system to disable wireless network -interfaces with the following command: - - $ sudo ifdown - - For each interface listed, find their respective module with the following -command: - - $ basename $(readlink -f /sys/class/net//device/driver) - - where must be substituted by the actual interface name. - - Create a file in the \"/etc/modprobe.d\" directory and for each module, add -the following line: - - install /bin/true - - For each module from the system, execute the following command to remove -it: - - $ sudo modprobe -r - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000481-GPOS-000481' - tag gid: 'V-238375' - tag rid: 'SV-238375r654300_rule' - tag stig_id: 'UBTU-20-010455' - tag fix_id: 'F-41544r654299_fix' - tag cci: ['CCI-002418'] - tag legacy: [] - tag nist: ['SC-8'] - - allowed_network_interfaces = input('allowed_network_interfaces') - ifconfig_output = command('ifconfig -s | cut -d " " -f 1').stdout.split("\n") - system_network_interfaces = ifconfig_output.drop(1) - - other_network_interfaces = system_network_interfaces - allowed_network_interfaces - - if other_network_interfaces.count > 0 - other_network_interfaces.each do |net_int| - describe ('Interface: ' + net_int + ' not permitted') do - subject { net_int } - it { should be_empty } - end - end - else - describe 'Number of wireless network interfaces found' do - subject { other_network_interfaces } - its('count') { should eq 0 } - end - end -end - diff --git a/controls/V-238376.rb b/controls/V-238376.rb deleted file mode 100644 index 5a45cec..0000000 --- a/controls/V-238376.rb +++ /dev/null @@ -1,81 +0,0 @@ -# encoding: UTF-8 - -control 'V-238376' do - title "The Ubuntu operating system must have system commands set to a mode of -0755 or less permissive." - desc "If the Ubuntu operating system were to allow any user to make changes -to software libraries, then those changes might be implemented without -undergoing the appropriate testing and approvals that are part of a robust -change management process. - - This requirement applies to Ubuntu operating systems with software -libraries that are accessible and configurable, as in the case of interpreted -languages. Software libraries also include privileged programs which execute -with escalated privileges. Only qualified and authorized individuals must be -allowed to obtain access to information system components for purposes of -initiating changes, including upgrades and modifications. - " - desc 'rationale', '' - desc 'check', " - Verify the system commands contained in the following directories have mode -0755 or less permissive: - - /bin - /sbin - /usr/bin - /usr/sbin - /usr/local/bin - /usr/local/sbin - - Check that the system command files have mode 0755 or less permissive with -the following command: - - $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin --perm /022 -type f -exec stat -c \"%n %a\" '{}' \\; - - If any files are found to be group-writable or world-writable, this is a -finding. - " - desc 'fix', " - Configure the system commands to be protected from unauthorized access. Run -the following command: - - $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin --perm /022 -type f -exec chmod 755 '{}' \\; - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000259-GPOS-00100' - tag gid: 'V-238376' - tag rid: 'SV-238376r654303_rule' - tag stig_id: 'UBTU-20-010456' - tag fix_id: 'F-41545r654302_fix' - tag cci: ['CCI-001499'] - tag legacy: [] - tag nist: ['CM-5 (6)'] - - system_commands = command("find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f").stdout.strip.split("\n").entries - valid_system_commands = Set[] - - if system_commands.count > 0 - system_commands.each do |sys_cmd| - if file(sys_cmd).exist? - valid_system_commands = valid_system_commands << sys_cmd - end - end - end - - if valid_system_commands.count > 0 - valid_system_commands.each do |val_sys_cmd| - describe file(val_sys_cmd) do - it { should_not be_more_permissive_than("0755") } - end - end - else - describe "Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755" do - subject { valid_system_commands } - its("count") { should eq 0 } - end - end -end - diff --git a/controls/V-238377.rb b/controls/V-238377.rb deleted file mode 100644 index d8d6556..0000000 --- a/controls/V-238377.rb +++ /dev/null @@ -1,78 +0,0 @@ -# encoding: UTF-8 - -control 'V-238377' do - title 'The Ubuntu operating system must have system commands owned by root.' - desc "If the Ubuntu operating system were to allow any user to make changes -to software libraries, then those changes might be implemented without -undergoing the appropriate testing and approvals that are part of a robust -change management process. - - This requirement applies to Ubuntu operating systems with software -libraries that are accessible and configurable, as in the case of interpreted -languages. Software libraries also include privileged programs which execute -with escalated privileges. Only qualified and authorized individuals must be -allowed to obtain access to information system components for purposes of -initiating changes, including upgrades and modifications. - " - desc 'rationale', '' - desc 'check', " - Verify the system commands contained in the following directories are owned -by root: - - /bin - /sbin - /usr/bin - /usr/sbin - /usr/local/bin - /usr/local/sbin - - Use the following command for the check: - - $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! --user root -type f -exec stat -c \"%n %U\" '{}' \\; - - If any system commands are returned, this is a finding. - " - desc 'fix', " - Configure the system commands and their respective parent directories to be -protected from unauthorized access. Run the following command: - - $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! --user root -type f -exec chown root '{}' \\; - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000259-GPOS-00100' - tag gid: 'V-238377' - tag rid: 'SV-238377r654306_rule' - tag stig_id: 'UBTU-20-010457' - tag fix_id: 'F-41546r654305_fix' - tag cci: ['CCI-001499'] - tag legacy: [] - tag nist: ['CM-5 (6)'] - - system_commands = command("find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f").stdout.strip.split("\n").entries - valid_system_commands = Set[] - - if system_commands.count > 0 - system_commands.each do |sys_cmd| - if file(sys_cmd).exist? - valid_system_commands = valid_system_commands << sys_cmd - end - end - end - - if valid_system_commands.count > 0 - valid_system_commands.each do |val_sys_cmd| - describe file(val_sys_cmd) do - its("owner") { should cmp "root" } - end - end - else - describe "Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root" do - subject { valid_system_commands } - its("count") { should eq 0 } - end - end -end - diff --git a/controls/V-238378.rb b/controls/V-238378.rb deleted file mode 100644 index ddd286e..0000000 --- a/controls/V-238378.rb +++ /dev/null @@ -1,80 +0,0 @@ -# encoding: UTF-8 - -control 'V-238378' do - title "The Ubuntu operating system must have system commands group-owned by -root." - desc "If the Ubuntu operating system were to allow any user to make changes -to software libraries, then those changes might be implemented without -undergoing the appropriate testing and approvals that are part of a robust -change management process. - - This requirement applies to Ubuntu operating systems with software -libraries that are accessible and configurable, as in the case of interpreted -languages. Software libraries also include privileged programs which execute -with escalated privileges. Only qualified and authorized individuals must be -allowed to obtain access to information system components for purposes of -initiating changes, including upgrades and modifications. - " - desc 'rationale', '' - desc 'check', " - Verify the system commands contained in the following directories are -group-owned by root: - - /bin - /sbin - /usr/bin - /usr/sbin - /usr/local/bin - /usr/local/sbin - - Run the check with the following command: - - $ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -! -group root -type f -exec stat -c \"%n %G\" '{}' \\; - - If any system commands are returned that are not Set Group ID up on -execution (SGID) files and owned by a privileged account, this is a finding. - " - desc 'fix', " - Configure the system commands to be protected from unauthorized access. Run -the following command: - - $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! --group root -type f ! -perm /2000 -exec chgrp root '{}' \\; - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-OS-000259-GPOS-00100' - tag gid: 'V-238378' - tag rid: 'SV-238378r654309_rule' - tag stig_id: 'UBTU-20-010458' - tag fix_id: 'F-41547r654308_fix' - tag cci: ['CCI-001499'] - tag legacy: [] - tag nist: ['CM-5 (6)'] - - system_commands = command("find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -perm /2000 -type f").stdout.strip.split("\n").entries - valid_system_commands = Set[] - - if system_commands.count > 0 - system_commands.each do |sys_cmd| - if file(sys_cmd).exist? - valid_system_commands = valid_system_commands << sys_cmd - end - end - end - - if valid_system_commands.count > 0 - valid_system_commands.each do |val_sys_cmd| - describe file(val_sys_cmd) do - it { should_not be_more_permissive_than("0755") } - end - end - else - describe "Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are not Set Group ID up on execution (SGID) files and owned by a privileged account" do - subject { valid_system_commands } - its("count") { should eq 0 } - end - end -end - diff --git a/controls/V-238379.rb b/controls/V-238379.rb deleted file mode 100644 index 313cb50..0000000 --- a/controls/V-238379.rb +++ /dev/null @@ -1,64 +0,0 @@ -# encoding: UTF-8 - -control 'V-238379' do - title "The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key -sequence if a graphical user interface is installed." - desc "A locally logged-on user who presses Ctrl-Alt-Delete, when at the -console, can reboot the system. If accidentally pressed, as could happen in the -case of a mixed OS environment, this can create the risk of short-term loss of -availability of systems due to unintentional reboot. In the graphical -environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is -reduced because the user will be prompted before any action is taken." - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system is not configured to reboot the system -when Ctrl-Alt-Delete is pressed when using a graphical user interface. - - Check that the \"logout\" target is not bound to an action with the -following command: - - # grep logout /etc/dconf/db/local.d/* - - logout='' - - If the \"logout\" key is bound to an action, is commented out, or is -missing, this is a finding. - " - desc 'fix', " - Configure the system to disable the Ctrl-Alt-Delete sequence when using a -graphical user interface by creating or editing the -/etc/dconf/db/local.d/00-disable-CAD file. - - Add the setting to disable the Ctrl-Alt-Delete sequence for the graphical -user interface: - - [org/gnome/settings-daemon/plugins/media-keys] - logout='' - - Update the dconf settings: - - # dconf update - " - impact 0.7 - tag severity: 'high' - tag gtitle: 'SRG-OS-000480-GPOS-00227' - tag gid: 'V-238379' - tag rid: 'SV-238379r654312_rule' - tag stig_id: 'UBTU-20-010459' - tag fix_id: 'F-41548r654311_fix' - tag cci: ['CCI-000366'] - tag legacy: [] - tag nist: ['CM-6 b'] - - xorg_status = command('which Xorg').exit_status - if xorg_status == 0 - describe command("grep -R logout='' /etc/dconf/db/local.d/").stdout.strip.split("\n").entries do - its('count') { should_not eq 0 } - end - else - describe command('which Xorg').exit_status do - skip("GUI not installed.\nwhich Xorg exit_status: " + command('which Xorg').exit_status.to_s) - end - end -end - diff --git a/controls/V-238380.rb b/controls/V-238380.rb deleted file mode 100644 index 3ff72ce..0000000 --- a/controls/V-238380.rb +++ /dev/null @@ -1,52 +0,0 @@ -# encoding: UTF-8 - -control 'V-238380' do - title "The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key -sequence." - desc "A locally logged-on user who presses Ctrl-Alt-Delete, when at the -console, can reboot the system. If accidentally pressed, as could happen in the -case of a mixed OS environment, this can create the risk of short-term loss of -availability of systems due to unintentional reboot." - desc 'rationale', '' - desc 'check', " - Verify the Ubuntu operating system is not configured to reboot the system -when Ctrl-Alt-Delete is pressed. - - Check that the \"ctrl-alt-del.target\" (otherwise also known as -reboot.target) is not active with the following command: - - # systemctl status ctrl-alt-del.target - reboot.target - Reboot - Loaded: loaded (/usr/lib/systemd/system/reboot.target; disabled) - Active: inactive (dead) - Docs: man:systemd.special(7) - - If the \"ctrl-alt-del.target\" is active, this is a finding. - " - desc 'fix', " - Configure the system to disable the Ctrl-Alt-Delete sequence for the -command line with the following command: - - # sudo systemctl mask ctrl-alt-del.target - - Reload the daemon to take effect: - - # sudo systemctl daemon-reload - " - impact 0.7 - tag severity: 'high' - tag gtitle: 'SRG-OS-000480-GPOS-00227' - tag gid: 'V-238380' - tag rid: 'SV-238380r654315_rule' - tag stig_id: 'UBTU-20-010460' - tag fix_id: 'F-41549r654314_fix' - tag cci: ['CCI-000366'] - tag legacy: [] - tag nist: ['CM-6 b'] - - describe service('ctrl-alt-del.target') do - it { should_not be_running } - it { should_not be_enabled } - end -end - From 3bafbd78d977935de19b8279feac6dabc7123d97 Mon Sep 17 00:00:00 2001 From: HackerShark Date: Mon, 31 Oct 2022 12:37:33 -0400 Subject: [PATCH 002/100] added logic from main branch Signed-off-by: HackerShark --- controls/SV-238196.rb | 15 +++++++++++++++ controls/SV-238197.rb | 12 ++++++++++++ controls/SV-238198.rb | 8 ++++++++ controls/SV-238199.rb | 11 +++++++++++ controls/SV-238200.rb | 4 ++++ controls/SV-238201.rb | 14 ++++++++++++++ controls/SV-238202.rb | 4 ++++ controls/SV-238203.rb | 4 ++++ controls/SV-238204.rb | 4 ++++ controls/SV-238205.rb | 11 +++++++++++ controls/SV-238206.rb | 19 +++++++++++++++++++ controls/SV-238207.rb | 11 +++++++++++ controls/SV-238208.rb | 4 ++++ controls/SV-238209.rb | 4 ++++ controls/SV-238210.rb | 8 ++++++++ controls/SV-238211.rb | 4 ++++ controls/SV-238212.rb | 4 ++++ controls/SV-238213.rb | 4 ++++ controls/SV-238214.rb | 31 +++++++++++++++++++++++++++++++ controls/SV-238215.rb | 18 ++++++++++++++++++ controls/SV-238216.rb | 8 ++++++++ controls/SV-238217.rb | 10 +++++++++- controls/SV-238218.rb | 5 +++++ controls/SV-238219.rb | 4 ++++ controls/SV-238220.rb | 4 ++++ controls/SV-238221.rb | 14 ++++++++++++++ controls/SV-238222.rb | 14 ++++++++++++++ controls/SV-238223.rb | 14 ++++++++++++++ controls/SV-238224.rb | 14 ++++++++++++++ controls/SV-238225.rb | 14 ++++++++++++++ controls/SV-238226.rb | 14 ++++++++++++++ controls/SV-238227.rb | 14 ++++++++++++++ controls/SV-238228.rb | 12 ++++++++++++ controls/SV-238229.rb | 13 +++++++++++++ controls/SV-238230.rb | 4 ++++ controls/SV-238231.rb | 4 ++++ controls/SV-238232.rb | 12 ++++++++++++ controls/SV-238233.rb | 17 +++++++++++++++++ controls/SV-238234.rb | 9 +++++++++ controls/SV-238235.rb | 10 ++++++++++ controls/SV-238236.rb | 4 ++++ controls/SV-238237.rb | 15 +++++++++++++++ controls/SV-238238.rb | 24 ++++++++++++++++++++++++ controls/SV-238239.rb | 23 +++++++++++++++++++++++ controls/SV-238240.rb | 23 +++++++++++++++++++++++ controls/SV-238241.rb | 23 +++++++++++++++++++++++ controls/SV-238242.rb | 23 +++++++++++++++++++++++ controls/SV-238243.rb | 8 ++++++++ controls/SV-238244.rb | 5 +++++ controls/SV-238245.rb | 14 ++++++++++++++ controls/SV-238246.rb | 14 ++++++++++++++ controls/SV-238247.rb | 14 ++++++++++++++ controls/SV-238248.rb | 14 ++++++++++++++ controls/SV-238249.rb | 11 +++++++++++ controls/SV-238250.rb | 11 +++++++++++ controls/SV-238251.rb | 11 +++++++++++ controls/SV-238252.rb | 25 +++++++++++++++++++++++++ controls/SV-238253.rb | 25 +++++++++++++++++++++++++ controls/SV-238254.rb | 25 +++++++++++++++++++++++++ controls/SV-238255.rb | 25 +++++++++++++++++++++++++ controls/SV-238256.rb | 25 +++++++++++++++++++++++++ controls/SV-238257.rb | 25 +++++++++++++++++++++++++ controls/SV-238258.rb | 11 +++++++++++ controls/SV-238264.rb | 13 +++++++++++++ controls/SV-238268.rb | 15 ++++++++++++++- controls/SV-238271.rb | 25 +++++++++++++++++++++++++ controls/SV-238277.rb | 23 +++++++++++++++++++++++ controls/SV-238278.rb | 24 ++++++++++++++++++++++++ controls/SV-238279.rb | 23 +++++++++++++++++++++++ controls/SV-238280.rb | 23 +++++++++++++++++++++++ controls/SV-238281.rb | 23 +++++++++++++++++++++++ controls/SV-238282.rb | 23 +++++++++++++++++++++++ controls/SV-238283.rb | 23 +++++++++++++++++++++++ controls/SV-238284.rb | 23 +++++++++++++++++++++++ controls/SV-238285.rb | 24 ++++++++++++++++++++++++ controls/SV-238286.rb | 24 ++++++++++++++++++++++++ controls/SV-238287.rb | 24 ++++++++++++++++++++++++ controls/SV-238288.rb | 24 ++++++++++++++++++++++++ controls/SV-238289.rb | 23 +++++++++++++++++++++++ controls/SV-238290.rb | 23 +++++++++++++++++++++++ controls/SV-238291.rb | 23 +++++++++++++++++++++++ controls/SV-238292.rb | 23 +++++++++++++++++++++++ controls/SV-238293.rb | 23 +++++++++++++++++++++++ controls/SV-238294.rb | 23 +++++++++++++++++++++++ controls/SV-238295.rb | 11 +++++++++++ controls/SV-238297.rb | 11 +++++++++++ controls/SV-238298.rb | 9 +++++++++ controls/SV-238299.rb | 8 ++++++++ controls/SV-238300.rb | 8 ++++++++ controls/SV-238301.rb | 8 ++++++++ controls/SV-238302.rb | 8 ++++++++ controls/SV-238303.rb | 39 +++++++++++++++++++++++++++++++++++++++ controls/SV-238304.rb | 11 +++++++++++ controls/SV-238305.rb | 23 +++++++++++++++++++++++ controls/SV-238306.rb | 20 ++++++++++++++++++++ controls/SV-238307.rb | 29 +++++++++++++++++++++++++++++ controls/SV-238308.rb | 6 ++++++ controls/SV-238309.rb | 24 ++++++++++++++++++++++++ controls/SV-238310.rb | 11 +++++++++++ controls/SV-238315.rb | 24 ++++++++++++++++++++++++ controls/SV-238316.rb | 24 ++++++++++++++++++++++++ controls/SV-238317.rb | 24 ++++++++++++++++++++++++ controls/SV-238318.rb | 23 +++++++++++++++++++++++ controls/SV-238319.rb | 23 +++++++++++++++++++++++ controls/SV-238320.rb | 23 +++++++++++++++++++++++ controls/SV-238321.rb | 14 ++++++++++++++ controls/SV-238323.rb | 4 ++++ controls/SV-238324.rb | 15 +++++++++++++++ controls/SV-238325.rb | 4 ++++ controls/SV-238326.rb | 4 ++++ controls/SV-238327.rb | 4 ++++ controls/SV-238328.rb | 13 ++++++++++++- controls/SV-238329.rb | 9 +++++++++ controls/SV-238330.rb | 15 +++++++++++++++ controls/SV-238331.rb | 5 +++++ controls/SV-238332.rb | 15 +++++++++++++++ controls/SV-238333.rb | 4 ++++ controls/SV-238334.rb | 15 +++++++++++++++ controls/SV-238335.rb | 4 ++++ controls/SV-238336.rb | 9 +++++++++ controls/SV-238337.rb | 7 +++++++ controls/SV-238338.rb | 4 ++++ controls/SV-238339.rb | 4 ++++ controls/SV-238340.rb | 4 ++++ controls/SV-238341.rb | 4 ++++ controls/SV-238342.rb | 4 ++++ controls/SV-238343.rb | 4 ++++ controls/SV-238344.rb | 25 +++++++++++++++++++++++++ controls/SV-238345.rb | 25 +++++++++++++++++++++++++ controls/SV-238346.rb | 25 +++++++++++++++++++++++++ controls/SV-238347.rb | 19 +++++++++++++++++++ controls/SV-238348.rb | 19 +++++++++++++++++++ controls/SV-238349.rb | 19 +++++++++++++++++++ controls/SV-238350.rb | 19 +++++++++++++++++++ controls/SV-238351.rb | 19 +++++++++++++++++++ controls/SV-238352.rb | 19 +++++++++++++++++++ controls/SV-238353.rb | 6 ++++++ controls/SV-238354.rb | 4 ++++ controls/SV-238355.rb | 6 ++++++ controls/SV-238356.rb | 29 +++++++++++++++++++++++++++++ controls/SV-238357.rb | 15 +++++++++++++++ controls/SV-238358.rb | 5 +++++ controls/SV-238359.rb | 19 +++++++++++++++++++ controls/SV-238360.rb | 6 ++++++ controls/SV-238361.rb | 5 +++++ controls/SV-238362.rb | 14 ++++++++++++++ controls/SV-238363.rb | 14 ++++++++++++++ controls/SV-238364.rb | 10 ++++++++++ controls/SV-238365.rb | 4 ++++ controls/SV-238366.rb | 4 ++++ controls/SV-238367.rb | 4 ++++ controls/SV-238368.rb | 13 ++++++++++++- controls/SV-238369.rb | 4 ++++ controls/SV-238370.rb | 9 +++++++++ controls/SV-238371.rb | 4 ++++ controls/SV-238372.rb | 5 +++++ controls/SV-238373.rb | 6 ++++++ controls/SV-238374.rb | 6 ++++++ controls/SV-238376.rb | 24 ++++++++++++++++++++++++ controls/SV-238377.rb | 24 ++++++++++++++++++++++++ controls/SV-238378.rb | 24 ++++++++++++++++++++++++ controls/SV-238379.rb | 11 +++++++++++ controls/SV-238380.rb | 5 +++++ 163 files changed, 2271 insertions(+), 4 deletions(-) diff --git a/controls/SV-238196.rb b/controls/SV-238196.rb index 20fa35a..808d44e 100644 --- a/controls/SV-238196.rb +++ b/controls/SV-238196.rb @@ -52,4 +52,19 @@ tag fix_id: "F-41365r653762_fix " tag cci: ["CCI-000016"] tag nist: ["AC-2 (2)"] + + temporary_accounts = input('temporary_accounts') + + if temporary_accounts.empty? + describe 'Temporary accounts' do + subject { temporary_accounts } + it { should be_empty } + end + else + temporary_accounts.each do |acct| + describe command("chage -l #{acct} | grep 'Account expires'") do + its('stdout.strip') { should_not match /:\s*never/ } + end + end + end end \ No newline at end of file diff --git a/controls/SV-238197.rb b/controls/SV-238197.rb index 0887124..be927ac 100644 --- a/controls/SV-238197.rb +++ b/controls/SV-238197.rb @@ -96,4 +96,16 @@ tag fix_id: "F-41366r653765_fix " tag cci: ["CCI-000048"] tag nist: ["AC-8 a"] + + xorg_status = command('which Xorg').exit_status + if xorg_status == 0 + describe 'banner-message-enable must be set to true' do + subject { command('grep banner-message-enable /etc/dconf/db/local.d/*') } + its('stdout') { should match /(banner-message-enable).+=.+(true)/ } + end + else + describe command('which Xorg').exit_status do + skip("GUI not installed.\nwhich Xorg exit_status: " + command('which Xorg').exit_status.to_s) + end + end end \ No newline at end of file diff --git a/controls/SV-238198.rb b/controls/SV-238198.rb index f877588..28ec3c3 100644 --- a/controls/SV-238198.rb +++ b/controls/SV-238198.rb @@ -120,4 +120,12 @@ tag fix_id: "F-41367r653768_fix " tag cci: ["CCI-000048"] tag nist: ["AC-8 a"] + #TOODO +# banner_text = input('banner_text') +# clean_banner = banner_text.gsub(/[\r\n\s]/, '') +# gdm3_defaults_file="/etc/gdm3/greeter.dconf-defaults" +# describe 'The SSHD Banner is set to the standard banner and has the correct text' do +# subject { file(gdm3_defaults_file).content.gsub(/[\r\n\s]/, '')} +# it { should cmp clean_banner } +# end end \ No newline at end of file diff --git a/controls/SV-238199.rb b/controls/SV-238199.rb index 6c4d992..df20703 100644 --- a/controls/SV-238199.rb +++ b/controls/SV-238199.rb @@ -53,4 +53,15 @@ tag fix_id: "F-41368r653771_fix " tag cci: ["CCI-000056","CCI-000057"] tag nist: ["AC-11 b","AC-11 a"] + + xorg_status = command('which Xorg').exit_status + if xorg_status == 0 + describe command('gsettings get org.gnome.desktop.screensaver lock-enabled') do + its('stdout') { should cmp 'true'} + end + else + describe command('which Xorg').exit_status do + skip("GUI not installed.\nwhich Xorg exit_status: " + command('which Xorg').exit_status.to_s) + end + end end \ No newline at end of file diff --git a/controls/SV-238200.rb b/controls/SV-238200.rb index c0ab3cb..d9ee217 100644 --- a/controls/SV-238200.rb +++ b/controls/SV-238200.rb @@ -34,4 +34,8 @@ tag fix_id: "F-41369r653774_fix " tag cci: ["CCI-000058","CCI-000060"] tag nist: ["AC-11 a","AC-11 (1)"] + + describe package('vlock') do + it { should be_installed } + end end \ No newline at end of file diff --git a/controls/SV-238201.rb b/controls/SV-238201.rb index 133ecc4..b84d519 100644 --- a/controls/SV-238201.rb +++ b/controls/SV-238201.rb @@ -31,4 +31,18 @@ tag fix_id: "F-41370r653777_fix " tag cci: ["CCI-000187"] tag nist: ["IA-5 (2) (a) (2)"] + + config_file = '/etc/pam_pkcs11/pam_pkcs11.conf' + config_file_exists = file(config_file).exist? + + if config_file_exists + describe parse_config_file(config_file) do + its('use_mappers') { should cmp 'pwent' } + end + else + describe (config_file + ' exists') do + subject { config_file_exists } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238202.rb b/controls/SV-238202.rb index 70a6a4b..2db4e4e 100644 --- a/controls/SV-238202.rb +++ b/controls/SV-238202.rb @@ -32,4 +32,8 @@ tag fix_id: "F-41371r653780_fix " tag cci: ["CCI-000198"] tag nist: ["IA-5 (1) (d)"] + + describe login_defs do + its('PASS_MIN_DAYS') { should >= '1' } + end end \ No newline at end of file diff --git a/controls/SV-238203.rb b/controls/SV-238203.rb index 38003d1..0bbd8af 100644 --- a/controls/SV-238203.rb +++ b/controls/SV-238203.rb @@ -31,4 +31,8 @@ tag fix_id: "F-41372r653783_fix " tag cci: ["CCI-000199"] tag nist: ["IA-5 (1) (d)"] + + describe login_defs do + its('PASS_MAX_DAYS') { should cmp <= 60 } + end end \ No newline at end of file diff --git a/controls/SV-238204.rb b/controls/SV-238204.rb index 42bfc1b..67b495d 100644 --- a/controls/SV-238204.rb +++ b/controls/SV-238204.rb @@ -68,4 +68,8 @@ tag fix_id: "F-41373r832935_fix " tag cci: ["CCI-000213"] tag nist: ["AC-3"] + + describe file('/boot/grub/grub.cfg') do + its('content') { should match '^password_pbkdf2' } + end end \ No newline at end of file diff --git a/controls/SV-238205.rb b/controls/SV-238205.rb index 0aa6582..5b09217 100644 --- a/controls/SV-238205.rb +++ b/controls/SV-238205.rb @@ -40,4 +40,15 @@ tag fix_id: "F-41374r653789_fix " tag cci: ["CCI-000764","CCI-000804"] tag nist: ["IA-2","IA-8"] + + user_list = command("awk -F \":\" 'list[$3]++{print $1}' /etc/passwd").stdout.split("\n") + findings = Set[] + + user_list.each do |user_name| + findings = findings << user_name + end + describe 'Duplicate User IDs (UIDs) must not exist for interactive users' do + subject { findings.to_a } + it { should be_empty } + end end \ No newline at end of file diff --git a/controls/SV-238206.rb b/controls/SV-238206.rb index 5eda050..6efc477 100644 --- a/controls/SV-238206.rb +++ b/controls/SV-238206.rb @@ -48,4 +48,23 @@ tag fix_id: "F-41375r653792_fix " tag cci: ["CCI-001084"] tag nist: ["SC-3"] + + sudo_accounts = input('sudo_accounts') + + if sudo_accounts.count > 0 + sudo_accounts.each do |account| + describe group('sudo') do + its('members') { should include account } + end + end + else + describe.one do + describe group('sudo') do + its('members') { should be_nil } + end + describe group('sudo') do + its('members') { should be_empty } + end + end + end end \ No newline at end of file diff --git a/controls/SV-238207.rb b/controls/SV-238207.rb index 9b80e6a..d6b2ef3 100644 --- a/controls/SV-238207.rb +++ b/controls/SV-238207.rb @@ -65,4 +65,15 @@ tag fix_id: "F-41376r653795_fix " tag cci: ["CCI-002361"] tag nist: ["AC-12"] + + profile_files=command('find /etc/profile.d/ /etc/bash.bashrc -type f').stdout.strip.split("\n").entries + timeout=input("tmout").to_s + + describe.one do + profile_files.each do |pf| + describe file(pf.strip) do + its('content') { should match "^TMOUT=#{timeout}$" } + end + end + end end \ No newline at end of file diff --git a/controls/SV-238208.rb b/controls/SV-238208.rb index a282df4..f900820 100644 --- a/controls/SV-238208.rb +++ b/controls/SV-238208.rb @@ -30,4 +30,8 @@ tag fix_id: "F-41377r653798_fix " tag cci: ["CCI-002038"] tag nist: ["IA-11"] + + describe command("egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers") do + its('stdout.strip') { should be_empty } + end end \ No newline at end of file diff --git a/controls/SV-238209.rb b/controls/SV-238209.rb index cdbca04..99bc842 100644 --- a/controls/SV-238209.rb +++ b/controls/SV-238209.rb @@ -37,4 +37,8 @@ tag fix_id: "F-41378r653801_fix " tag cci: ["CCI-000366"] tag nist: ["CM-6 b"] + + describe login_defs do + its('UMASK') { should eq '077' } + end end \ No newline at end of file diff --git a/controls/SV-238210.rb b/controls/SV-238210.rb index 61f07ff..a33a1f2 100644 --- a/controls/SV-238210.rb +++ b/controls/SV-238210.rb @@ -70,4 +70,12 @@ tag fix_id: "F-41379r653804_fix " tag cci: ["CCI-000765","CCI-000766","CCI-000767","CCI-000768"] tag nist: ["IA-2 (1)","IA-2 (2)","IA-2 (3)","IA-2 (4)"] + + describe package('libpam-pkcs11') do + it { should be_installed } + end + + describe sshd_config do + its('PubkeyAuthentication') { should cmp 'yes' } + end end \ No newline at end of file diff --git a/controls/SV-238211.rb b/controls/SV-238211.rb index 2ccff81..faa3dbc 100644 --- a/controls/SV-238211.rb +++ b/controls/SV-238211.rb @@ -42,4 +42,8 @@ tag fix_id: "F-41380r653807_fix " tag cci: ["CCI-000877"] tag nist: ["MA-4 c"] + + describe sshd_config do + its('UsePAM') { should cmp 'yes' } + end end \ No newline at end of file diff --git a/controls/SV-238212.rb b/controls/SV-238212.rb index 973a87c..10d3135 100644 --- a/controls/SV-238212.rb +++ b/controls/SV-238212.rb @@ -60,4 +60,8 @@ tag fix_id: "F-41381r653810_fix " tag cci: ["CCI-000879"] tag nist: ["MA-4 e"] + + describe sshd_config do + its('ClientAliveCountMax') { should cmp 1 } + end end \ No newline at end of file diff --git a/controls/SV-238213.rb b/controls/SV-238213.rb index 59d5a3b..94b859a 100644 --- a/controls/SV-238213.rb +++ b/controls/SV-238213.rb @@ -53,4 +53,8 @@ tag fix_id: "F-41382r653813_fix " tag cci: ["CCI-001133"] tag nist: ["SC-10"] + + describe sshd_config do + its('ClientAliveInterval') { should cmp 600 } + end end \ No newline at end of file diff --git a/controls/SV-238214.rb b/controls/SV-238214.rb index 247f488..af90f18 100644 --- a/controls/SV-238214.rb +++ b/controls/SV-238214.rb @@ -158,4 +158,35 @@ tag fix_id: "F-41383r653816_fix " tag cci: ["CCI-000048","CCI-001384","CCI-001385","CCI-001386","CCI-001387","CCI-001388"] tag nist: ["AC-8 a","AC-8 c 1","AC-8 c 2","AC-8 c 3"] + + banner_text = input('banner_text') + banner_files = [sshd_config.banner].flatten + + banner_files.each do |banner_file| + if banner_file.nil? + describe 'The SSHD Banner is not set' do + subject { banner_file.nil? } + it { should be false } + end + end + if !banner_file.nil? && !banner_file.match(/none/i).nil? + describe 'The SSHD Banner is disabled' do + subject { banner_file.match(/none/i).nil? } + it { should be true } + end + end + if !banner_file.nil? && banner_file.match(/none/i).nil? && !file(banner_file).exist? + describe 'The SSHD Banner is set, but, the file does not exist' do + subject { file(banner_file).exist? } + it { should be true } + end + end + next unless !banner_file.nil? && banner_file.match(/none/i).nil? && file(banner_file).exist? + + describe 'The SSHD Banner is set to the standard banner and has the correct text' do + clean_banner = banner_text.gsub(/[\r\n\s]/, '') + subject { file(banner_file).content.gsub(/[\r\n\s]/, '') } + it { should cmp clean_banner } + end + end end \ No newline at end of file diff --git a/controls/SV-238215.rb b/controls/SV-238215.rb index a4ab40c..c52ee5d 100644 --- a/controls/SV-238215.rb +++ b/controls/SV-238215.rb @@ -69,4 +69,22 @@ tag fix_id: "F-41384r653819_fix " tag cci: ["CCI-002418","CCI-002420","CCI-002422"] tag nist: ["SC-8","SC-8 (2)"] + + describe package('openssh-client') do + it { should be_installed } + end + + describe package('openssh-server') do + it { should be_installed } + end + + describe package('openssh-sftp-server') do + it { should be_installed } + end + + describe service('sshd') do + it { should be_enabled } + it { should be_installed } + it { should be_running } + end end \ No newline at end of file diff --git a/controls/SV-238216.rb b/controls/SV-238216.rb index 8f2bde8..4cae018 100644 --- a/controls/SV-238216.rb +++ b/controls/SV-238216.rb @@ -63,4 +63,12 @@ tag fix_id: "F-41385r653822_fix " tag cci: ["CCI-001453","CCI-002421","CCI-002890"] tag nist: ["AC-17 (2)","SC-8 (1)","MA-4 (6)"] + + @macs_array = inspec.sshd_config.params['macs'] + + @macs_array = @macs_array.first.split(',') unless @macs_array.nil? + + describe @macs_array do + it { should be_in %w[hmac-sha2-256 hmac-sha2-512] } + end end \ No newline at end of file diff --git a/controls/SV-238217.rb b/controls/SV-238217.rb index e9ecb28..324fec4 100644 --- a/controls/SV-238217.rb +++ b/controls/SV-238217.rb @@ -69,4 +69,12 @@ tag fix_id: "F-41386r653825_fix " tag cci: ["CCI-000068","CCI-002421","CCI-003123"] tag nist: ["AC-17 (2)","SC-8 (1)","MA-4 (6)"] -end \ No newline at end of file + + @ciphers_array = inspec.sshd_config.params['ciphers'] + + @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil? + + describe @ciphers_array do + it { should be_in %w[ aes256-ctr aes192-ctr aes128-ctr ] } + end +end diff --git a/controls/SV-238218.rb b/controls/SV-238218.rb index f6474e8..405956e 100644 --- a/controls/SV-238218.rb +++ b/controls/SV-238218.rb @@ -41,4 +41,9 @@ tag fix_id: "F-41387r653828_fix " tag cci: ["CCI-000366"] tag nist: ["CM-6 b"] + + describe sshd_config do + its('PermitEmptyPasswords') { should cmp 'no' } + its('PermitUserEnvironment') { should cmp 'no' } + end end \ No newline at end of file diff --git a/controls/SV-238219.rb b/controls/SV-238219.rb index dd720dc..83ea90d 100644 --- a/controls/SV-238219.rb +++ b/controls/SV-238219.rb @@ -49,4 +49,8 @@ tag fix_id: "F-41388r653831_fix " tag cci: ["CCI-000366"] tag nist: ["CM-6 b"] + + describe sshd_config do + its('X11Forwarding') { should cmp 'no' } + end end \ No newline at end of file diff --git a/controls/SV-238220.rb b/controls/SV-238220.rb index 62a85c9..62088e1 100644 --- a/controls/SV-238220.rb +++ b/controls/SV-238220.rb @@ -44,4 +44,8 @@ tag fix_id: "F-41389r653834_fix " tag cci: ["CCI-000366"] tag nist: ["CM-6 b"] + + describe sshd_config do + its('X11UseLocalhost') { should cmp 'yes' } + end end \ No newline at end of file diff --git a/controls/SV-238221.rb b/controls/SV-238221.rb index 45c0f4c..9ec3d45 100644 --- a/controls/SV-238221.rb +++ b/controls/SV-238221.rb @@ -36,4 +36,18 @@ tag fix_id: "F-41390r653837_fix " tag cci: ["CCI-000192"] tag nist: ["IA-5 (1) (a)"] + + config_file = '/etc/security/pwquality.conf' + config_file_exists = file(config_file).exist? + + if config_file_exists + describe parse_config_file(config_file) do + its('ucredit') { should cmp -1 } + end + else + describe (config_file + ' exists') do + subject { config_file_exists } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238222.rb b/controls/SV-238222.rb index dfbc482..c1f8049 100644 --- a/controls/SV-238222.rb +++ b/controls/SV-238222.rb @@ -36,4 +36,18 @@ tag fix_id: "F-41391r653840_fix " tag cci: ["CCI-000193"] tag nist: ["IA-5 (1) (a)"] + + config_file = '/etc/security/pwquality.conf' + config_file_exists = file(config_file).exist? + + if config_file_exists + describe parse_config_file(config_file) do + its('lcredit') { should cmp -1 } + end + else + describe (config_file + ' exists') do + subject { config_file_exists } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238223.rb b/controls/SV-238223.rb index 79fe316..647c660 100644 --- a/controls/SV-238223.rb +++ b/controls/SV-238223.rb @@ -39,4 +39,18 @@ tag fix_id: "F-41392r653843_fix " tag cci: ["CCI-000194"] tag nist: ["IA-5 (1) (a)"] + + config_file = '/etc/security/pwquality.conf' + config_file_exists = file(config_file).exist? + + if config_file_exists + describe parse_config_file(config_file) do + its('dcredit') { should cmp -1 } + end + else + describe (config_file + ' exists') do + subject { config_file_exists } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238224.rb b/controls/SV-238224.rb index 5aafee3..9becedc 100644 --- a/controls/SV-238224.rb +++ b/controls/SV-238224.rb @@ -43,4 +43,18 @@ tag fix_id: "F-41393r653846_fix " tag cci: ["CCI-000195"] tag nist: ["IA-5 (1) (b)"] + + config_file = '/etc/security/pwquality.conf' + config_file_exists = file(config_file).exist? + + if config_file_exists + describe parse_config_file(config_file) do + its('difok') { should cmp >= 8 } + end + else + describe (config_file + ' exists') do + subject { config_file_exists } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238225.rb b/controls/SV-238225.rb index 3626a37..9f6a7d2 100644 --- a/controls/SV-238225.rb +++ b/controls/SV-238225.rb @@ -35,4 +35,18 @@ tag fix_id: "F-41394r653849_fix " tag cci: ["CCI-000205"] tag nist: ["IA-5 (1) (a)"] + + config_file = '/etc/security/pwquality.conf' + config_file_exists = file(config_file).exist? + + if config_file_exists + describe parse_config_file(config_file) do + its('minlen') { should cmp >= 15 } + end + else + describe (config_file + ' exists') do + subject { config_file_exists } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238226.rb b/controls/SV-238226.rb index 8ad6fa7..ad0f057 100644 --- a/controls/SV-238226.rb +++ b/controls/SV-238226.rb @@ -39,4 +39,18 @@ tag fix_id: "F-41395r653852_fix " tag cci: ["CCI-001619"] tag nist: ["IA-5 (1) (a)"] + + config_file = '/etc/security/pwquality.conf' + config_file_exists = file(config_file).exist? + + if config_file_exists + describe parse_config_file(config_file) do + its('ocredit') { should cmp -1 } + end + else + describe (config_file + ' exists') do + subject { config_file_exists } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238227.rb b/controls/SV-238227.rb index 94deb66..6ba39fb 100644 --- a/controls/SV-238227.rb +++ b/controls/SV-238227.rb @@ -31,4 +31,18 @@ tag fix_id: "F-41396r653855_fix " tag cci: ["CCI-000366"] tag nist: ["CM-6 b"] + + config_file = '/etc/security/pwquality.conf' + config_file_exists = file(config_file).exist? + + if config_file_exists + describe parse_config_file(config_file) do + its('dictcheck') { should cmp 1 } + end + else + describe (config_file + ' exists') do + subject { config_file_exists } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238228.rb b/controls/SV-238228.rb index 5afecd8..f99b6df 100644 --- a/controls/SV-238228.rb +++ b/controls/SV-238228.rb @@ -76,4 +76,16 @@ tag fix_id: "F-41397r653858_fix " tag cci: ["CCI-000366"] tag nist: ["CM-6 b"] + + describe package('libpam-pwquality') do + it { should be_installed } + end + + describe file('/etc/security/pwquality.conf') do + its('content') { should match '^enforcing\s+=\s+1$' } + end + + describe file('/etc/pam.d/common-password') do + its('content') { should match '^password\s+requisite\s+pam_pwquality.so\s+retry=3\s+enforce_for_root$' } + end end \ No newline at end of file diff --git a/controls/SV-238229.rb b/controls/SV-238229.rb index e69d4cc..f57dc48 100644 --- a/controls/SV-238229.rb +++ b/controls/SV-238229.rb @@ -66,4 +66,17 @@ module is being used via the \"use_pkcs11_module\" in \"/etc/pam_pkcs11/pam_pkcs tag fix_id: "F-41398r653861_fix " tag cci: ["CCI-000185"] tag nist: ["IA-5 (2) (b) (1)"] + + config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist? + if config_file_exists + describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do + its('use_pkcs11_module') { should_not be_nil } + its('cert_policy') { should include 'ca' } + end + else + describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do + subject { config_file_exists } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238230.rb b/controls/SV-238230.rb index ff45bed..bb81300 100644 --- a/controls/SV-238230.rb +++ b/controls/SV-238230.rb @@ -52,4 +52,8 @@ tag fix_id: "F-41399r653864_fix " tag cci: ["CCI-001948"] tag nist: ["IA-2 (11)"] + + describe package('libpam-pkcs11') do + it { should be_installed } + end end \ No newline at end of file diff --git a/controls/SV-238231.rb b/controls/SV-238231.rb index 2531ef4..72a1859 100644 --- a/controls/SV-238231.rb +++ b/controls/SV-238231.rb @@ -38,4 +38,8 @@ tag fix_id: "F-41400r653867_fix " tag cci: ["CCI-001953"] tag nist: ["IA-2 (12)"] + + describe package('opensc-pkcs11') do + it { should be_installed } + end end \ No newline at end of file diff --git a/controls/SV-238232.rb b/controls/SV-238232.rb index 2cef0a1..5687bf8 100644 --- a/controls/SV-238232.rb +++ b/controls/SV-238232.rb @@ -38,4 +38,16 @@ tag fix_id: "F-41401r653870_fix " tag cci: ["CCI-001954"] tag nist: ["IA-2 (12)"] + + config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist? + if config_file_exists + describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do + its('cert_policy') { should include 'ocsp_on' } + end + else + describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do + subject { config_file_exists } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238233.rb b/controls/SV-238233.rb index 0bcbfea..1f5c352 100644 --- a/controls/SV-238233.rb +++ b/controls/SV-238233.rb @@ -41,4 +41,21 @@ tag fix_id: "F-41402r653873_fix " tag cci: ["CCI-001991"] tag nist: ["IA-5 (2) (d)"] + + config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist? + if config_file_exists + describe.one do + describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do + its('cert_policy') { should include 'crl_auto' } + end + describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do + its('cert_policy') { should include 'crl_offline' } + end + end + else + describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do + subject { config_file_exists } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238234.rb b/controls/SV-238234.rb index 3747d33..cf5256a 100644 --- a/controls/SV-238234.rb +++ b/controls/SV-238234.rb @@ -38,4 +38,13 @@ tag fix_id: "F-41403r832944_fix " tag cci: ["CCI-000196","CCI-000200"] tag nist: ["IA-5 (1) (c)","IA-5 (1) (e)"] + + describe file('/etc/pam.d/common-password') do + it { should exist } + end + + describe command("grep -i remember /etc/pam.d/common-password | sed 's/.*remember=\\([^ ]*\\).*/\\1/'") do + its('exit_status') { should eq 0 } + its('stdout.strip') { should cmp >= 5 } + end end \ No newline at end of file diff --git a/controls/SV-238235.rb b/controls/SV-238235.rb index 0ea295d..e52eef5 100644 --- a/controls/SV-238235.rb +++ b/controls/SV-238235.rb @@ -72,4 +72,14 @@ tag fix_id: "F-41404r802382_fix " tag cci: ["CCI-000044","CCI-002238"] tag nist: ["AC-7 a","AC-7 b"] + + describe file('/etc/pam.d/common-auth') do + it { should exist } + end + + describe command('grep pam_tally /etc/pam.d/common-auth') do + its('exit_status') { should eq 0 } + its('stdout.strip') { should match /^\s*auth\s+required\s+pam_tally2.so\s+.*onerr=fail\s+deny=3($|\s+.*$)/ } + its('stdout.strip') { should_not match /^\s*auth\s+required\s+pam_tally2.so\s+.*onerr=fail\s+deny=3\s+.*unlock_time.*$/ } + end end \ No newline at end of file diff --git a/controls/SV-238236.rb b/controls/SV-238236.rb index 5425c3d..4b2e40e 100644 --- a/controls/SV-238236.rb +++ b/controls/SV-238236.rb @@ -73,4 +73,8 @@ tag fix_id: "F-41405r653882_fix " tag cci: ["CCI-002699"] tag nist: ["SI-6 b"] + + describe("Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.") do + skip("manual test") + end end \ No newline at end of file diff --git a/controls/SV-238237.rb b/controls/SV-238237.rb index fce42a0..59b6f50 100644 --- a/controls/SV-238237.rb +++ b/controls/SV-238237.rb @@ -32,4 +32,19 @@ tag fix_id: "F-41406r653885_fix " tag cci: ["CCI-000366"] tag nist: ["CM-6 b"] + + describe file('/etc/pam.d/common-auth') do + it { should exist } + end + + describe command('grep pam_faildelay /etc/pam.d/common-auth') do + its('exit_status') { should eq 0 } + its('stdout.strip') { should match /^\s*auth\s+required\s+pam_faildelay.so\s+.*delay=([4-9][\d]{6,}|[1-9][\d]{7,}).*$/ } + end + + file('/etc/pam.d/common-auth').content.to_s.scan(/^\s*auth\s+required\s+pam_faildelay.so\s+.*delay=(\d+).*$/).flatten.each do |entry| + describe entry do + it { should cmp >= 4_000_000 } + end + end end \ No newline at end of file diff --git a/controls/SV-238238.rb b/controls/SV-238238.rb index 7c4757e..d388e28 100644 --- a/controls/SV-238238.rb +++ b/controls/SV-238238.rb @@ -53,4 +53,28 @@ tag fix_id: "F-41407r653888_fix " tag cci: ["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"] tag nist: ["AC-2 (4)","AU-12 c"] + + @audit_file = '/etc/passwd' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'w' } + it { should include 'a' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238239.rb b/controls/SV-238239.rb index 9c2cc43..15ac0fa 100644 --- a/controls/SV-238239.rb +++ b/controls/SV-238239.rb @@ -53,4 +53,27 @@ tag fix_id: "F-41408r653891_fix " tag cci: ["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"] tag nist: ["AC-2 (4)","AU-12 c"] + + @audit_file = '/etc/group' + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'w' } + it { should include 'a' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238240.rb b/controls/SV-238240.rb index 9b26fa0..83493ae 100644 --- a/controls/SV-238240.rb +++ b/controls/SV-238240.rb @@ -53,4 +53,27 @@ tag fix_id: "F-41409r653894_fix " tag cci: ["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"] tag nist: ["AC-2 (4)","AU-12 c"] + + @audit_file = '/etc/shadow' + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'w' } + it { should include 'a' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238241.rb b/controls/SV-238241.rb index fce4b5d..eb1e256 100644 --- a/controls/SV-238241.rb +++ b/controls/SV-238241.rb @@ -53,4 +53,27 @@ tag fix_id: "F-41410r653897_fix " tag cci: ["CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"] tag nist: ["AU-12 c","AC-2 (4)"] + + @audit_file = '/etc/gshadow' + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'w' } + it { should include 'a' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238242.rb b/controls/SV-238242.rb index 609a0ae..adb4bd4 100644 --- a/controls/SV-238242.rb +++ b/controls/SV-238242.rb @@ -53,4 +53,27 @@ tag fix_id: "F-41411r653900_fix " tag cci: ["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"] tag nist: ["AC-2 (4)","AU-12 c"] + + @audit_file = '/etc/security/opasswd' + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'w' } + it { should include 'a' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238243.rb b/controls/SV-238243.rb index 0a795a0..9425dc4 100644 --- a/controls/SV-238243.rb +++ b/controls/SV-238243.rb @@ -53,4 +53,12 @@ tag fix_id: "F-41412r653903_fix " tag cci: ["CCI-000139"] tag nist: ["AU-5 a"] + + action_mail_acct = auditd_conf.action_mail_acct + security_accounts = input('action_mail_acct') + + describe 'System Administrator (SA) and Information System Security Officer (ISSO) are notified in the event of an audit processing failure' do + subject { security_accounts } + it { should cmp action_mail_acct } + end end \ No newline at end of file diff --git a/controls/SV-238244.rb b/controls/SV-238244.rb index da3f43d..ad51b7b 100644 --- a/controls/SV-238244.rb +++ b/controls/SV-238244.rb @@ -56,4 +56,9 @@ tag fix_id: "F-41413r653906_fix " tag cci: ["CCI-000140"] tag nist: ["AU-5 b"] + + describe auditd_conf do + its('disk_full_action') { should_not be_empty } + its('disk_full_action') { should cmp /(?:SYSLOG|SINGLE|HALT)/i } + end end \ No newline at end of file diff --git a/controls/SV-238245.rb b/controls/SV-238245.rb index ba4c75c..60de48f 100644 --- a/controls/SV-238245.rb +++ b/controls/SV-238245.rb @@ -54,4 +54,18 @@ tag fix_id: "F-41414r653909_fix " tag cci: ["CCI-000162","CCI-000163"] tag nist: ["AU-9 a"] + + log_file = auditd_conf.log_file + + log_file_exists = !log_file.nil? + if log_file_exists + describe file(log_file) do + it { should_not be_more_permissive_than('0600') } + end + else + describe ('Audit log file ' + log_file + ' exists') do + subject { log_file_exists } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238246.rb b/controls/SV-238246.rb index 60e7cc3..a89a174 100644 --- a/controls/SV-238246.rb +++ b/controls/SV-238246.rb @@ -53,4 +53,18 @@ tag fix_id: "F-41415r653912_fix " tag cci: ["CCI-000162"] tag nist: ["AU-9 a"] + + log_file = auditd_conf.log_file + + log_file_exists = !log_file.nil? + if log_file_exists + describe file(log_file) do + its('owner') { should cmp 'root' } + end + else + describe ('Audit log file ' + log_file + ' exists') do + subject { log_file_exists } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238247.rb b/controls/SV-238247.rb index 7d1f7a9..8e7b317 100644 --- a/controls/SV-238247.rb +++ b/controls/SV-238247.rb @@ -57,4 +57,18 @@ tag fix_id: "F-41416r832946_fix " tag cci: ["CCI-000162"] tag nist: ["AU-9 a"] + + log_file = auditd_conf.log_file + + log_file_exists = !log_file.nil? + if log_file_exists + describe file(log_file) do + its('group') { should cmp 'root' } + end + else + describe ('Audit log file ' + log_file + ' exists') do + subject { log_file_exists } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238248.rb b/controls/SV-238248.rb index 7d75510..682a3e4 100644 --- a/controls/SV-238248.rb +++ b/controls/SV-238248.rb @@ -59,4 +59,18 @@ tag fix_id: "F-41417r653918_fix " tag cci: ["CCI-000164"] tag nist: ["AU-9 a"] + + log_file = auditd_conf.log_file + + log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil? + if log_dir_exists + describe directory(File.dirname(log_file)) do + it { should_not be_more_permissive_than('0750') } + end + else + describe ('Audit directory for file ' + log_file + ' exists') do + subject { log_dir_exists } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238249.rb b/controls/SV-238249.rb index 747bfb8..39a75eb 100644 --- a/controls/SV-238249.rb +++ b/controls/SV-238249.rb @@ -53,4 +53,15 @@ tag fix_id: "F-41418r653921_fix " tag cci: ["CCI-000171"] tag nist: ["AU-12 b"] + + files1 = command('find /etc/audit/ -type f \( -iname \*.rules -o -iname \*.conf \)').stdout.strip.split("\n").entries + files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split("\n").entries + + audit_conf_files = files1 + files2 + + audit_conf_files.each do |conf| + describe file(conf) do + it { should_not be_more_permissive_than('0640') } + end + end end \ No newline at end of file diff --git a/controls/SV-238250.rb b/controls/SV-238250.rb index 0b0b77a..c593a9d 100644 --- a/controls/SV-238250.rb +++ b/controls/SV-238250.rb @@ -63,4 +63,15 @@ tag fix_id: "F-41419r653924_fix " tag cci: ["CCI-000171"] tag nist: ["AU-12 b"] + + files1 = command('find /etc/audit/ -type f \( -iname \*.rules -o -iname \*.conf \)').stdout.strip.split("\n").entries + files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split("\n").entries + + audit_conf_files = files1 + files2 + + audit_conf_files.each do |conf| + describe file(conf) do + its('owner') { should cmp 'root' } + end + end end \ No newline at end of file diff --git a/controls/SV-238251.rb b/controls/SV-238251.rb index 583de2b..9712b66 100644 --- a/controls/SV-238251.rb +++ b/controls/SV-238251.rb @@ -53,4 +53,15 @@ tag fix_id: "F-41420r653927_fix " tag cci: ["CCI-000171"] tag nist: ["AU-12 b"] + + files1 = command('find /etc/audit/ -type f \( -iname \*.rules -o -iname \*.conf \)').stdout.strip.split("\n").entries + files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split("\n").entries + + audit_conf_files = files1 + files2 + + audit_conf_files.each do |conf| + describe file(conf) do + its('group') { should cmp 'root' } + end + end end \ No newline at end of file diff --git a/controls/SV-238252.rb b/controls/SV-238252.rb index 9ce1073..54df9c7 100644 --- a/controls/SV-238252.rb +++ b/controls/SV-238252.rb @@ -49,4 +49,29 @@ tag fix_id: "F-41421r653930_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/bin/su' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238253.rb b/controls/SV-238253.rb index 7dcabee..7810ac5 100644 --- a/controls/SV-238253.rb +++ b/controls/SV-238253.rb @@ -49,4 +49,29 @@ tag fix_id: "F-41422r653933_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/usr/bin/chfn' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238254.rb b/controls/SV-238254.rb index 57b8cc5..93822d0 100644 --- a/controls/SV-238254.rb +++ b/controls/SV-238254.rb @@ -49,4 +49,29 @@ tag fix_id: "F-41423r653936_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/usr/bin/mount' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238255.rb b/controls/SV-238255.rb index a384bf1..f3cd3ca 100644 --- a/controls/SV-238255.rb +++ b/controls/SV-238255.rb @@ -49,4 +49,29 @@ tag fix_id: "F-41424r653939_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/usr/bin/umount' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238256.rb b/controls/SV-238256.rb index 9447822..27be2dd 100644 --- a/controls/SV-238256.rb +++ b/controls/SV-238256.rb @@ -49,4 +49,29 @@ tag fix_id: "F-41425r653942_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/usr/bin/ssh-agent' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238257.rb b/controls/SV-238257.rb index 2daa8ab..23757c6 100644 --- a/controls/SV-238257.rb +++ b/controls/SV-238257.rb @@ -50,4 +50,29 @@ tag fix_id: "F-41426r653945_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/usr/lib/openssh/ssh-keysign' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238258.rb b/controls/SV-238258.rb index c2e6d00..ce0d92e 100644 --- a/controls/SV-238258.rb +++ b/controls/SV-238258.rb @@ -85,4 +85,15 @@ tag fix_id: "F-41427r808473_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + if os.arch == "x86_64" + describe auditd.syscall("setxattr").where { arch == "b64" } do + its("action.uniq") { should eq ["always"] } + its("list.uniq") { should eq ["exit"] } + end + end + describe auditd.syscall("setxattr").where { arch == "b32" } do + its("action.uniq") { should eq ["always"] } + its("list.uniq") { should eq ["exit"] } + end end \ No newline at end of file diff --git a/controls/SV-238264.rb b/controls/SV-238264.rb index 9a6eaad..b9683c8 100644 --- a/controls/SV-238264.rb +++ b/controls/SV-238264.rb @@ -70,4 +70,17 @@ tag fix_id: "F-41433r808476_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + #FIX + + if os.arch == 'x86_64' + describe auditd.syscall('chown').where { arch == 'b64' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end + end + describe auditd.syscall('chown').where { arch == 'b32' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end end \ No newline at end of file diff --git a/controls/SV-238268.rb b/controls/SV-238268.rb index 385c2d7..9a66f1e 100644 --- a/controls/SV-238268.rb +++ b/controls/SV-238268.rb @@ -69,4 +69,17 @@ tag fix_id: "F-41437r808479_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] -end \ No newline at end of file + +#FIX + + if os.arch == 'x86_64' + describe auditd.syscall('chmod').where { arch == 'b64' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end + end + describe auditd.syscall('chmod').where { arch == 'b32' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end +end diff --git a/controls/SV-238271.rb b/controls/SV-238271.rb index 6a5b91d..0464167 100644 --- a/controls/SV-238271.rb +++ b/controls/SV-238271.rb @@ -86,4 +86,29 @@ tag fix_id: "F-41440r808482_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + #FIX + + if os.arch == 'x86_64' + describe auditd.syscall('open').where { arch == 'b64' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + its('exit.uniq') { should include '-EPERM' } + end + describe auditd.syscall('open').where { arch == 'b64' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + its('exit.uniq') { should include '-EACCES' } + end + end + describe auditd.syscall('open').where { arch == 'b32' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + its('exit.uniq') { should include '-EPERM' } + end + describe auditd.syscall('open').where { arch == 'b32' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + its('exit.uniq') { should include '-EACCES' } + end end \ No newline at end of file diff --git a/controls/SV-238277.rb b/controls/SV-238277.rb index ecdd1d8..504c3b8 100644 --- a/controls/SV-238277.rb +++ b/controls/SV-238277.rb @@ -48,4 +48,27 @@ tag fix_id: "F-41446r654005_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/usr/bin/sudo' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238278.rb b/controls/SV-238278.rb index 5de3e60..63764a1 100644 --- a/controls/SV-238278.rb +++ b/controls/SV-238278.rb @@ -49,4 +49,28 @@ tag fix_id: "F-41447r654008_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/usr/bin/sudoedit' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238279.rb b/controls/SV-238279.rb index c09f1f1..bc1311c 100644 --- a/controls/SV-238279.rb +++ b/controls/SV-238279.rb @@ -49,4 +49,27 @@ tag fix_id: "F-41448r654011_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/usr/bin/chsh' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238280.rb b/controls/SV-238280.rb index b056bf8..b43ecff 100644 --- a/controls/SV-238280.rb +++ b/controls/SV-238280.rb @@ -49,4 +49,27 @@ tag fix_id: "F-41449r654014_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/usr/bin/newgrp' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238281.rb b/controls/SV-238281.rb index f342e75..4ee2d7b 100644 --- a/controls/SV-238281.rb +++ b/controls/SV-238281.rb @@ -49,4 +49,27 @@ tag fix_id: "F-41450r654017_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/usr/bin/chcon' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238282.rb b/controls/SV-238282.rb index 0d07b58..73f61c1 100644 --- a/controls/SV-238282.rb +++ b/controls/SV-238282.rb @@ -49,4 +49,27 @@ tag fix_id: "F-41451r654020_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/sbin/apparmor_parser' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238283.rb b/controls/SV-238283.rb index 079f2ed..9e213ac 100644 --- a/controls/SV-238283.rb +++ b/controls/SV-238283.rb @@ -49,4 +49,27 @@ tag fix_id: "F-41452r654023_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/usr/bin/setfacl' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238284.rb b/controls/SV-238284.rb index 6a8426d..67995eb 100644 --- a/controls/SV-238284.rb +++ b/controls/SV-238284.rb @@ -49,4 +49,27 @@ tag fix_id: "F-41453r654026_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/usr/bin/chacl' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238285.rb b/controls/SV-238285.rb index 0e4d4a2..50a2e13 100644 --- a/controls/SV-238285.rb +++ b/controls/SV-238285.rb @@ -50,4 +50,28 @@ tag fix_id: "F-41454r654029_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/var/log/tallylog' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'w' } + it { should include 'a' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238286.rb b/controls/SV-238286.rb index 4886d09..3f5e4b0 100644 --- a/controls/SV-238286.rb +++ b/controls/SV-238286.rb @@ -50,4 +50,28 @@ tag fix_id: "F-41455r654032_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/var/log/faillog' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'w' } + it { should include 'a' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238287.rb b/controls/SV-238287.rb index 2bdccf3..949ef26 100644 --- a/controls/SV-238287.rb +++ b/controls/SV-238287.rb @@ -50,4 +50,28 @@ tag fix_id: "F-41456r654035_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/var/log/lastlog' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'w' } + it { should include 'a' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238288.rb b/controls/SV-238288.rb index cbf6190..599be77 100644 --- a/controls/SV-238288.rb +++ b/controls/SV-238288.rb @@ -49,4 +49,28 @@ tag fix_id: "F-41457r832949_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/usr/bin/passwd' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238289.rb b/controls/SV-238289.rb index 968b8f6..67324cd 100644 --- a/controls/SV-238289.rb +++ b/controls/SV-238289.rb @@ -49,4 +49,27 @@ tag fix_id: "F-41458r654041_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/sbin/unix_update' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238290.rb b/controls/SV-238290.rb index facabde..3adb2a0 100644 --- a/controls/SV-238290.rb +++ b/controls/SV-238290.rb @@ -49,4 +49,27 @@ tag fix_id: "F-41459r654044_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/usr/bin/gpasswd' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238291.rb b/controls/SV-238291.rb index de4682e..2992183 100644 --- a/controls/SV-238291.rb +++ b/controls/SV-238291.rb @@ -49,4 +49,27 @@ tag fix_id: "F-41460r654047_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/usr/bin/chage' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238292.rb b/controls/SV-238292.rb index a01f43f..eae2f3e 100644 --- a/controls/SV-238292.rb +++ b/controls/SV-238292.rb @@ -49,4 +49,27 @@ tag fix_id: "F-41461r654050_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/usr/sbin/usermod' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238293.rb b/controls/SV-238293.rb index 3aafd59..0762bc3 100644 --- a/controls/SV-238293.rb +++ b/controls/SV-238293.rb @@ -49,4 +49,27 @@ tag fix_id: "F-41462r654053_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/usr/bin/crontab' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238294.rb b/controls/SV-238294.rb index 25909fc..84dbbb2 100644 --- a/controls/SV-238294.rb +++ b/controls/SV-238294.rb @@ -51,4 +51,27 @@ tag fix_id: "F-41463r654056_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/usr/sbin/pam_timestamp_check' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238295.rb b/controls/SV-238295.rb index 3041b65..9462b1c 100644 --- a/controls/SV-238295.rb +++ b/controls/SV-238295.rb @@ -70,4 +70,15 @@ tag fix_id: "F-41464r808485_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + if os.arch == 'x86_64' + describe auditd.syscall('init_module').where { arch == 'b64' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end + end + describe auditd.syscall('init_module').where { arch == 'b32' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end end \ No newline at end of file diff --git a/controls/SV-238297.rb b/controls/SV-238297.rb index 221b22d..1e3e0a2 100644 --- a/controls/SV-238297.rb +++ b/controls/SV-238297.rb @@ -62,4 +62,15 @@ tag fix_id: "F-41466r654065_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + if os.arch == 'x86_64' + describe auditd.syscall('delete_module').where { arch == 'b64' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end + end + describe auditd.syscall('delete_module').where { arch == 'b32' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end end \ No newline at end of file diff --git a/controls/SV-238298.rb b/controls/SV-238298.rb index 9381bff..40d4bdd 100644 --- a/controls/SV-238298.rb +++ b/controls/SV-238298.rb @@ -84,4 +84,13 @@ tag fix_id: "F-41467r654068_fix " tag cci: ["CCI-000130","CCI-000131","CCI-000132","CCI-000133","CCI-000134","CCI-000135","CCI-000154","CCI-000158","CCI-000169","CCI-000172","CCI-001875","CCI-001876","CCI-001877","CCI-001878","CCI-001879","CCI-001880","CCI-001881","CCI-001882","CCI-001914"] tag nist: ["AU-3 a","AU-3 b","AU-3 c","AU-3 d","AU-3 e","AU-3 (1)","AU-6 (4)","AU-7 (1)","AU-12 a","AU-12 c","AU-7 a","AU-7 b","AU-12 (3)"] + + describe package('auditd') do + it { should be_installed } + end + describe service('auditd') do + it { should be_installed } + it { should be_enabled } + it { should be_running } + end end \ No newline at end of file diff --git a/controls/SV-238299.rb b/controls/SV-238299.rb index a76d7f2..7b2bb7b 100644 --- a/controls/SV-238299.rb +++ b/controls/SV-238299.rb @@ -38,4 +38,12 @@ tag fix_id: "F-41468r654071_fix " tag cci: ["CCI-001464"] tag nist: ["AU-14 (1)"] + + grub_entries = command('grep "^\s*linux" /boot/grub/grub.cfg').stdout.strip.split("\n").entries + + grub_entries.each do |entry| + describe entry do + it { should include "audit=1" } + end + end end \ No newline at end of file diff --git a/controls/SV-238300.rb b/controls/SV-238300.rb index 33e77d0..ea84838 100644 --- a/controls/SV-238300.rb +++ b/controls/SV-238300.rb @@ -54,4 +54,12 @@ tag fix_id: "F-41469r654074_fix " tag cci: ["CCI-001493","CCI-001494"] tag nist: ["AU-9 a","AU-9"] + + audit_tools = input('audit_tools') + + audit_tools.each do |tool| + describe file(tool) do + it { should_not be_more_permissive_than('0755') } + end + end end \ No newline at end of file diff --git a/controls/SV-238301.rb b/controls/SV-238301.rb index b7fd0fb..9ea373b 100644 --- a/controls/SV-238301.rb +++ b/controls/SV-238301.rb @@ -54,4 +54,12 @@ tag fix_id: "F-41470r654077_fix " tag cci: ["CCI-001493","CCI-001494"] tag nist: ["AU-9 a","AU-9"] + + audit_tools = input('audit_tools') + + audit_tools.each do |tool| + describe file(tool) do + its('owner') { should cmp 'root' } + end + end end \ No newline at end of file diff --git a/controls/SV-238302.rb b/controls/SV-238302.rb index 6b673e3..2665fea 100644 --- a/controls/SV-238302.rb +++ b/controls/SV-238302.rb @@ -55,4 +55,12 @@ tag fix_id: "F-41471r654080_fix " tag cci: ["CCI-001493","CCI-001494"] tag nist: ["AU-9 a","AU-9"] + + audit_tools = input('audit_tools') + + audit_tools.each do |tool| + describe file(tool) do + its('group') { should cmp 'root' } + end + end end \ No newline at end of file diff --git a/controls/SV-238303.rb b/controls/SV-238303.rb index a57951d..f8dd436 100644 --- a/controls/SV-238303.rb +++ b/controls/SV-238303.rb @@ -70,4 +70,43 @@ tag fix_id: "F-41472r654083_fix " tag cci: ["CCI-001496"] tag nist: ["AU-9 (3)"] + + aide_conf = aide_conf input('aide_conf_path') + + aide_conf_exists = aide_conf.exist? + + if aide_conf_exists + describe aide_conf.where { selection_line == '/sbin/auditctl' } do + its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattrs', 'sha512'] } + end + + describe aide_conf.where { selection_line == '/sbin/auditd' } do + its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattrs', 'sha512'] } + end + + describe aide_conf.where { selection_line == '/sbin/ausearch' } do + its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattrs', 'sha512'] } + end + + describe aide_conf.where { selection_line == '/sbin/aureport' } do + its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattrs', 'sha512'] } + end + + describe aide_conf.where { selection_line == '/sbin/autrace' } do + its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattrs', 'sha512'] } + end + + describe aide_conf.where { selection_line == '/sbin/audispd' } do + its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattrs', 'sha512'] } + end + + describe aide_conf.where { selection_line == '/sbin/augenrules' } do + its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattrs', 'sha512'] } + end + else + describe 'aide.conf file exists' do + subject { aide_conf_exists } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238304.rb b/controls/SV-238304.rb index 995af24..ad94783 100644 --- a/controls/SV-238304.rb +++ b/controls/SV-238304.rb @@ -71,4 +71,15 @@ tag fix_id: "F-41473r654086_fix " tag cci: ["CCI-002233","CCI-002234"] tag nist: ["AC-6 (8)","AC-6 (9)"] + + if os.arch == 'x86_64' + describe auditd.syscall('execve').where { arch == 'b64' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end + end + describe auditd.syscall('execve').where { arch == 'b32' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end end \ No newline at end of file diff --git a/controls/SV-238305.rb b/controls/SV-238305.rb index 320fe4a..cf98d71 100644 --- a/controls/SV-238305.rb +++ b/controls/SV-238305.rb @@ -73,4 +73,27 @@ tag fix_id: "F-41474r654089_fix " tag cci: ["CCI-001849"] tag nist: ["AU-4"] + + log_file = auditd_conf.log_file + log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil? + + if log_dir_exists + log_file_dir = File.dirname(log_file) + available_storage = filesystem(log_file_dir).free_kb + log_file_size = file(log_file).size + standard_audit_log_size = input('standard_audit_log_size') + describe ('Current audit log file size is less than the specified standard of ' + standard_audit_log_size.to_s) do + subject { log_file_size.to_i } + it { should be <= standard_audit_log_size } + end + describe ('Available storage for audit log should be more than the defined standard of ' + standard_audit_log_size.to_s) do + subject { available_storage.to_i } + it { should be > standard_audit_log_size } + end + else + describe ('Audit file/directory for file ' + log_file + ' exists') do + subject { log_dir_exists } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238306.rb b/controls/SV-238306.rb index e7dc22c..1d7a379 100644 --- a/controls/SV-238306.rb +++ b/controls/SV-238306.rb @@ -80,4 +80,24 @@ tag fix_id: "F-41475r654092_fix " tag cci: ["CCI-001851"] tag nist: ["AU-4 (1)"] + + config_file = '/etc/audisp/plugins.d/au-remote.conf' + config_file_exists = file(config_file).exist? + audit_sp_remote_server= input("audit_sp_remote_server") + + describe package('audispd-plugins') do + it { should be_installed } + end + + if config_file_exists + describe parse_config_file(config_file) do + its('active') { should cmp 'yes' } + its('remote_server') { should cmp audit_sp_remote_server } + end + else + describe (config_file + ' exists') do + subject { config_file_exists } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238307.rb b/controls/SV-238307.rb index 4f9fdc3..8677c01 100644 --- a/controls/SV-238307.rb +++ b/controls/SV-238307.rb @@ -71,4 +71,33 @@ tag fix_id: "F-41476r654095_fix " tag cci: ["CCI-001855"] tag nist: ["AU-5 (1)"] + + log_file = auditd_conf.log_file + log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil? + + if log_dir_exists + email_to_notify = input('action_mail_acct') + + partition_threshold_mb = (filesystem(log_file).size_kb / 1024 * 0.25).to_i + system_alert_configuration_mb = auditd_conf.space_left.to_i + + describe 'The space_left configuration' do + subject { system_alert_configuration_mb } + it { should >= partition_threshold_mb } + end + describe 'The space_left_action configuration' do + subject { auditd_conf.space_left_action } + it { should eq "email" } + end + + describe 'The action_mail_acct configuration' do + subject { auditd_conf.action_mail_acct } + it { should eq email_to_notify } + end + else + describe ('Audit file/directory for file ' + log_file + ' exists') do + subject { log_dir_exists } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238308.rb b/controls/SV-238308.rb index 8a2be11..d7c0df4 100644 --- a/controls/SV-238308.rb +++ b/controls/SV-238308.rb @@ -30,4 +30,10 @@ tag fix_id: "F-41477r654098_fix " tag cci: ["CCI-001890"] tag nist: ["AU-8 b"] + + time_zone = command('timedatectl status | grep -i "time zone"').stdout.strip + + describe time_zone do + it { should match 'UTC' } + end end \ No newline at end of file diff --git a/controls/SV-238309.rb b/controls/SV-238309.rb index da1f2dc..199ac30 100644 --- a/controls/SV-238309.rb +++ b/controls/SV-238309.rb @@ -63,4 +63,28 @@ tag fix_id: "F-41478r654101_fix " tag cci: ["CCI-000172","CCI-002884"] tag nist: ["AU-12 c","MA-4 (1) (a)"] + + @audit_file = "/var/log/sudo.log" + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its("permissions") { should_not cmp [] } + its("action") { should_not include "never" } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include "w" } + it { should include "a" } + end + end + else + describe ("Audit line(s) for " + @audit_file + " exist") do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238310.rb b/controls/SV-238310.rb index 300a429..50b4d16 100644 --- a/controls/SV-238310.rb +++ b/controls/SV-238310.rb @@ -68,4 +68,15 @@ tag fix_id: "F-41479r832952_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + if os.arch == "x86_64" + describe auditd.syscall("unlink").where { arch == "b64" } do + its("action.uniq") { should eq ["always"] } + its("list.uniq") { should eq ["exit"] } + end + end + describe auditd.syscall("unlink").where { arch == "b32" } do + its("action.uniq") { should eq ["always"] } + its("list.uniq") { should eq ["exit"] } + end end \ No newline at end of file diff --git a/controls/SV-238315.rb b/controls/SV-238315.rb index 086b4b8..2f67728 100644 --- a/controls/SV-238315.rb +++ b/controls/SV-238315.rb @@ -46,4 +46,28 @@ tag fix_id: "F-41484r654119_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = "/var/log/wtmp" + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its("permissions") { should_not cmp [] } + its("action") { should_not include "never" } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include "w" } + it { should include "a" } + end + end + else + describe ("Audit line(s) for " + @audit_file + " exist") do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238316.rb b/controls/SV-238316.rb index 0301ca0..9a516ec 100644 --- a/controls/SV-238316.rb +++ b/controls/SV-238316.rb @@ -46,4 +46,28 @@ tag fix_id: "F-41485r654122_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = "/var/run/wtmp" + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its("permissions") { should_not cmp [] } + its("action") { should_not include "never" } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include "w" } + it { should include "a" } + end + end + else + describe ("Audit line(s) for " + @audit_file + " exist") do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238317.rb b/controls/SV-238317.rb index dedeb7a..dedf21a 100644 --- a/controls/SV-238317.rb +++ b/controls/SV-238317.rb @@ -46,4 +46,28 @@ tag fix_id: "F-41486r654125_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = "/var/log/btmp" + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its("permissions") { should_not cmp [] } + its("action") { should_not include "never" } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include "w" } + it { should include "a" } + end + end + else + describe ("Audit line(s) for " + @audit_file + " exist") do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238318.rb b/controls/SV-238318.rb index 338f9ef..9154d79 100644 --- a/controls/SV-238318.rb +++ b/controls/SV-238318.rb @@ -44,4 +44,27 @@ tag fix_id: "F-41487r654128_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/sbin/modprobe' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238319.rb b/controls/SV-238319.rb index 7fe5767..a461d92 100644 --- a/controls/SV-238319.rb +++ b/controls/SV-238319.rb @@ -47,4 +47,27 @@ tag fix_id: "F-41488r654131_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = '/bin/kmod' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe ('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238320.rb b/controls/SV-238320.rb index 8319c37..a328c3f 100644 --- a/controls/SV-238320.rb +++ b/controls/SV-238320.rb @@ -47,4 +47,27 @@ tag fix_id: "F-41489r832955_fix " tag cci: ["CCI-000172"] tag nist: ["AU-12 c"] + + @audit_file = "/sbin/fdisk" + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its("permissions") { should_not cmp [] } + its("action") { should_not include "never" } + end + + @perms = auditd.file(@audit_file).permissions + + @perms.each do |perm| + describe perm do + it { should include "x" } + end + end + else + describe ("Audit line(s) for " + @audit_file + " exist") do + subject { audit_lines_exist } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238321.rb b/controls/SV-238321.rb index 2d2fa85..5b05f4e 100644 --- a/controls/SV-238321.rb +++ b/controls/SV-238321.rb @@ -39,4 +39,18 @@ tag fix_id: "F-41490r654137_fix " tag cci: ["CCI-001851"] tag nist: ["AU-4 (1)"] + + cron_file = '/etc/cron.weekly/audit-offload' + cron_file_exists = file(cron_file).exist? + + if cron_file_exists + describe file(cron_file) do + its('content') { should_not be_empty } + end + else + describe cron_file + ' exists' do + subject { cron_file_exists } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238323.rb b/controls/SV-238323.rb index f88df71..b2fdb6b 100644 --- a/controls/SV-238323.rb +++ b/controls/SV-238323.rb @@ -41,4 +41,8 @@ tag fix_id: "F-41492r654143_fix " tag cci: ["CCI-000054"] tag nist: ["AC-10"] + + describe limits_conf do + its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] } + end end \ No newline at end of file diff --git a/controls/SV-238324.rb b/controls/SV-238324.rb index 67cd876..5264d94 100644 --- a/controls/SV-238324.rb +++ b/controls/SV-238324.rb @@ -51,4 +51,19 @@ tag fix_id: "F-41493r832958_fix " tag cci: ["CCI-000067"] tag nist: ["AC-17 (1)"] + + options = { + assignment_regex: /^\s*([^:]*?)\s*\t\s*(.*?)\s*$/ + } + config_file = '/etc/rsyslog.d/50-default.conf' + auth_setting = parse_config_file(config_file, options).params['auth,authpriv.*'] + daemon_setting = parse_config_file(config_file, options).params['daemon.notice'] + describe auth_setting do + it { should_not be_nil } + it { should_not be_empty } + end + describe daemon_setting do + it { should_not be_nil } + it { should_not be_empty } + end end \ No newline at end of file diff --git a/controls/SV-238325.rb b/controls/SV-238325.rb index 3f590bb..2727e23 100644 --- a/controls/SV-238325.rb +++ b/controls/SV-238325.rb @@ -35,4 +35,8 @@ tag fix_id: "F-41494r654149_fix " tag cci: ["CCI-000803"] tag nist: ["IA-7"] + + describe login_defs do + its('ENCRYPT_METHOD') { should eq 'SHA512' } + end end \ No newline at end of file diff --git a/controls/SV-238326.rb b/controls/SV-238326.rb index 7026f7c..8e3dfc2 100644 --- a/controls/SV-238326.rb +++ b/controls/SV-238326.rb @@ -24,4 +24,8 @@ tag fix_id: "F-41495r654152_fix " tag cci: ["CCI-000197"] tag nist: ["IA-5 (1) (c)"] + + describe package('telnetd') do + it { should_not be_installed } + end end \ No newline at end of file diff --git a/controls/SV-238327.rb b/controls/SV-238327.rb index bc2a7fa..b142030 100644 --- a/controls/SV-238327.rb +++ b/controls/SV-238327.rb @@ -36,4 +36,8 @@ tag fix_id: "F-41496r654155_fix " tag cci: ["CCI-000381"] tag nist: ["CM-7 a"] + + describe package('rsh-server') do + it { should_not be_installed } + end end \ No newline at end of file diff --git a/controls/SV-238328.rb b/controls/SV-238328.rb index f055a62..55a442c 100644 --- a/controls/SV-238328.rb +++ b/controls/SV-238328.rb @@ -79,4 +79,15 @@ tag fix_id: "F-41497r654158_fix " tag cci: ["CCI-000382"] tag nist: ["CM-7 b"] -end \ No newline at end of file +e + ufw_status = command('ufw status').stdout.strip.lines.first + value = ufw_status.split(':')[1].strip + + describe 'UFW status' do + subject { value } + it { should cmp 'active' } + end + describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do + skip 'Status listings checks must be preformed manually' + end +endnd \ No newline at end of file diff --git a/controls/SV-238329.rb b/controls/SV-238329.rb index 83b38d2..03ff33a 100644 --- a/controls/SV-238329.rb +++ b/controls/SV-238329.rb @@ -48,4 +48,13 @@ tag fix_id: "F-41498r654161_fix " tag cci: ["CCI-000770"] tag nist: ["IA-2 (5)"] + + describe.one do + describe shadow.where(user: 'root') do + its('passwords.uniq.first') { should eq '!*' } + end + end + describe command("passwd -S root").stdout.strip do + it { should match /^root\s+L\s+.*$/ } + end end \ No newline at end of file diff --git a/controls/SV-238330.rb b/controls/SV-238330.rb index 49ac987..003b20e 100644 --- a/controls/SV-238330.rb +++ b/controls/SV-238330.rb @@ -43,4 +43,19 @@ tag fix_id: "F-41499r654164_fix " tag cci: ["CCI-000795"] tag nist: ["IA-4 e"] + + config_file = '/etc/default/useradd' + config_file_exists = file(config_file).exist? + + if config_file_exists + describe parse_config_file(config_file) do + its('INACTIVE') { should cmp > '0' } + its('INACTIVE') { should cmp <= 35 } + end + else + describe (config_file + ' exists') do + subject { config_file_exists } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238331.rb b/controls/SV-238331.rb index a401752..cec089e 100644 --- a/controls/SV-238331.rb +++ b/controls/SV-238331.rb @@ -44,4 +44,9 @@ tag fix_id: "F-41500r654167_fix " tag cci: ["CCI-001682"] tag nist: ["AC-2 (2)"] + + describe 'Manual verification required' do + skip 'Manually verify if emergency account must be created + the system must terminate the account after a 72 hour time period.' + end end \ No newline at end of file diff --git a/controls/SV-238332.rb b/controls/SV-238332.rb index 8ddec53..fa60ed2 100644 --- a/controls/SV-238332.rb +++ b/controls/SV-238332.rb @@ -46,4 +46,19 @@ tag fix_id: "F-41501r654170_fix " tag cci: ["CCI-001090"] tag nist: ["SC-4"] + + lines = command('find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null').stdout.strip.split("\n").entries + if lines.count > 0 + lines.each do |line| + dir = line.strip + describe directory(dir) do + it { should be_sticky } + end + end + else + describe 'Sticky bit has been set on all world writable directories' do + subject { lines } + its('count') { should eq 0 } + end + end end \ No newline at end of file diff --git a/controls/SV-238333.rb b/controls/SV-238333.rb index f5b4dc0..8a86d13 100644 --- a/controls/SV-238333.rb +++ b/controls/SV-238333.rb @@ -48,4 +48,8 @@ tag fix_id: "F-41502r654173_fix " tag cci: ["CCI-001095"] tag nist: ["SC-5 (2)"] + + describe kernel_parameter('net.ipv4.tcp_syncookies') do + its('value') { should cmp 1 } + end end \ No newline at end of file diff --git a/controls/SV-238334.rb b/controls/SV-238334.rb index f8b3d0a..aa83f9e 100644 --- a/controls/SV-238334.rb +++ b/controls/SV-238334.rb @@ -35,4 +35,19 @@ tag fix_id: "F-41503r654176_fix " tag cci: ["CCI-001190"] tag nist: ["SC-24"] + + is_kdump_required = input('is_kdump_required') + if is_kdump_required + describe service('kdump') do + it { should be_enabled } + it { should be_installed } + it { should be_running } + end + else + describe service('kdump') do + it { should_not be_enabled } + it { should_not be_installed } + it { should_not be_running } + end + end end \ No newline at end of file diff --git a/controls/SV-238335.rb b/controls/SV-238335.rb index 74fd40a..4081bf4 100644 --- a/controls/SV-238335.rb +++ b/controls/SV-238335.rb @@ -67,4 +67,8 @@ tag fix_id: "F-41504r654179_fix " tag cci: ["CCI-001199"] tag nist: ["SC-28"] + + describe 'Not Applicable' do + skip 'Encryption of data at rest is handled by the IaaS' + end end \ No newline at end of file diff --git a/controls/SV-238336.rb b/controls/SV-238336.rb index 65d23ef..345d5ea 100644 --- a/controls/SV-238336.rb +++ b/controls/SV-238336.rb @@ -45,4 +45,13 @@ tag fix_id: "F-41505r858537_fix " tag cci: ["CCI-001233"] tag nist: ["SI-2 (2)"] + + describe package('mfetp') do + it { should be_installed } + end + + describe command('/opt/McAfee/ens/tp/init/mfetpd-control.sh status') do + its('exit_status') { should cmp 0 } + end + end \ No newline at end of file diff --git a/controls/SV-238337.rb b/controls/SV-238337.rb index 2a8a0d4..8db11d2 100644 --- a/controls/SV-238337.rb +++ b/controls/SV-238337.rb @@ -38,4 +38,11 @@ tag fix_id: "F-41506r654185_fix " tag cci: ["CCI-001312"] tag nist: ["SI-11 a"] + + log_files = command('find /var/log -perm /137 -type f -exec stat -c "%n %a" {} \;').stdout.strip.split("\n").entries + + describe "Number of log files found with a permission NOT set to 640" do + subject { log_files } + its("count") { should eq 0 } + end end \ No newline at end of file diff --git a/controls/SV-238338.rb b/controls/SV-238338.rb index a9d6233..8e7f0fd 100644 --- a/controls/SV-238338.rb +++ b/controls/SV-238338.rb @@ -34,4 +34,8 @@ tag fix_id: "F-41507r654188_fix " tag cci: ["CCI-001314"] tag nist: ["SI-11 b"] + + describe directory('/var/log') do + its('group') { should cmp 'syslog' } + end end \ No newline at end of file diff --git a/controls/SV-238339.rb b/controls/SV-238339.rb index 250c531..1502859 100644 --- a/controls/SV-238339.rb +++ b/controls/SV-238339.rb @@ -33,4 +33,8 @@ tag fix_id: "F-41508r654191_fix " tag cci: ["CCI-001314"] tag nist: ["SI-11 b"] + + describe directory("/var/log") do + its("owner") { should cmp "root" } + end end \ No newline at end of file diff --git a/controls/SV-238340.rb b/controls/SV-238340.rb index 413aa7f..6ca39bb 100644 --- a/controls/SV-238340.rb +++ b/controls/SV-238340.rb @@ -35,4 +35,8 @@ tag fix_id: "F-41509r654194_fix " tag cci: ["CCI-001314"] tag nist: ["SI-11 b"] + + describe directory("/var/log") do + it { should_not be_more_permissive_than("0750") } + end end \ No newline at end of file diff --git a/controls/SV-238341.rb b/controls/SV-238341.rb index 70a3fd1..537027a 100644 --- a/controls/SV-238341.rb +++ b/controls/SV-238341.rb @@ -35,4 +35,8 @@ tag fix_id: "F-41510r654197_fix " tag cci: ["CCI-001314"] tag nist: ["SI-11 b"] + + describe file('/var/log/syslog') do + its('group') { should cmp 'adm' } + end end \ No newline at end of file diff --git a/controls/SV-238342.rb b/controls/SV-238342.rb index be44b39..e047d38 100644 --- a/controls/SV-238342.rb +++ b/controls/SV-238342.rb @@ -34,4 +34,8 @@ tag fix_id: "F-41511r654200_fix " tag cci: ["CCI-001314"] tag nist: ["SI-11 b"] + + describe file('/var/log/syslog') do + its('owner') { should cmp 'syslog' } + end end \ No newline at end of file diff --git a/controls/SV-238343.rb b/controls/SV-238343.rb index 4d44d31..cc0fa15 100644 --- a/controls/SV-238343.rb +++ b/controls/SV-238343.rb @@ -36,4 +36,8 @@ tag fix_id: "F-41512r654203_fix " tag cci: ["CCI-001314"] tag nist: ["SI-11 b"] + + describe file('/var/log/syslog') do + it { should_not be_more_permissive_than('0640') } + end end \ No newline at end of file diff --git a/controls/SV-238344.rb b/controls/SV-238344.rb index d9ac87e..dc5d004 100644 --- a/controls/SV-238344.rb +++ b/controls/SV-238344.rb @@ -49,4 +49,29 @@ tag fix_id: "F-41513r654206_fix " tag cci: ["CCI-001495"] tag nist: ["AU-9"] + + system_commands = command("find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d").stdout.strip.split("\n").entries + valid_system_commands = Set[] + + if system_commands.count > 0 + system_commands.each do |sys_cmd| + if file(sys_cmd).exist? + valid_system_commands = valid_system_commands << sys_cmd + end + end + end + + if valid_system_commands.count > 0 + valid_system_commands.each do |val_sys_cmd| + describe file(val_sys_cmd) do + it { should_not be_more_permissive_than("0755") } + end + end + else + describe "Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or + /usr/local/sbin, that are less permissive than 0755" do + subject { valid_system_commands } + its("count") { should eq 0 } + end + end end \ No newline at end of file diff --git a/controls/SV-238345.rb b/controls/SV-238345.rb index 66cb98f..2778191 100644 --- a/controls/SV-238345.rb +++ b/controls/SV-238345.rb @@ -48,4 +48,29 @@ tag fix_id: "F-41514r654209_fix " tag cci: ["CCI-001495"] tag nist: ["AU-9"] + + system_commands = command("find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d").stdout.strip.split("\n").entries + valid_system_commands = Set[] + + if system_commands.count > 0 + system_commands.each do |sys_cmd| + if file(sys_cmd).exist? + valid_system_commands = valid_system_commands << sys_cmd + end + end + end + + if valid_system_commands.count > 0 + valid_system_commands.each do |val_sys_cmd| + describe file(val_sys_cmd) do + its("owner") { should cmp "root" } + end + end + else + describe "Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, + /usr/local/bin or /usr/local/sbin, that are NOT owned by root" do + subject { valid_system_commands } + its("count") { should eq 0 } + end + end end \ No newline at end of file diff --git a/controls/SV-238346.rb b/controls/SV-238346.rb index 11a2e1e..1462b93 100644 --- a/controls/SV-238346.rb +++ b/controls/SV-238346.rb @@ -49,4 +49,29 @@ tag fix_id: "F-41515r654212_fix " tag cci: ["CCI-001495"] tag nist: ["AU-9"] +#CHECK + system_commands = command("find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d").stdout.strip.split("\n").entries + valid_system_commands = Set[] + + if system_commands.count > 0 + system_commands.each do |sys_cmd| + if file(sys_cmd).exist? + valid_system_commands = valid_system_commands << sys_cmd + end + end + end + + if valid_system_commands.count > 0 + valid_system_commands.each do |val_sys_cmd| + describe file(val_sys_cmd) do + its("group") { should cmp "root" } + end + end + else + describe "Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, + /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root" do + subject { valid_system_commands } + its("count") { should eq 0 } + end + end end \ No newline at end of file diff --git a/controls/SV-238347.rb b/controls/SV-238347.rb index 40b040b..3b29635 100644 --- a/controls/SV-238347.rb +++ b/controls/SV-238347.rb @@ -35,4 +35,23 @@ tag fix_id: "F-41516r654215_fix " tag cci: ["CCI-001499"] tag nist: ["CM-5 (6)"] + + if os.arch == 'x86_64' + library_files = command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type f').stdout.strip.split("\n").entries + else + library_files = command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type f').stdout.strip.split("\n").entries + end + + if library_files.count > 0 + library_files.each do |lib_file| + describe file(lib_file) do + it { should_not be_more_permissive_than('0755') } + end + end + else + describe 'Number of system-wide shared library files found that are less permissive than 0755' do + subject { library_files } + its('count') { should eq 0 } + end + end end \ No newline at end of file diff --git a/controls/SV-238348.rb b/controls/SV-238348.rb index 3ea8241..9910f83 100644 --- a/controls/SV-238348.rb +++ b/controls/SV-238348.rb @@ -34,4 +34,23 @@ tag fix_id: "F-41517r654218_fix " tag cci: ["CCI-001499"] tag nist: ["CM-5 (6)"] + + if os.arch == 'x86_64' + library_dirs = command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type d').stdout.strip.split("\n").entries + else + library_dirs = command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type d').stdout.strip.split("\n").entries + end + + if library_dirs.count > 0 + library_dirs.each do |lib_file| + describe file(lib_file) do + it { should_not be_more_permissive_than('0755') } + end + end + else + describe 'Number of system-wide shared library directories found that are less permissive than 0755' do + subject { library_dirs } + its('count') { should eq 0 } + end + end end \ No newline at end of file diff --git a/controls/SV-238349.rb b/controls/SV-238349.rb index e31026c..4f41a6b 100644 --- a/controls/SV-238349.rb +++ b/controls/SV-238349.rb @@ -34,4 +34,23 @@ tag fix_id: "F-41518r654221_fix " tag cci: ["CCI-001499"] tag nist: ["CM-5 (6)"] + + if os.arch == "x86_64" + library_files = command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-user root \-type f').stdout.strip.split("\n").entries + else + library_files = command('find /lib /usr/lib /usr/lib32 /lib32 ! \-user root \-type f').stdout.strip.split("\n").entries + end + + if library_files.count > 0 + library_files.each do |lib_file| + describe file(lib_file) do + its("owner") { should cmp "root" } + end + end + else + describe "Number of system-wide shared library files found that are NOT owned by root" do + subject { library_files } + its("count") { should eq 0 } + end + end end \ No newline at end of file diff --git a/controls/SV-238350.rb b/controls/SV-238350.rb index 6370458..62ffef6 100644 --- a/controls/SV-238350.rb +++ b/controls/SV-238350.rb @@ -34,4 +34,23 @@ tag fix_id: "F-41519r654224_fix " tag cci: ["CCI-001499"] tag nist: ["CM-5 (6)"] + + if os.arch == "x86_64" + library_dirs = command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-user root \-type d').stdout.strip.split("\n").entries + else + library_dirs = command('find /lib /usr/lib /usr/lib32 /lib32 ! \-user root \-type d').stdout.strip.split("\n").entries + end + + if library_dirs.count > 0 + library_dirs.each do |lib_file| + describe file(lib_file) do + its("owner") { should cmp "root" } + end + end + else + describe "Number of system-wide shared library directories found that are NOT owned by root" do + subject { library_dirs } + its("count") { should eq 0 } + end + end end \ No newline at end of file diff --git a/controls/SV-238351.rb b/controls/SV-238351.rb index 2a8586a..5b20f79 100644 --- a/controls/SV-238351.rb +++ b/controls/SV-238351.rb @@ -35,4 +35,23 @@ tag fix_id: "F-41520r832961_fix " tag cci: ["CCI-001499"] tag nist: ["CM-5 (6)"] + + if os.arch == "x86_64" + library_files = command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-group root \-type f').stdout.strip.split("\n").entries + else + library_files = command('find /lib /usr/lib /usr/lib32 /lib32 ! \-group root \-type f').stdout.strip.split("\n").entries + end + + if library_files.count > 0 + library_files.each do |lib_file| + describe file(lib_file) do + its("group") { should cmp "root" } + end + end + else + describe "Number of system-wide shared library files found that are NOT group-owned by root" do + subject { library_files } + its("count") { should eq 0 } + end + end end \ No newline at end of file diff --git a/controls/SV-238352.rb b/controls/SV-238352.rb index cc11905..12c54d4 100644 --- a/controls/SV-238352.rb +++ b/controls/SV-238352.rb @@ -34,4 +34,23 @@ tag fix_id: "F-41521r654230_fix " tag cci: ["CCI-001499"] tag nist: ["CM-5 (6)"] + + if os.arch == "x86_64" + library_directories = command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-group root \-type d').stdout.strip.split("\n").entries + else + library_directories = command('find /lib /usr/lib /usr/lib32 /lib32 ! \-group root \-type d').stdout.strip.split("\n").entries + end + + if library_directories.count > 0 + library_directories.each do |lib_file| + describe file(lib_file) do + its("group") { should cmp "root" } + end + end + else + describe "Number of system-wide shared library directories found that are NOT group-owned by root" do + subject { library_directories } + its("count") { should eq 0 } + end + end end \ No newline at end of file diff --git a/controls/SV-238353.rb b/controls/SV-238353.rb index 866b4e5..e221b44 100644 --- a/controls/SV-238353.rb +++ b/controls/SV-238353.rb @@ -63,4 +63,10 @@ tag fix_id: "F-41522r654233_fix " tag cci: ["CCI-001665"] tag nist: ["SC-24"] + + describe service('rsyslog') do + it { should be_installed } + it { should be_enabled } + it { should be_running } + end end \ No newline at end of file diff --git a/controls/SV-238354.rb b/controls/SV-238354.rb index b6f81b4..1a3a736 100644 --- a/controls/SV-238354.rb +++ b/controls/SV-238354.rb @@ -43,4 +43,8 @@ tag fix_id: "F-41523r654236_fix " tag cci: ["CCI-002314"] tag nist: ["AC-17 (1)"] + + describe package('ufw') do + it { should be_installed } + end end \ No newline at end of file diff --git a/controls/SV-238355.rb b/controls/SV-238355.rb index cd15fc7..489d768 100644 --- a/controls/SV-238355.rb +++ b/controls/SV-238355.rb @@ -51,4 +51,10 @@ tag fix_id: "F-41524r654239_fix " tag cci: ["CCI-002314"] tag nist: ["AC-17 (1)"] + + describe service('ufw') do + it { should be_installed } + it { should be_enabled } + it { should be_running } + end end \ No newline at end of file diff --git a/controls/SV-238356.rb b/controls/SV-238356.rb index bfad302..be2d203 100644 --- a/controls/SV-238356.rb +++ b/controls/SV-238356.rb @@ -71,4 +71,33 @@ tag fix_id: "F-41525r808491_fix " tag cci: ["CCI-001891"] tag nist: ["AU-8 (1) (a)"] + + is_system_networked = input('is_system_networked') + + if is_system_networked + + chrony_conf = '/etc/chrony/chrony.conf' + chrony_conf_exists = file(chrony_conf).exist? + + if chrony_conf_exists + describe "time sources" do + server_entries = command('grep "^server" /etc/chrony/chrony.conf').stdout.strip.split("\n").entries + + server_entries.each do |entry| + describe entry do + it { should match "^server\s+.*\s+iburst\s+maxpoll\s+=\s+17$" } + end + end + end + else + describe chrony_conf + ' exists' do + subject { chrony_conf_exists } + it { should be true } + end + end + else + describe 'System is not networked' do + skip 'This control is Not Applicable as the system is not networked' + end + end end \ No newline at end of file diff --git a/controls/SV-238357.rb b/controls/SV-238357.rb index 1257f7e..9bbc9a8 100644 --- a/controls/SV-238357.rb +++ b/controls/SV-238357.rb @@ -51,4 +51,19 @@ tag fix_id: "F-41526r654245_fix " tag cci: ["CCI-002046"] tag nist: ["AU-8 (1) (b)"] + + chrony_file_path = '/etc/chrony/chrony.conf' + chrony_file = file('/etc/chrony/chrony.conf') + + if chrony_file.exist? + describe chrony_file do + subject { chrony_file } + its('content') { should match %r{^makestep 1 -1} } + end + else + describe (chrony_file_path + ' exists') do + subject { chrony_file.exist? } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238358.rb b/controls/SV-238358.rb index 738e9b4..08ecd42 100644 --- a/controls/SV-238358.rb +++ b/controls/SV-238358.rb @@ -43,4 +43,9 @@ tag fix_id: "F-41527r654248_fix " tag cci: ["CCI-001744"] tag nist: ["CM-3 (5)"] + + describe file('/etc/default/aide') do + it { should exist } + its('content') { should match '^SILENTREPORTS=no$' } + end end \ No newline at end of file diff --git a/controls/SV-238359.rb b/controls/SV-238359.rb index cfcc7f1..224913f 100644 --- a/controls/SV-238359.rb +++ b/controls/SV-238359.rb @@ -55,4 +55,23 @@ tag fix_id: "F-41528r654251_fix " tag cci: ["CCI-001749"] tag nist: ["CM-5 (3)"] + + describe directory('/etc/apt/apt.conf.d') do + it { should exist } + end + + apt_allowunauth = command('grep -i allowunauth /etc/apt/apt.conf.d/*').stdout.strip.split("\n") + if apt_allowunauth.empty? + describe 'apt conf files do not contain AllowUnauthenticated' do + subject { apt_allowunauth.empty? } + it { should be true } + end + else + apt_allowunauth.each do |line| + describe "#{line} contains AllowUnauthenctication" do + subject { line } + it { should_not match /.*false.*/ } + end + end + end end \ No newline at end of file diff --git a/controls/SV-238360.rb b/controls/SV-238360.rb index ab11714..ee4982e 100644 --- a/controls/SV-238360.rb +++ b/controls/SV-238360.rb @@ -70,4 +70,10 @@ tag fix_id: "F-41529r654254_fix " tag cci: ["CCI-001764","CCI-001774","CCI-002165","CCI-002235"] tag nist: ["CM-7 (2)","CM-7 (5) (b)","AC-3 (4)","AC-6 (10)"] + + describe service('apparmor') do + it { should be_installed } + it { should be_enabled } + it { should be_running } + end end \ No newline at end of file diff --git a/controls/SV-238361.rb b/controls/SV-238361.rb index 9150158..1e91d59 100644 --- a/controls/SV-238361.rb +++ b/controls/SV-238361.rb @@ -37,4 +37,9 @@ tag fix_id: "F-41530r654257_fix " tag cci: ["CCI-002041"] tag nist: ["IA-5 (1) (f)"] + + describe 'Manual verification required' do + skip 'Manually verify if a policy exists to ensure that a method exists to force temporary + users to change their password upon next login' + end end \ No newline at end of file diff --git a/controls/SV-238362.rb b/controls/SV-238362.rb index 4dbe90c..e09a0d5 100644 --- a/controls/SV-238362.rb +++ b/controls/SV-238362.rb @@ -37,4 +37,18 @@ tag fix_id: "F-41531r654260_fix " tag cci: ["CCI-002007"] tag nist: ["IA-5 (13)"] + + config_file = input('sssd_conf_path') + config_file_exists = file(config_file).exist? + + if config_file_exists + describe parse_config_file(config_file) do + its('offline_credentials_expiration') { should cmp '1' } + end + else + describe (config_file + ' exists') do + subject { config_file_exists } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238363.rb b/controls/SV-238363.rb index 84c84dc..0fa0893 100644 --- a/controls/SV-238363.rb +++ b/controls/SV-238363.rb @@ -39,4 +39,18 @@ tag fix_id: "F-41532r654263_fix " tag cci: ["CCI-002450"] tag nist: ["SC-13 b"] + + config_file = '/proc/sys/crypto/fips_enabled' + config_file_exists = file(config_file).exist? + + if config_file_exists + describe file(config_file) do + its('content') { should match %r{\A1\Z} } + end + else + describe ('FIPS is enabled') do + subject { config_file_exists } + it { should be true } + end + end end \ No newline at end of file diff --git a/controls/SV-238364.rb b/controls/SV-238364.rb index a706c14..699ffad 100644 --- a/controls/SV-238364.rb +++ b/controls/SV-238364.rb @@ -52,4 +52,14 @@ tag fix_id: "F-41533r860823_fix " tag cci: ["CCI-002470"] tag nist: ["SC-23 (5)"] + + allowed_ca_fingerprints_regex = input('allowed_ca_fingerprints_regex') + find_command = """ + for f in $(find -L /etc/ssl/certs -type f); do + openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '#{allowed_ca_fingerprints_regex}' + done + """ + describe command(find_command) do + its("stdout") { should cmp "" } + end end \ No newline at end of file diff --git a/controls/SV-238365.rb b/controls/SV-238365.rb index 6260f7c..15ac33c 100644 --- a/controls/SV-238365.rb +++ b/controls/SV-238365.rb @@ -66,4 +66,8 @@ tag fix_id: "F-41534r654269_fix " tag cci: ["CCI-002475"] tag nist: ["SC-28 (1)"] + + describe 'Not Applicable' do + skip 'Encryption of data at rest is handled by the IaaS' + end end \ No newline at end of file diff --git a/controls/SV-238366.rb b/controls/SV-238366.rb index 7c9d275..66c7038 100644 --- a/controls/SV-238366.rb +++ b/controls/SV-238366.rb @@ -66,4 +66,8 @@ tag fix_id: "F-41535r654272_fix " tag cci: ["CCI-002476"] tag nist: ["SC-28 (1)"] + + describe 'Not Applicable' do + skip 'Encryption of data at rest is handled by the IaaS' + end end \ No newline at end of file diff --git a/controls/SV-238367.rb b/controls/SV-238367.rb index b36ba24..e3a6efa 100644 --- a/controls/SV-238367.rb +++ b/controls/SV-238367.rb @@ -74,4 +74,8 @@ tag fix_id: "F-41536r654275_fix " tag cci: ["CCI-002385"] tag nist: ["SC-5 a"] + + describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do + skip 'Status listings checks must be preformed manually' + end end \ No newline at end of file diff --git a/controls/SV-238368.rb b/controls/SV-238368.rb index 0a2cb91..d49630e 100644 --- a/controls/SV-238368.rb +++ b/controls/SV-238368.rb @@ -41,4 +41,15 @@ tag fix_id: "F-41537r654278_fix " tag cci: ["CCI-002824"] tag nist: ["SI-16"] -end \ No newline at end of file + + options = { + assignment_regex: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/ + } + describe.one do + describe command('dmesg | grep NX').stdout.strip do + it { should match /.+(NX \(Execute Disable\) protection: active)/ } + end + describe parse_config_file('/proc/cpuinfo', options).flags.split(' ') do + it { should include 'nx' } + end + end \ No newline at end of file diff --git a/controls/SV-238369.rb b/controls/SV-238369.rb index a8eee68..a896292 100644 --- a/controls/SV-238369.rb +++ b/controls/SV-238369.rb @@ -55,4 +55,8 @@ tag fix_id: "F-41538r654281_fix " tag cci: ["CCI-002824"] tag nist: ["SI-16"] + + describe kernel_parameter('kernel.randomize_va_space') do + its('value') { should cmp 2 } + end end \ No newline at end of file diff --git a/controls/SV-238370.rb b/controls/SV-238370.rb index b4d708b..18537d3 100644 --- a/controls/SV-238370.rb +++ b/controls/SV-238370.rb @@ -39,4 +39,13 @@ tag fix_id: "F-41539r654284_fix " tag cci: ["CCI-002617"] tag nist: ["SI-2 (6)"] + + describe directory('/etc/apt/apt.conf.d') do + it { should exist } + end + + describe command('grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades').stdout.strip do + it { should match /^\s*([^\s]*::Remove-Unused-Dependencies)\s*\"true\"\s*;$/ } + it { should match /^\s*([^\s]*::Remove-Unused-Kernel-Packages)\s*\"true\"\s*;$/ } + end end \ No newline at end of file diff --git a/controls/SV-238371.rb b/controls/SV-238371.rb index 71bdccc..5453bcc 100644 --- a/controls/SV-238371.rb +++ b/controls/SV-238371.rb @@ -41,4 +41,8 @@ tag fix_id: "F-41540r654287_fix " tag cci: ["CCI-002696"] tag nist: ["SI-6 a"] + + describe package('aide') do + it { should be_installed } + end end \ No newline at end of file diff --git a/controls/SV-238372.rb b/controls/SV-238372.rb index ea607f9..48a3b3e 100644 --- a/controls/SV-238372.rb +++ b/controls/SV-238372.rb @@ -40,4 +40,9 @@ tag fix_id: "F-41541r654290_fix " tag cci: ["CCI-002702"] tag nist: ["SI-6 d"] + + describe file('/etc/default/aide') do + it { should exist } + its('content') { should match '^SILENTREPORTS=no$' } + end end \ No newline at end of file diff --git a/controls/SV-238373.rb b/controls/SV-238373.rb index 38519b9..285cbbc 100644 --- a/controls/SV-238373.rb +++ b/controls/SV-238373.rb @@ -40,4 +40,10 @@ tag fix_id: "F-41542r654293_fix " tag cci: ["CCI-000052"] tag nist: ["AC-9"] + + describe command('grep pam_lastlog /etc/pam.d/login') do + its('exit_status') { should eq 0 } + its('stdout.strip') { should match /^\s*session\s+required\s+pam_lastlog.so/ } + its('stdout.strip') { should_not match /^\s*session\s+required\s+pam_lastlog.so[\s\w\d\=]+.*silent/ } + end end \ No newline at end of file diff --git a/controls/SV-238374.rb b/controls/SV-238374.rb index 9ac52d1..ea193aa 100644 --- a/controls/SV-238374.rb +++ b/controls/SV-238374.rb @@ -37,4 +37,10 @@ tag fix_id: "F-41543r654296_fix " tag cci: ["CCI-000366"] tag nist: ["CM-6 b"] + + describe service('ufw') do + it { should be_installed } + it { should be_enabled } + it { should be_running } + end end \ No newline at end of file diff --git a/controls/SV-238376.rb b/controls/SV-238376.rb index d28316f..f2d5ac1 100644 --- a/controls/SV-238376.rb +++ b/controls/SV-238376.rb @@ -45,4 +45,28 @@ tag fix_id: "F-41545r654302_fix " tag cci: ["CCI-001499"] tag nist: ["CM-5 (6)"] + + system_commands = command("find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f").stdout.strip.split("\n").entries + valid_system_commands = Set[] + + if system_commands.count > 0 + system_commands.each do |sys_cmd| + if file(sys_cmd).exist? + valid_system_commands = valid_system_commands << sys_cmd + end + end + end + + if valid_system_commands.count > 0 + valid_system_commands.each do |val_sys_cmd| + describe file(val_sys_cmd) do + it { should_not be_more_permissive_than("0755") } + end + end + else + describe "Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755" do + subject { valid_system_commands } + its("count") { should eq 0 } + end + end end \ No newline at end of file diff --git a/controls/SV-238377.rb b/controls/SV-238377.rb index 410996e..6cdb5a2 100644 --- a/controls/SV-238377.rb +++ b/controls/SV-238377.rb @@ -45,4 +45,28 @@ tag fix_id: "F-41546r832967_fix " tag cci: ["CCI-001499"] tag nist: ["CM-5 (6)"] + + system_commands = command("find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f").stdout.strip.split("\n").entries + valid_system_commands = Set[] + + if system_commands.count > 0 + system_commands.each do |sys_cmd| + if file(sys_cmd).exist? + valid_system_commands = valid_system_commands << sys_cmd + end + end + end + + if valid_system_commands.count > 0 + valid_system_commands.each do |val_sys_cmd| + describe file(val_sys_cmd) do + its("owner") { should cmp "root" } + end + end + else + describe "Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root" do + subject { valid_system_commands } + its("count") { should eq 0 } + end + end end \ No newline at end of file diff --git a/controls/SV-238378.rb b/controls/SV-238378.rb index 5b9dadd..9b5e4be 100644 --- a/controls/SV-238378.rb +++ b/controls/SV-238378.rb @@ -46,4 +46,28 @@ tag fix_id: "F-41547r832970_fix " tag cci: ["CCI-001499"] tag nist: ["CM-5 (6)"] + + system_commands = command("find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -perm /2000 -type f").stdout.strip.split("\n").entries + valid_system_commands = Set[] + + if system_commands.count > 0 + system_commands.each do |sys_cmd| + if file(sys_cmd).exist? + valid_system_commands = valid_system_commands << sys_cmd + end + end + end + + if valid_system_commands.count > 0 + valid_system_commands.each do |val_sys_cmd| + describe file(val_sys_cmd) do + it { should_not be_more_permissive_than("0755") } + end + end + else + describe "Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are not Set Group ID up on execution (SGID) files and owned by a privileged account" do + subject { valid_system_commands } + its("count") { should eq 0 } + end + end end \ No newline at end of file diff --git a/controls/SV-238379.rb b/controls/SV-238379.rb index 053eeb7..6619294 100644 --- a/controls/SV-238379.rb +++ b/controls/SV-238379.rb @@ -45,4 +45,15 @@ tag fix_id: "F-41548r654311_fix " tag cci: ["CCI-000366"] tag nist: ["CM-6 b"] + + xorg_status = command('which Xorg').exit_status + if xorg_status == 0 + describe command("grep -R logout='' /etc/dconf/db/local.d/").stdout.strip.split("\n").entries do + its('count') { should_not eq 0 } + end + else + describe command('which Xorg').exit_status do + skip("GUI not installed.\nwhich Xorg exit_status: " + command('which Xorg').exit_status.to_s) + end + end end \ No newline at end of file diff --git a/controls/SV-238380.rb b/controls/SV-238380.rb index 12efed9..7bc6b5b 100644 --- a/controls/SV-238380.rb +++ b/controls/SV-238380.rb @@ -42,4 +42,9 @@ tag fix_id: "F-41549r832973_fix " tag cci: ["CCI-000366"] tag nist: ["CM-6 b"] + + describe service('ctrl-alt-del.target') do + it { should_not be_running } + it { should_not be_enabled } + end end \ No newline at end of file From 943e355068bb288ecaf519ee789f25ff31ba6280 Mon Sep 17 00:00:00 2001 From: HackerShark Date: Wed, 16 Nov 2022 10:38:52 -0500 Subject: [PATCH 003/100] fixing issues Signed-off-by: HackerShark --- controls/SV-238328.rb | 2 +- controls/SV-238368.rb | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/controls/SV-238328.rb b/controls/SV-238328.rb index 55a442c..f90a4ad 100644 --- a/controls/SV-238328.rb +++ b/controls/SV-238328.rb @@ -90,4 +90,4 @@ describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do skip 'Status listings checks must be preformed manually' end -endnd \ No newline at end of file +end \ No newline at end of file diff --git a/controls/SV-238368.rb b/controls/SV-238368.rb index d49630e..4ed437e 100644 --- a/controls/SV-238368.rb +++ b/controls/SV-238368.rb @@ -52,4 +52,5 @@ describe parse_config_file('/proc/cpuinfo', options).flags.split(' ') do it { should include 'nx' } end - end \ No newline at end of file + end +end \ No newline at end of file From 5ee89c0459e5178380bd4418eca21d76756f9b36 Mon Sep 17 00:00:00 2001 From: HackerShark Date: Mon, 28 Nov 2022 08:45:53 -0500 Subject: [PATCH 004/100] uncommenting initial logic for SV-238198 Signed-off-by: HackerShark --- controls/SV-238198.rb | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/controls/SV-238198.rb b/controls/SV-238198.rb index 28ec3c3..592d8f1 100644 --- a/controls/SV-238198.rb +++ b/controls/SV-238198.rb @@ -120,12 +120,12 @@ tag fix_id: "F-41367r653768_fix " tag cci: ["CCI-000048"] tag nist: ["AC-8 a"] - #TOODO -# banner_text = input('banner_text') -# clean_banner = banner_text.gsub(/[\r\n\s]/, '') -# gdm3_defaults_file="/etc/gdm3/greeter.dconf-defaults" -# describe 'The SSHD Banner is set to the standard banner and has the correct text' do -# subject { file(gdm3_defaults_file).content.gsub(/[\r\n\s]/, '')} -# it { should cmp clean_banner } -# end + + banner_text = input('banner_text') + clean_banner = banner_text.gsub(/[\r\n\s]/, '') + gdm3_defaults_file="/etc/gdm3/greeter.dconf-defaults" + describe 'The SSHD Banner is set to the standard banner and has the correct text' do + subject { file(gdm3_defaults_file).content.gsub(/[\r\n\s]/, '')} + it { should cmp clean_banner } + end end \ No newline at end of file From 6b38fa977be8b35bc4554e2cb8c18781e20964ab Mon Sep 17 00:00:00 2001 From: HackerShark Date: Mon, 28 Nov 2022 12:28:27 -0500 Subject: [PATCH 005/100] changing logic to use grub config resource Signed-off-by: HackerShark --- controls/SV-238204.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/controls/SV-238204.rb b/controls/SV-238204.rb index 67b495d..7530b81 100644 --- a/controls/SV-238204.rb +++ b/controls/SV-238204.rb @@ -69,7 +69,8 @@ tag cci: ["CCI-000213"] tag nist: ["AC-3"] - describe file('/boot/grub/grub.cfg') do - its('content') { should match '^password_pbkdf2' } + + describe grub_conf('/boot/grub/grub.cfg') do + its('password') { should match '^password_pbkdf2' } end end \ No newline at end of file From 9fd9788ea47614a4378b70f45152c6ffd95f2dcb Mon Sep 17 00:00:00 2001 From: HackerShark Date: Mon, 28 Nov 2022 12:39:14 -0500 Subject: [PATCH 006/100] updating logic, putting quotes around numbers in case command line returns a number to better handle the logic loop. Using parse_config_file resource rather than file resource. Signed-off-by: HackerShark --- controls/SV-238221.rb | 2 +- controls/SV-238222.rb | 2 +- controls/SV-238223.rb | 2 +- controls/SV-238224.rb | 2 +- controls/SV-238225.rb | 2 +- controls/SV-238226.rb | 2 +- controls/SV-238227.rb | 2 +- controls/SV-238228.rb | 4 ++-- 8 files changed, 9 insertions(+), 9 deletions(-) diff --git a/controls/SV-238221.rb b/controls/SV-238221.rb index 9ec3d45..e50a589 100644 --- a/controls/SV-238221.rb +++ b/controls/SV-238221.rb @@ -42,7 +42,7 @@ if config_file_exists describe parse_config_file(config_file) do - its('ucredit') { should cmp -1 } + its('ucredit') { should cmp '-1' } end else describe (config_file + ' exists') do diff --git a/controls/SV-238222.rb b/controls/SV-238222.rb index c1f8049..4b35cbf 100644 --- a/controls/SV-238222.rb +++ b/controls/SV-238222.rb @@ -42,7 +42,7 @@ if config_file_exists describe parse_config_file(config_file) do - its('lcredit') { should cmp -1 } + its('lcredit') { should cmp '-1' } end else describe (config_file + ' exists') do diff --git a/controls/SV-238223.rb b/controls/SV-238223.rb index 647c660..65fe427 100644 --- a/controls/SV-238223.rb +++ b/controls/SV-238223.rb @@ -45,7 +45,7 @@ if config_file_exists describe parse_config_file(config_file) do - its('dcredit') { should cmp -1 } + its('dcredit') { should cmp '-1' } end else describe (config_file + ' exists') do diff --git a/controls/SV-238224.rb b/controls/SV-238224.rb index 9becedc..e0f9a86 100644 --- a/controls/SV-238224.rb +++ b/controls/SV-238224.rb @@ -49,7 +49,7 @@ if config_file_exists describe parse_config_file(config_file) do - its('difok') { should cmp >= 8 } + its('difok') { should cmp >= '8' } end else describe (config_file + ' exists') do diff --git a/controls/SV-238225.rb b/controls/SV-238225.rb index 9f6a7d2..95406f8 100644 --- a/controls/SV-238225.rb +++ b/controls/SV-238225.rb @@ -41,7 +41,7 @@ if config_file_exists describe parse_config_file(config_file) do - its('minlen') { should cmp >= 15 } + its('minlen') { should cmp >= '15' } end else describe (config_file + ' exists') do diff --git a/controls/SV-238226.rb b/controls/SV-238226.rb index ad0f057..5922411 100644 --- a/controls/SV-238226.rb +++ b/controls/SV-238226.rb @@ -45,7 +45,7 @@ if config_file_exists describe parse_config_file(config_file) do - its('ocredit') { should cmp -1 } + its('ocredit') { should cmp '-1' } end else describe (config_file + ' exists') do diff --git a/controls/SV-238227.rb b/controls/SV-238227.rb index 6ba39fb..ee374d5 100644 --- a/controls/SV-238227.rb +++ b/controls/SV-238227.rb @@ -37,7 +37,7 @@ if config_file_exists describe parse_config_file(config_file) do - its('dictcheck') { should cmp 1 } + its('dictcheck') { should cmp '1' } end else describe (config_file + ' exists') do diff --git a/controls/SV-238228.rb b/controls/SV-238228.rb index f99b6df..ac2b7fc 100644 --- a/controls/SV-238228.rb +++ b/controls/SV-238228.rb @@ -81,8 +81,8 @@ it { should be_installed } end - describe file('/etc/security/pwquality.conf') do - its('content') { should match '^enforcing\s+=\s+1$' } + describe parse_config_file('/etc/security/pwquality.conf') do + its('enforcing') { should cmp 1 } end describe file('/etc/pam.d/common-password') do From da7a4e8773a7ca7c1fa6725e273a92f87ca9a850 Mon Sep 17 00:00:00 2001 From: HackerShark Date: Wed, 30 Nov 2022 09:55:03 -0500 Subject: [PATCH 007/100] developed new controls logic for new controls. Moved config files location to inputs where it made sense. Signed-off-by: HackerShark --- controls/SV-238306.rb | 2 +- controls/SV-238321.rb | 2 +- controls/SV-238324.rb | 2 +- controls/SV-238330.rb | 2 +- controls/SV-238356.rb | 2 +- controls/SV-238357.rb | 4 ++-- controls/SV-238363.rb | 2 +- controls/SV-251503.rb | 4 ++++ controls/SV-251504.rb | 4 ++++ controls/SV-251505.rb | 8 ++++++++ controls/SV-252704.rb | 4 ++++ 11 files changed, 28 insertions(+), 8 deletions(-) diff --git a/controls/SV-238306.rb b/controls/SV-238306.rb index 1d7a379..411ab7d 100644 --- a/controls/SV-238306.rb +++ b/controls/SV-238306.rb @@ -81,7 +81,7 @@ tag cci: ["CCI-001851"] tag nist: ["AU-4 (1)"] - config_file = '/etc/audisp/plugins.d/au-remote.conf' + config_file = input('audispremote_config_file') config_file_exists = file(config_file).exist? audit_sp_remote_server= input("audit_sp_remote_server") diff --git a/controls/SV-238321.rb b/controls/SV-238321.rb index 5b05f4e..65313a8 100644 --- a/controls/SV-238321.rb +++ b/controls/SV-238321.rb @@ -40,7 +40,7 @@ tag cci: ["CCI-001851"] tag nist: ["AU-4 (1)"] - cron_file = '/etc/cron.weekly/audit-offload' + cron_file = input('auditoffload_config_file') cron_file_exists = file(cron_file).exist? if cron_file_exists diff --git a/controls/SV-238324.rb b/controls/SV-238324.rb index 5264d94..4f5c4c1 100644 --- a/controls/SV-238324.rb +++ b/controls/SV-238324.rb @@ -55,7 +55,7 @@ options = { assignment_regex: /^\s*([^:]*?)\s*\t\s*(.*?)\s*$/ } - config_file = '/etc/rsyslog.d/50-default.conf' + config_file = input('rsyslog_config_file') auth_setting = parse_config_file(config_file, options).params['auth,authpriv.*'] daemon_setting = parse_config_file(config_file, options).params['daemon.notice'] describe auth_setting do diff --git a/controls/SV-238330.rb b/controls/SV-238330.rb index 003b20e..e4f9a6b 100644 --- a/controls/SV-238330.rb +++ b/controls/SV-238330.rb @@ -44,7 +44,7 @@ tag cci: ["CCI-000795"] tag nist: ["IA-4 e"] - config_file = '/etc/default/useradd' + config_file = input('useradd_config_file') config_file_exists = file(config_file).exist? if config_file_exists diff --git a/controls/SV-238356.rb b/controls/SV-238356.rb index be2d203..cbf3730 100644 --- a/controls/SV-238356.rb +++ b/controls/SV-238356.rb @@ -76,7 +76,7 @@ if is_system_networked - chrony_conf = '/etc/chrony/chrony.conf' + chrony_conf = input('chrony_config_file') chrony_conf_exists = file(chrony_conf).exist? if chrony_conf_exists diff --git a/controls/SV-238357.rb b/controls/SV-238357.rb index 9bbc9a8..528dfbe 100644 --- a/controls/SV-238357.rb +++ b/controls/SV-238357.rb @@ -52,8 +52,8 @@ tag cci: ["CCI-002046"] tag nist: ["AU-8 (1) (b)"] - chrony_file_path = '/etc/chrony/chrony.conf' - chrony_file = file('/etc/chrony/chrony.conf') + chrony_file_path = input('chrony_config_file') + chrony_file = file(chrony_file_path) if chrony_file.exist? describe chrony_file do diff --git a/controls/SV-238363.rb b/controls/SV-238363.rb index 0fa0893..5537f8a 100644 --- a/controls/SV-238363.rb +++ b/controls/SV-238363.rb @@ -40,7 +40,7 @@ tag cci: ["CCI-002450"] tag nist: ["SC-13 b"] - config_file = '/proc/sys/crypto/fips_enabled' + config_file = input('fips_config_file') config_file_exists = file(config_file).exist? if config_file_exists diff --git a/controls/SV-251503.rb b/controls/SV-251503.rb index 04885d3..94761c0 100644 --- a/controls/SV-251503.rb +++ b/controls/SV-251503.rb @@ -28,4 +28,8 @@ tag fix_id: "F-54892r808505_fix " tag cci: ["CCI-000366"] tag nist: ["CM-6 b"] + + describe command("sudo awk -F: '!$2 {print $1}' /etc/shadow") do + its('stdout') { should be_empty } + end end \ No newline at end of file diff --git a/controls/SV-251504.rb b/controls/SV-251504.rb index 4c0baae..a4ae9a9 100644 --- a/controls/SV-251504.rb +++ b/controls/SV-251504.rb @@ -29,4 +29,8 @@ tag fix_id: "F-54893r832976_fix " tag cci: ["CCI-000366"] tag nist: ["CM-6 b"] + + describe command("grep nullok /etc/pam.d/common-password") do + its('stdout') { should be_empty } + end end \ No newline at end of file diff --git a/controls/SV-251505.rb b/controls/SV-251505.rb index ec71454..6da7473 100644 --- a/controls/SV-251505.rb +++ b/controls/SV-251505.rb @@ -51,4 +51,12 @@ tag fix_id: "F-54894r808511_fix " tag cci: ["CCI-001958"] tag nist: ["IA-3"] + + describe command('grep usb-storage /etc/modprobe.d/* | grep "/bin/true"') do + its('stdout') { should_not be_empty } + end + + describe command('grep usb-storage /etc/modprobe.d/* | grep -i "blacklist"') do + its('stdout') { should_not be_empty } + end end \ No newline at end of file diff --git a/controls/SV-252704.rb b/controls/SV-252704.rb index 5771d87..735164b 100644 --- a/controls/SV-252704.rb +++ b/controls/SV-252704.rb @@ -74,4 +74,8 @@ module with the following command: tag fix_id: "F-56110r819056_fix " tag cci: ["CCI-002418"] tag nist: ["SC-8"] + + describe command('ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename') do + its('stdout') { should be_in input('approved_wireless_interfaces')} + end end \ No newline at end of file From ca28d4219ad112baa3ca72ceb7036b57e368a686 Mon Sep 17 00:00:00 2001 From: HackerShark Date: Wed, 30 Nov 2022 09:55:25 -0500 Subject: [PATCH 008/100] added new inputs for controls Signed-off-by: HackerShark --- inspec.yml | 47 ++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 46 insertions(+), 1 deletion(-) diff --git a/inspec.yml b/inspec.yml index 030c26a..6aa62b3 100644 --- a/inspec.yml +++ b/inspec.yml @@ -16,6 +16,7 @@ inputs: description: Temporary user accounts type: Array value: [] + - name: banner_text description: Standard Mandatory DoD Notice and Consent Banner type: String @@ -32,18 +33,22 @@ inputs: -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.' + - name: sudo_accounts description: Array of users who need access to security functions are part of the sudo group. type: Array value: [ "ubuntu" ] + - name: tmout desciption: Inactivity timeouts, in seconds, after which operating system automatically terminates a user session. type: numeric value: 600 + - name: action_mail_acct description: Email to be notified when allocated audit record storage volume reaches type: string value: root + - name: audit_tools description: Audit tools type: Array @@ -56,38 +61,47 @@ inputs: '/sbin/audispd', '/sbin/augenrules' ] + - name: standard_audit_log_size description: Set audit log size in bytes (default:1073741824 per control specification) type: Numeric value: 8894028 + - name: aide_conf_path description: Path to aide.conf type: String value: '/etc/aide/aide.conf' + - name: action_mail_acct description: Email to be notified when allocated audit record storage volume reaches type: string value: root + - name: maxlogins description: Maximum number of concurrent sessions type: Numeric value: 10 + - name: is_kdump_required description: Is kdump service required? (check with SA and documented with ISSO) type: Boolean value: false + - name: is_system_networked description: Set to true if the system is networked for NTP check type: Boolean value: true + - name: sssd_conf_path description: Path to sssd.conf type: String value: '/etc/sssd/sssd.conf' + - name: allowed_ca_fingerprints_regex description: Certificate fingerprint regex for DoD PKI-established certificate authorities type: string value: (9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9) + - name: allowed_network_interfaces description: Array of allowed network interfaces (wired & wireless) type: Array @@ -95,7 +109,38 @@ inputs: 'lo', 'eth0' ] + - name: audit_sp_remote_server description: Address of the remote server receiving the audit log type: String - value: '192.0.0.1' \ No newline at end of file + value: '192.0.0.1' + + - name: approved_wireless_interfaces + description: List of approved wireless interfaces + type: array + value: [] + + - name: fips_config_file + description: Location of fips_enabled config file + type: String + value: '/proc/sys/crypto/fips_enabled' + + - name: chrony_config_file + description: Location of chrony config file + type: String + value: '/etc/chrony/chrony.conf' + + - name: useradd_config_file + description: Location of useradd config file + type: String + value: '/etc/default/useradd' + + - name: rsyslog_config_file + description: Location of rsyslog config file + type: String + value: '/etc/rsyslog.d/50-default.conf' + + - name: auditoffload_config_file + description: Location of audit offload config file + type: String + value: '/etc/cron.weekly/audit-offload' \ No newline at end of file From 14fb9a62b18dc9cd5ca3ec2909022daa73e1c5a6 Mon Sep 17 00:00:00 2001 From: HackerShark Date: Wed, 30 Nov 2022 10:03:35 -0500 Subject: [PATCH 009/100] added new inputs for controls Signed-off-by: HackerShark --- inspec.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/inspec.yml b/inspec.yml index 6aa62b3..7d60427 100644 --- a/inspec.yml +++ b/inspec.yml @@ -143,4 +143,9 @@ inputs: - name: auditoffload_config_file description: Location of audit offload config file type: String - value: '/etc/cron.weekly/audit-offload' \ No newline at end of file + value: '/etc/cron.weekly/audit-offload' + + - name: audispremote_config_file + description: Location of audisp-remote plugin config file + type: String + value: '/etc/audisp/plugins.d/au-remote.conf' \ No newline at end of file From a0906a890bffb1cc7037453f33f00b9895936c32 Mon Sep 17 00:00:00 2001 From: HackerShark Date: Wed, 30 Nov 2022 10:14:41 -0500 Subject: [PATCH 010/100] updating control logic to fix profile error Signed-off-by: HackerShark --- controls/SV-238198.rb | 16 ++++++++++++---- inspec.yml | 7 ++++++- 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/controls/SV-238198.rb b/controls/SV-238198.rb index 592d8f1..f8075d6 100644 --- a/controls/SV-238198.rb +++ b/controls/SV-238198.rb @@ -123,9 +123,17 @@ banner_text = input('banner_text') clean_banner = banner_text.gsub(/[\r\n\s]/, '') - gdm3_defaults_file="/etc/gdm3/greeter.dconf-defaults" - describe 'The SSHD Banner is set to the standard banner and has the correct text' do - subject { file(gdm3_defaults_file).content.gsub(/[\r\n\s]/, '')} - it { should cmp clean_banner } + gdm3_defaults_file = input('gdm3_config_file') + + if package('gdm3').installed? + describe 'The SSHD Banner is set to the standard banner and has the correct text' do + subject { file(gdm3_defaults_file).content.gsub(/[\r\n\s]/, '')} + it { should cmp clean_banner } + end + else + impact 0.0 + describe "Package gdm3 not installed" do + skip "Package gdm3 not installed, this control Not Applicable" + end end end \ No newline at end of file diff --git a/inspec.yml b/inspec.yml index 7d60427..08aa33a 100644 --- a/inspec.yml +++ b/inspec.yml @@ -148,4 +148,9 @@ inputs: - name: audispremote_config_file description: Location of audisp-remote plugin config file type: String - value: '/etc/audisp/plugins.d/au-remote.conf' \ No newline at end of file + value: '/etc/audisp/plugins.d/au-remote.conf' + + - name: gdm3_config_file + description: Location of gdm3 config file + type: String + value: '/etc/gdm3/greeter.dconf-defaults' \ No newline at end of file From 3310f6eb06fe6982ac3985ad4c4edd54571be5b7 Mon Sep 17 00:00:00 2001 From: HackerShark Date: Wed, 30 Nov 2022 11:48:29 -0500 Subject: [PATCH 011/100] removed miscellaneous character that was stopping control from running Signed-off-by: HackerShark --- controls/SV-238328.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/SV-238328.rb b/controls/SV-238328.rb index f90a4ad..7c75714 100644 --- a/controls/SV-238328.rb +++ b/controls/SV-238328.rb @@ -79,7 +79,7 @@ tag fix_id: "F-41497r654158_fix " tag cci: ["CCI-000382"] tag nist: ["CM-7 b"] -e + ufw_status = command('ufw status').stdout.strip.lines.first value = ufw_status.split(':')[1].strip From f4eea60bde50a0773d4229ad27366ec161afc3d9 Mon Sep 17 00:00:00 2001 From: HackerShark Date: Wed, 30 Nov 2022 12:41:16 -0500 Subject: [PATCH 012/100] fixed typo Signed-off-by: HackerShark --- inspec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inspec.yml b/inspec.yml index 08aa33a..2cc0b4b 100644 --- a/inspec.yml +++ b/inspec.yml @@ -40,7 +40,7 @@ inputs: value: [ "ubuntu" ] - name: tmout - desciption: Inactivity timeouts, in seconds, after which operating system automatically terminates a user session. + description: Inactivity timeouts, in seconds, after which operating system automatically terminates a user session. type: numeric value: 600 From 71150427bb3732c27e9f1e95879f39b12dff4f11 Mon Sep 17 00:00:00 2001 From: HackerShark Date: Wed, 30 Nov 2022 12:48:51 -0500 Subject: [PATCH 013/100] updating README Signed-off-by: HackerShark --- README.md | 149 +++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 136 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 243ef4e..b88d11f 100644 --- a/README.md +++ b/README.md @@ -1,13 +1,136 @@ -# Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide -"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." ---- -Name: Canonical_Ubuntu_20-04_LTS_STIG -Author: The Authors -Status: accepted on 2021-03-23 -Copyright: The Authors -Copyright Email: you@example.com -Version: 0.1.0 -Release: 1 Benchmark Date: 10 Mar 2021 -Reference: https://cyber.mil -Reference by: DISA -Reference source: STIG.DOD.MIL +# canonical-ubuntu-20.04-lts-stig-baseline + +InSpec profile to validate the secure configuration of Ubuntu 20.04, against [DISA](https://iase.disa.mil/stigs/)'s Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide (STIG) Version 1, Release 6. + +## Getting Started +It is intended and recommended that InSpec run this profile from a __"runner"__ host (such as a DevOps orchestration server, an administrative management system, or a developer's workstation/laptop) against the target remotely over __ssh__. + +__For the best security of the runner, always install on the runner the _latest version_ of InSpec and supporting Ruby language components.__ + +Latest versions and installation options are available at the [InSpec](http://inspec.io/) site. + +## Tailoring to Your Environment +The following inputs must be configured in an inputs ".yml" file for the profile to run correctly for your specific environment. More information about InSpec inputs can be found in the [InSpec Profile Documentation](https://www.inspec.io/docs/reference/profiles/). + +```yaml +temporary_accounts: [] +banner_text: 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + + By using this IS (which includes any device attached to this IS), you consent to the following conditions: + + -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + + -At any time, the USG may inspect and seize data stored on this IS. + + -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + + -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + + -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.' + sudo_accounts: [ "ubuntu" ] + tmout: 600 + action_mail_acct: root + audit_tools: [ + '/sbin/auditctl', + '/sbin/aureport', + '/sbin/ausearch', + '/sbin/autrace', + '/sbin/auditd', + '/sbin/audispd', + '/sbin/augenrules' + ] + standard_audit_log_size: 8894028 + aide_conf_path: '/etc/aide/aide.conf' + action_mail_acct: root + maxlogins: 10 + is_kdump_required: false + is_system_networked: true + sssd_conf_path: '/etc/sssd/sssd.conf' + allowed_ca_fingerprints_regex: (9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9) + allowed_network_interfaces: [ + 'lo', + 'eth0' + ] + audit_sp_remote_server: '192.0.0.1' + approved_wireless_interfaces: [] + fips_config_file: '/proc/sys/crypto/fips_enabled' + chrony_config_file: '/etc/chrony/chrony.conf' + useradd_config_file: '/etc/default/useradd' + rsyslog_config_file: '/etc/rsyslog.d/50-default.conf' + auditoffload_config_file: '/etc/cron.weekly/audit-offload' + audispremote_config_file: '/etc/audisp/plugins.d/au-remote.conf' + gdm3_config_file: '/etc/gdm3/greeter.dconf-defaults' +``` + +# Running This Baseline Directly from Github + +``` +# How to run +inspec exec https://github.com/mitre/canonical-ubuntu-20.04-lts-stig-baseline/archive/master.tar.gz --target=ssh:// --user= --password= --sudo --sudo-password= --input-file= --reporter=cli json: +``` + +### Different Run Options + + [Full exec options](https://docs.chef.io/inspec/cli/#options-3) + +## Running This Baseline from a local Archive copy + +If your runner is not always expected to have direct access to GitHub, use the following steps to create an archive bundle of this baseline and all of its dependent tests: + +(Git is required to clone the InSpec profile using the instructions below. Git can be downloaded from the [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) site.) + +When the __"runner"__ host uses this profile baseline for the first time, follow these steps: + +``` +mkdir profiles +cd profiles +git clone https://github.com/mitre/canonical-ubuntu-20.04-lts-stig-baseline +inspec archive canonical-ubuntu-20.04-lts-stig-baseline +inspec exec --target=ssh:// --user= --password= --sudo --sudo-password= --input-file= --reporter=cli json: +``` +For every successive run, follow these steps to always have the latest version of this baseline: + +``` +cd canonical-ubuntu-20.04-lts-stig-baseline +git pull +cd .. +inspec archive canonical-ubuntu-20.04-lts-stig-baseline --overwrite +inspec exec --target=ssh:// --user= --password= --sudo --sudo-password= --input-file= --reporter=cli json: +``` + +## Viewing the JSON Results + +The JSON results output file can be loaded into __[heimdall-lite](https://heimdall-lite.mitre.org/)__ for a user-interactive, graphical view of the InSpec results. + +The JSON InSpec results file may also be loaded into a __[full heimdall server](https://github.com/mitre/heimdall)__, allowing for additional functionality such as to store and compare multiple profile runs. + +## Authors +* + +## Special Thanks +* Mohamed El-Sharkawi - [HackerShark](https://github.com/HackerShark) + +## Contributing and Getting Help +To report a bug or feature request, please open an [issue](https://github.com/mitre/canonical-ubuntu-20.04-lts-stig-baseline/issues/new). + +### NOTICE + +© 2018-2020 The MITRE Corporation. + +Approved for Public Release; Distribution Unlimited. Case Number 18-3678. + +### NOTICE + +MITRE hereby grants express written permission to use, reproduce, distribute, modify, and otherwise leverage this software to the extent permitted by the licensed terms provided in the LICENSE.md file included with this project. + +### NOTICE + +This software was produced for the U. S. Government under Contract Number HHSM-500-2012-00008I, and is subject to Federal Acquisition Regulation Clause 52.227-14, Rights in Data-General. + +No other use other than that granted to the U. S. Government, or to those acting on behalf of the U. S. Government under that Clause is authorized without the express written permission of The MITRE Corporation. + +For further information, please contact The MITRE Corporation, Contracts Management Office, 7515 Colshire Drive, McLean, VA 22102-7539, (703) 983-6000. + +### NOTICE + +DISA STIGs are published by DISA IASE, see: https://iase.disa.mil/Pages/privacy_policy.aspx From 77ae270ebcc06fb9f15692bfdc3b7b501958fe08 Mon Sep 17 00:00:00 2001 From: HackerShark Date: Wed, 30 Nov 2022 12:57:36 -0500 Subject: [PATCH 014/100] fixed linting issues Signed-off-by: HackerShark --- controls/SV-238196.rb | 96 +++++++------- controls/SV-238197.rb | 190 ++++++++++++++------------- controls/SV-238198.rb | 240 +++++++++++++++++----------------- controls/SV-238199.rb | 98 +++++++------- controls/SV-238200.rb | 58 ++++----- controls/SV-238201.rb | 56 ++++---- controls/SV-238202.rb | 56 ++++---- controls/SV-238203.rb | 54 ++++---- controls/SV-238204.rb | 127 +++++++++--------- controls/SV-238205.rb | 72 +++++----- controls/SV-238206.rb | 88 ++++++------- controls/SV-238207.rb | 128 +++++++++--------- controls/SV-238208.rb | 50 ++++--- controls/SV-238209.rb | 68 +++++----- controls/SV-238210.rb | 102 +++++++-------- controls/SV-238211.rb | 60 +++++---- controls/SV-238212.rb | 96 +++++++------- controls/SV-238213.rb | 82 ++++++------ controls/SV-238214.rb | 296 +++++++++++++++++++++--------------------- controls/SV-238215.rb | 134 ++++++++++--------- controls/SV-238216.rb | 106 ++++++++------- controls/SV-238217.rb | 120 +++++++++-------- controls/SV-238218.rb | 64 +++++---- controls/SV-238219.rb | 90 +++++++------ controls/SV-238220.rb | 68 +++++----- controls/SV-238221.rb | 66 +++++----- controls/SV-238222.rb | 66 +++++----- controls/SV-238223.rb | 74 +++++------ controls/SV-238224.rb | 82 ++++++------ controls/SV-238225.rb | 54 ++++---- controls/SV-238226.rb | 72 +++++----- controls/SV-238227.rb | 58 ++++----- controls/SV-238228.rb | 146 ++++++++++----------- controls/SV-238229.rb | 124 +++++++++--------- controls/SV-238230.rb | 98 +++++++------- controls/SV-238231.rb | 72 +++++----- controls/SV-238232.rb | 70 +++++----- controls/SV-238233.rb | 76 ++++++----- controls/SV-238234.rb | 48 ++++--- controls/SV-238235.rb | 68 +++++----- controls/SV-238236.rb | 146 ++++++++++----------- controls/SV-238237.rb | 58 ++++----- controls/SV-238238.rb | 100 +++++++------- controls/SV-238239.rb | 98 +++++++------- controls/SV-238240.rb | 98 +++++++------- controls/SV-238241.rb | 98 +++++++------- controls/SV-238242.rb | 100 +++++++------- controls/SV-238243.rb | 100 +++++++------- controls/SV-238244.rb | 106 ++++++++------- controls/SV-238245.rb | 98 +++++++------- controls/SV-238246.rb | 94 +++++++------- controls/SV-238247.rb | 82 ++++++------ controls/SV-238248.rb | 112 ++++++++-------- controls/SV-238249.rb | 98 +++++++------- controls/SV-238250.rb | 118 +++++++++-------- controls/SV-238251.rb | 98 +++++++------- controls/SV-238252.rb | 92 +++++++------ controls/SV-238253.rb | 94 +++++++------- controls/SV-238254.rb | 94 +++++++------- controls/SV-238255.rb | 94 +++++++------- controls/SV-238256.rb | 94 +++++++------- controls/SV-238257.rb | 96 +++++++------- controls/SV-238258.rb | 166 ++++++++++++----------- controls/SV-238264.rb | 128 +++++++++--------- controls/SV-238268.rb | 126 +++++++++--------- controls/SV-238271.rb | 160 +++++++++++------------ controls/SV-238277.rb | 92 +++++++------ controls/SV-238278.rb | 94 +++++++------- controls/SV-238279.rb | 94 +++++++------- controls/SV-238280.rb | 94 +++++++------- controls/SV-238281.rb | 92 +++++++------ controls/SV-238282.rb | 94 +++++++------- controls/SV-238283.rb | 92 +++++++------ controls/SV-238284.rb | 94 +++++++------- controls/SV-238285.rb | 92 +++++++------ controls/SV-238286.rb | 92 +++++++------ controls/SV-238287.rb | 92 +++++++------ controls/SV-238288.rb | 96 +++++++------- controls/SV-238289.rb | 92 +++++++------ controls/SV-238290.rb | 94 +++++++------- controls/SV-238291.rb | 94 +++++++------- controls/SV-238292.rb | 94 +++++++------- controls/SV-238293.rb | 94 +++++++------- controls/SV-238294.rb | 96 +++++++------- controls/SV-238295.rb | 122 +++++++++-------- controls/SV-238297.rb | 112 ++++++++-------- controls/SV-238298.rb | 158 +++++++++++----------- controls/SV-238299.rb | 74 +++++------ controls/SV-238300.rb | 94 +++++++------- controls/SV-238301.rb | 94 +++++++------- controls/SV-238302.rb | 98 +++++++------- controls/SV-238303.rb | 148 +++++++++++---------- controls/SV-238304.rb | 128 +++++++++--------- controls/SV-238305.rb | 154 +++++++++++----------- controls/SV-238306.rb | 154 +++++++++++----------- controls/SV-238307.rb | 138 ++++++++++---------- controls/SV-238308.rb | 54 ++++---- controls/SV-238309.rb | 130 +++++++++---------- controls/SV-238310.rb | 134 ++++++++++--------- controls/SV-238315.rb | 98 +++++++------- controls/SV-238316.rb | 98 +++++++------- controls/SV-238317.rb | 98 +++++++------- controls/SV-238318.rb | 84 ++++++------ controls/SV-238319.rb | 88 ++++++------- controls/SV-238320.rb | 98 +++++++------- controls/SV-238321.rb | 72 +++++----- controls/SV-238323.rb | 76 ++++++----- controls/SV-238324.rb | 94 +++++++------- controls/SV-238325.rb | 62 +++++---- controls/SV-238326.rb | 42 +++--- controls/SV-238327.rb | 66 +++++----- controls/SV-238328.rb | 150 +++++++++++---------- controls/SV-238329.rb | 94 +++++++------- controls/SV-238330.rb | 82 ++++++------ controls/SV-238331.rb | 80 ++++++------ controls/SV-238332.rb | 86 ++++++------ controls/SV-238333.rb | 88 ++++++------- controls/SV-238334.rb | 64 +++++---- controls/SV-238335.rb | 124 +++++++++--------- controls/SV-238336.rb | 77 ++++++----- controls/SV-238337.rb | 74 +++++------ controls/SV-238338.rb | 62 +++++---- controls/SV-238339.rb | 64 +++++---- controls/SV-238340.rb | 66 +++++----- controls/SV-238341.rb | 62 +++++---- controls/SV-238342.rb | 60 +++++---- controls/SV-238343.rb | 66 +++++----- controls/SV-238344.rb | 96 +++++++------- controls/SV-238345.rb | 92 +++++++------ controls/SV-238346.rb | 96 +++++++------- controls/SV-238347.rb | 72 +++++----- controls/SV-238348.rb | 72 +++++----- controls/SV-238349.rb | 78 ++++++----- controls/SV-238350.rb | 78 ++++++----- controls/SV-238351.rb | 78 ++++++----- controls/SV-238352.rb | 78 ++++++----- controls/SV-238353.rb | 120 +++++++++-------- controls/SV-238354.rb | 80 ++++++------ controls/SV-238355.rb | 98 +++++++------- controls/SV-238356.rb | 142 ++++++++++---------- controls/SV-238357.rb | 98 +++++++------- controls/SV-238358.rb | 78 ++++++----- controls/SV-238359.rb | 98 +++++++------- controls/SV-238360.rb | 132 ++++++++++--------- controls/SV-238361.rb | 68 +++++----- controls/SV-238362.rb | 70 +++++----- controls/SV-238363.rb | 72 +++++----- controls/SV-238364.rb | 104 ++++++++------- controls/SV-238365.rb | 124 +++++++++--------- controls/SV-238366.rb | 122 +++++++++-------- controls/SV-238367.rb | 142 ++++++++++---------- controls/SV-238368.rb | 78 ++++++----- controls/SV-238369.rb | 104 ++++++++------- controls/SV-238370.rb | 66 +++++----- controls/SV-238371.rb | 76 ++++++----- controls/SV-238372.rb | 70 +++++----- controls/SV-238373.rb | 74 +++++------ controls/SV-238374.rb | 70 +++++----- controls/SV-238376.rb | 90 +++++++------ controls/SV-238377.rb | 90 +++++++------ controls/SV-238378.rb | 92 +++++++------ controls/SV-238379.rb | 50 ++++--- controls/SV-238380.rb | 48 ++++--- controls/SV-251503.rb | 36 +++-- controls/SV-251504.rb | 42 +++--- controls/SV-251505.rb | 50 ++++--- controls/SV-252704.rb | 146 ++++++++++----------- 167 files changed, 7702 insertions(+), 8038 deletions(-) diff --git a/controls/SV-238196.rb b/controls/SV-238196.rb index 808d44e..65e98ae 100644 --- a/controls/SV-238196.rb +++ b/controls/SV-238196.rb @@ -1,57 +1,55 @@ -# encoding: UTF-8 - -control "SV-238196" do - title "The Ubuntu operating system must provision temporary user accounts with an expiration time +control 'SV-238196' do + title "The Ubuntu operating system must provision temporary user accounts with an expiration time of 72 hours or less. " - desc "If temporary user accounts remain active when no longer needed or for an excessive period, -these accounts may be used to gain unauthorized access. To mitigate this risk, automated -termination of all temporary accounts must be set upon account creation. - -Temporary -accounts are established as part of normal account activation procedures when there is a need -for short-term accounts without the demand for immediacy in account activation. - -If -temporary accounts are used, the operating system must be configured to automatically -terminate these types of accounts after a DoD-defined time period of 72 hours. - -To address -access requirements, many operating systems may be integrated with enterprise-level + desc "If temporary user accounts remain active when no longer needed or for an excessive period, +these accounts may be used to gain unauthorized access. To mitigate this risk, automated +termination of all temporary accounts must be set upon account creation. + +Temporary +accounts are established as part of normal account activation procedures when there is a need +for short-term accounts without the demand for immediacy in account activation. + +If +temporary accounts are used, the operating system must be configured to automatically +terminate these types of accounts after a DoD-defined time period of 72 hours. + +To address +access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. " - desc "check", "Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or -less. - -For every existing temporary account, run the following command to obtain its -account expiration information: - -$ sudo chage -l system_account_name | grep expires - + desc 'check', "Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or +less. + +For every existing temporary account, run the following command to obtain its +account expiration information: + +$ sudo chage -l system_account_name | grep expires -Password expires : Aug 07, 2019 -Account expires : Aug 07, 2019 - -Verify that each of these -accounts has an expiration date set within 72 hours of account creation. - -If any temporary + +Password expires : Aug 07, 2019 +Account expires : Aug 07, 2019 + +Verify that each of these +accounts has an expiration date set within 72 hours of account creation. + +If any temporary account does not expire within 72 hours of that account's creation, this is a finding. " - desc "fix", "If a temporary account must be created, configure the system to terminate the account after a -72-hour time period with the following command to set an expiration date on it. - -Substitute -\"system_account_name\" with the account to be created. - -$ sudo chage -E $(date -d \"+3 days\" + desc 'fix', "If a temporary account must be created, configure the system to terminate the account after a +72-hour time period with the following command to set an expiration date on it. + +Substitute +\"system_account_name\" with the account to be created. + +$ sudo chage -E $(date -d \"+3 days\" +%F) system_account_name " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000002-GPOS-00002 " - tag gid: "V-238196 " - tag rid: "SV-238196r653763_rule " - tag stig_id: "UBTU-20-010000 " - tag fix_id: "F-41365r653762_fix " - tag cci: ["CCI-000016"] - tag nist: ["AC-2 (2)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000002-GPOS-00002 ' + tag gid: 'V-238196 ' + tag rid: 'SV-238196r653763_rule ' + tag stig_id: 'UBTU-20-010000 ' + tag fix_id: 'F-41365r653762_fix ' + tag cci: ['CCI-000016'] + tag nist: ['AC-2 (2)'] temporary_accounts = input('temporary_accounts') @@ -67,4 +65,4 @@ end end end -end \ No newline at end of file +end diff --git a/controls/SV-238197.rb b/controls/SV-238197.rb index be927ac..fbd6302 100644 --- a/controls/SV-238197.rb +++ b/controls/SV-238197.rb @@ -1,111 +1,109 @@ -# encoding: UTF-8 - -control "SV-238197" do - title "The Ubuntu operating system must enable the graphical user logon banner to display the -Standard Mandatory DoD Notice and Consent Banner before granting local access to the system +control 'SV-238197' do + title "The Ubuntu operating system must enable the graphical user logon banner to display the +Standard Mandatory DoD Notice and Consent Banner before granting local access to the system via a graphical user logon. " - desc "Display of a standardized and approved use notification before granting access to the Ubuntu -operating system ensures privacy and security notification verbiage used is consistent -with applicable federal laws, Executive Orders, directives, policies, regulations, -standards, and guidance. - -System use notifications are required only for access via logon -interfaces with human users and are not required when such human interfaces do not exist. - - -The banner must be formatted in accordance with applicable DoD policy. Use the following -verbiage for operating systems that can accommodate banners of 1300 characters: - -\"You are -accessing a U.S. Government (USG) Information System (IS) that is provided for -USG-authorized use only. - -By using this IS (which includes any device attached to this IS), -you consent to the following conditions: - --The USG routinely intercepts and monitors -communications on this IS for purposes including, but not limited to, penetration testing, -COMSEC monitoring, network operations and defense, personnel misconduct (PM), law -enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may -inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS -are not private, are subject to routine monitoring, interception, and search, and may be -disclosed or used for any USG-authorized purpose. - --This IS includes security measures -(e.g., authentication and access controls) to protect USG interests--not for your personal -benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent -to PM, LE or CI investigative searching or monitoring of the content of privileged -communications, or work product, related to personal representation or services by -attorneys, psychotherapists, or clergy, and their assistants. Such communications and -work product are private and confidential. See User Agreement for details.\" - -Use the -following verbiage for operating systems that have severe limitations on the number of -characters that can be displayed in the banner: - -\"I've read & consent to terms in IS user + desc "Display of a standardized and approved use notification before granting access to the Ubuntu +operating system ensures privacy and security notification verbiage used is consistent +with applicable federal laws, Executive Orders, directives, policies, regulations, +standards, and guidance. + +System use notifications are required only for access via logon +interfaces with human users and are not required when such human interfaces do not exist. + + +The banner must be formatted in accordance with applicable DoD policy. Use the following +verbiage for operating systems that can accommodate banners of 1300 characters: + +\"You are +accessing a U.S. Government (USG) Information System (IS) that is provided for +USG-authorized use only. + +By using this IS (which includes any device attached to this IS), +you consent to the following conditions: + +-The USG routinely intercepts and monitors +communications on this IS for purposes including, but not limited to, penetration testing, +COMSEC monitoring, network operations and defense, personnel misconduct (PM), law +enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may +inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS +are not private, are subject to routine monitoring, interception, and search, and may be +disclosed or used for any USG-authorized purpose. + +-This IS includes security measures +(e.g., authentication and access controls) to protect USG interests--not for your personal +benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent +to PM, LE or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services by +attorneys, psychotherapists, or clergy, and their assistants. Such communications and +work product are private and confidential. See User Agreement for details.\" + +Use the +following verbiage for operating systems that have severe limitations on the number of +characters that can be displayed in the banner: + +\"I've read & consent to terms in IS user agreem't.\" " - desc "check", "Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD -Notice and Consent Banner before granting access to the operating system via a graphical user -logon. - -Note: If the system does not have a graphical user interface installed, this -requirement is Not Applicable. - -Check that the operating banner message for the graphical -user logon is enabled with the following command: - -$ grep ^banner-message-enable -/etc/gdm3/greeter.dconf-defaults - -banner-message-enable=true - -If the line is + desc 'check', "Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD +Notice and Consent Banner before granting access to the operating system via a graphical user +logon. + +Note: If the system does not have a graphical user interface installed, this +requirement is Not Applicable. + +Check that the operating banner message for the graphical +user logon is enabled with the following command: + +$ grep ^banner-message-enable +/etc/gdm3/greeter.dconf-defaults + +banner-message-enable=true + +If the line is commented out or set to \"false\", this is a finding. " - desc "fix", "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file. - -Look for the -\"banner-message-enable\" parameter under the \"[org/gnome/login-screen]\" section and -uncomment it (remove the leading \"#\" characters): - -Note: The lines are all near the bottom of -the file but not adjacent to each other. - -[org/gnome/login-screen] - - -banner-message-enable=true - -Update the GDM with the new configuration: - -$ sudo dconf -update + desc 'fix', "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file. + +Look for the +\"banner-message-enable\" parameter under the \"[org/gnome/login-screen]\" section and +uncomment it (remove the leading \"#\" characters): + +Note: The lines are all near the bottom of +the file but not adjacent to each other. + +[org/gnome/login-screen] + + +banner-message-enable=true + +Update the GDM with the new configuration: + +$ sudo dconf +update $ sudo systemctl restart gdm3 " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000023-GPOS-00006 " - tag gid: "V-238197 " - tag rid: "SV-238197r653766_rule " - tag stig_id: "UBTU-20-010002 " - tag fix_id: "F-41366r653765_fix " - tag cci: ["CCI-000048"] - tag nist: ["AC-8 a"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000023-GPOS-00006 ' + tag gid: 'V-238197 ' + tag rid: 'SV-238197r653766_rule ' + tag stig_id: 'UBTU-20-010002 ' + tag fix_id: 'F-41366r653765_fix ' + tag cci: ['CCI-000048'] + tag nist: ['AC-8 a'] xorg_status = command('which Xorg').exit_status if xorg_status == 0 describe 'banner-message-enable must be set to true' do - subject { command('grep banner-message-enable /etc/dconf/db/local.d/*') } - its('stdout') { should match /(banner-message-enable).+=.+(true)/ } + subject { command('grep banner-message-enable /etc/dconf/db/local.d/*') } + its('stdout') { should match /(banner-message-enable).+=.+(true)/ } end else describe command('which Xorg').exit_status do skip("GUI not installed.\nwhich Xorg exit_status: " + command('which Xorg').exit_status.to_s) end end -end \ No newline at end of file +end diff --git a/controls/SV-238198.rb b/controls/SV-238198.rb index f8075d6..8e982a8 100644 --- a/controls/SV-238198.rb +++ b/controls/SV-238198.rb @@ -1,125 +1,123 @@ -# encoding: UTF-8 - -control "SV-238198" do - title "The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent +control 'SV-238198' do + title "The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local access to the system via a graphical user logon. " - desc "Display of a standardized and approved use notification before granting access to the Ubuntu -operating system ensures privacy and security notification verbiage used is consistent -with applicable federal laws, Executive Orders, directives, policies, regulations, -standards, and guidance. - -System use notifications are required only for access via logon -interfaces with human users and are not required when such human interfaces do not exist. - - -The banner must be formatted in accordance with applicable DoD policy. Use the following -verbiage for operating systems that can accommodate banners of 1300 characters: - -\"You are -accessing a U.S. Government (USG) Information System (IS) that is provided for -USG-authorized use only. - -By using this IS (which includes any device attached to this IS), -you consent to the following conditions: - --The USG routinely intercepts and monitors -communications on this IS for purposes including, but not limited to, penetration testing, -COMSEC monitoring, network operations and defense, personnel misconduct (PM), law -enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may -inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS -are not private, are subject to routine monitoring, interception, and search, and may be -disclosed or used for any USG-authorized purpose. - --This IS includes security measures -(e.g., authentication and access controls) to protect USG interests--not for your personal -benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent -to PM, LE or CI investigative searching or monitoring of the content of privileged -communications, or work product, related to personal representation or services by -attorneys, psychotherapists, or clergy, and their assistants. Such communications and -work product are private and confidential. See User Agreement for details.\" - -Use the -following verbiage for operating systems that have severe limitations on the number of -characters that can be displayed in the banner: - -\"I've read & consent to terms in IS user + desc "Display of a standardized and approved use notification before granting access to the Ubuntu +operating system ensures privacy and security notification verbiage used is consistent +with applicable federal laws, Executive Orders, directives, policies, regulations, +standards, and guidance. + +System use notifications are required only for access via logon +interfaces with human users and are not required when such human interfaces do not exist. + + +The banner must be formatted in accordance with applicable DoD policy. Use the following +verbiage for operating systems that can accommodate banners of 1300 characters: + +\"You are +accessing a U.S. Government (USG) Information System (IS) that is provided for +USG-authorized use only. + +By using this IS (which includes any device attached to this IS), +you consent to the following conditions: + +-The USG routinely intercepts and monitors +communications on this IS for purposes including, but not limited to, penetration testing, +COMSEC monitoring, network operations and defense, personnel misconduct (PM), law +enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may +inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS +are not private, are subject to routine monitoring, interception, and search, and may be +disclosed or used for any USG-authorized purpose. + +-This IS includes security measures +(e.g., authentication and access controls) to protect USG interests--not for your personal +benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent +to PM, LE or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services by +attorneys, psychotherapists, or clergy, and their assistants. Such communications and +work product are private and confidential. See User Agreement for details.\" + +Use the +following verbiage for operating systems that have severe limitations on the number of +characters that can be displayed in the banner: + +\"I've read & consent to terms in IS user agreem't.\" " - desc "check", "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent -Banner before granting access to the operating system via a graphical user logon. - -Note: If -the system does not have a graphical user interface installed, this requirement is Not -Applicable. - -Verify the operating system displays the exact approved Standard Mandatory -DoD Notice and Consent Banner text with the command: - -$ grep ^banner-message-text -/etc/gdm3/greeter.dconf-defaults - -banner-message-text=\"You are accessing a U.S. -Government \\(USG\\) Information System \\(IS\\) that is provided for USG-authorized use -only.\\s+By using this IS \\(which includes any device attached to this IS\\), you consent to the -following conditions:\\s+-The USG routinely intercepts and monitors communications on -this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, -network operations and defense, personnel misconduct \\(PM\\), law enforcement \\(LE\\), and -counterintelligence \\(CI\\) investigations.\\s+-At any time, the USG may inspect and seize -data stored on this IS.\\s+-Communications using, or data stored on, this IS are not private, -are subject to routine monitoring, interception, and search, and may be disclosed or used for -any USG-authorized purpose.\\s+-This IS includes security measures \\(e.g., -authentication and access controls\\) to protect USG interests--not for your personal -benefit or privacy.\\s+-Notwithstanding the above, using this IS does not constitute -consent to PM, LE or CI investigative searching or monitoring of the content of privileged -communications, or work product, related to personal representation or services by -attorneys, psychotherapists, or clergy, and their assistants. Such communications and -work product are private and confidential. See User Agreement for details.\" - -If the -banner-message-text is missing, commented out, or does not match the Standard Mandatory DoD + desc 'check', "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent +Banner before granting access to the operating system via a graphical user logon. + +Note: If +the system does not have a graphical user interface installed, this requirement is Not +Applicable. + +Verify the operating system displays the exact approved Standard Mandatory +DoD Notice and Consent Banner text with the command: + +$ grep ^banner-message-text +/etc/gdm3/greeter.dconf-defaults + +banner-message-text=\"You are accessing a U.S. +Government \\(USG\\) Information System \\(IS\\) that is provided for USG-authorized use +only.\\s+By using this IS \\(which includes any device attached to this IS\\), you consent to the +following conditions:\\s+-The USG routinely intercepts and monitors communications on +this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, +network operations and defense, personnel misconduct \\(PM\\), law enforcement \\(LE\\), and +counterintelligence \\(CI\\) investigations.\\s+-At any time, the USG may inspect and seize +data stored on this IS.\\s+-Communications using, or data stored on, this IS are not private, +are subject to routine monitoring, interception, and search, and may be disclosed or used for +any USG-authorized purpose.\\s+-This IS includes security measures \\(e.g., +authentication and access controls\\) to protect USG interests--not for your personal +benefit or privacy.\\s+-Notwithstanding the above, using this IS does not constitute +consent to PM, LE or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services by +attorneys, psychotherapists, or clergy, and their assistants. Such communications and +work product are private and confidential. See User Agreement for details.\" + +If the +banner-message-text is missing, commented out, or does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding. " - desc "fix", "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file. - -Set the \"banner-message-text\" line -to contain the appropriate banner message text as shown below: - -banner-message-text='You -are accessing a U.S. Government (USG) Information System (IS) that is provided for -USG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this -IS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and -monitors communications on this IS for purposes including, but not limited to, penetration -testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), -law enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the -USG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored -on, this IS are not private, are subject to routine monitoring, interception, and search, and -may be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security -measures (e.g., authentication and access controls) to protect USG interests--not for your -personal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not -constitute consent to PM, LE or CI investigative searching or monitoring of the content of -privileged communications, or work product, related to personal representation or -services by attorneys, psychotherapists, or clergy, and their assistants. Such -communications and work product are private and confidential. See User Agreement for -details.' - -Update the GDM with the new configuration: - -$ sudo dconf update -$ sudo + desc 'fix', "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file. + +Set the \"banner-message-text\" line +to contain the appropriate banner message text as shown below: + +banner-message-text='You +are accessing a U.S. Government (USG) Information System (IS) that is provided for +USG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this +IS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and +monitors communications on this IS for purposes including, but not limited to, penetration +testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), +law enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the +USG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored +on, this IS are not private, are subject to routine monitoring, interception, and search, and +may be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security +measures (e.g., authentication and access controls) to protect USG interests--not for your +personal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not +constitute consent to PM, LE or CI investigative searching or monitoring of the content of +privileged communications, or work product, related to personal representation or +services by attorneys, psychotherapists, or clergy, and their assistants. Such +communications and work product are private and confidential. See User Agreement for +details.' + +Update the GDM with the new configuration: + +$ sudo dconf update +$ sudo systemctl restart gdm3 " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000023-GPOS-00006 " - tag gid: "V-238198 " - tag rid: "SV-238198r653769_rule " - tag stig_id: "UBTU-20-010003 " - tag fix_id: "F-41367r653768_fix " - tag cci: ["CCI-000048"] - tag nist: ["AC-8 a"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000023-GPOS-00006 ' + tag gid: 'V-238198 ' + tag rid: 'SV-238198r653769_rule ' + tag stig_id: 'UBTU-20-010003 ' + tag fix_id: 'F-41367r653768_fix ' + tag cci: ['CCI-000048'] + tag nist: ['AC-8 a'] banner_text = input('banner_text') clean_banner = banner_text.gsub(/[\r\n\s]/, '') @@ -127,13 +125,13 @@ if package('gdm3').installed? describe 'The SSHD Banner is set to the standard banner and has the correct text' do - subject { file(gdm3_defaults_file).content.gsub(/[\r\n\s]/, '')} + subject { file(gdm3_defaults_file).content.gsub(/[\r\n\s]/, '') } it { should cmp clean_banner } end else impact 0.0 - describe "Package gdm3 not installed" do - skip "Package gdm3 not installed, this control Not Applicable" + describe 'Package gdm3 not installed' do + skip 'Package gdm3 not installed, this control Not Applicable' end end -end \ No newline at end of file +end diff --git a/controls/SV-238199.rb b/controls/SV-238199.rb index df20703..3d6875a 100644 --- a/controls/SV-238199.rb +++ b/controls/SV-238199.rb @@ -1,67 +1,65 @@ -# encoding: UTF-8 - -control "SV-238199" do - title "The Ubuntu operating system must retain a user's session lock until that user reestablishes +control 'SV-238199' do + title "The Ubuntu operating system must retain a user's session lock until that user reestablishes access using established identification and authentication procedures. " - desc "A session lock is a temporary action taken when a user stops work and moves away from the -immediate physical vicinity of the information system but does not want to log out because of -the temporary nature of the absence. - -The session lock is implemented at the point where -session activity can be determined. - -Regardless of where the session lock is determined and -implemented, once invoked, a session lock of the Ubuntu operating system must remain in place -until the user reauthenticates. No other activity aside from reauthentication must unlock + desc "A session lock is a temporary action taken when a user stops work and moves away from the +immediate physical vicinity of the information system but does not want to log out because of +the temporary nature of the absence. + +The session lock is implemented at the point where +session activity can be determined. + +Regardless of where the session lock is determined and +implemented, once invoked, a session lock of the Ubuntu operating system must remain in place +until the user reauthenticates. No other activity aside from reauthentication must unlock the system. " - desc "check", "Verify the Ubuntu operation system has a graphical user interface session lock enabled. - + desc 'check', "Verify the Ubuntu operation system has a graphical user interface session lock enabled. + + +Note: If the Ubuntu operating system does not have a graphical user interface installed, +this requirement is Not Applicable. + +Get the \"lock-enabled\" setting to verify the +graphical user interface session has the lock enabled with the following command: -Note: If the Ubuntu operating system does not have a graphical user interface installed, -this requirement is Not Applicable. - -Get the \"lock-enabled\" setting to verify the -graphical user interface session has the lock enabled with the following command: - -$ sudo -gsettings get org.gnome.desktop.screensaver lock-enabled - - true - -If \"lock-enabled\" is +$ sudo +gsettings get org.gnome.desktop.screensaver lock-enabled + + true + +If \"lock-enabled\" is not set to \"true\", this is a finding. " - desc "fix", "Configure the Ubuntu operating system to allow a user to lock the current graphical user -interface session. - -Note: If the Ubuntu operating system does not have a graphical user -interface installed, this requirement is Not Applicable. - -Set the \"lock-enabled\" setting -to allow graphical user interface session locks with the following command: - -$ sudo + desc 'fix', "Configure the Ubuntu operating system to allow a user to lock the current graphical user +interface session. + +Note: If the Ubuntu operating system does not have a graphical user +interface installed, this requirement is Not Applicable. + +Set the \"lock-enabled\" setting +to allow graphical user interface session locks with the following command: + +$ sudo gsettings set org.gnome.desktop.screensaver lock-enabled true " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000028-GPOS-00009 " - tag satisfies: ["SRG-OS-000028-GPOS-00009","SRG-OS-000029-GPOS-00010"] - tag gid: "V-238199 " - tag rid: "SV-238199r653772_rule " - tag stig_id: "UBTU-20-010004 " - tag fix_id: "F-41368r653771_fix " - tag cci: ["CCI-000056","CCI-000057"] - tag nist: ["AC-11 b","AC-11 a"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000028-GPOS-00009 ' + tag satisfies: %w(SRG-OS-000028-GPOS-00009 SRG-OS-000029-GPOS-00010) + tag gid: 'V-238199 ' + tag rid: 'SV-238199r653772_rule ' + tag stig_id: 'UBTU-20-010004 ' + tag fix_id: 'F-41368r653771_fix ' + tag cci: %w(CCI-000056 CCI-000057) + tag nist: ['AC-11 b', 'AC-11 a'] xorg_status = command('which Xorg').exit_status if xorg_status == 0 describe command('gsettings get org.gnome.desktop.screensaver lock-enabled') do - its('stdout') { should cmp 'true'} - end + its('stdout') { should cmp 'true' } + end else describe command('which Xorg').exit_status do skip("GUI not installed.\nwhich Xorg exit_status: " + command('which Xorg').exit_status.to_s) end end -end \ No newline at end of file +end diff --git a/controls/SV-238200.rb b/controls/SV-238200.rb index d9ee217..4957365 100644 --- a/controls/SV-238200.rb +++ b/controls/SV-238200.rb @@ -1,41 +1,39 @@ -# encoding: UTF-8 - -control "SV-238200" do - title "The Ubuntu operating system must allow users to directly initiate a session lock for all +control 'SV-238200' do + title "The Ubuntu operating system must allow users to directly initiate a session lock for all connection types. " - desc "A session lock is a temporary action taken when a user stops work and moves away from the -immediate physical vicinity of the information system but does not want to log out because of -the temporary nature of the absence. - -The session lock is implemented at the point where -session activity can be determined. Rather than be forced to wait for a period of time to expire -before the user session can be locked, the Ubuntu operating systems need to provide users with -the ability to manually invoke a session lock so users may secure their session if they need to + desc "A session lock is a temporary action taken when a user stops work and moves away from the +immediate physical vicinity of the information system but does not want to log out because of +the temporary nature of the absence. + +The session lock is implemented at the point where +session activity can be determined. Rather than be forced to wait for a period of time to expire +before the user session can be locked, the Ubuntu operating systems need to provide users with +the ability to manually invoke a session lock so users may secure their session if they need to temporarily vacate the immediate physical vicinity. " - desc "check", "Verify the Ubuntu operating system has the \"vlock\" package installed by running the -following command: - -$ dpkg -l | grep vlock - + desc 'check', "Verify the Ubuntu operating system has the \"vlock\" package installed by running the +following command: + +$ dpkg -l | grep vlock + If \"vlock\" is not installed, this is a finding. " - desc "fix", "Install the \"vlock\" package (if it is not already installed) by running the following -command: - + desc 'fix', "Install the \"vlock\" package (if it is not already installed) by running the following +command: + $ sudo apt-get install vlock " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000030-GPOS-00011 " - tag satisfies: ["SRG-OS-000030-GPOS-00011","SRG-OS-000031-GPOS-00012"] - tag gid: "V-238200 " - tag rid: "SV-238200r653775_rule " - tag stig_id: "UBTU-20-010005 " - tag fix_id: "F-41369r653774_fix " - tag cci: ["CCI-000058","CCI-000060"] - tag nist: ["AC-11 a","AC-11 (1)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000030-GPOS-00011 ' + tag satisfies: %w(SRG-OS-000030-GPOS-00011 SRG-OS-000031-GPOS-00012) + tag gid: 'V-238200 ' + tag rid: 'SV-238200r653775_rule ' + tag stig_id: 'UBTU-20-010005 ' + tag fix_id: 'F-41369r653774_fix ' + tag cci: %w(CCI-000058 CCI-000060) + tag nist: ['AC-11 a', 'AC-11 (1)'] describe package('vlock') do it { should be_installed } end -end \ No newline at end of file +end diff --git a/controls/SV-238201.rb b/controls/SV-238201.rb index b84d519..cd90abd 100644 --- a/controls/SV-238201.rb +++ b/controls/SV-238201.rb @@ -1,36 +1,34 @@ -# encoding: UTF-8 - -control "SV-238201" do - title "The Ubuntu operating system must map the authenticated identity to the user or group account +control 'SV-238201' do + title "The Ubuntu operating system must map the authenticated identity to the user or group account for PKI-based authentication. " - desc "Without mapping the certificate used to authenticate to the user account, the ability to -determine the identity of the individual user or group will not be available for forensic + desc "Without mapping the certificate used to authenticate to the user account, the ability to +determine the identity of the individual user or group will not be available for forensic analysis. " - desc "check", "Verify that \"use_mappers\" is set to \"pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" file: - + desc 'check', "Verify that \"use_mappers\" is set to \"pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" file: + -$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf -use_mappers = pwent - -If +$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf +use_mappers = pwent + +If \"use_mappers\" is not found or the list does not contain \"pwent\" this is a finding. " - desc "fix", "Set \"use_mappers=pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" or, if there is already a -comma-separated list of mappers, add it to the list, separated by comma, and before the null -mapper. - -If the system is missing an \"/etc/pam_pkcs11/\" directory and an -\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify -accordingly at + desc 'fix', "Set \"use_mappers=pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" or, if there is already a +comma-separated list of mappers, add it to the list, separated by comma, and before the null +mapper. + +If the system is missing an \"/etc/pam_pkcs11/\" directory and an +\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify +accordingly at \"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\". " impact 0.7 - tag severity: "high " - tag gtitle: "SRG-OS-000068-GPOS-00036 " - tag gid: "V-238201 " - tag rid: "SV-238201r832933_rule " - tag stig_id: "UBTU-20-010006 " - tag fix_id: "F-41370r653777_fix " - tag cci: ["CCI-000187"] - tag nist: ["IA-5 (2) (a) (2)"] + tag severity: 'high ' + tag gtitle: 'SRG-OS-000068-GPOS-00036 ' + tag gid: 'V-238201 ' + tag rid: 'SV-238201r832933_rule ' + tag stig_id: 'UBTU-20-010006 ' + tag fix_id: 'F-41370r653777_fix ' + tag cci: ['CCI-000187'] + tag nist: ['IA-5 (2) (a) (2)'] config_file = '/etc/pam_pkcs11/pam_pkcs11.conf' config_file_exists = file(config_file).exist? @@ -40,9 +38,9 @@ its('use_mappers') { should cmp 'pwent' } end else - describe (config_file + ' exists') do + describe(config_file + ' exists') do subject { config_file_exists } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238202.rb b/controls/SV-238202.rb index 2db4e4e..502d9c9 100644 --- a/controls/SV-238202.rb +++ b/controls/SV-238202.rb @@ -1,39 +1,37 @@ -# encoding: UTF-8 - -control "SV-238202" do - title "The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime. +control 'SV-238202' do + title "The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime. Passwords for new users must have a 24 hours/1 day minimum password lifetime restriction. " - desc "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat -the password reuse or history enforcement requirement. If users are allowed to immediately -and continually change their password, then the password could be repeatedly changed in a + desc "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat +the password reuse or history enforcement requirement. If users are allowed to immediately +and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. " - desc "check", "Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for -new user accounts by running the following command: - -$ grep -i ^pass_min_days -/etc/login.defs - -PASS_MIN_DAYS 1 - -If the \"PASS_MIN_DAYS\" parameter value is less than + desc 'check', "Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for +new user accounts by running the following command: + +$ grep -i ^pass_min_days +/etc/login.defs + +PASS_MIN_DAYS 1 + +If the \"PASS_MIN_DAYS\" parameter value is less than \"1\" or is commented out, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime. + desc 'fix', "Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime. + + +Add or modify the following line in the \"/etc/login.defs\" file: - -Add or modify the following line in the \"/etc/login.defs\" file: - PASS_MIN_DAYS 1 " impact 0.3 - tag severity: "low " - tag gtitle: "SRG-OS-000075-GPOS-00043 " - tag gid: "V-238202 " - tag rid: "SV-238202r653781_rule " - tag stig_id: "UBTU-20-010007 " - tag fix_id: "F-41371r653780_fix " - tag cci: ["CCI-000198"] - tag nist: ["IA-5 (1) (d)"] + tag severity: 'low ' + tag gtitle: 'SRG-OS-000075-GPOS-00043 ' + tag gid: 'V-238202 ' + tag rid: 'SV-238202r653781_rule ' + tag stig_id: 'UBTU-20-010007 ' + tag fix_id: 'F-41371r653780_fix ' + tag cci: ['CCI-000198'] + tag nist: ['IA-5 (1) (d)'] describe login_defs do its('PASS_MIN_DAYS') { should >= '1' } end -end \ No newline at end of file +end diff --git a/controls/SV-238203.rb b/controls/SV-238203.rb index 0bbd8af..f19f5cc 100644 --- a/controls/SV-238203.rb +++ b/controls/SV-238203.rb @@ -1,38 +1,36 @@ -# encoding: UTF-8 - -control "SV-238203" do - title "The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction. +control 'SV-238203' do + title "The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction. Passwords for new users must have a 60-day maximum password lifetime restriction. " - desc "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to -be changed periodically. If the operating system does not limit the lifetime of passwords and -force users to change their passwords, there is the risk that the operating system passwords + desc "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to +be changed periodically. If the operating system does not limit the lifetime of passwords and +force users to change their passwords, there is the risk that the operating system passwords could be compromised. " - desc "check", "Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user -accounts by running the following command: - -$ grep -i ^pass_max_days /etc/login.defs + desc 'check', "Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user +accounts by running the following command: + +$ grep -i ^pass_max_days /etc/login.defs + +PASS_MAX_DAYS 60 -PASS_MAX_DAYS 60 - -If the \"PASS_MAX_DAYS\" parameter value is less than \"60\" or is commented +If the \"PASS_MAX_DAYS\" parameter value is less than \"60\" or is commented out, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime. - -Add -or modify the following line in the \"/etc/login.defs\" file: - + desc 'fix', "Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime. + +Add +or modify the following line in the \"/etc/login.defs\" file: + PASS_MAX_DAYS 60 " impact 0.3 - tag severity: "low " - tag gtitle: "SRG-OS-000076-GPOS-00044 " - tag gid: "V-238203 " - tag rid: "SV-238203r653784_rule " - tag stig_id: "UBTU-20-010008 " - tag fix_id: "F-41372r653783_fix " - tag cci: ["CCI-000199"] - tag nist: ["IA-5 (1) (d)"] + tag severity: 'low ' + tag gtitle: 'SRG-OS-000076-GPOS-00044 ' + tag gid: 'V-238203 ' + tag rid: 'SV-238203r653784_rule ' + tag stig_id: 'UBTU-20-010008 ' + tag fix_id: 'F-41372r653783_fix ' + tag cci: ['CCI-000199'] + tag nist: ['IA-5 (1) (d)'] describe login_defs do its('PASS_MAX_DAYS') { should cmp <= 60 } end -end \ No newline at end of file +end diff --git a/controls/SV-238204.rb b/controls/SV-238204.rb index 7530b81..bd570f4 100644 --- a/controls/SV-238204.rb +++ b/controls/SV-238204.rb @@ -1,76 +1,73 @@ -# encoding: UTF-8 - -control "SV-238204" do - title "Ubuntu operating systems when booted must require authentication upon booting into +control 'SV-238204' do + title "Ubuntu operating systems when booted must require authentication upon booting into single-user and maintenance modes. " - desc "To mitigate the risk of unauthorized access to sensitive information by entities that have -been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web -portals) must be properly configured to incorporate access control methods that do not rely -solely on the possession of a certificate for access. - -Successful authentication must not -automatically give an entity access to an asset or security boundary. Authorization -procedures and controls must be implemented to ensure each authenticated entity also has a -validated and current authorization. Authorization is the process of determining whether -an entity, once authenticated, is permitted to access a specific asset. Information systems -use access control policies and enforcement mechanisms to implement this requirement. - + desc "To mitigate the risk of unauthorized access to sensitive information by entities that have +been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web +portals) must be properly configured to incorporate access control methods that do not rely +solely on the possession of a certificate for access. + +Successful authentication must not +automatically give an entity access to an asset or security boundary. Authorization +procedures and controls must be implemented to ensure each authenticated entity also has a +validated and current authorization. Authorization is the process of determining whether +an entity, once authenticated, is permitted to access a specific asset. Information systems +use access control policies and enforcement mechanisms to implement this requirement. -Access control policies include identity-based policies, role-based policies, and -attribute-based policies. Access enforcement mechanisms include access control lists, -access control matrices, and cryptography. These policies and mechanisms must be employed -by the application to control access between users (or processes acting on behalf of users) -and objects (e.g., devices, files, records, processes, programs, and domains) in the + +Access control policies include identity-based policies, role-based policies, and +attribute-based policies. Access enforcement mechanisms include access control lists, +access control matrices, and cryptography. These policies and mechanisms must be employed +by the application to control access between users (or processes acting on behalf of users) +and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. " - desc "check", "Run the following command to verify the encrypted password is set: - -$ sudo grep -i password -/boot/grub/grub.cfg - -password_pbkdf2 root -grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG - -If the root password + desc 'check', "Run the following command to verify the encrypted password is set: + +$ sudo grep -i password +/boot/grub/grub.cfg + +password_pbkdf2 root +grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG + +If the root password entry does not begin with \"password_pbkdf2\", this is a finding. " - desc "fix", "Configure the system to require a password for authentication upon booting into single-user -and maintenance modes. - -Generate an encrypted (grub) password for root with the following -command: - -$ grub-mkpasswd-pbkdf2 -Enter Password: -Reenter Password: -PBKDF2 hash of -your password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG - -Using -the hash from the output, modify the \"/etc/grub.d/40_custom\" file with the following -command to add a boot password: - -$ sudo sed -i '$i set -superusers=\\\"root\\\"\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom - + desc 'fix', "Configure the system to require a password for authentication upon booting into single-user +and maintenance modes. + +Generate an encrypted (grub) password for root with the following +command: -where <hash> is the hash generated by grub-mkpasswd-pbkdf2 command. - -Generate an -updated \"grub.conf\" file with the new password by using the following command: - -$ sudo +$ grub-mkpasswd-pbkdf2 +Enter Password: +Reenter Password: +PBKDF2 hash of +your password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG + +Using +the hash from the output, modify the \"/etc/grub.d/40_custom\" file with the following +command to add a boot password: + +$ sudo sed -i '$i set +superusers=\\\"root\\\"\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom + + +where <hash> is the hash generated by grub-mkpasswd-pbkdf2 command. + +Generate an +updated \"grub.conf\" file with the new password by using the following command: + +$ sudo update-grub " impact 0.7 - tag severity: "high " - tag gtitle: "SRG-OS-000080-GPOS-00048 " - tag gid: "V-238204 " - tag rid: "SV-238204r832936_rule " - tag stig_id: "UBTU-20-010009 " - tag fix_id: "F-41373r832935_fix " - tag cci: ["CCI-000213"] - tag nist: ["AC-3"] - + tag severity: 'high ' + tag gtitle: 'SRG-OS-000080-GPOS-00048 ' + tag gid: 'V-238204 ' + tag rid: 'SV-238204r832936_rule ' + tag stig_id: 'UBTU-20-010009 ' + tag fix_id: 'F-41373r832935_fix ' + tag cci: ['CCI-000213'] + tag nist: ['AC-3'] describe grub_conf('/boot/grub/grub.cfg') do its('password') { should match '^password_pbkdf2' } end -end \ No newline at end of file +end diff --git a/controls/SV-238205.rb b/controls/SV-238205.rb index 5b09217..5d835c7 100644 --- a/controls/SV-238205.rb +++ b/controls/SV-238205.rb @@ -1,45 +1,43 @@ -# encoding: UTF-8 - -control "SV-238205" do - title "The Ubuntu operating system must uniquely identify interactive users. " - desc "To assure accountability and prevent unauthenticated access, organizational users must be -identified and authenticated to prevent potential misuse and compromise of the system. - - -Organizational users include organizational employees or individuals the organization -deems to have equivalent status of employees (e.g., contractors). Organizational users -(and processes acting on behalf of users) must be uniquely identified and authenticated to -all accesses, except for the following: - -1) Accesses explicitly identified and documented -by the organization. Organizations document specific user actions that can be performed on -the information system without identification or authentication; and - -2) Accesses that -occur through authorized use of group authenticators without individual authentication. -Organizations may require unique identification of individuals in group accounts (e.g., +control 'SV-238205' do + title 'The Ubuntu operating system must uniquely identify interactive users. ' + desc "To assure accountability and prevent unauthenticated access, organizational users must be +identified and authenticated to prevent potential misuse and compromise of the system. + + +Organizational users include organizational employees or individuals the organization +deems to have equivalent status of employees (e.g., contractors). Organizational users +(and processes acting on behalf of users) must be uniquely identified and authenticated to +all accesses, except for the following: + +1) Accesses explicitly identified and documented +by the organization. Organizations document specific user actions that can be performed on +the information system without identification or authentication; and + +2) Accesses that +occur through authorized use of group authenticators without individual authentication. +Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. " - desc "check", "Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive -users with the following command: - -$ awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd - -If + desc 'check', "Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive +users with the following command: + +$ awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd + +If output is produced and the accounts listed are interactive user accounts, this is a finding. " - desc "fix", "Edit the file \"/etc/passwd\" and provide each interactive user account that has a duplicate + desc 'fix', "Edit the file \"/etc/passwd\" and provide each interactive user account that has a duplicate UID with a unique UID. " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000104-GPOS-00051 " - tag satisfies: ["SRG-OS-000104-GPOS-00051","SRG-OS-000121-GPOS-00062"] - tag gid: "V-238205 " - tag rid: "SV-238205r653790_rule " - tag stig_id: "UBTU-20-010010 " - tag fix_id: "F-41374r653789_fix " - tag cci: ["CCI-000764","CCI-000804"] - tag nist: ["IA-2","IA-8"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000104-GPOS-00051 ' + tag satisfies: %w(SRG-OS-000104-GPOS-00051 SRG-OS-000121-GPOS-00062) + tag gid: 'V-238205 ' + tag rid: 'SV-238205r653790_rule ' + tag stig_id: 'UBTU-20-010010 ' + tag fix_id: 'F-41374r653789_fix ' + tag cci: %w(CCI-000764 CCI-000804) + tag nist: %w(IA-2 IA-8) user_list = command("awk -F \":\" 'list[$3]++{print $1}' /etc/passwd").stdout.split("\n") findings = Set[] @@ -51,4 +49,4 @@ subject { findings.to_a } it { should be_empty } end -end \ No newline at end of file +end diff --git a/controls/SV-238206.rb b/controls/SV-238206.rb index 6efc477..366cf01 100644 --- a/controls/SV-238206.rb +++ b/controls/SV-238206.rb @@ -1,53 +1,51 @@ -# encoding: UTF-8 - -control "SV-238206" do - title "The Ubuntu operating system must ensure only users who need access to security functions are +control 'SV-238206' do + title "The Ubuntu operating system must ensure only users who need access to security functions are part of sudo group. " - desc "An isolation boundary provides access control and protects the integrity of the hardware, -software, and firmware that perform security functions. - -Security functions are the -hardware, software, and/or firmware of the information system responsible for enforcing -the system security policy and supporting the isolation of code and data on which the -protection is based. Operating systems implement code separation (i.e., separation of -security functions from nonsecurity functions) in a number of ways, including through the -provision of security kernels via processor rings or processor modes. For non-kernel code, -security function isolation is often achieved through file system protections that serve to -protect the code on disk and address space protections that protect executing code. - + desc "An isolation boundary provides access control and protects the integrity of the hardware, +software, and firmware that perform security functions. + +Security functions are the +hardware, software, and/or firmware of the information system responsible for enforcing +the system security policy and supporting the isolation of code and data on which the +protection is based. Operating systems implement code separation (i.e., separation of +security functions from nonsecurity functions) in a number of ways, including through the +provision of security kernels via processor rings or processor modes. For non-kernel code, +security function isolation is often achieved through file system protections that serve to +protect the code on disk and address space protections that protect executing code. + -Developers and implementers can increase the assurance in security functions by employing -well-defined security policy models; structured, disciplined, and rigorous hardware and -software development techniques; and sound system/security engineering principles. -Implementation may include isolation of memory space and libraries. - -The Ubuntu operating -system restricts access to security functions through the use of access control mechanisms +Developers and implementers can increase the assurance in security functions by employing +well-defined security policy models; structured, disciplined, and rigorous hardware and +software development techniques; and sound system/security engineering principles. +Implementation may include isolation of memory space and libraries. + +The Ubuntu operating +system restricts access to security functions through the use of access control mechanisms and by implementing least privilege capabilities. " - desc "check", "Verify the sudo group has only members who should have access to security functions. - -$ grep -sudo /etc/group - -sudo:x:27:foo - -If the sudo group contains users not needing access to + desc 'check', "Verify the sudo group has only members who should have access to security functions. + +$ grep +sudo /etc/group + +sudo:x:27:foo + +If the sudo group contains users not needing access to security functions, this is a finding. " - desc "fix", "Configure the sudo group with only members requiring access to security functions. - -To -remove a user from the sudo group, run: - + desc 'fix', "Configure the sudo group with only members requiring access to security functions. + +To +remove a user from the sudo group, run: + $ sudo gpasswd -d <username> sudo " impact 0.7 - tag severity: "high " - tag gtitle: "SRG-OS-000134-GPOS-00068 " - tag gid: "V-238206 " - tag rid: "SV-238206r653793_rule " - tag stig_id: "UBTU-20-010012 " - tag fix_id: "F-41375r653792_fix " - tag cci: ["CCI-001084"] - tag nist: ["SC-3"] + tag severity: 'high ' + tag gtitle: 'SRG-OS-000134-GPOS-00068 ' + tag gid: 'V-238206 ' + tag rid: 'SV-238206r653793_rule ' + tag stig_id: 'UBTU-20-010012 ' + tag fix_id: 'F-41375r653792_fix ' + tag cci: ['CCI-001084'] + tag nist: ['SC-3'] sudo_accounts = input('sudo_accounts') @@ -67,4 +65,4 @@ end end end -end \ No newline at end of file +end diff --git a/controls/SV-238207.rb b/controls/SV-238207.rb index d6b2ef3..abd64d7 100644 --- a/controls/SV-238207.rb +++ b/controls/SV-238207.rb @@ -1,73 +1,71 @@ -# encoding: UTF-8 - -control "SV-238207" do - title "The Ubuntu operating system must automatically terminate a user session after inactivity +control 'SV-238207' do + title "The Ubuntu operating system must automatically terminate a user session after inactivity timeouts have expired. " - desc "Automatic session termination addresses the termination of user-initiated logical -sessions in contrast to the termination of network connections that are associated with -communications sessions (i.e., network disconnect). A logical session (for local, -network, and remote access) is initiated whenever a user (or process acting on behalf of a -user) accesses an organizational information system. Such user sessions can be terminated -(and thus terminate user access) without terminating network sessions. - -Session -termination terminates all processes associated with a user's logical session except those -processes that are specifically created by the user (i.e., session owner) to continue after -the session is terminated. - -Conditions or trigger events requiring automatic session -termination can include, for example, organization-defined periods of user inactivity, -targeted responses to certain types of incidents, and time-of-day restrictions on -information system use. - -This capability is typically reserved for specific operating -system functionality where the system owner, data owner, or organization requires + desc "Automatic session termination addresses the termination of user-initiated logical +sessions in contrast to the termination of network connections that are associated with +communications sessions (i.e., network disconnect). A logical session (for local, +network, and remote access) is initiated whenever a user (or process acting on behalf of a +user) accesses an organizational information system. Such user sessions can be terminated +(and thus terminate user access) without terminating network sessions. + +Session +termination terminates all processes associated with a user's logical session except those +processes that are specifically created by the user (i.e., session owner) to continue after +the session is terminated. + +Conditions or trigger events requiring automatic session +termination can include, for example, organization-defined periods of user inactivity, +targeted responses to certain types of incidents, and time-of-day restrictions on +information system use. + +This capability is typically reserved for specific operating +system functionality where the system owner, data owner, or organization requires additional assurance. " - desc "check", "Verify the operating system automatically terminates a user session after inactivity -timeouts have expired. - -Check that \"TMOUT\" environment variable is set in the -\"/etc/bash.bashrc\" file or in any file inside the \"/etc/profile.d/\" directory by -performing the following command: - -$ grep -E \"\\bTMOUT=[0-9]+\" /etc/bash.bashrc -/etc/profile.d/* - -TMOUT=600 - -If \"TMOUT\" is not set, or if the value is \"0\" or is commented + desc 'check', "Verify the operating system automatically terminates a user session after inactivity +timeouts have expired. + +Check that \"TMOUT\" environment variable is set in the +\"/etc/bash.bashrc\" file or in any file inside the \"/etc/profile.d/\" directory by +performing the following command: + +$ grep -E \"\\bTMOUT=[0-9]+\" /etc/bash.bashrc +/etc/profile.d/* + +TMOUT=600 + +If \"TMOUT\" is not set, or if the value is \"0\" or is commented out, this is a finding. " - desc "fix", "Configure the operating system to automatically terminate a user session after inactivity -timeouts have expired or at shutdown. - -Create the file -\"/etc/profile.d/99-terminal_tmout.sh\" file if it does not exist. - -Modify or append the -following line in the \"/etc/profile.d/99-terminal_tmout.sh \" file: - -TMOUT=600 - -This -will set a timeout value of 10 minutes for all future sessions. - -To set the timeout for the -current sessions, execute the following command over the terminal session: - -$ export + desc 'fix', "Configure the operating system to automatically terminate a user session after inactivity +timeouts have expired or at shutdown. + +Create the file +\"/etc/profile.d/99-terminal_tmout.sh\" file if it does not exist. + +Modify or append the +following line in the \"/etc/profile.d/99-terminal_tmout.sh \" file: + +TMOUT=600 + +This +will set a timeout value of 10 minutes for all future sessions. + +To set the timeout for the +current sessions, execute the following command over the terminal session: + +$ export TMOUT=600 " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000279-GPOS-00109 " - tag gid: "V-238207 " - tag rid: "SV-238207r853404_rule " - tag stig_id: "UBTU-20-010013 " - tag fix_id: "F-41376r653795_fix " - tag cci: ["CCI-002361"] - tag nist: ["AC-12"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000279-GPOS-00109 ' + tag gid: 'V-238207 ' + tag rid: 'SV-238207r853404_rule ' + tag stig_id: 'UBTU-20-010013 ' + tag fix_id: 'F-41376r653795_fix ' + tag cci: ['CCI-002361'] + tag nist: ['AC-12'] - profile_files=command('find /etc/profile.d/ /etc/bash.bashrc -type f').stdout.strip.split("\n").entries - timeout=input("tmout").to_s + profile_files = command('find /etc/profile.d/ /etc/bash.bashrc -type f').stdout.strip.split("\n").entries + timeout = input('tmout').to_s describe.one do profile_files.each do |pf| @@ -76,4 +74,4 @@ end end end -end \ No newline at end of file +end diff --git a/controls/SV-238208.rb b/controls/SV-238208.rb index f900820..117b511 100644 --- a/controls/SV-238208.rb +++ b/controls/SV-238208.rb @@ -1,37 +1,35 @@ -# encoding: UTF-8 - -control "SV-238208" do - title "The Ubuntu operating system must require users to reauthenticate for privilege escalation +control 'SV-238208' do + title "The Ubuntu operating system must require users to reauthenticate for privilege escalation or when changing roles. " - desc "Without reauthentication, users may access resources or perform tasks for which they do not -have authorization. - -When operating systems provide the capability to escalate a + desc "Without reauthentication, users may access resources or perform tasks for which they do not +have authorization. + +When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. " - desc "check", "Verify the \"/etc/sudoers\" file has no occurrences of \"NOPASSWD\" or \"!authenticate\" by -running the following command: - -$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers -/etc/sudoers.d/* - -If any occurrences of \"NOPASSWD\" or \"!authenticate\" return from the + desc 'check', "Verify the \"/etc/sudoers\" file has no occurrences of \"NOPASSWD\" or \"!authenticate\" by +running the following command: + +$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers +/etc/sudoers.d/* + +If any occurrences of \"NOPASSWD\" or \"!authenticate\" return from the command, this is a finding. " - desc "fix", "Remove any occurrence of \"NOPASSWD\" or \"!authenticate\" found in \"/etc/sudoers\" file or + desc 'fix', "Remove any occurrence of \"NOPASSWD\" or \"!authenticate\" found in \"/etc/sudoers\" file or files in the \"/etc/sudoers.d\" directory. " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000373-GPOS-00156 " - tag satisfies: ["SRG-OS-000373-GPOS-00156","SRG-OS-000373-GPOS-00157"] - tag gid: "V-238208 " - tag rid: "SV-238208r853405_rule " - tag stig_id: "UBTU-20-010014 " - tag fix_id: "F-41377r653798_fix " - tag cci: ["CCI-002038"] - tag nist: ["IA-11"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000373-GPOS-00156 ' + tag satisfies: %w(SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157) + tag gid: 'V-238208 ' + tag rid: 'SV-238208r853405_rule ' + tag stig_id: 'UBTU-20-010014 ' + tag fix_id: 'F-41377r653798_fix ' + tag cci: ['CCI-002038'] + tag nist: ['IA-11'] describe command("egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers") do its('stdout.strip') { should be_empty } end -end \ No newline at end of file +end diff --git a/controls/SV-238209.rb b/controls/SV-238209.rb index 99bc842..38365fc 100644 --- a/controls/SV-238209.rb +++ b/controls/SV-238209.rb @@ -1,44 +1,42 @@ -# encoding: UTF-8 - -control "SV-238209" do - title "The Ubuntu operating system default filesystem permissions must be defined in such a way that +control 'SV-238209' do + title "The Ubuntu operating system default filesystem permissions must be defined in such a way that all authenticated users can read and modify only their own files. " - desc "Setting the most restrictive default permissions ensures that when new accounts are created + desc "Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access. " - desc "check", "Verify the Ubuntu operating system defines default permissions for all authenticated users -in such a way that the user can read and modify only their own files. - -Verify the Ubuntu -operating system defines default permissions for all authenticated users with the -following command: - -$ grep -i \"umask\" /etc/login.defs - -UMASK 077 - -If the \"UMASK\" -variable is set to \"000\", this is a finding with the severity raised to a CAT I. - -If the value of + desc 'check', "Verify the Ubuntu operating system defines default permissions for all authenticated users +in such a way that the user can read and modify only their own files. + +Verify the Ubuntu +operating system defines default permissions for all authenticated users with the +following command: + +$ grep -i \"umask\" /etc/login.defs + +UMASK 077 + +If the \"UMASK\" +variable is set to \"000\", this is a finding with the severity raised to a CAT I. + +If the value of \"UMASK\" is not set to \"077\", is commented out, or is missing completely, this is a finding. " - desc "fix", "Configure the system to define the default permissions for all authenticated users in such a -way that the user can read and modify only their own files. - -Edit the \"UMASK\" parameter in the -\"/etc/login.defs\" file to match the example below: - + desc 'fix', "Configure the system to define the default permissions for all authenticated users in such a +way that the user can read and modify only their own files. + +Edit the \"UMASK\" parameter in the +\"/etc/login.defs\" file to match the example below: + UMASK 077 " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000480-GPOS-00228 " - tag gid: "V-238209 " - tag rid: "SV-238209r653802_rule " - tag stig_id: "UBTU-20-010016 " - tag fix_id: "F-41378r653801_fix " - tag cci: ["CCI-000366"] - tag nist: ["CM-6 b"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000480-GPOS-00228 ' + tag gid: 'V-238209 ' + tag rid: 'SV-238209r653802_rule ' + tag stig_id: 'UBTU-20-010016 ' + tag fix_id: 'F-41378r653801_fix ' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] describe login_defs do its('UMASK') { should eq '077' } end -end \ No newline at end of file +end diff --git a/controls/SV-238210.rb b/controls/SV-238210.rb index a33a1f2..9b407aa 100644 --- a/controls/SV-238210.rb +++ b/controls/SV-238210.rb @@ -1,75 +1,73 @@ -# encoding: UTF-8 - -control "SV-238210" do - title "The Ubuntu operating system must implement smart card logins for multifactor +control 'SV-238210' do + title "The Ubuntu operating system must implement smart card logins for multifactor authentication for local and network access to privileged and non-privileged accounts. " - desc "Without the use of multifactor authentication, the ease of access to privileged functions is -greatly increased. - -Multifactor authentication requires using two or more factors to -achieve authentication. - -Factors include: -1) something a user knows (e.g., -password/PIN); -2) something a user has (e.g., cryptographic identification device, -token); and -3) something a user is (e.g., biometric). - -A privileged account is defined as an -information system account with authorizations of a privileged user. - -Network access is -defined as access to an information system by a user (or a process acting on behalf of a user) -communicating through a network (e.g., local area network, wide area network, or the -internet). - -The DoD CAC with DoD-approved PKI is an example of multifactor + desc "Without the use of multifactor authentication, the ease of access to privileged functions is +greatly increased. + +Multifactor authentication requires using two or more factors to +achieve authentication. + +Factors include: +1) something a user knows (e.g., +password/PIN); +2) something a user has (e.g., cryptographic identification device, +token); and +3) something a user is (e.g., biometric). + +A privileged account is defined as an +information system account with authorizations of a privileged user. + +Network access is +defined as access to an information system by a user (or a process acting on behalf of a user) +communicating through a network (e.g., local area network, wide area network, or the +internet). + +The DoD CAC with DoD-approved PKI is an example of multifactor authentication. " - desc "check", "Verify the Ubuntu operating system has the packages required for multifactor + desc 'check', "Verify the Ubuntu operating system has the packages required for multifactor authentication installed with the following commands: $ dpkg -l | grep libpam-pkcs11 -ii +ii libpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards -If the +If the \"libpam-pkcs11\" package is not installed, this is a finding. -Verify the sshd daemon allows +Verify the sshd daemon allows public key authentication with the following command: - -$ grep -r ^Pubkeyauthentication + +$ grep -r ^Pubkeyauthentication /etc/ssh/sshd_config* PubkeyAuthentication yes -If this option is set to \"no\" or is +If this option is set to \"no\" or is missing, this is a finding. If conflicting results are returned, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to use multifactor authentication for network access -to accounts. - -Add or update \"pam_pkcs11.so\" in \"/etc/pam.d/common-auth\" to match the -following line: - -auth [success=2 default=ignore] pam_pkcs11.so - -Set the sshd option + desc 'fix', "Configure the Ubuntu operating system to use multifactor authentication for network access +to accounts. + +Add or update \"pam_pkcs11.so\" in \"/etc/pam.d/common-auth\" to match the +following line: + +auth [success=2 default=ignore] pam_pkcs11.so + +Set the sshd option \"PubkeyAuthentication yes\" in the \"/etc/ssh/sshd_config\" file. " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000105-GPOS-00052 " - tag satisfies: ["SRG-OS-000105-GPOS-00052","SRG-OS-000106-GPOS-00053","SRG-OS-000107-GPOS-00054","SRG-OS-000108-GPOS-00055"] - tag gid: "V-238210 " - tag rid: "SV-238210r858517_rule " - tag stig_id: "UBTU-20-010033 " - tag fix_id: "F-41379r653804_fix " - tag cci: ["CCI-000765","CCI-000766","CCI-000767","CCI-000768"] - tag nist: ["IA-2 (1)","IA-2 (2)","IA-2 (3)","IA-2 (4)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000105-GPOS-00052 ' + tag satisfies: %w(SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055) + tag gid: 'V-238210 ' + tag rid: 'SV-238210r858517_rule ' + tag stig_id: 'UBTU-20-010033 ' + tag fix_id: 'F-41379r653804_fix ' + tag cci: %w(CCI-000765 CCI-000766 CCI-000767 CCI-000768) + tag nist: ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)'] describe package('libpam-pkcs11') do it { should be_installed } @@ -78,4 +76,4 @@ describe sshd_config do its('PubkeyAuthentication') { should cmp 'yes' } end -end \ No newline at end of file +end diff --git a/controls/SV-238211.rb b/controls/SV-238211.rb index faa3dbc..9217a80 100644 --- a/controls/SV-238211.rb +++ b/controls/SV-238211.rb @@ -1,49 +1,47 @@ -# encoding: UTF-8 - -control "SV-238211" do - title "The Ubuntu operating system must use strong authenticators in establishing nonlocal +control 'SV-238211' do + title "The Ubuntu operating system must use strong authenticators in establishing nonlocal maintenance and diagnostic sessions. " - desc "Nonlocal maintenance and diagnostic activities are those activities conducted by -individuals communicating through a network, either an external network (e.g., the -internet) or an internal network. Local maintenance and diagnostic activities are those -activities carried out by individuals physically present at the information system or -information system component and not communicating across a network connection. -Typically, strong authentication requires authenticators that are resistant to replay -attacks and employ multifactor authentication. Strong authenticators include, for -example, PKI where certificates are stored on a token protected by a password, passphrase, or + desc "Nonlocal maintenance and diagnostic activities are those activities conducted by +individuals communicating through a network, either an external network (e.g., the +internet) or an internal network. Local maintenance and diagnostic activities are those +activities carried out by individuals physically present at the information system or +information system component and not communicating across a network connection. +Typically, strong authentication requires authenticators that are resistant to replay +attacks and employ multifactor authentication. Strong authenticators include, for +example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. " - desc "check", "Verify the Ubuntu operating system is configured to use strong authenticators in the + desc 'check', "Verify the Ubuntu operating system is configured to use strong authenticators in the establishment of nonlocal maintenance and diagnostic maintenance. -Verify that \"UsePAM\" +Verify that \"UsePAM\" is set to \"yes\" in \"/etc/ssh/sshd_config: -$ grep -r ^UsePAM +$ grep -r ^UsePAM /etc/ssh/sshd_config* UsePAM yes If \"UsePAM\" is not set to \"yes\", this is a finding. -If +If conflicting results are returned, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to use strong authentication when establishing -nonlocal maintenance and diagnostic sessions. - -Add or modify the following line to -/etc/ssh/sshd_config: - + desc 'fix', "Configure the Ubuntu operating system to use strong authentication when establishing +nonlocal maintenance and diagnostic sessions. + +Add or modify the following line to +/etc/ssh/sshd_config: + UsePAM yes " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000125-GPOS-00065 " - tag gid: "V-238211 " - tag rid: "SV-238211r858519_rule " - tag stig_id: "UBTU-20-010035 " - tag fix_id: "F-41380r653807_fix " - tag cci: ["CCI-000877"] - tag nist: ["MA-4 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000125-GPOS-00065 ' + tag gid: 'V-238211 ' + tag rid: 'SV-238211r858519_rule ' + tag stig_id: 'UBTU-20-010035 ' + tag fix_id: 'F-41380r653807_fix ' + tag cci: ['CCI-000877'] + tag nist: ['MA-4 c'] describe sshd_config do its('UsePAM') { should cmp 'yes' } end -end \ No newline at end of file +end diff --git a/controls/SV-238212.rb b/controls/SV-238212.rb index 10d3135..62d35dc 100644 --- a/controls/SV-238212.rb +++ b/controls/SV-238212.rb @@ -1,67 +1,65 @@ -# encoding: UTF-8 - -control "SV-238212" do - title "The Ubuntu operating system must immediately terminate all network connections associated +control 'SV-238212' do + title "The Ubuntu operating system must immediately terminate all network connections associated with SSH traffic after a period of inactivity. " - desc "Automatic session termination addresses the termination of user-initiated logical -sessions in contrast to the termination of network connections that are associated with -communications sessions (i.e., network disconnect). A logical session (for local, -network, and remote access) is initiated whenever a user (or process acting on behalf of a -user) accesses an organizational information system. Such user sessions can be terminated -(and thus terminate user access) without terminating network sessions. - -Session -termination terminates all processes associated with a user's logical session except those -processes that are specifically created by the user (i.e., session owner) to continue after -the session is terminated. - -Conditions or trigger events requiring automatic session -termination can include, for example, organization-defined periods of user inactivity, -targeted responses to certain types of incidents, and time-of-day restrictions on -information system use. - -This capability is typically reserved for specific Ubuntu -operating system functionality where the system owner, data owner, or organization + desc "Automatic session termination addresses the termination of user-initiated logical +sessions in contrast to the termination of network connections that are associated with +communications sessions (i.e., network disconnect). A logical session (for local, +network, and remote access) is initiated whenever a user (or process acting on behalf of a +user) accesses an organizational information system. Such user sessions can be terminated +(and thus terminate user access) without terminating network sessions. + +Session +termination terminates all processes associated with a user's logical session except those +processes that are specifically created by the user (i.e., session owner) to continue after +the session is terminated. + +Conditions or trigger events requiring automatic session +termination can include, for example, organization-defined periods of user inactivity, +targeted responses to certain types of incidents, and time-of-day restrictions on +information system use. + +This capability is typically reserved for specific Ubuntu +operating system functionality where the system owner, data owner, or organization requires additional assurance. " - desc "check", "Verify that all network connections associated with SSH traffic automatically terminate -after a period of inactivity. + desc 'check', "Verify that all network connections associated with SSH traffic automatically terminate +after a period of inactivity. -Verify the \"ClientAliveCountMax\" variable is set in the +Verify the \"ClientAliveCountMax\" variable is set in the \"/etc/ssh/sshd_config\" file by performing the following command: -$ sudo grep -ir +$ sudo grep -ir clientalivecountmax /etc/ssh/sshd_config* ClientAliveCountMax 1 -If +If \"ClientAliveCountMax\" is not set, is not set to \"1\", or is commented out, this is a finding. -If +If conflicting results are returned, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to automatically terminate inactive SSH sessions -after a period of inactivity. - -Modify or append the following line in the -\"/etc/ssh/sshd_config\" file, replacing \"[Count]\" with a value of 1: - + desc 'fix', "Configure the Ubuntu operating system to automatically terminate inactive SSH sessions +after a period of inactivity. + +Modify or append the following line in the +\"/etc/ssh/sshd_config\" file, replacing \"[Count]\" with a value of 1: + + +ClientAliveCountMax 1 + +Restart the SSH daemon for the changes to take effect: -ClientAliveCountMax 1 - -Restart the SSH daemon for the changes to take effect: - -$ sudo +$ sudo systemctl restart sshd.service " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000126-GPOS-00066 " - tag gid: "V-238212 " - tag rid: "SV-238212r858521_rule " - tag stig_id: "UBTU-20-010036 " - tag fix_id: "F-41381r653810_fix " - tag cci: ["CCI-000879"] - tag nist: ["MA-4 e"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000126-GPOS-00066 ' + tag gid: 'V-238212 ' + tag rid: 'SV-238212r858521_rule ' + tag stig_id: 'UBTU-20-010036 ' + tag fix_id: 'F-41381r653810_fix ' + tag cci: ['CCI-000879'] + tag nist: ['MA-4 e'] describe sshd_config do its('ClientAliveCountMax') { should cmp 1 } end -end \ No newline at end of file +end diff --git a/controls/SV-238213.rb b/controls/SV-238213.rb index 94b859a..4186b72 100644 --- a/controls/SV-238213.rb +++ b/controls/SV-238213.rb @@ -1,60 +1,58 @@ -# encoding: UTF-8 - -control "SV-238213" do - title "The Ubuntu operating system must immediately terminate all network connections associated +control 'SV-238213' do + title "The Ubuntu operating system must immediately terminate all network connections associated with SSH traffic at the end of the session or after 10 minutes of inactivity. " - desc "Terminating an idle session within a short time period reduces the window of opportunity for -unauthorized personnel to take control of a management session enabled on the console or -console port that has been left unattended. In addition, quickly terminating an idle session -will also free up resources committed by the managed network element. - -Terminating network -connections associated with communications sessions includes, for example, -de-allocating associated TCP/IP address/port pairs at the operating system level, and -de-allocating networking assignments at the application level if multiple application -sessions are using a single operating system-level network connection. This does not mean -that the operating system terminates all sessions or network access; it only ends the + desc "Terminating an idle session within a short time period reduces the window of opportunity for +unauthorized personnel to take control of a management session enabled on the console or +console port that has been left unattended. In addition, quickly terminating an idle session +will also free up resources committed by the managed network element. + +Terminating network +connections associated with communications sessions includes, for example, +de-allocating associated TCP/IP address/port pairs at the operating system level, and +de-allocating networking assignments at the application level if multiple application +sessions are using a single operating system-level network connection. This does not mean +that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. " - desc "check", "Verify that all network connections associated with SSH traffic are automatically + desc 'check', "Verify that all network connections associated with SSH traffic are automatically terminated at the end of the session or after 10 minutes of inactivity. -Verify the -\"ClientAliveInterval\" variable is set to a value of \"600\" or less by performing the following +Verify the +\"ClientAliveInterval\" variable is set to a value of \"600\" or less by performing the following command: $ sudo grep -ir clientalive /etc/ssh/sshd_config* -ClientAliveInterval +ClientAliveInterval 600 -If \"ClientAliveInterval\" does not exist, is not set to a value of \"600\" or less in +If \"ClientAliveInterval\" does not exist, is not set to a value of \"600\" or less in \"/etc/ssh/sshd_config\", or is commented out, this is a finding. -If conflicting results are +If conflicting results are returned, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to automatically terminate all network connections -associated with SSH traffic at the end of a session or after a 10-minute period of inactivity. - - -Modify or append the following line in the \"/etc/ssh/sshd_config\" file replacing -\"[Interval]\" with a value of \"600\" or less: - -ClientAliveInterval 600 - -Restart the SSH -daemon for the changes to take effect: - + desc 'fix', "Configure the Ubuntu operating system to automatically terminate all network connections +associated with SSH traffic at the end of a session or after a 10-minute period of inactivity. + + +Modify or append the following line in the \"/etc/ssh/sshd_config\" file replacing +\"[Interval]\" with a value of \"600\" or less: + +ClientAliveInterval 600 + +Restart the SSH +daemon for the changes to take effect: + $ sudo systemctl restart sshd.service " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000163-GPOS-00072 " - tag gid: "V-238213 " - tag rid: "SV-238213r858523_rule " - tag stig_id: "UBTU-20-010037 " - tag fix_id: "F-41382r653813_fix " - tag cci: ["CCI-001133"] - tag nist: ["SC-10"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000163-GPOS-00072 ' + tag gid: 'V-238213 ' + tag rid: 'SV-238213r858523_rule ' + tag stig_id: 'UBTU-20-010037 ' + tag fix_id: 'F-41382r653813_fix ' + tag cci: ['CCI-001133'] + tag nist: ['SC-10'] describe sshd_config do its('ClientAliveInterval') { should cmp 600 } end -end \ No newline at end of file +end diff --git a/controls/SV-238214.rb b/controls/SV-238214.rb index af90f18..98f5766 100644 --- a/controls/SV-238214.rb +++ b/controls/SV-238214.rb @@ -1,163 +1,161 @@ -# encoding: UTF-8 - -control "SV-238214" do - title "The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent +control 'SV-238214' do + title "The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting any local or remote connection to the system. " - desc "Display of a standardized and approved use notification before granting access to the -publicly accessible operating system ensures privacy and security notification verbiage -used is consistent with applicable federal laws, Executive Orders, directives, policies, -regulations, standards, and guidance. - -System use notifications are required only for -access via logon interfaces with human users and are not required when such human interfaces -do not exist. - -The banner must be formatted in accordance with applicable DoD policy. Use the -following verbiage for operating systems that can accommodate banners of 1300 characters: - - -\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for -USG-authorized use only. - -By using this IS (which includes any device attached to this IS), -you consent to the following conditions: - --The USG routinely intercepts and monitors -communications on this IS for purposes including, but not limited to, penetration testing, -COMSEC monitoring, network operations and defense, personnel misconduct (PM), law -enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may -inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS -are not private, are subject to routine monitoring, interception, and search, and may be -disclosed or used for any USG-authorized purpose. - --This IS includes security measures -(e.g., authentication and access controls) to protect USG interests--not for your personal -benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent -to PM, LE or CI investigative searching or monitoring of the content of privileged -communications, or work product, related to personal representation or services by -attorneys, psychotherapists, or clergy, and their assistants. Such communications and -work product are private and confidential. See User Agreement for details.\" - -Use the -following verbiage for operating systems that have severe limitations on the number of -characters that can be displayed in the banner: - -\"I've read & consent to terms in IS user + desc "Display of a standardized and approved use notification before granting access to the +publicly accessible operating system ensures privacy and security notification verbiage +used is consistent with applicable federal laws, Executive Orders, directives, policies, +regulations, standards, and guidance. + +System use notifications are required only for +access via logon interfaces with human users and are not required when such human interfaces +do not exist. + +The banner must be formatted in accordance with applicable DoD policy. Use the +following verbiage for operating systems that can accommodate banners of 1300 characters: + + +\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for +USG-authorized use only. + +By using this IS (which includes any device attached to this IS), +you consent to the following conditions: + +-The USG routinely intercepts and monitors +communications on this IS for purposes including, but not limited to, penetration testing, +COMSEC monitoring, network operations and defense, personnel misconduct (PM), law +enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may +inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS +are not private, are subject to routine monitoring, interception, and search, and may be +disclosed or used for any USG-authorized purpose. + +-This IS includes security measures +(e.g., authentication and access controls) to protect USG interests--not for your personal +benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent +to PM, LE or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services by +attorneys, psychotherapists, or clergy, and their assistants. Such communications and +work product are private and confidential. See User Agreement for details.\" + +Use the +following verbiage for operating systems that have severe limitations on the number of +characters that can be displayed in the banner: + +\"I've read & consent to terms in IS user agreem't.\" " - desc "check", "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent -Banner before granting access to the Ubuntu operating system via an SSH logon with the -following command: - -$ grep -ir banner /etc/ssh/sshd_config* - + desc 'check', "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent +Banner before granting access to the Ubuntu operating system via an SSH logon with the +following command: + +$ grep -ir banner /etc/ssh/sshd_config* + /etc/ssh/sshd_config:Banner /etc/issue.net - -The command will return the banner option -along with the name of the file that contains the SSH banner. If the line is commented out, this + +The command will return the banner option +along with the name of the file that contains the SSH banner. If the line is commented out, this is a finding. If conflicting results are returned, this is a finding. - -Verify the -specified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly: - - -$ cat /etc/issue.net - -\"You are accessing a U.S. Government (USG) Information System (IS) -that is provided for USG-authorized use only. - -By using this IS (which includes any device -attached to this IS), you consent to the following conditions: - --The USG routinely -intercepts and monitors communications on this IS for purposes including, but not limited -to, penetration testing, COMSEC monitoring, network operations and defense, personnel -misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, -or data stored on, this IS are not private, are subject to routine monitoring, interception, -and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes -security measures (e.g., authentication and access controls) to protect USG -interests--not for your personal benefit or privacy. - --Notwithstanding the above, using -this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of -the content of privileged communications, or work product, related to personal -representation or services by attorneys, psychotherapists, or clergy, and their -assistants. Such communications and work product are private and confidential. See User -Agreement for details.\" - -If the banner text does not match the Standard Mandatory DoD Notice + +Verify the +specified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly: + + +$ cat /etc/issue.net + +\"You are accessing a U.S. Government (USG) Information System (IS) +that is provided for USG-authorized use only. + +By using this IS (which includes any device +attached to this IS), you consent to the following conditions: + +-The USG routinely +intercepts and monitors communications on this IS for purposes including, but not limited +to, penetration testing, COMSEC monitoring, network operations and defense, personnel +misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, +or data stored on, this IS are not private, are subject to routine monitoring, interception, +and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes +security measures (e.g., authentication and access controls) to protect USG +interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using +this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of +the content of privileged communications, or work product, related to personal +representation or services by attorneys, psychotherapists, or clergy, and their +assistants. Such communications and work product are private and confidential. See User +Agreement for details.\" + +If the banner text does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding. " - desc "fix", "Set the parameter Banner in \"/etc/ssh/sshd_config\" to point to the \"/etc/issue.net\" file: - - -$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config -$ sudo sed -i '$aBanner /etc/issue.net' -/etc/ssh/sshd_config - -Either create the file containing the banner or replace the text in -the file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is: - - -\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for -USG-authorized use only. - -By using this IS (which includes any device attached to this IS), -you consent to the following conditions: - --The USG routinely intercepts and monitors -communications on this IS for purposes including, but not limited to, penetration testing, -COMSEC monitoring, network operations and defense, personnel misconduct (PM), law -enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may -inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS -are not private, are subject to routine monitoring, interception, and search, and may be -disclosed or used for any USG-authorized purpose. - --This IS includes security measures -(e.g., authentication and access controls) to protect USG interests--not for your personal -benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent -to PM, LE or CI investigative searching or monitoring of the content of privileged -communications, or work product, related to personal representation or services by -attorneys, psychotherapists, or clergy, and their assistants. Such communications and -work product are private and confidential. See User Agreement for details.\" - -Restart the -SSH daemon for the changes to take effect and then signal the SSH server to reload the -configuration file: - + desc 'fix', "Set the parameter Banner in \"/etc/ssh/sshd_config\" to point to the \"/etc/issue.net\" file: + + +$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config +$ sudo sed -i '$aBanner /etc/issue.net' +/etc/ssh/sshd_config + +Either create the file containing the banner or replace the text in +the file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is: + + +\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for +USG-authorized use only. + +By using this IS (which includes any device attached to this IS), +you consent to the following conditions: + +-The USG routinely intercepts and monitors +communications on this IS for purposes including, but not limited to, penetration testing, +COMSEC monitoring, network operations and defense, personnel misconduct (PM), law +enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may +inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS +are not private, are subject to routine monitoring, interception, and search, and may be +disclosed or used for any USG-authorized purpose. + +-This IS includes security measures +(e.g., authentication and access controls) to protect USG interests--not for your personal +benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent +to PM, LE or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services by +attorneys, psychotherapists, or clergy, and their assistants. Such communications and +work product are private and confidential. See User Agreement for details.\" + +Restart the +SSH daemon for the changes to take effect and then signal the SSH server to reload the +configuration file: + $ sudo systemctl -s SIGHUP kill sshd " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000228-GPOS-00088 " - tag satisfies: ["SRG-OS-000228-GPOS-00088","SRG-OS-000023-GPOS-00006"] - tag gid: "V-238214 " - tag rid: "SV-238214r858525_rule " - tag stig_id: "UBTU-20-010038 " - tag fix_id: "F-41383r653816_fix " - tag cci: ["CCI-000048","CCI-001384","CCI-001385","CCI-001386","CCI-001387","CCI-001388"] - tag nist: ["AC-8 a","AC-8 c 1","AC-8 c 2","AC-8 c 3"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000228-GPOS-00088 ' + tag satisfies: %w(SRG-OS-000228-GPOS-00088 SRG-OS-000023-GPOS-00006) + tag gid: 'V-238214 ' + tag rid: 'SV-238214r858525_rule ' + tag stig_id: 'UBTU-20-010038 ' + tag fix_id: 'F-41383r653816_fix ' + tag cci: %w(CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388) + tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3'] banner_text = input('banner_text') banner_files = [sshd_config.banner].flatten @@ -189,4 +187,4 @@ it { should cmp clean_banner } end end -end \ No newline at end of file +end diff --git a/controls/SV-238215.rb b/controls/SV-238215.rb index c52ee5d..0ce0297 100644 --- a/controls/SV-238215.rb +++ b/controls/SV-238215.rb @@ -1,90 +1,88 @@ -# encoding: UTF-8 - -control "SV-238215" do - title "The Ubuntu operating system must use SSH to protect the confidentiality and integrity of +control 'SV-238215' do + title "The Ubuntu operating system must use SSH to protect the confidentiality and integrity of transmitted information. " - desc "Without protection of the transmitted information, confidentiality and integrity may be -compromised because unprotected communications can be intercepted and either read or -altered. - -This requirement applies to both internal and external networks and all types of -information system components from which information can be transmitted (e.g., servers, -mobile devices, notebook computers, printers, copiers, scanners, and facsimile -machines). Communication paths outside the physical protection of a controlled boundary -are exposed to the possibility of interception and modification. - -Protecting the -confidentiality and integrity of organizational information can be accomplished by -physical means (e.g., employing physical distribution systems) or by logical means (e.g., -employing cryptographic techniques). If physical means of protection are employed, then + desc "Without protection of the transmitted information, confidentiality and integrity may be +compromised because unprotected communications can be intercepted and either read or +altered. + +This requirement applies to both internal and external networks and all types of +information system components from which information can be transmitted (e.g., servers, +mobile devices, notebook computers, printers, copiers, scanners, and facsimile +machines). Communication paths outside the physical protection of a controlled boundary +are exposed to the possibility of interception and modification. + +Protecting the +confidentiality and integrity of organizational information can be accomplished by +physical means (e.g., employing physical distribution systems) or by logical means (e.g., +employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. " - desc "check", "Verify the SSH package is installed with the following command: - -$ sudo dpkg -l | grep openssh - -ii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access -to remote machines -ii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server, -for secure access from remote machines -ii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64 -secure shell (SSH) sftp server module, for SFTP access from remote machines - -If the -\"openssh\" server package is not installed, this is a finding. - -Verify the \"sshd.service\" is -loaded and active with the following command: - -$ sudo systemctl status sshd.service | egrep --i \"(active|loaded)\" - Loaded: loaded (/lib/systemd/system/ssh.service; enabled; -vendor preset: enabled) - Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1 -weeks 3 days ago - + desc 'check', "Verify the SSH package is installed with the following command: + +$ sudo dpkg -l | grep openssh + +ii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access +to remote machines +ii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server, +for secure access from remote machines +ii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64 +secure shell (SSH) sftp server module, for SFTP access from remote machines + +If the +\"openssh\" server package is not installed, this is a finding. + +Verify the \"sshd.service\" is +loaded and active with the following command: + +$ sudo systemctl status sshd.service | egrep +-i \"(active|loaded)\" + Loaded: loaded (/lib/systemd/system/ssh.service; enabled; +vendor preset: enabled) + Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1 +weeks 3 days ago + If \"sshd.service\" is not active or loaded, this is a finding. " - desc "fix", "Install the \"ssh\" meta-package on the system with the following command: - -$ sudo apt install -ssh - -Enable the \"ssh\" service to start automatically on reboot with the following command: - - -$ sudo systemctl enable sshd.service - -ensure the \"ssh\" service is running - -$ sudo + desc 'fix', "Install the \"ssh\" meta-package on the system with the following command: + +$ sudo apt install +ssh + +Enable the \"ssh\" service to start automatically on reboot with the following command: + + +$ sudo systemctl enable sshd.service + +ensure the \"ssh\" service is running + +$ sudo systemctl start sshd.service " impact 0.7 - tag severity: "high " - tag gtitle: "SRG-OS-000423-GPOS-00187 " - tag satisfies: ["SRG-OS-000423-GPOS-00187","SRG-OS-000425-GPOS-00189","SRG-OS-000426-GPOS-00190"] - tag gid: "V-238215 " - tag rid: "SV-238215r853406_rule " - tag stig_id: "UBTU-20-010042 " - tag fix_id: "F-41384r653819_fix " - tag cci: ["CCI-002418","CCI-002420","CCI-002422"] - tag nist: ["SC-8","SC-8 (2)"] + tag severity: 'high ' + tag gtitle: 'SRG-OS-000423-GPOS-00187 ' + tag satisfies: %w(SRG-OS-000423-GPOS-00187 SRG-OS-000425-GPOS-00189 SRG-OS-000426-GPOS-00190) + tag gid: 'V-238215 ' + tag rid: 'SV-238215r853406_rule ' + tag stig_id: 'UBTU-20-010042 ' + tag fix_id: 'F-41384r653819_fix ' + tag cci: %w(CCI-002418 CCI-002420 CCI-002422) + tag nist: ['SC-8', 'SC-8 (2)'] describe package('openssh-client') do it { should be_installed } end - + describe package('openssh-server') do it { should be_installed } end - + describe package('openssh-sftp-server') do it { should be_installed } end - + describe service('sshd') do it { should be_enabled } it { should be_installed } it { should be_running } end -end \ No newline at end of file +end diff --git a/controls/SV-238216.rb b/controls/SV-238216.rb index 4cae018..3490a72 100644 --- a/controls/SV-238216.rb +++ b/controls/SV-238216.rb @@ -1,74 +1,72 @@ -# encoding: UTF-8 - -control "SV-238216" do - title "The Ubuntu operating system must configure the SSH daemon to use Message Authentication -Codes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the -unauthorized disclosure of information and/or detect changes to information during +control 'SV-238216' do + title "The Ubuntu operating system must configure the SSH daemon to use Message Authentication +Codes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the +unauthorized disclosure of information and/or detect changes to information during transmission. " - desc "Without cryptographic integrity protections, information can be altered by unauthorized -users without detection. - -Remote access (e.g., RDP) is access to DoD nonpublic information -systems by an authorized user (or an information system) communicating through an external, -non-organization-controlled network. Remote access methods include, for example, -dial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are -those activities conducted by individuals communicating through a network, either an -external network (e.g., the internet) or an internal network. - -Local maintenance and -diagnostic activities are those activities carried out by individuals physically present -at the information system or information system component and not communicating across a -network connection. - -Encrypting information for transmission protects information from -unauthorized disclosure and modification. Cryptographic mechanisms implemented to -protect information integrity include, for example, cryptographic hash functions which -have common application in digital signatures, checksums, and message authentication + desc "Without cryptographic integrity protections, information can be altered by unauthorized +users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information +systems by an authorized user (or an information system) communicating through an external, +non-organization-controlled network. Remote access methods include, for example, +dial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are +those activities conducted by individuals communicating through a network, either an +external network (e.g., the internet) or an internal network. + +Local maintenance and +diagnostic activities are those activities carried out by individuals physically present +at the information system or information system component and not communicating across a +network connection. + +Encrypting information for transmission protects information from +unauthorized disclosure and modification. Cryptographic mechanisms implemented to +protect information integrity include, for example, cryptographic hash functions which +have common application in digital signatures, checksums, and message authentication codes. " - desc "check", "Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers + desc 'check', "Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers with the following command: $ grep -ir macs /etc/ssh/sshd_config* - -MACs + +MACs hmac-sha2-512,hmac-sha2-256 -If any ciphers other than \"hmac-sha2-512\" or -\"hmac-sha2-256\" are listed, the order differs from the example above, or the returned line is +If any ciphers other than \"hmac-sha2-512\" or +\"hmac-sha2-256\" are listed, the order differs from the example above, or the returned line is commented out, this is a finding. If conflicting results are returned, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS -140-2 approved ciphers. - -Add the following line (or modify the line to have the required -value) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a -different location if using a version of SSH that is provided by a third-party vendor): - -MACs -hmac-sha2-512,hmac-sha2-256 - -Restart the SSH daemon for the changes to take effect: - -$ + desc 'fix', "Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS +140-2 approved ciphers. + +Add the following line (or modify the line to have the required +value) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a +different location if using a version of SSH that is provided by a third-party vendor): + +MACs +hmac-sha2-512,hmac-sha2-256 + +Restart the SSH daemon for the changes to take effect: + +$ sudo systemctl reload sshd.service " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000424-GPOS-00188 " - tag satisfies: ["SRG-OS-000424-GPOS-00188","SRG-OS-000250-GPOS-00093","SRG-OS-000393-GPOS-00173"] - tag gid: "V-238216 " - tag rid: "SV-238216r860820_rule " - tag stig_id: "UBTU-20-010043 " - tag fix_id: "F-41385r653822_fix " - tag cci: ["CCI-001453","CCI-002421","CCI-002890"] - tag nist: ["AC-17 (2)","SC-8 (1)","MA-4 (6)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000424-GPOS-00188 ' + tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173) + tag gid: 'V-238216 ' + tag rid: 'SV-238216r860820_rule ' + tag stig_id: 'UBTU-20-010043 ' + tag fix_id: 'F-41385r653822_fix ' + tag cci: %w(CCI-001453 CCI-002421 CCI-002890) + tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)'] @macs_array = inspec.sshd_config.params['macs'] @macs_array = @macs_array.first.split(',') unless @macs_array.nil? describe @macs_array do - it { should be_in %w[hmac-sha2-256 hmac-sha2-512] } + it { should be_in %w(hmac-sha2-256 hmac-sha2-512) } end -end \ No newline at end of file +end diff --git a/controls/SV-238217.rb b/controls/SV-238217.rb index 324fec4..d135ffc 100644 --- a/controls/SV-238217.rb +++ b/controls/SV-238217.rb @@ -1,80 +1,78 @@ -# encoding: UTF-8 - -control "SV-238217" do - title "The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers -to prevent the unauthorized disclosure of information and/or detect changes to information +control 'SV-238217' do + title "The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers +to prevent the unauthorized disclosure of information and/or detect changes to information during transmission. " - desc "Without cryptographic integrity protections, information can be altered by unauthorized -users without detection. - -Remote access (e.g., RDP) is access to DoD nonpublic information -systems by an authorized user (or an information system) communicating through an external, -non-organization-controlled network. Remote access methods include, for example, -dial-up, broadband, and wireless. - -Nonlocal maintenance and diagnostic activities are -those activities conducted by individuals communicating through a network, either an -external network (e.g., the internet) or an internal network. - -Local maintenance and -diagnostic activities are those activities carried out by individuals physically present -at the information system or information system component and not communicating across a -network connection. - -Encrypting information for transmission protects information from -unauthorized disclosure and modification. Cryptographic mechanisms implemented to -protect information integrity include, for example, cryptographic hash functions which -have common application in digital signatures, checksums, and message authentication -codes. - -By specifying a cipher list with the order of ciphers being in a \"strongest to -weakest\" orientation, the system will automatically attempt to use the strongest cipher for + desc "Without cryptographic integrity protections, information can be altered by unauthorized +users without detection. + +Remote access (e.g., RDP) is access to DoD nonpublic information +systems by an authorized user (or an information system) communicating through an external, +non-organization-controlled network. Remote access methods include, for example, +dial-up, broadband, and wireless. + +Nonlocal maintenance and diagnostic activities are +those activities conducted by individuals communicating through a network, either an +external network (e.g., the internet) or an internal network. + +Local maintenance and +diagnostic activities are those activities carried out by individuals physically present +at the information system or information system component and not communicating across a +network connection. + +Encrypting information for transmission protects information from +unauthorized disclosure and modification. Cryptographic mechanisms implemented to +protect information integrity include, for example, cryptographic hash functions which +have common application in digital signatures, checksums, and message authentication +codes. + +By specifying a cipher list with the order of ciphers being in a \"strongest to +weakest\" orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections. " - desc "check", "Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running + desc 'check', "Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running the following command: $ grep -r 'Ciphers' /etc/ssh/sshd_config* - -Ciphers -aes256-ctr,aes192-ctr,aes128-ctr - -If any ciphers other than \"aes256-ctr\", -\"aes192-ctr\", or \"aes128-ctr\" are listed, the order differs from the example above, the + +Ciphers +aes256-ctr,aes192-ctr,aes128-ctr + +If any ciphers other than \"aes256-ctr\", +\"aes192-ctr\", or \"aes128-ctr\" are listed, the order differs from the example above, the \"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding. -If +If conflicting results are returned, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to allow the SSH daemon to only implement -FIPS-approved algorithms. - -Add the following line (or modify the line to have the required -value) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a -different location if using a version of SSH that is provided by a third-party vendor): - - -Ciphers aes256-ctr,aes192-ctr,aes128-ctr - -Restart the SSH daemon for the changes to -take effect: - + desc 'fix', "Configure the Ubuntu operating system to allow the SSH daemon to only implement +FIPS-approved algorithms. + +Add the following line (or modify the line to have the required +value) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a +different location if using a version of SSH that is provided by a third-party vendor): + + +Ciphers aes256-ctr,aes192-ctr,aes128-ctr + +Restart the SSH daemon for the changes to +take effect: + $ sudo systemctl restart sshd.service " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000424-GPOS-00188 " - tag satisfies: ["SRG-OS-000424-GPOS-00188","SRG-OS-000033-GPOS-00014","SRG-OS-000394-GPOS-00174"] - tag gid: "V-238217 " - tag rid: "SV-238217r860821_rule " - tag stig_id: "UBTU-20-010044 " - tag fix_id: "F-41386r653825_fix " - tag cci: ["CCI-000068","CCI-002421","CCI-003123"] - tag nist: ["AC-17 (2)","SC-8 (1)","MA-4 (6)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000424-GPOS-00188 ' + tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000033-GPOS-00014 SRG-OS-000394-GPOS-00174) + tag gid: 'V-238217 ' + tag rid: 'SV-238217r860821_rule ' + tag stig_id: 'UBTU-20-010044 ' + tag fix_id: 'F-41386r653825_fix ' + tag cci: %w(CCI-000068 CCI-002421 CCI-003123) + tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)'] @ciphers_array = inspec.sshd_config.params['ciphers'] @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil? describe @ciphers_array do - it { should be_in %w[ aes256-ctr aes192-ctr aes128-ctr ] } + it { should be_in %w( aes256-ctr aes192-ctr aes128-ctr ) } end end diff --git a/controls/SV-238218.rb b/controls/SV-238218.rb index 405956e..daead49 100644 --- a/controls/SV-238218.rb +++ b/controls/SV-238218.rb @@ -1,49 +1,47 @@ -# encoding: UTF-8 - -control "SV-238218" do - title "The Ubuntu operating system must not allow unattended or automatic login via SSH. " - desc "Failure to restrict system access to authenticated users negatively impacts Ubuntu +control 'SV-238218' do + title 'The Ubuntu operating system must not allow unattended or automatic login via SSH. ' + desc "Failure to restrict system access to authenticated users negatively impacts Ubuntu operating system security. " - desc "check", "Verify that unattended or automatic login via SSH is disabled with the following command: + desc 'check', "Verify that unattended or automatic login via SSH is disabled with the following command: -$ -egrep -r '(Permit(.*?)(Passwords|Environment))' +$ +egrep -r '(Permit(.*?)(Passwords|Environment))' /etc/ssh/sshd_config PermitEmptyPasswords no PermitUserEnvironment no -If -\"PermitEmptyPasswords\" or \"PermitUserEnvironment\" keywords are not set to \"no\", are +If +\"PermitEmptyPasswords\" or \"PermitUserEnvironment\" keywords are not set to \"no\", are missing completely, or are commented out, this is a finding. -If conflicting results are +If conflicting results are returned, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or -automatic login to the system. - -Add or edit the following lines in the -\"/etc/ssh/sshd_config\" file: - -PermitEmptyPasswords no -PermitUserEnvironment no - - -Restart the SSH daemon for the changes to take effect: - -$ sudo systemctl restart + desc 'fix', "Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or +automatic login to the system. + +Add or edit the following lines in the +\"/etc/ssh/sshd_config\" file: + +PermitEmptyPasswords no +PermitUserEnvironment no + + +Restart the SSH daemon for the changes to take effect: + +$ sudo systemctl restart sshd.service " impact 0.7 - tag severity: "high " - tag gtitle: "SRG-OS-000480-GPOS-00229 " - tag gid: "V-238218 " - tag rid: "SV-238218r858531_rule " - tag stig_id: "UBTU-20-010047 " - tag fix_id: "F-41387r653828_fix " - tag cci: ["CCI-000366"] - tag nist: ["CM-6 b"] + tag severity: 'high ' + tag gtitle: 'SRG-OS-000480-GPOS-00229 ' + tag gid: 'V-238218 ' + tag rid: 'SV-238218r858531_rule ' + tag stig_id: 'UBTU-20-010047 ' + tag fix_id: 'F-41387r653828_fix ' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] describe sshd_config do its('PermitEmptyPasswords') { should cmp 'no' } its('PermitUserEnvironment') { should cmp 'no' } end -end \ No newline at end of file +end diff --git a/controls/SV-238219.rb b/controls/SV-238219.rb index 83ea90d..e3ac804 100644 --- a/controls/SV-238219.rb +++ b/controls/SV-238219.rb @@ -1,56 +1,54 @@ -# encoding: UTF-8 - -control "SV-238219" do - title "The Ubuntu operating system must be configured so that remote X connections are disabled, +control 'SV-238219' do + title "The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements. " - desc "The security risk of using X11 forwarding is that the client's X11 display server may be -exposed to attack when the SSH client requests forwarding. A System Administrator may have a -stance in which they want to protect clients that may expose themselves to attack by -unwittingly requesting X11 forwarding, which can warrant a ''no'' setting. - -X11 -forwarding should be enabled with caution. Users with the ability to bypass file permissions -on the remote host (for the user's X11 authorization database) can access the local X11 -display through the forwarded connection. An attacker may then be able to perform activities -such as keystroke monitoring if the ForwardX11Trusted option is also enabled. - -If X11 -services are not required for the system's intended function, they should be disabled or + desc "The security risk of using X11 forwarding is that the client's X11 display server may be +exposed to attack when the SSH client requests forwarding. A System Administrator may have a +stance in which they want to protect clients that may expose themselves to attack by +unwittingly requesting X11 forwarding, which can warrant a ''no'' setting. + +X11 +forwarding should be enabled with caution. Users with the ability to bypass file permissions +on the remote host (for the user's X11 authorization database) can access the local X11 +display through the forwarded connection. An attacker may then be able to perform activities +such as keystroke monitoring if the ForwardX11Trusted option is also enabled. + +If X11 +services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs. " - desc "check", "Verify that X11Forwarding is disabled with the following command: - -$ grep -ir -x11forwarding /etc/ssh/sshd_config* | grep -v \"^#\" - -X11Forwarding no - -If the -\"X11Forwarding\" keyword is set to \"yes\" and is not documented with the Information System + desc 'check', "Verify that X11Forwarding is disabled with the following command: + +$ grep -ir +x11forwarding /etc/ssh/sshd_config* | grep -v \"^#\" + +X11Forwarding no + +If the +\"X11Forwarding\" keyword is set to \"yes\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement or is missing, this is a finding. -If +If conflicting results are returned, this is a finding. " - desc "fix", "Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\" -keyword and set its value to \"no\" (this file may be named differently or be in a different -location if using a version of SSH that is provided by a third-party vendor): - -X11Forwarding -no - -Restart the SSH daemon for the changes to take effect: - -$ sudo systemctl restart + desc 'fix', "Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\" +keyword and set its value to \"no\" (this file may be named differently or be in a different +location if using a version of SSH that is provided by a third-party vendor): + +X11Forwarding +no + +Restart the SSH daemon for the changes to take effect: + +$ sudo systemctl restart sshd.service " impact 0.7 - tag severity: "high " - tag gtitle: "SRG-OS-000480-GPOS-00227 " - tag gid: "V-238219 " - tag rid: "SV-238219r858533_rule " - tag stig_id: "UBTU-20-010048 " - tag fix_id: "F-41388r653831_fix " - tag cci: ["CCI-000366"] - tag nist: ["CM-6 b"] + tag severity: 'high ' + tag gtitle: 'SRG-OS-000480-GPOS-00227 ' + tag gid: 'V-238219 ' + tag rid: 'SV-238219r858533_rule ' + tag stig_id: 'UBTU-20-010048 ' + tag fix_id: 'F-41388r653831_fix ' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] describe sshd_config do its('X11Forwarding') { should cmp 'no' } end -end \ No newline at end of file +end diff --git a/controls/SV-238220.rb b/controls/SV-238220.rb index 62088e1..da865dd 100644 --- a/controls/SV-238220.rb +++ b/controls/SV-238220.rb @@ -1,51 +1,49 @@ -# encoding: UTF-8 - -control "SV-238220" do - title "The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy +control 'SV-238220' do + title "The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy display. " - desc "When X11 forwarding is enabled, there may be additional exposure to the server and client -displays if the sshd proxy display is configured to listen on the wildcard address. By -default, sshd binds the forwarding server to the loopback address and sets the hostname part -of the DISPLAY environment variable to localhost. This prevents remote hosts from + desc "When X11 forwarding is enabled, there may be additional exposure to the server and client +displays if the sshd proxy display is configured to listen on the wildcard address. By +default, sshd binds the forwarding server to the loopback address and sets the hostname part +of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display. " - desc "check", "Verify the SSH daemon prevents remote hosts from connecting to the proxy display. + desc 'check', "Verify the SSH daemon prevents remote hosts from connecting to the proxy display. -Check the +Check the SSH X11UseLocalhost setting with the following command: -$ sudo grep -ir x11uselocalhost +$ sudo grep -ir x11uselocalhost /etc/ssh/sshd_config* X11UseLocalhost yes -If the \"X11UseLocalhost\" keyword is set to +If the \"X11UseLocalhost\" keyword is set to \"no\", is missing, or is commented out, this is a finding. -If conflicting results are +If conflicting results are returned, this is a finding. " - desc "fix", "Configure the SSH daemon to prevent remote hosts from connecting to the proxy display. - -Edit -the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11UseLocalhost\" -keyword and set its value to \"yes\" (this file may be named differently or be in a different -location if using a version of SSH that is provided by a third-party vendor): - - -X11UseLocalhost yes - -Restart the SSH daemon for the changes to take effect: - -$ sudo + desc 'fix', "Configure the SSH daemon to prevent remote hosts from connecting to the proxy display. + +Edit +the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11UseLocalhost\" +keyword and set its value to \"yes\" (this file may be named differently or be in a different +location if using a version of SSH that is provided by a third-party vendor): + + +X11UseLocalhost yes + +Restart the SSH daemon for the changes to take effect: + +$ sudo systemctl restart sshd.service " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000480-GPOS-00227 " - tag gid: "V-238220 " - tag rid: "SV-238220r858535_rule " - tag stig_id: "UBTU-20-010049 " - tag fix_id: "F-41389r653834_fix " - tag cci: ["CCI-000366"] - tag nist: ["CM-6 b"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000480-GPOS-00227 ' + tag gid: 'V-238220 ' + tag rid: 'SV-238220r858535_rule ' + tag stig_id: 'UBTU-20-010049 ' + tag fix_id: 'F-41389r653834_fix ' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] describe sshd_config do its('X11UseLocalhost') { should cmp 'yes' } end -end \ No newline at end of file +end diff --git a/controls/SV-238221.rb b/controls/SV-238221.rb index e50a589..3731da0 100644 --- a/controls/SV-238221.rb +++ b/controls/SV-238221.rb @@ -1,41 +1,39 @@ -# encoding: UTF-8 - -control "SV-238221" do - title "The Ubuntu operating system must enforce password complexity by requiring that at least one +control 'SV-238221' do + title "The Ubuntu operating system must enforce password complexity by requiring that at least one upper-case character be used. " - desc "Use of a complex password helps to increase the time and resources required to compromise the -password. Password complexity, or strength, is a measure of the effectiveness of a password -in resisting attempts at guessing and brute-force attacks. - -Password complexity is one -factor of several that determines how long it takes to crack a password. The more complex the -password, the greater the number of possible combinations that need to be tested before the + desc "Use of a complex password helps to increase the time and resources required to compromise the +password. Password complexity, or strength, is a measure of the effectiveness of a password +in resisting attempts at guessing and brute-force attacks. + +Password complexity is one +factor of several that determines how long it takes to crack a password. The more complex the +password, the greater the number of possible combinations that need to be tested before the password is compromised. " - desc "check", "Verify the Ubuntu operating system enforces password complexity by requiring that at least -one upper-case character be used. - -Determine if the field \"ucredit\" is set in the -\"/etc/security/pwquality.conf\" file with the following command: - -$ grep -i \"ucredit\" -/etc/security/pwquality.conf -ucredit=-1 - -If the \"ucredit\" parameter is greater than + desc 'check', "Verify the Ubuntu operating system enforces password complexity by requiring that at least +one upper-case character be used. + +Determine if the field \"ucredit\" is set in the +\"/etc/security/pwquality.conf\" file with the following command: + +$ grep -i \"ucredit\" +/etc/security/pwquality.conf +ucredit=-1 + +If the \"ucredit\" parameter is greater than \"-1\" or is commented out, this is a finding. " - desc "fix", "Add or update the \"/etc/security/pwquality.conf\" file to contain the \"ucredit\" parameter: + desc 'fix', "Add or update the \"/etc/security/pwquality.conf\" file to contain the \"ucredit\" parameter: + - ucredit=-1 " impact 0.3 - tag severity: "low " - tag gtitle: "SRG-OS-000069-GPOS-00037 " - tag gid: "V-238221 " - tag rid: "SV-238221r653838_rule " - tag stig_id: "UBTU-20-010050 " - tag fix_id: "F-41390r653837_fix " - tag cci: ["CCI-000192"] - tag nist: ["IA-5 (1) (a)"] + tag severity: 'low ' + tag gtitle: 'SRG-OS-000069-GPOS-00037 ' + tag gid: 'V-238221 ' + tag rid: 'SV-238221r653838_rule ' + tag stig_id: 'UBTU-20-010050 ' + tag fix_id: 'F-41390r653837_fix ' + tag cci: ['CCI-000192'] + tag nist: ['IA-5 (1) (a)'] config_file = '/etc/security/pwquality.conf' config_file_exists = file(config_file).exist? @@ -45,9 +43,9 @@ its('ucredit') { should cmp '-1' } end else - describe (config_file + ' exists') do + describe(config_file + ' exists') do subject { config_file_exists } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238222.rb b/controls/SV-238222.rb index 4b35cbf..7d5229e 100644 --- a/controls/SV-238222.rb +++ b/controls/SV-238222.rb @@ -1,41 +1,39 @@ -# encoding: UTF-8 - -control "SV-238222" do - title "The Ubuntu operating system must enforce password complexity by requiring that at least one +control 'SV-238222' do + title "The Ubuntu operating system must enforce password complexity by requiring that at least one lower-case character be used. " - desc "Use of a complex password helps to increase the time and resources required to compromise the -password. Password complexity, or strength, is a measure of the effectiveness of a password -in resisting attempts at guessing and brute-force attacks. - -Password complexity is one -factor of several that determines how long it takes to crack a password. The more complex the -password, the greater the number of possible combinations that need to be tested before the + desc "Use of a complex password helps to increase the time and resources required to compromise the +password. Password complexity, or strength, is a measure of the effectiveness of a password +in resisting attempts at guessing and brute-force attacks. + +Password complexity is one +factor of several that determines how long it takes to crack a password. The more complex the +password, the greater the number of possible combinations that need to be tested before the password is compromised. " - desc "check", "Verify the Ubuntu operating system enforces password complexity by requiring that at least -one lower-case character be used. - -Determine if the field \"lcredit\" is set in the -\"/etc/security/pwquality.conf\" file with the following command: - -$ grep -i \"lcredit\" -/etc/security/pwquality.conf -lcredit=-1 - -If the \"lcredit\" parameter is greater than + desc 'check', "Verify the Ubuntu operating system enforces password complexity by requiring that at least +one lower-case character be used. + +Determine if the field \"lcredit\" is set in the +\"/etc/security/pwquality.conf\" file with the following command: + +$ grep -i \"lcredit\" +/etc/security/pwquality.conf +lcredit=-1 + +If the \"lcredit\" parameter is greater than \"-1\" or is commented out, this is a finding. " - desc "fix", "Add or update the \"/etc/security/pwquality.conf\" file to contain the \"lcredit\" parameter: + desc 'fix', "Add or update the \"/etc/security/pwquality.conf\" file to contain the \"lcredit\" parameter: + - lcredit=-1 " impact 0.3 - tag severity: "low " - tag gtitle: "SRG-OS-000070-GPOS-00038 " - tag gid: "V-238222 " - tag rid: "SV-238222r653841_rule " - tag stig_id: "UBTU-20-010051 " - tag fix_id: "F-41391r653840_fix " - tag cci: ["CCI-000193"] - tag nist: ["IA-5 (1) (a)"] + tag severity: 'low ' + tag gtitle: 'SRG-OS-000070-GPOS-00038 ' + tag gid: 'V-238222 ' + tag rid: 'SV-238222r653841_rule ' + tag stig_id: 'UBTU-20-010051 ' + tag fix_id: 'F-41391r653840_fix ' + tag cci: ['CCI-000193'] + tag nist: ['IA-5 (1) (a)'] config_file = '/etc/security/pwquality.conf' config_file_exists = file(config_file).exist? @@ -45,9 +43,9 @@ its('lcredit') { should cmp '-1' } end else - describe (config_file + ' exists') do + describe(config_file + ' exists') do subject { config_file_exists } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238223.rb b/controls/SV-238223.rb index 65fe427..17acbb4 100644 --- a/controls/SV-238223.rb +++ b/controls/SV-238223.rb @@ -1,44 +1,42 @@ -# encoding: UTF-8 - -control "SV-238223" do - title "The Ubuntu operating system must enforce password complexity by requiring that at least one +control 'SV-238223' do + title "The Ubuntu operating system must enforce password complexity by requiring that at least one numeric character be used. " - desc "Use of a complex password helps to increase the time and resources required to compromise the -password. Password complexity, or strength, is a measure of the effectiveness of a password -in resisting attempts at guessing and brute-force attacks. - -Password complexity is one -factor of several that determines how long it takes to crack a password. The more complex the -password, the greater the number of possible combinations that need to be tested before the + desc "Use of a complex password helps to increase the time and resources required to compromise the +password. Password complexity, or strength, is a measure of the effectiveness of a password +in resisting attempts at guessing and brute-force attacks. + +Password complexity is one +factor of several that determines how long it takes to crack a password. The more complex the +password, the greater the number of possible combinations that need to be tested before the password is compromised. " - desc "check", "Verify the Ubuntu operating system enforces password complexity by requiring that at least -one numeric character be used. - -Determine if the field \"dcredit\" is set in the -\"/etc/security/pwquality.conf\" file with the following command: - -$ grep -i \"dcredit\" -/etc/security/pwquality.conf -dcredit=-1 - -If the \"dcredit\" parameter is greater than + desc 'check', "Verify the Ubuntu operating system enforces password complexity by requiring that at least +one numeric character be used. + +Determine if the field \"dcredit\" is set in the +\"/etc/security/pwquality.conf\" file with the following command: + +$ grep -i \"dcredit\" +/etc/security/pwquality.conf +dcredit=-1 + +If the \"dcredit\" parameter is greater than \"-1\" or is commented out, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to enforce password complexity by requiring that at -least one numeric character be used. - -Add or update the \"/etc/security/pwquality.conf\" -file to contain the \"dcredit\" parameter: - + desc 'fix', "Configure the Ubuntu operating system to enforce password complexity by requiring that at +least one numeric character be used. + +Add or update the \"/etc/security/pwquality.conf\" +file to contain the \"dcredit\" parameter: + dcredit=-1 " impact 0.3 - tag severity: "low " - tag gtitle: "SRG-OS-000071-GPOS-00039 " - tag gid: "V-238223 " - tag rid: "SV-238223r653844_rule " - tag stig_id: "UBTU-20-010052 " - tag fix_id: "F-41392r653843_fix " - tag cci: ["CCI-000194"] - tag nist: ["IA-5 (1) (a)"] + tag severity: 'low ' + tag gtitle: 'SRG-OS-000071-GPOS-00039 ' + tag gid: 'V-238223 ' + tag rid: 'SV-238223r653844_rule ' + tag stig_id: 'UBTU-20-010052 ' + tag fix_id: 'F-41392r653843_fix ' + tag cci: ['CCI-000194'] + tag nist: ['IA-5 (1) (a)'] config_file = '/etc/security/pwquality.conf' config_file_exists = file(config_file).exist? @@ -48,9 +46,9 @@ its('dcredit') { should cmp '-1' } end else - describe (config_file + ' exists') do + describe(config_file + ' exists') do subject { config_file_exists } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238224.rb b/controls/SV-238224.rb index e0f9a86..7e07347 100644 --- a/controls/SV-238224.rb +++ b/controls/SV-238224.rb @@ -1,48 +1,46 @@ -# encoding: UTF-8 - -control "SV-238224" do - title "The Ubuntu operating system must require the change of at least 8 characters when passwords +control 'SV-238224' do + title "The Ubuntu operating system must require the change of at least 8 characters when passwords are changed. " - desc "If the operating system allows the user to consecutively reuse extensive portions of -passwords, this increases the chances of password compromise by increasing the window of -opportunity for attempts at guessing and brute-force attacks. - -The number of changed -characters refers to the number of changes required with respect to the total number of -positions in the current password. In other words, characters may be the same within the two -passwords; however, the positions of the like characters must be different. - -If the -password length is an odd number then number of changed characters must be rounded up. For + desc "If the operating system allows the user to consecutively reuse extensive portions of +passwords, this increases the chances of password compromise by increasing the window of +opportunity for attempts at guessing and brute-force attacks. + +The number of changed +characters refers to the number of changes required with respect to the total number of +positions in the current password. In other words, characters may be the same within the two +passwords; however, the positions of the like characters must be different. + +If the +password length is an odd number then number of changed characters must be rounded up. For example, a password length of 15 characters must require the change of at least 8 characters. " - desc "check", "Verify the Ubuntu operating system requires the change of at least eight characters when -passwords are changed. - -Determine if the field \"difok\" is set in the -\"/etc/security/pwquality.conf\" file with the following command: - -$ grep -i \"difok\" -/etc/security/pwquality.conf -difok=8 - -If the \"difok\" parameter is less than \"8\" or is + desc 'check', "Verify the Ubuntu operating system requires the change of at least eight characters when +passwords are changed. + +Determine if the field \"difok\" is set in the +\"/etc/security/pwquality.conf\" file with the following command: + +$ grep -i \"difok\" +/etc/security/pwquality.conf +difok=8 + +If the \"difok\" parameter is less than \"8\" or is commented out, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to require the change of at least eight characters when -passwords are changed. - -Add or update the \"/etc/security/pwquality.conf\" file to include -the \"difok=8\" parameter: - + desc 'fix', "Configure the Ubuntu operating system to require the change of at least eight characters when +passwords are changed. + +Add or update the \"/etc/security/pwquality.conf\" file to include +the \"difok=8\" parameter: + difok=8 " impact 0.3 - tag severity: "low " - tag gtitle: "SRG-OS-000072-GPOS-00040 " - tag gid: "V-238224 " - tag rid: "SV-238224r653847_rule " - tag stig_id: "UBTU-20-010053 " - tag fix_id: "F-41393r653846_fix " - tag cci: ["CCI-000195"] - tag nist: ["IA-5 (1) (b)"] + tag severity: 'low ' + tag gtitle: 'SRG-OS-000072-GPOS-00040 ' + tag gid: 'V-238224 ' + tag rid: 'SV-238224r653847_rule ' + tag stig_id: 'UBTU-20-010053 ' + tag fix_id: 'F-41393r653846_fix ' + tag cci: ['CCI-000195'] + tag nist: ['IA-5 (1) (b)'] config_file = '/etc/security/pwquality.conf' config_file_exists = file(config_file).exist? @@ -52,9 +50,9 @@ its('difok') { should cmp >= '8' } end else - describe (config_file + ' exists') do + describe(config_file + ' exists') do subject { config_file_exists } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238225.rb b/controls/SV-238225.rb index 95406f8..cfbe386 100644 --- a/controls/SV-238225.rb +++ b/controls/SV-238225.rb @@ -1,40 +1,38 @@ -# encoding: UTF-8 - -control "SV-238225" do - title "The Ubuntu operating system must enforce a minimum 15-character password length. " - desc "The shorter the password, the lower the number of possible combinations that need to be tested -before the password is compromised. - -Password complexity, or strength, is a measure of the -effectiveness of a password in resisting attempts at guessing and brute-force attacks. -Password length is one factor of several that helps to determine strength and how long it takes -to crack a password. Use of more characters in a password helps to exponentially increase the +control 'SV-238225' do + title 'The Ubuntu operating system must enforce a minimum 15-character password length. ' + desc "The shorter the password, the lower the number of possible combinations that need to be tested +before the password is compromised. + +Password complexity, or strength, is a measure of the +effectiveness of a password in resisting attempts at guessing and brute-force attacks. +Password length is one factor of several that helps to determine strength and how long it takes +to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. " - desc "check", "Verify the pwquality configuration file enforces a minimum 15-character password length by + desc 'check', "Verify the pwquality configuration file enforces a minimum 15-character password length by running the following command: -$ grep -i minlen +$ grep -i minlen /etc/security/pwquality.conf minlen=15 -If \"minlen\" parameter value is not \"15\" or +If \"minlen\" parameter value is not \"15\" or higher or is commented out, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to enforce a minimum 15-character password length. - + desc 'fix', "Configure the Ubuntu operating system to enforce a minimum 15-character password length. + + +Add or modify the \"minlen\" parameter value to the \"/etc/security/pwquality.conf\" file: -Add or modify the \"minlen\" parameter value to the \"/etc/security/pwquality.conf\" file: - minlen=15 " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000078-GPOS-00046 " - tag gid: "V-238225 " - tag rid: "SV-238225r832942_rule " - tag stig_id: "UBTU-20-010054 " - tag fix_id: "F-41394r653849_fix " - tag cci: ["CCI-000205"] - tag nist: ["IA-5 (1) (a)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000078-GPOS-00046 ' + tag gid: 'V-238225 ' + tag rid: 'SV-238225r832942_rule ' + tag stig_id: 'UBTU-20-010054 ' + tag fix_id: 'F-41394r653849_fix ' + tag cci: ['CCI-000205'] + tag nist: ['IA-5 (1) (a)'] config_file = '/etc/security/pwquality.conf' config_file_exists = file(config_file).exist? @@ -44,9 +42,9 @@ its('minlen') { should cmp >= '15' } end else - describe (config_file + ' exists') do + describe(config_file + ' exists') do subject { config_file_exists } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238226.rb b/controls/SV-238226.rb index 5922411..e608a9b 100644 --- a/controls/SV-238226.rb +++ b/controls/SV-238226.rb @@ -1,44 +1,42 @@ -# encoding: UTF-8 - -control "SV-238226" do - title "The Ubuntu operating system must enforce password complexity by requiring that at least one +control 'SV-238226' do + title "The Ubuntu operating system must enforce password complexity by requiring that at least one special character be used. " - desc "Use of a complex password helps to increase the time and resources required to compromise the -password. Password complexity or strength is a measure of the effectiveness of a password in -resisting attempts at guessing and brute-force attacks. - -Password complexity is one -factor in determining how long it takes to crack a password. The more complex the password, the -greater the number of possible combinations that need to be tested before the password is -compromised. - -Special characters are those characters that are not alphanumeric. + desc "Use of a complex password helps to increase the time and resources required to compromise the +password. Password complexity or strength is a measure of the effectiveness of a password in +resisting attempts at guessing and brute-force attacks. + +Password complexity is one +factor in determining how long it takes to crack a password. The more complex the password, the +greater the number of possible combinations that need to be tested before the password is +compromised. + +Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *. " - desc "check", "Determine if the field \"ocredit\" is set in the \"/etc/security/pwquality.conf\" file with the -following command: - -$ grep -i \"ocredit\" /etc/security/pwquality.conf -ocredit=-1 - -If + desc 'check', "Determine if the field \"ocredit\" is set in the \"/etc/security/pwquality.conf\" file with the +following command: + +$ grep -i \"ocredit\" /etc/security/pwquality.conf +ocredit=-1 + +If the \"ocredit\" parameter is greater than \"-1\" or is commented out, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to enforce password complexity by requiring that at -least one special character be used. - -Add or update the following line in the -\"/etc/security/pwquality.conf\" file to include the \"ocredit=-1\" parameter: - + desc 'fix', "Configure the Ubuntu operating system to enforce password complexity by requiring that at +least one special character be used. + +Add or update the following line in the +\"/etc/security/pwquality.conf\" file to include the \"ocredit=-1\" parameter: + ocredit=-1 " impact 0.3 - tag severity: "low " - tag gtitle: "SRG-OS-000266-GPOS-00101 " - tag gid: "V-238226 " - tag rid: "SV-238226r653853_rule " - tag stig_id: "UBTU-20-010055 " - tag fix_id: "F-41395r653852_fix " - tag cci: ["CCI-001619"] - tag nist: ["IA-5 (1) (a)"] + tag severity: 'low ' + tag gtitle: 'SRG-OS-000266-GPOS-00101 ' + tag gid: 'V-238226 ' + tag rid: 'SV-238226r653853_rule ' + tag stig_id: 'UBTU-20-010055 ' + tag fix_id: 'F-41395r653852_fix ' + tag cci: ['CCI-001619'] + tag nist: ['IA-5 (1) (a)'] config_file = '/etc/security/pwquality.conf' config_file_exists = file(config_file).exist? @@ -48,9 +46,9 @@ its('ocredit') { should cmp '-1' } end else - describe (config_file + ' exists') do + describe(config_file + ' exists') do subject { config_file_exists } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238227.rb b/controls/SV-238227.rb index ee374d5..f664e1a 100644 --- a/controls/SV-238227.rb +++ b/controls/SV-238227.rb @@ -1,36 +1,34 @@ -# encoding: UTF-8 - -control "SV-238227" do - title "The Ubuntu operating system must prevent the use of dictionary words for passwords. " - desc "If the Ubuntu operating system allows the user to select passwords based on dictionary words, -then this increases the chances of password compromise by increasing the opportunity for +control 'SV-238227' do + title 'The Ubuntu operating system must prevent the use of dictionary words for passwords. ' + desc "If the Ubuntu operating system allows the user to select passwords based on dictionary words, +then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks. " - desc "check", "Verify the Ubuntu operating system uses the \"cracklib\" library to prevent the use of -dictionary words with the following command: - -$ grep dictcheck -/etc/security/pwquality.conf - -dictcheck=1 - -If the \"dictcheck\" parameter is not set to + desc 'check', "Verify the Ubuntu operating system uses the \"cracklib\" library to prevent the use of +dictionary words with the following command: + +$ grep dictcheck +/etc/security/pwquality.conf + +dictcheck=1 + +If the \"dictcheck\" parameter is not set to \"1\" or is commented out, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to prevent the use of dictionary words for passwords. - + desc 'fix', "Configure the Ubuntu operating system to prevent the use of dictionary words for passwords. + + +Add or update the following line in the \"/etc/security/pwquality.conf\" file to include the +\"dictcheck=1\" parameter: -Add or update the following line in the \"/etc/security/pwquality.conf\" file to include the -\"dictcheck=1\" parameter: - dictcheck=1 " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000480-GPOS-00225 " - tag gid: "V-238227 " - tag rid: "SV-238227r653856_rule " - tag stig_id: "UBTU-20-010056 " - tag fix_id: "F-41396r653855_fix " - tag cci: ["CCI-000366"] - tag nist: ["CM-6 b"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000480-GPOS-00225 ' + tag gid: 'V-238227 ' + tag rid: 'SV-238227r653856_rule ' + tag stig_id: 'UBTU-20-010056 ' + tag fix_id: 'F-41396r653855_fix ' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] config_file = '/etc/security/pwquality.conf' config_file_exists = file(config_file).exist? @@ -40,9 +38,9 @@ its('dictcheck') { should cmp '1' } end else - describe (config_file + ' exists') do + describe(config_file + ' exists') do subject { config_file_exists } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238228.rb b/controls/SV-238228.rb index ac2b7fc..39bd11c 100644 --- a/controls/SV-238228.rb +++ b/controls/SV-238228.rb @@ -1,81 +1,79 @@ -# encoding: UTF-8 - -control "SV-238228" do - title "The Ubuntu operating system must be configured so that when passwords are changed or new +control 'SV-238228' do + title "The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used. " - desc "Use of a complex password helps to increase the time and resources required to compromise the -password. Password complexity, or strength, is a measure of the effectiveness of a password -in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex -password construction configuration and has the ability to limit brute-force attacks on the + desc "Use of a complex password helps to increase the time and resources required to compromise the +password. Password complexity, or strength, is a measure of the effectiveness of a password +in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex +password construction configuration and has the ability to limit brute-force attacks on the system. " - desc "check", "Verify the Ubuntu operating system has the \"libpam-pwquality\" package installed by running -the following command: - -$ dpkg -l libpam-pwquality - -ii libpam-pwquality:amd64 1.4.0-2 -amd64 PAM module to check password strength - -If \"libpam-pwquality\" is not installed, this -is a finding. - -Verify that the operating system uses \"pwquality\" to enforce the password -complexity rules. - -Verify the pwquality module is being enforced by the Ubuntu operating -system by running the following command: - -$ grep -i enforcing -/etc/security/pwquality.conf - -enforcing = 1 - -If the value of \"enforcing\" is not \"1\" or the -line is commented out, this is a finding. - -Check for the use of \"pwquality\" with the following -command: - -$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality - - -password requisite pam_pwquality.so retry=3 - -If no output is returned or the line is -commented out, this is a finding. - -If the value of \"retry\" is set to \"0\" or greater than \"3\", + desc 'check', "Verify the Ubuntu operating system has the \"libpam-pwquality\" package installed by running +the following command: + +$ dpkg -l libpam-pwquality + +ii libpam-pwquality:amd64 1.4.0-2 +amd64 PAM module to check password strength + +If \"libpam-pwquality\" is not installed, this +is a finding. + +Verify that the operating system uses \"pwquality\" to enforce the password +complexity rules. + +Verify the pwquality module is being enforced by the Ubuntu operating +system by running the following command: + +$ grep -i enforcing +/etc/security/pwquality.conf + +enforcing = 1 + +If the value of \"enforcing\" is not \"1\" or the +line is commented out, this is a finding. + +Check for the use of \"pwquality\" with the following +command: + +$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality + + +password requisite pam_pwquality.so retry=3 + +If no output is returned or the line is +commented out, this is a finding. + +If the value of \"retry\" is set to \"0\" or greater than \"3\", this is a finding. " - desc "fix", "Configure the operating system to use \"pwquality\" to enforce password complexity rules. - - -Install the \"pam_pwquality\" package by using the following command: - -$ sudo apt-get -install libpam-pwquality -y - -Add the following line to \"/etc/security/pwquality.conf\" -(or modify the line to have the required value): - -enforcing = 1 - -Add the following line to -\"/etc/pam.d/common-password\" (or modify the line to have the required value): - -password -requisite pam_pwquality.so retry=3 - -Note: The value of \"retry\" should be between \"1\" and + desc 'fix', "Configure the operating system to use \"pwquality\" to enforce password complexity rules. + + +Install the \"pam_pwquality\" package by using the following command: + +$ sudo apt-get +install libpam-pwquality -y + +Add the following line to \"/etc/security/pwquality.conf\" +(or modify the line to have the required value): + +enforcing = 1 + +Add the following line to +\"/etc/pam.d/common-password\" (or modify the line to have the required value): + +password +requisite pam_pwquality.so retry=3 + +Note: The value of \"retry\" should be between \"1\" and \"3\". " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000480-GPOS-00225 " - tag gid: "V-238228 " - tag rid: "SV-238228r653859_rule " - tag stig_id: "UBTU-20-010057 " - tag fix_id: "F-41397r653858_fix " - tag cci: ["CCI-000366"] - tag nist: ["CM-6 b"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000480-GPOS-00225 ' + tag gid: 'V-238228 ' + tag rid: 'SV-238228r653859_rule ' + tag stig_id: 'UBTU-20-010057 ' + tag fix_id: 'F-41397r653858_fix ' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] describe package('libpam-pwquality') do it { should be_installed } @@ -88,4 +86,4 @@ describe file('/etc/pam.d/common-password') do its('content') { should match '^password\s+requisite\s+pam_pwquality.so\s+retry=3\s+enforce_for_root$' } end -end \ No newline at end of file +end diff --git a/controls/SV-238229.rb b/controls/SV-238229.rb index f57dc48..62f4eb9 100644 --- a/controls/SV-238229.rb +++ b/controls/SV-238229.rb @@ -1,71 +1,69 @@ -# encoding: UTF-8 - -control "SV-238229" do - title "The Ubuntu operating system, for PKI-based authentication, must validate certificates by -constructing a certification path (which includes status information) to an accepted trust +control 'SV-238229' do + title "The Ubuntu operating system, for PKI-based authentication, must validate certificates by +constructing a certification path (which includes status information) to an accepted trust anchor. " - desc "Without path validation, an informed trust decision by the relying party cannot be made when -presented with any certificate not already explicitly trusted. - -A trust anchor is an -authoritative entity represented via a public key and associated data. It is used in the -context of public key infrastructures, X.509 digital certificates, and DNSSEC. - -When -there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can -be, for example, a Certification Authority (CA). A certification path starts with the -subject certificate and proceeds through a number of intermediate certificates up to a -trusted root certificate, typically issued by a trusted CA. - -This requirement verifies -that a certification path to an accepted trust anchor is used for certificate validation and -that the path includes status information. Path validation is necessary for a relying party -to make an informed trust decision when presented with any certificate not already -explicitly trusted. Status information for certification paths includes certificate -revocation lists or online certificate status protocol responses. Validation of the + desc "Without path validation, an informed trust decision by the relying party cannot be made when +presented with any certificate not already explicitly trusted. + +A trust anchor is an +authoritative entity represented via a public key and associated data. It is used in the +context of public key infrastructures, X.509 digital certificates, and DNSSEC. + +When +there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can +be, for example, a Certification Authority (CA). A certification path starts with the +subject certificate and proceeds through a number of intermediate certificates up to a +trusted root certificate, typically issued by a trusted CA. + +This requirement verifies +that a certification path to an accepted trust anchor is used for certificate validation and +that the path includes status information. Path validation is necessary for a relying party +to make an informed trust decision when presented with any certificate not already +explicitly trusted. Status information for certification paths includes certificate +revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement. " - desc "check", "Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates -by constructing a certification path to an accepted trust anchor. - -Determine which pkcs11 -module is being used via the \"use_pkcs11_module\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" -and then ensure \"ca\" is enabled in \"cert_policy\" with the following command: - -$ sudo grep -use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc -{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca - -cert_policy = -ca,signature,ocsp_on; - -If \"cert_policy\" is not set to \"ca\" or the line is commented out, + desc 'check', "Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates +by constructing a certification path to an accepted trust anchor. + +Determine which pkcs11 +module is being used via the \"use_pkcs11_module\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" +and then ensure \"ca\" is enabled in \"cert_policy\" with the following command: + +$ sudo grep +use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc +{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca + +cert_policy = +ca,signature,ocsp_on; + +If \"cert_policy\" is not set to \"ca\" or the line is commented out, this is a finding. " - desc "fix", "Configure the Ubuntu operating system, for PKI-based authentication, to validate -certificates by constructing a certification path to an accepted trust anchor. - -Determine -which pkcs11 module is being used via the \"use_pkcs11_module\" in -\"/etc/pam_pkcs11/pam_pkcs11.conf\" and ensure \"ca\" is enabled in \"cert_policy\". - -Add or -update the \"cert_policy\" to ensure \"ca\" is enabled: - -cert_policy = ca,signature,ocsp_on; + desc 'fix', "Configure the Ubuntu operating system, for PKI-based authentication, to validate +certificates by constructing a certification path to an accepted trust anchor. + +Determine +which pkcs11 module is being used via the \"use_pkcs11_module\" in +\"/etc/pam_pkcs11/pam_pkcs11.conf\" and ensure \"ca\" is enabled in \"cert_policy\". + +Add or +update the \"cert_policy\" to ensure \"ca\" is enabled: + +cert_policy = ca,signature,ocsp_on; + - -If the system is missing an \"/etc/pam_pkcs11/\" directory and an -\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify -accordingly at +If the system is missing an \"/etc/pam_pkcs11/\" directory and an +\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify +accordingly at \"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\". " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000066-GPOS-00034 " - tag gid: "V-238229 " - tag rid: "SV-238229r653862_rule " - tag stig_id: "UBTU-20-010060 " - tag fix_id: "F-41398r653861_fix " - tag cci: ["CCI-000185"] - tag nist: ["IA-5 (2) (b) (1)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000066-GPOS-00034 ' + tag gid: 'V-238229 ' + tag rid: 'SV-238229r653862_rule ' + tag stig_id: 'UBTU-20-010060 ' + tag fix_id: 'F-41398r653861_fix ' + tag cci: ['CCI-000185'] + tag nist: ['IA-5 (2) (b) (1)'] config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist? if config_file_exists @@ -79,4 +77,4 @@ module is being used via the \"use_pkcs11_module\" in \"/etc/pam_pkcs11/pam_pkcs it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238230.rb b/controls/SV-238230.rb index bb81300..1c09f9d 100644 --- a/controls/SV-238230.rb +++ b/controls/SV-238230.rb @@ -1,59 +1,57 @@ -# encoding: UTF-8 - -control "SV-238230" do - title "The Ubuntu operating system must implement multifactor authentication for remote access to -privileged accounts in such a way that one of the factors is provided by a device separate from +control 'SV-238230' do + title "The Ubuntu operating system must implement multifactor authentication for remote access to +privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. " - desc "Using an authentication device, such as a CAC or token that is separate from the information -system, ensures that even if the information system is compromised, that compromise will not -affect credentials stored on the authentication device. - -Multifactor solutions that -require devices separate from information systems gaining access include, for example, -hardware tokens providing time-based or challenge-response authenticators and smart -cards such as the U.S. Government Personal Identity Verification card and the DoD Common -Access Card. - -A privileged account is defined as an information system account with -authorizations of a privileged user. - -Remote access is access to DoD nonpublic information -systems by an authorized user (or an information system) communicating through an external, -non-organization-controlled network. Remote access methods include, for example, -dial-up, broadband, and wireless. - -This requirement only applies to components where this -is specific to the function of the device or has the concept of an organizational user (e.g., -VPN, proxy capability). This does not apply to authentication for the purpose of configuring + desc "Using an authentication device, such as a CAC or token that is separate from the information +system, ensures that even if the information system is compromised, that compromise will not +affect credentials stored on the authentication device. + +Multifactor solutions that +require devices separate from information systems gaining access include, for example, +hardware tokens providing time-based or challenge-response authenticators and smart +cards such as the U.S. Government Personal Identity Verification card and the DoD Common +Access Card. + +A privileged account is defined as an information system account with +authorizations of a privileged user. + +Remote access is access to DoD nonpublic information +systems by an authorized user (or an information system) communicating through an external, +non-organization-controlled network. Remote access methods include, for example, +dial-up, broadband, and wireless. + +This requirement only applies to components where this +is specific to the function of the device or has the concept of an organizational user (e.g., +VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). " - desc "check", "Verify the Ubuntu operating system has the packages required for multifactor -authentication installed with the following commands: - -$ dpkg -l | grep libpam-pkcs11 - -ii -libpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards - -If the + desc 'check', "Verify the Ubuntu operating system has the packages required for multifactor +authentication installed with the following commands: + +$ dpkg -l | grep libpam-pkcs11 + +ii +libpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards + +If the \"libpam-pkcs11\" package is not installed, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to implement multifactor authentication by -installing the required packages. - -Install the \"libpam-pkcs11\" package on the system with -the following command: - + desc 'fix', "Configure the Ubuntu operating system to implement multifactor authentication by +installing the required packages. + +Install the \"libpam-pkcs11\" package on the system with +the following command: + $ sudo apt install libpam-pkcs11 " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000375-GPOS-00160 " - tag gid: "V-238230 " - tag rid: "SV-238230r853410_rule " - tag stig_id: "UBTU-20-010063 " - tag fix_id: "F-41399r653864_fix " - tag cci: ["CCI-001948"] - tag nist: ["IA-2 (11)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000375-GPOS-00160 ' + tag gid: 'V-238230 ' + tag rid: 'SV-238230r853410_rule ' + tag stig_id: 'UBTU-20-010063 ' + tag fix_id: 'F-41399r653864_fix ' + tag cci: ['CCI-001948'] + tag nist: ['IA-2 (11)'] describe package('libpam-pkcs11') do it { should be_installed } end -end \ No newline at end of file +end diff --git a/controls/SV-238231.rb b/controls/SV-238231.rb index 72a1859..907f5ef 100644 --- a/controls/SV-238231.rb +++ b/controls/SV-238231.rb @@ -1,45 +1,43 @@ -# encoding: UTF-8 - -control "SV-238231" do - title "The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. " - desc "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized -access. - -DoD has mandated the use of the CAC to support identity management and personal -authentication for systems covered under Homeland Security Presidential Directive (HSPD) -12, as well as making the CAC a primary component of layered protection for national security +control 'SV-238231' do + title 'The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. ' + desc "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized +access. + +DoD has mandated the use of the CAC to support identity management and personal +authentication for systems covered under Homeland Security Presidential Directive (HSPD) +12, as well as making the CAC a primary component of layered protection for national security systems. " - desc "check", "Verify the Ubuntu operating system accepts PIV credentials. - -Verify the \"opensc-pcks11\" -package is installed on the system with the following command: - -$ dpkg -l | grep -opensc-pkcs11 - -ii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with -support for PKCS#15 compatible cards - -If the \"opensc-pcks11\" package is not installed, + desc 'check', "Verify the Ubuntu operating system accepts PIV credentials. + +Verify the \"opensc-pcks11\" +package is installed on the system with the following command: + +$ dpkg -l | grep +opensc-pkcs11 + +ii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with +support for PKCS#15 compatible cards + +If the \"opensc-pcks11\" package is not installed, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to accept PIV credentials. - -Install the -\"opensc-pkcs11\" package using the following command: - -$ sudo apt-get install + desc 'fix', "Configure the Ubuntu operating system to accept PIV credentials. + +Install the +\"opensc-pkcs11\" package using the following command: + +$ sudo apt-get install opensc-pkcs11 " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000376-GPOS-00161 " - tag gid: "V-238231 " - tag rid: "SV-238231r853411_rule " - tag stig_id: "UBTU-20-010064 " - tag fix_id: "F-41400r653867_fix " - tag cci: ["CCI-001953"] - tag nist: ["IA-2 (12)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000376-GPOS-00161 ' + tag gid: 'V-238231 ' + tag rid: 'SV-238231r853411_rule ' + tag stig_id: 'UBTU-20-010064 ' + tag fix_id: 'F-41400r653867_fix ' + tag cci: ['CCI-001953'] + tag nist: ['IA-2 (12)'] describe package('opensc-pkcs11') do it { should be_installed } end -end \ No newline at end of file +end diff --git a/controls/SV-238232.rb b/controls/SV-238232.rb index 5687bf8..448cc9b 100644 --- a/controls/SV-238232.rb +++ b/controls/SV-238232.rb @@ -1,43 +1,41 @@ -# encoding: UTF-8 - -control "SV-238232" do - title "The Ubuntu operating system must electronically verify Personal Identity Verification +control 'SV-238232' do + title "The Ubuntu operating system must electronically verify Personal Identity Verification (PIV) credentials. " - desc "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized -access. - -DoD has mandated the use of the CAC to support identity management and personal -authentication for systems covered under Homeland Security Presidential Directive (HSPD) -12, as well as making the CAC a primary component of layered protection for national security + desc "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized +access. + +DoD has mandated the use of the CAC to support identity management and personal +authentication for systems covered under Homeland Security Presidential Directive (HSPD) +12, as well as making the CAC a primary component of layered protection for national security systems. " - desc "check", "Verify the Ubuntu operating system electronically verifies PIV credentials. - -Verify that -certificate status checking for multifactor authentication is implemented with the -following command: - -$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | -awk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | -grep ocsp_on - -cert_policy = ca,signature,ocsp_on; - -If \"cert_policy\" is not set to + desc 'check', "Verify the Ubuntu operating system electronically verifies PIV credentials. + +Verify that +certificate status checking for multifactor authentication is implemented with the +following command: + +$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | +awk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | +grep ocsp_on + +cert_policy = ca,signature,ocsp_on; + +If \"cert_policy\" is not set to \"ocsp_on\", or the line is commented out, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to do certificate status checking for multifactor -authentication. - -Modify all of the \"cert_policy\" lines in + desc 'fix', "Configure the Ubuntu operating system to do certificate status checking for multifactor +authentication. + +Modify all of the \"cert_policy\" lines in \"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\". " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000377-GPOS-00162 " - tag gid: "V-238232 " - tag rid: "SV-238232r853412_rule " - tag stig_id: "UBTU-20-010065 " - tag fix_id: "F-41401r653870_fix " - tag cci: ["CCI-001954"] - tag nist: ["IA-2 (12)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000377-GPOS-00162 ' + tag gid: 'V-238232 ' + tag rid: 'SV-238232r853412_rule ' + tag stig_id: 'UBTU-20-010065 ' + tag fix_id: 'F-41401r653870_fix ' + tag cci: ['CCI-001954'] + tag nist: ['IA-2 (12)'] config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist? if config_file_exists @@ -50,4 +48,4 @@ it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238233.rb b/controls/SV-238233.rb index 1f5c352..3ef0e9b 100644 --- a/controls/SV-238233.rb +++ b/controls/SV-238233.rb @@ -1,46 +1,44 @@ -# encoding: UTF-8 - -control "SV-238233" do - title "The Ubuntu operating system for PKI-based authentication, must implement a local cache of +control 'SV-238233' do + title "The Ubuntu operating system for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network. " - desc "Without configuring a local cache of revocation data, there is the potential to allow access + desc "Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). " - desc "check", "Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation -data when unable to access it from the network. - -Verify that \"crl_offline\" or \"crl_auto\" is -part of the \"cert_policy\" definition in \"/etc/pam_pkcs11/pam_pkcs11.conf\" using the -following command: - -# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E -- -'crl_auto|crl_offline' - -cert_policy = ca,signature,ocsp_on,crl_auto; - -If + desc 'check', "Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation +data when unable to access it from the network. + +Verify that \"crl_offline\" or \"crl_auto\" is +part of the \"cert_policy\" definition in \"/etc/pam_pkcs11/pam_pkcs11.conf\" using the +following command: + +# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E -- +'crl_auto|crl_offline' + +cert_policy = ca,signature,ocsp_on,crl_auto; + +If \"cert_policy\" is not set to include \"crl_auto\" or \"crl_offline\", this is a finding. " - desc "fix", "Configure the Ubuntu operating system, for PKI-based authentication, to use local -revocation data when unable to access the network to obtain it remotely. - -Add or update the -\"cert_policy\" option in \"/etc/pam/_pkcs11/pam_pkcs11.conf\" to include \"crl_auto\" or -\"crl_offline\". - -cert_policy = ca,signature,ocsp_on, crl_auto; - -If the system is -missing an \"/etc/pam_pkcs11/\" directory and an \"/etc/pam_pkcs11/pam_pkcs11.conf\", find -an example to copy into place and modify accordingly at + desc 'fix', "Configure the Ubuntu operating system, for PKI-based authentication, to use local +revocation data when unable to access the network to obtain it remotely. + +Add or update the +\"cert_policy\" option in \"/etc/pam/_pkcs11/pam_pkcs11.conf\" to include \"crl_auto\" or +\"crl_offline\". + +cert_policy = ca,signature,ocsp_on, crl_auto; + +If the system is +missing an \"/etc/pam_pkcs11/\" directory and an \"/etc/pam_pkcs11/pam_pkcs11.conf\", find +an example to copy into place and modify accordingly at \"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\". " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000384-GPOS-00167 " - tag gid: "V-238233 " - tag rid: "SV-238233r853413_rule " - tag stig_id: "UBTU-20-010066 " - tag fix_id: "F-41402r653873_fix " - tag cci: ["CCI-001991"] - tag nist: ["IA-5 (2) (d)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000384-GPOS-00167 ' + tag gid: 'V-238233 ' + tag rid: 'SV-238233r853413_rule ' + tag stig_id: 'UBTU-20-010066 ' + tag fix_id: 'F-41402r653873_fix ' + tag cci: ['CCI-001991'] + tag nist: ['IA-5 (2) (d)'] config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist? if config_file_exists @@ -58,4 +56,4 @@ it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238234.rb b/controls/SV-238234.rb index cf5256a..db87059 100644 --- a/controls/SV-238234.rb +++ b/controls/SV-238234.rb @@ -1,43 +1,41 @@ -# encoding: UTF-8 - -control "SV-238234" do - title "The Ubuntu operating system must prohibit password reuse for a minimum of five generations. " - desc "Password complexity, or strength, is a measure of the effectiveness of a password in -resisting attempts at guessing and brute-force attacks. If the information system or -application allows the user to consecutively reuse their password when that password has -exceeded its defined lifetime, the end result is a password that is not changed as per policy +control 'SV-238234' do + title 'The Ubuntu operating system must prohibit password reuse for a minimum of five generations. ' + desc "Password complexity, or strength, is a measure of the effectiveness of a password in +resisting attempts at guessing and brute-force attacks. If the information system or +application allows the user to consecutively reuse their password when that password has +exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements. " - desc "check", "Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five + desc 'check', "Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five generations by running the following command: -$ grep -i remember +$ grep -i remember /etc/pam.d/common-password -password [success=1 default=ignore] pam_unix.so obscure +password [success=1 default=ignore] pam_unix.so obscure sha512 shadow remember=5 rounds=5000 -If the \"remember\" parameter value is not greater +If the \"remember\" parameter value is not greater than or equal to \"5\", is commented out, or is not set at all, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of + desc 'fix', "Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of five generations. -Add or modify the \"remember\" parameter value to the following line in +Add or modify the \"remember\" parameter value to the following line in \"/etc/pam.d/common-password\" file: -password [success=1 default=ignore] pam_unix.so +password [success=1 default=ignore] pam_unix.so obscure sha512 shadow remember=5 rounds=5000 " impact 0.3 - tag severity: "low " - tag gtitle: "SRG-OS-000077-GPOS-00045 " - tag satisfies: ["SRG-OS-000077-GPOS-00045","SRG-OS-000073-GPOS-00041"] - tag gid: "V-238234 " - tag rid: "SV-238234r832945_rule " - tag stig_id: "UBTU-20-010070 " - tag fix_id: "F-41403r832944_fix " - tag cci: ["CCI-000196","CCI-000200"] - tag nist: ["IA-5 (1) (c)","IA-5 (1) (e)"] + tag severity: 'low ' + tag gtitle: 'SRG-OS-000077-GPOS-00045 ' + tag satisfies: %w(SRG-OS-000077-GPOS-00045 SRG-OS-000073-GPOS-00041) + tag gid: 'V-238234 ' + tag rid: 'SV-238234r832945_rule ' + tag stig_id: 'UBTU-20-010070 ' + tag fix_id: 'F-41403r832944_fix ' + tag cci: %w(CCI-000196 CCI-000200) + tag nist: ['IA-5 (1) (c)', 'IA-5 (1) (e)'] describe file('/etc/pam.d/common-password') do it { should exist } @@ -47,4 +45,4 @@ its('exit_status') { should eq 0 } its('stdout.strip') { should cmp >= 5 } end -end \ No newline at end of file +end diff --git a/controls/SV-238235.rb b/controls/SV-238235.rb index e52eef5..bd1c9d1 100644 --- a/controls/SV-238235.rb +++ b/controls/SV-238235.rb @@ -1,61 +1,59 @@ -# encoding: UTF-8 - -control "SV-238235" do - title "The Ubuntu operating system must automatically lock an account until the locked account is +control 'SV-238235' do + title "The Ubuntu operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made. " - desc "By limiting the number of failed logon attempts, the risk of unauthorized system access via -user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by + desc "By limiting the number of failed logon attempts, the risk of unauthorized system access via +user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. " - desc "check", "Verify that the Ubuntu operating system utilizes the \"pam_faillock\" module with the + desc 'check', "Verify that the Ubuntu operating system utilizes the \"pam_faillock\" module with the following command: -$ grep faillock /etc/pam.d/common-auth +$ grep faillock /etc/pam.d/common-auth -auth [default=die] +auth [default=die] pam_faillock.so authfail auth sufficient pam_faillock.so authsucc -If the -pam_faillock.so module is not present in the \"/etc/pam.d/common-auth\" file, this is a +If the +pam_faillock.so module is not present in the \"/etc/pam.d/common-auth\" file, this is a finding. Verify the pam_faillock module is configured to use the following options: -$ -sudo egrep 'silent|audit|deny|fail_interval| unlock_time' +$ +sudo egrep 'silent|audit|deny|fail_interval| unlock_time' /etc/security/faillock.conf audit silent deny = 3 fail_interval = 900 -unlock_time = +unlock_time = 0 If the \"silent\" keyword is missing or commented out, this is a finding. -If the \"audit\" +If the \"audit\" keyword is missing or commented out, this is a finding. -If the \"deny\" keyword is missing, +If the \"deny\" keyword is missing, commented out, or set to a value greater than 3, this is a finding. -If the \"fail_interval\" +If the \"fail_interval\" keyword is missing, commented out, or set to a value greater than 900, this is a finding. -If the +If the \"unlock_time\" keyword is missing, commented out, or not set to 0, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to utilize the \"pam_faillock\" module. + desc 'fix', "Configure the Ubuntu operating system to utilize the \"pam_faillock\" module. -Edit the -/etc/pam.d/common-auth file. +Edit the +/etc/pam.d/common-auth file. -Add the following lines below the \"auth\" definition for +Add the following lines below the \"auth\" definition for pam_unix.so: auth [default=die] pam_faillock.so authfail -auth sufficient +auth sufficient pam_faillock.so authsucc -Configure the \"pam_faillock\" module to use the following +Configure the \"pam_faillock\" module to use the following options: -Edit the /etc/security/faillock.conf file and add/update the following +Edit the /etc/security/faillock.conf file and add/update the following keywords and values: audit silent @@ -63,15 +61,15 @@ fail_interval = 900 unlock_time = 0 " impact 0.3 - tag severity: "low " - tag gtitle: "SRG-OS-000329-GPOS-00128 " - tag satisfies: ["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"] - tag gid: "V-238235 " - tag rid: "SV-238235r853414_rule " - tag stig_id: "UBTU-20-010072 " - tag fix_id: "F-41404r802382_fix " - tag cci: ["CCI-000044","CCI-002238"] - tag nist: ["AC-7 a","AC-7 b"] + tag severity: 'low ' + tag gtitle: 'SRG-OS-000329-GPOS-00128 ' + tag satisfies: %w(SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005) + tag gid: 'V-238235 ' + tag rid: 'SV-238235r853414_rule ' + tag stig_id: 'UBTU-20-010072 ' + tag fix_id: 'F-41404r802382_fix ' + tag cci: %w(CCI-000044 CCI-002238) + tag nist: ['AC-7 a', 'AC-7 b'] describe file('/etc/pam.d/common-auth') do it { should exist } @@ -82,4 +80,4 @@ its('stdout.strip') { should match /^\s*auth\s+required\s+pam_tally2.so\s+.*onerr=fail\s+deny=3($|\s+.*$)/ } its('stdout.strip') { should_not match /^\s*auth\s+required\s+pam_tally2.so\s+.*onerr=fail\s+deny=3\s+.*unlock_time.*$/ } end -end \ No newline at end of file +end diff --git a/controls/SV-238236.rb b/controls/SV-238236.rb index 4b2e40e..3e95ddb 100644 --- a/controls/SV-238236.rb +++ b/controls/SV-238236.rb @@ -1,80 +1,78 @@ -# encoding: UTF-8 - -control "SV-238236" do - title "The Ubuntu operating system must be configured so that the script which runs each 30 days or +control 'SV-238236' do + title "The Ubuntu operating system must be configured so that the script which runs each 30 days or less to check file integrity is the default one. " - desc "Without verification of the security functions, security functions may not operate -correctly and the failure may go unnoticed. Security function is defined as the hardware, -software, and/or firmware of the information system responsible for enforcing the system -security policy and supporting the isolation of code and data on which the protection is -based. Security functionality includes, but is not limited to, establishing system -accounts, configuring access authorizations (i.e., permissions, privileges), setting -events to be audited, and setting intrusion detection parameters. - -Notifications -provided by information systems include, for example, electronic alerts to System -Administrators, messages to local computer consoles, and/or hardware indications, such as -lights. - -This requirement applies to the Ubuntu operating system performing security -function verification/testing and/or systems and environments that require this + desc "Without verification of the security functions, security functions may not operate +correctly and the failure may go unnoticed. Security function is defined as the hardware, +software, and/or firmware of the information system responsible for enforcing the system +security policy and supporting the isolation of code and data on which the protection is +based. Security functionality includes, but is not limited to, establishing system +accounts, configuring access authorizations (i.e., permissions, privileges), setting +events to be audited, and setting intrusion detection parameters. + +Notifications +provided by information systems include, for example, electronic alerts to System +Administrators, messages to local computer consoles, and/or hardware indications, such as +lights. + +This requirement applies to the Ubuntu operating system performing security +function verification/testing and/or systems and environments that require this functionality. " - desc "check", "Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to -check file integrity each 30 days or less is unchanged. - -Download the original aide-common -package in the /tmp directory: - -$ cd /tmp; apt download aide-common - -Fetch the SHA1 of the -original script file: - -$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO -./usr/share/aide/config/cron.daily/aide | sha1sum - -32958374f18871e3f7dda27a58d721f471843e26 - - -Compare with the SHA1 of the file in the -daily or monthly cron directory: - -$ sha1sum /etc/cron.{daily,monthly}/aide -2>/dev/null -32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide - -If -there is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the + desc 'check', "Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to +check file integrity each 30 days or less is unchanged. + +Download the original aide-common +package in the /tmp directory: + +$ cd /tmp; apt download aide-common + +Fetch the SHA1 of the +original script file: + +$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO +./usr/share/aide/config/cron.daily/aide | sha1sum + +32958374f18871e3f7dda27a58d721f471843e26 - + +Compare with the SHA1 of the file in the +daily or monthly cron directory: + +$ sha1sum /etc/cron.{daily,monthly}/aide +2>/dev/null +32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide + +If +there is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the daily or monthly cron directory does not match the SHA1 of the original, this is a finding. " - desc "fix", "The cron file for AIDE is fairly complex as it creates the report. This file is installed with -the \"aide-common\" package, and the default can be restored by copying it from the package: - - -Download the original package to the /tmp dir: - -$ cd /tmp; apt download aide-common - - -Extract the aide script to its original place: - -$ dpkg-deb --fsys-tarfile -/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C / - - -Copy it to the cron.daily directory: - -$ sudo cp -f + desc 'fix', "The cron file for AIDE is fairly complex as it creates the report. This file is installed with +the \"aide-common\" package, and the default can be restored by copying it from the package: + + +Download the original package to the /tmp dir: + +$ cd /tmp; apt download aide-common + + +Extract the aide script to its original place: + +$ dpkg-deb --fsys-tarfile +/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C / + + +Copy it to the cron.daily directory: + +$ sudo cp -f /usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000446-GPOS-00200 " - tag gid: "V-238236 " - tag rid: "SV-238236r853415_rule " - tag stig_id: "UBTU-20-010074 " - tag fix_id: "F-41405r653882_fix " - tag cci: ["CCI-002699"] - tag nist: ["SI-6 b"] - - describe("Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.") do - skip("manual test") + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000446-GPOS-00200 ' + tag gid: 'V-238236 ' + tag rid: 'SV-238236r853415_rule ' + tag stig_id: 'UBTU-20-010074 ' + tag fix_id: 'F-41405r653882_fix ' + tag cci: ['CCI-002699'] + tag nist: ['SI-6 b'] + + describe('Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.') do + skip('manual test') end -end \ No newline at end of file +end diff --git a/controls/SV-238237.rb b/controls/SV-238237.rb index 59b6f50..4b16231 100644 --- a/controls/SV-238237.rb +++ b/controls/SV-238237.rb @@ -1,37 +1,35 @@ -# encoding: UTF-8 - -control "SV-238237" do - title "The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts +control 'SV-238237' do + title "The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt. " - desc "Limiting the number of logon attempts over a certain time interval reduces the chances that an + desc "Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account. " - desc "check", "Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon -prompts following a failed logon attempt with the following command: - -$ grep pam_faildelay -/etc/pam.d/common-auth - -auth required pam_faildelay.so delay=4000000 - -If the line is + desc 'check', "Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon +prompts following a failed logon attempt with the following command: + +$ grep pam_faildelay +/etc/pam.d/common-auth + +auth required pam_faildelay.so delay=4000000 + +If the line is not present or is commented out, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon -prompts following a failed logon attempt. - -Edit the file \"/etc/pam.d/common-auth\" and set -the parameter \"pam_faildelay\" to a value of 4000000 or greater: - -auth required + desc 'fix', "Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon +prompts following a failed logon attempt. + +Edit the file \"/etc/pam.d/common-auth\" and set +the parameter \"pam_faildelay\" to a value of 4000000 or greater: + +auth required pam_faildelay.so delay=4000000 " impact 0.3 - tag severity: "low " - tag gtitle: "SRG-OS-000480-GPOS-00226 " - tag gid: "V-238237 " - tag rid: "SV-238237r653886_rule " - tag stig_id: "UBTU-20-010075 " - tag fix_id: "F-41406r653885_fix " - tag cci: ["CCI-000366"] - tag nist: ["CM-6 b"] + tag severity: 'low ' + tag gtitle: 'SRG-OS-000480-GPOS-00226 ' + tag gid: 'V-238237 ' + tag rid: 'SV-238237r653886_rule ' + tag stig_id: 'UBTU-20-010075 ' + tag fix_id: 'F-41406r653885_fix ' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] describe file('/etc/pam.d/common-auth') do it { should exist } @@ -47,4 +45,4 @@ it { should cmp >= 4_000_000 } end end -end \ No newline at end of file +end diff --git a/controls/SV-238238.rb b/controls/SV-238238.rb index d388e28..3d098d2 100644 --- a/controls/SV-238238.rb +++ b/controls/SV-238238.rb @@ -1,60 +1,58 @@ -# encoding: UTF-8 - -control "SV-238238" do - title "The Ubuntu operating system must generate audit records for all account creations, +control 'SV-238238' do + title "The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. " - desc "Once an attacker establishes access to a system, the attacker often attempts to create a -persistent method of reestablishing access. One way to accomplish this is for the attacker to -create an account. Auditing account creation actions provides logging that can be used for -forensic purposes. - -To address access requirements, many operating systems may be -integrated with enterprise level authentication/access/auditing mechanisms that meet or + desc "Once an attacker establishes access to a system, the attacker often attempts to create a +persistent method of reestablishing access. One way to accomplish this is for the attacker to +create an account. Auditing account creation actions provides logging that can be used for +forensic purposes. + +To address access requirements, many operating systems may be +integrated with enterprise level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. " - desc "check", "Verify the Ubuntu operating system generates audit records for all account creations, -modifications, disabling, and termination events that affect \"/etc/passwd\". - -Check the -currently configured audit rules with the following command: - -$ sudo auditctl -l | grep -passwd - --w /etc/passwd -p wa -k usergroup_modification - -If the command does not return a -line that matches the example or the line is commented out, this is a finding. - -Note: The \"-k\" -allows for specifying an arbitrary identifier, and the string after it does not need to match + desc 'check', "Verify the Ubuntu operating system generates audit records for all account creations, +modifications, disabling, and termination events that affect \"/etc/passwd\". + +Check the +currently configured audit rules with the following command: + +$ sudo auditctl -l | grep +passwd + +-w /etc/passwd -p wa -k usergroup_modification + +If the command does not return a +line that matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" +allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the Ubuntu operating system to generate audit records for all account creations, -modifications, disabling, and termination events that affect \"/etc/passwd\". - -Add or -update the following rule to \"/etc/audit/rules.d/stig.rules\": - --w /etc/passwd -p wa -k -usergroup_modification - -To reload the rules file, issue the following command: - -$ sudo + desc 'fix', "Configure the Ubuntu operating system to generate audit records for all account creations, +modifications, disabling, and termination events that affect \"/etc/passwd\". + +Add or +update the following rule to \"/etc/audit/rules.d/stig.rules\": + +-w /etc/passwd -p wa -k +usergroup_modification + +To reload the rules file, issue the following command: + +$ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000004-GPOS-00004 " - tag satisfies: ["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000463-GPOS-00207","SRG-OS-000476-GPOS-00221"] - tag gid: "V-238238 " - tag rid: "SV-238238r853416_rule " - tag stig_id: "UBTU-20-010100 " - tag fix_id: "F-41407r653888_fix " - tag cci: ["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"] - tag nist: ["AC-2 (4)","AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000004-GPOS-00004 ' + tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000463-GPOS-00207 SRG-OS-000476-GPOS-00221) + tag gid: 'V-238238 ' + tag rid: 'SV-238238r853416_rule ' + tag stig_id: 'UBTU-20-010100 ' + tag fix_id: 'F-41407r653888_fix ' + tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130) + tag nist: ['AC-2 (4)', 'AU-12 c'] - @audit_file = '/etc/passwd' + @audit_file = '/etc/passwd' audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? if audit_lines_exist @@ -72,9 +70,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238239.rb b/controls/SV-238239.rb index 15ac0fa..7f6e1d3 100644 --- a/controls/SV-238239.rb +++ b/controls/SV-238239.rb @@ -1,58 +1,56 @@ -# encoding: UTF-8 - -control "SV-238239" do - title "The Ubuntu operating system must generate audit records for all account creations, +control 'SV-238239' do + title "The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. " - desc "Once an attacker establishes access to a system, the attacker often attempts to create a -persistent method of reestablishing access. One way to accomplish this is for the attacker to -create an account. Auditing account creation actions provides logging that can be used for -forensic purposes. - -To address access requirements, many operating systems may be -integrated with enterprise level authentication/access/auditing mechanisms that meet or + desc "Once an attacker establishes access to a system, the attacker often attempts to create a +persistent method of reestablishing access. One way to accomplish this is for the attacker to +create an account. Auditing account creation actions provides logging that can be used for +forensic purposes. + +To address access requirements, many operating systems may be +integrated with enterprise level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. " - desc "check", "Verify the Ubuntu operating system generates audit records for all account creations, -modifications, disabling, and termination events that affect \"/etc/group\". - -Check the -currently configured audit rules with the following command: - -$ sudo auditctl -l | grep -group - --w /etc/group -p wa -k usergroup_modification - -If the command does not return a line -that matches the example or the line is commented out, this is a finding. - -Note: The \"-k\" -allows for specifying an arbitrary identifier, and the string after it does not need to match + desc 'check', "Verify the Ubuntu operating system generates audit records for all account creations, +modifications, disabling, and termination events that affect \"/etc/group\". + +Check the +currently configured audit rules with the following command: + +$ sudo auditctl -l | grep +group + +-w /etc/group -p wa -k usergroup_modification + +If the command does not return a line +that matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" +allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the Ubuntu operating system to generate audit records for all account creations, -modifications, disabling, and termination events that affect \"/etc/group\". - -Add or -update the following rule to \"/etc/audit/rules.d/stig.rules\": - --w /etc/group -p wa -k -usergroup_modification - -To reload the rules file, issue the following command: - -$ sudo + desc 'fix', "Configure the Ubuntu operating system to generate audit records for all account creations, +modifications, disabling, and termination events that affect \"/etc/group\". + +Add or +update the following rule to \"/etc/audit/rules.d/stig.rules\": + +-w /etc/group -p wa -k +usergroup_modification + +To reload the rules file, issue the following command: + +$ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000004-GPOS-00004 " - tag satisfies: ["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"] - tag gid: "V-238239 " - tag rid: "SV-238239r853417_rule " - tag stig_id: "UBTU-20-010101 " - tag fix_id: "F-41408r653891_fix " - tag cci: ["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"] - tag nist: ["AC-2 (4)","AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000004-GPOS-00004 ' + tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221) + tag gid: 'V-238239 ' + tag rid: 'SV-238239r853417_rule ' + tag stig_id: 'UBTU-20-010101 ' + tag fix_id: 'F-41408r653891_fix ' + tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130) + tag nist: ['AC-2 (4)', 'AU-12 c'] @audit_file = '/etc/group' audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? @@ -71,9 +69,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238240.rb b/controls/SV-238240.rb index 83493ae..6d560ca 100644 --- a/controls/SV-238240.rb +++ b/controls/SV-238240.rb @@ -1,58 +1,56 @@ -# encoding: UTF-8 - -control "SV-238240" do - title "The Ubuntu operating system must generate audit records for all account creations, +control 'SV-238240' do + title "The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. " - desc "Once an attacker establishes access to a system, the attacker often attempts to create a -persistent method of reestablishing access. One way to accomplish this is for the attacker to -create an account. Auditing account creation actions provides logging that can be used for -forensic purposes. - -To address access requirements, many operating systems may be -integrated with enterprise level authentication/access/auditing mechanisms that meet or + desc "Once an attacker establishes access to a system, the attacker often attempts to create a +persistent method of reestablishing access. One way to accomplish this is for the attacker to +create an account. Auditing account creation actions provides logging that can be used for +forensic purposes. + +To address access requirements, many operating systems may be +integrated with enterprise level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. " - desc "check", "Verify the Ubuntu operating system generates audit records for all account creations, -modifications, disabling, and termination events that affect \"/etc/shadow\". - -Check the -currently configured audit rules with the following command: - -$ sudo auditctl -l | grep -shadow - --w /etc/shadow -p wa -k usergroup_modification - -If the command does not return a -line that matches the example or the line is commented out, this is a finding. - -Note: The \"-k\" -allows for specifying an arbitrary identifier, and the string after it does not need to match + desc 'check', "Verify the Ubuntu operating system generates audit records for all account creations, +modifications, disabling, and termination events that affect \"/etc/shadow\". + +Check the +currently configured audit rules with the following command: + +$ sudo auditctl -l | grep +shadow + +-w /etc/shadow -p wa -k usergroup_modification + +If the command does not return a +line that matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" +allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the Ubuntu operating system to generate audit records for all account creations, -modifications, disabling, and termination events that affect \"/etc/shadow\". - -Add or -update the following rule to \"/etc/audit/rules.d/stig.rules\": - --w /etc/shadow -p wa -k -usergroup_modification - -To reload the rules file, issue the following command: - -$ sudo + desc 'fix', "Configure the Ubuntu operating system to generate audit records for all account creations, +modifications, disabling, and termination events that affect \"/etc/shadow\". + +Add or +update the following rule to \"/etc/audit/rules.d/stig.rules\": + +-w /etc/shadow -p wa -k +usergroup_modification + +To reload the rules file, issue the following command: + +$ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000004-GPOS-00004 " - tag satisfies: ["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"] - tag gid: "V-238240 " - tag rid: "SV-238240r853418_rule " - tag stig_id: "UBTU-20-010102 " - tag fix_id: "F-41409r653894_fix " - tag cci: ["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"] - tag nist: ["AC-2 (4)","AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000004-GPOS-00004 ' + tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221) + tag gid: 'V-238240 ' + tag rid: 'SV-238240r853418_rule ' + tag stig_id: 'UBTU-20-010102 ' + tag fix_id: 'F-41409r653894_fix ' + tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130) + tag nist: ['AC-2 (4)', 'AU-12 c'] @audit_file = '/etc/shadow' audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? @@ -71,9 +69,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238241.rb b/controls/SV-238241.rb index eb1e256..07c3f71 100644 --- a/controls/SV-238241.rb +++ b/controls/SV-238241.rb @@ -1,58 +1,56 @@ -# encoding: UTF-8 - -control "SV-238241" do - title "The Ubuntu operating system must generate audit records for all account creations, +control 'SV-238241' do + title "The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. " - desc "Once an attacker establishes access to a system, the attacker often attempts to create a -persistent method of reestablishing access. One way to accomplish this is for the attacker to -create an account. Auditing account creation actions provides logging that can be used for -forensic purposes. - -To address access requirements, many operating systems may be -integrated with enterprise level authentication/access/auditing mechanisms that meet or + desc "Once an attacker establishes access to a system, the attacker often attempts to create a +persistent method of reestablishing access. One way to accomplish this is for the attacker to +create an account. Auditing account creation actions provides logging that can be used for +forensic purposes. + +To address access requirements, many operating systems may be +integrated with enterprise level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. " - desc "check", "Verify the Ubuntu operating system generates audit records for all account creations, -modifications, disabling, and termination events that affect \"/etc/gshadow\". - -Check the -currently configured audit rules with the following command: - -$ sudo auditctl -l | grep -gshadow - --w /etc/gshadow -p wa -k usergroup_modification - -If the command does not return a -line that matches the example or the line is commented out, this is a finding. - -Note: The \"-k\" -allows for specifying an arbitrary identifier, and the string after it does not need to match + desc 'check', "Verify the Ubuntu operating system generates audit records for all account creations, +modifications, disabling, and termination events that affect \"/etc/gshadow\". + +Check the +currently configured audit rules with the following command: + +$ sudo auditctl -l | grep +gshadow + +-w /etc/gshadow -p wa -k usergroup_modification + +If the command does not return a +line that matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" +allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the Ubuntu operating system to generate audit records for all account creations, -modifications, disabling, and termination events that affect \"/etc/gshadow\". - -Add or -update the following rule to \"/etc/audit/rules.d/stig.rules\": - --w /etc/gshadow -p wa -k -usergroup_modification - -To reload the rules file, issue the following command: - -$ sudo + desc 'fix', "Configure the Ubuntu operating system to generate audit records for all account creations, +modifications, disabling, and termination events that affect \"/etc/gshadow\". + +Add or +update the following rule to \"/etc/audit/rules.d/stig.rules\": + +-w /etc/gshadow -p wa -k +usergroup_modification + +To reload the rules file, issue the following command: + +$ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000004-GPOS-00004 " - tag satisfies: ["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"] - tag gid: "V-238241 " - tag rid: "SV-238241r853419_rule " - tag stig_id: "UBTU-20-010103 " - tag fix_id: "F-41410r653897_fix " - tag cci: ["CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"] - tag nist: ["AU-12 c","AC-2 (4)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000004-GPOS-00004 ' + tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221) + tag gid: 'V-238241 ' + tag rid: 'SV-238241r853419_rule ' + tag stig_id: 'UBTU-20-010103 ' + tag fix_id: 'F-41410r653897_fix ' + tag cci: %w(CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130) + tag nist: ['AU-12 c', 'AC-2 (4)'] @audit_file = '/etc/gshadow' audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? @@ -71,9 +69,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238242.rb b/controls/SV-238242.rb index adb4bd4..ba0986f 100644 --- a/controls/SV-238242.rb +++ b/controls/SV-238242.rb @@ -1,58 +1,56 @@ -# encoding: UTF-8 - -control "SV-238242" do - title "The Ubuntu operating system must generate audit records for all account creations, +control 'SV-238242' do + title "The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. " - desc "Once an attacker establishes access to a system, the attacker often attempts to create a -persistent method of reestablishing access. One way to accomplish this is for the attacker to -create an account. Auditing account creation actions provides logging that can be used for -forensic purposes. - -To address access requirements, many operating systems may be -integrated with enterprise level authentication/access/auditing mechanisms that meet or -exceed access control policy requirements. + desc "Once an attacker establishes access to a system, the attacker often attempts to create a +persistent method of reestablishing access. One way to accomplish this is for the attacker to +create an account. Auditing account creation actions provides logging that can be used for +forensic purposes. + +To address access requirements, many operating systems may be +integrated with enterprise level authentication/access/auditing mechanisms that meet or +exceed access control policy requirements. " - desc "check", "Verify the Ubuntu operating system generates audit records for all account creations, -modifications, disabling, and termination events that affect \"/etc/security/opasswd\". - - -Check the currently configured audit rules with the following command: - -$ sudo auditctl -l -| grep opasswd - --w /etc/security/opasswd -p wa -k usergroup_modification - -If the command -does not return a line that matches the example or the line is commented out, this is a finding. - - -Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does + desc 'check', "Verify the Ubuntu operating system generates audit records for all account creations, +modifications, disabling, and termination events that affect \"/etc/security/opasswd\". + + +Check the currently configured audit rules with the following command: + +$ sudo auditctl -l +| grep opasswd + +-w /etc/security/opasswd -p wa -k usergroup_modification + +If the command +does not return a line that matches the example or the line is commented out, this is a finding. + + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the Ubuntu operating system to generate audit records for all account creations, -modifications, disabling, and termination events that affect \"/etc/security/opasswd\". - - -Add or update the following rule to \"/etc/audit/rules.d/stig.rules\": - --w -/etc/security/opasswd -p wa -k usergroup_modification - -To reload the rules file, issue -the following command: - + desc 'fix', "Configure the Ubuntu operating system to generate audit records for all account creations, +modifications, disabling, and termination events that affect \"/etc/security/opasswd\". + + +Add or update the following rule to \"/etc/audit/rules.d/stig.rules\": + +-w +/etc/security/opasswd -p wa -k usergroup_modification + +To reload the rules file, issue +the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000004-GPOS-00004 " - tag satisfies: ["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"] - tag gid: "V-238242 " - tag rid: "SV-238242r853420_rule " - tag stig_id: "UBTU-20-010104 " - tag fix_id: "F-41411r653900_fix " - tag cci: ["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"] - tag nist: ["AC-2 (4)","AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000004-GPOS-00004 ' + tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221) + tag gid: 'V-238242 ' + tag rid: 'SV-238242r853420_rule ' + tag stig_id: 'UBTU-20-010104 ' + tag fix_id: 'F-41411r653900_fix ' + tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130) + tag nist: ['AC-2 (4)', 'AU-12 c'] @audit_file = '/etc/security/opasswd' audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? @@ -71,9 +69,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238243.rb b/controls/SV-238243.rb index 9425dc4..cf7f724 100644 --- a/controls/SV-238243.rb +++ b/controls/SV-238243.rb @@ -1,58 +1,56 @@ -# encoding: UTF-8 - -control "SV-238243" do - title "The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit +control 'SV-238243' do + title "The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. " - desc "It is critical for the appropriate personnel to be aware if a system is at risk of failing to -process audit logs as required. Without this notification, the security personnel may be -unaware of an impending failure of the audit capability, and system operation may be -adversely affected. - -Audit processing failures include software/hardware errors, -failures in the audit capturing mechanisms, and audit storage capacity being reached or -exceeded. - -This requirement applies to each audit data storage repository (i.e., distinct -information system component where audit records are stored), the centralized audit -storage capacity of organizations (i.e., all audit data storage repositories combined), or + desc "It is critical for the appropriate personnel to be aware if a system is at risk of failing to +process audit logs as required. Without this notification, the security personnel may be +unaware of an impending failure of the audit capability, and system operation may be +adversely affected. + +Audit processing failures include software/hardware errors, +failures in the audit capturing mechanisms, and audit storage capacity being reached or +exceeded. + +This requirement applies to each audit data storage repository (i.e., distinct +information system component where audit records are stored), the centralized audit +storage capacity of organizations (i.e., all audit data storage repositories combined), or both. " - desc "check", "Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing -failure with the following command: - -$ sudo grep '^action_mail_acct = root' -/etc/audit/auditd.conf - -action_mail_acct = <administrator_account> - -If the -value of the \"action_mail_acct\" keyword is not set to an accounts for security personnel, the -\"action_mail_acct\" keyword is missing, or the returned line is commented out, this is a + desc 'check', "Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing +failure with the following command: + +$ sudo grep '^action_mail_acct = root' +/etc/audit/auditd.conf + +action_mail_acct = <administrator_account> + +If the +value of the \"action_mail_acct\" keyword is not set to an accounts for security personnel, the +\"action_mail_acct\" keyword is missing, or the returned line is commented out, this is a finding. " - desc "fix", "Configure \"auditd\" service to notify the SA and ISSO in the event of an audit processing -failure. - -Edit the following line in \"/etc/audit/auditd.conf\" to ensure administrators -are notified via email for those situations: - -action_mail_acct = -<administrator_account> - -Note: Change \"administrator_account\" to an account for -security personnel. - -Restart the \"auditd\" service so the changes take effect: - -$ sudo + desc 'fix', "Configure \"auditd\" service to notify the SA and ISSO in the event of an audit processing +failure. + +Edit the following line in \"/etc/audit/auditd.conf\" to ensure administrators +are notified via email for those situations: + +action_mail_acct = +<administrator_account> + +Note: Change \"administrator_account\" to an account for +security personnel. + +Restart the \"auditd\" service so the changes take effect: + +$ sudo systemctl restart auditd.service " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000046-GPOS-00022 " - tag gid: "V-238243 " - tag rid: "SV-238243r653904_rule " - tag stig_id: "UBTU-20-010117 " - tag fix_id: "F-41412r653903_fix " - tag cci: ["CCI-000139"] - tag nist: ["AU-5 a"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000046-GPOS-00022 ' + tag gid: 'V-238243 ' + tag rid: 'SV-238243r653904_rule ' + tag stig_id: 'UBTU-20-010117 ' + tag fix_id: 'F-41412r653903_fix ' + tag cci: ['CCI-000139'] + tag nist: ['AU-5 a'] action_mail_acct = auditd_conf.action_mail_acct security_accounts = input('action_mail_acct') @@ -61,4 +59,4 @@ subject { security_accounts } it { should cmp action_mail_acct } end -end \ No newline at end of file +end diff --git a/controls/SV-238244.rb b/controls/SV-238244.rb index ad51b7b..d8e7592 100644 --- a/controls/SV-238244.rb +++ b/controls/SV-238244.rb @@ -1,64 +1,62 @@ -# encoding: UTF-8 - -control "SV-238244" do - title "The Ubuntu operating system must shut down by default upon audit failure (unless +control 'SV-238244' do + title "The Ubuntu operating system must shut down by default upon audit failure (unless availability is an overriding concern). " - desc "It is critical that when the operating system is at risk of failing to process audit logs as -required, it takes action to mitigate the failure. Audit processing failures include: -software/hardware errors; failures in the audit capturing mechanisms; and audit storage -capacity being reached or exceeded. Responses to audit failure depend upon the nature of the -failure mode. - -When availability is an overriding concern, other approved actions in -response to an audit failure are as follows: - -1) If the failure was caused by the lack of audit -record storage capacity, the operating system must continue generating audit records if -possible (automatically restarting the audit service if necessary), overwriting the -oldest audit records in a first-in-first-out manner. - -2) If audit records are sent to a -centralized collection server and communication with this server is lost or the server -fails, the operating system must queue audit records locally until communication is -restored or until the audit records are retrieved manually. Upon restoration of the -connection to the centralized collection server, action should be taken to synchronize the + desc "It is critical that when the operating system is at risk of failing to process audit logs as +required, it takes action to mitigate the failure. Audit processing failures include: +software/hardware errors; failures in the audit capturing mechanisms; and audit storage +capacity being reached or exceeded. Responses to audit failure depend upon the nature of the +failure mode. + +When availability is an overriding concern, other approved actions in +response to an audit failure are as follows: + +1) If the failure was caused by the lack of audit +record storage capacity, the operating system must continue generating audit records if +possible (automatically restarting the audit service if necessary), overwriting the +oldest audit records in a first-in-first-out manner. + +2) If audit records are sent to a +centralized collection server and communication with this server is lost or the server +fails, the operating system must queue audit records locally until communication is +restored or until the audit records are retrieved manually. Upon restoration of the +connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server. " - desc "check", "Verify the Ubuntu operating system takes the appropriate action when the audit storage -volume is full with the following command: - -$ sudo grep '^disk_full_action' -/etc/audit/auditd.conf - -disk_full_action = HALT - -If the value of the -\"disk_full_action\" option is not \"SYSLOG\", \"SINGLE\", or \"HALT\", or the line is commented + desc 'check', "Verify the Ubuntu operating system takes the appropriate action when the audit storage +volume is full with the following command: + +$ sudo grep '^disk_full_action' +/etc/audit/auditd.conf + +disk_full_action = HALT + +If the value of the +\"disk_full_action\" option is not \"SYSLOG\", \"SINGLE\", or \"HALT\", or the line is commented out, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to shut down by default upon audit failure (unless -availability is an overriding concern). - -Add or update the following line (depending on -configuration, \"disk_full_action\" can be set to \"SYSLOG\", \"HALT\" or \"SINGLE\") in -\"/etc/audit/auditd.conf\" file: - -disk_full_action = HALT - -Restart the \"auditd\" service -so the changes take effect: - + desc 'fix', "Configure the Ubuntu operating system to shut down by default upon audit failure (unless +availability is an overriding concern). + +Add or update the following line (depending on +configuration, \"disk_full_action\" can be set to \"SYSLOG\", \"HALT\" or \"SINGLE\") in +\"/etc/audit/auditd.conf\" file: + +disk_full_action = HALT + +Restart the \"auditd\" service +so the changes take effect: + $ sudo systemctl restart auditd.service " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000047-GPOS-00023 " - tag gid: "V-238244 " - tag rid: "SV-238244r653907_rule " - tag stig_id: "UBTU-20-010118 " - tag fix_id: "F-41413r653906_fix " - tag cci: ["CCI-000140"] - tag nist: ["AU-5 b"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000047-GPOS-00023 ' + tag gid: 'V-238244 ' + tag rid: 'SV-238244r653907_rule ' + tag stig_id: 'UBTU-20-010118 ' + tag fix_id: 'F-41413r653906_fix ' + tag cci: ['CCI-000140'] + tag nist: ['AU-5 b'] describe auditd_conf do its('disk_full_action') { should_not be_empty } its('disk_full_action') { should cmp /(?:SYSLOG|SINGLE|HALT)/i } end -end \ No newline at end of file +end diff --git a/controls/SV-238245.rb b/controls/SV-238245.rb index 60de48f..0955631 100644 --- a/controls/SV-238245.rb +++ b/controls/SV-238245.rb @@ -1,59 +1,57 @@ -# encoding: UTF-8 - -control "SV-238245" do - title "The Ubuntu operating system must be configured so that audit log files are not read or +control 'SV-238245' do + title "The Ubuntu operating system must be configured so that audit log files are not read or write-accessible by unauthorized users. " - desc "Unauthorized disclosure of audit records can reveal system and configuration data to -attackers, thus compromising its confidentiality. - -Audit information includes all -information (e.g., audit records, audit settings, audit reports) needed to successfully + desc "Unauthorized disclosure of audit records can reveal system and configuration data to +attackers, thus compromising its confidentiality. + +Audit information includes all +information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. " - desc "check", "Verify that the audit log files have a mode of \"0600\" or less permissive. - -Determine where the -audit logs are stored with the following command: - -$ sudo grep -iw log_file -/etc/audit/auditd.conf -log_file = /var/log/audit/audit.log - -Using the path of the -directory containing the audit logs, determine if the audit log files have a mode of \"0600\" or -less by using the following command: - -$ sudo stat -c \"%n %a\" /var/log/audit/* + desc 'check', "Verify that the audit log files have a mode of \"0600\" or less permissive. + +Determine where the +audit logs are stored with the following command: + +$ sudo grep -iw log_file +/etc/audit/auditd.conf +log_file = /var/log/audit/audit.log + +Using the path of the +directory containing the audit logs, determine if the audit log files have a mode of \"0600\" or +less by using the following command: + +$ sudo stat -c \"%n %a\" /var/log/audit/* -/var/log/audit/audit.log 600 - -If the audit log files have a mode more permissive than +/var/log/audit/audit.log 600 + +If the audit log files have a mode more permissive than \"0600\", this is a finding. " - desc "fix", "Configure the audit log files to have a mode of \"0600\" or less permissive. - -Determine where -the audit logs are stored with the following command: - -$ sudo grep -iw log_file -/etc/audit/auditd.conf -log_file = /var/log/audit/audit.log - -Using the path of the -directory containing the audit logs, configure the audit log files to have a mode of \"0600\" or -less permissive by using the following command: - + desc 'fix', "Configure the audit log files to have a mode of \"0600\" or less permissive. + +Determine where +the audit logs are stored with the following command: + +$ sudo grep -iw log_file +/etc/audit/auditd.conf +log_file = /var/log/audit/audit.log + +Using the path of the +directory containing the audit logs, configure the audit log files to have a mode of \"0600\" or +less permissive by using the following command: + $ sudo chmod 0600 /var/log/audit/* " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000057-GPOS-00027 " - tag satisfies: ["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028"] - tag gid: "V-238245 " - tag rid: "SV-238245r653910_rule " - tag stig_id: "UBTU-20-010122 " - tag fix_id: "F-41414r653909_fix " - tag cci: ["CCI-000162","CCI-000163"] - tag nist: ["AU-9 a"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000057-GPOS-00027 ' + tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028) + tag gid: 'V-238245 ' + tag rid: 'SV-238245r653910_rule ' + tag stig_id: 'UBTU-20-010122 ' + tag fix_id: 'F-41414r653909_fix ' + tag cci: %w(CCI-000162 CCI-000163) + tag nist: ['AU-9 a'] log_file = auditd_conf.log_file @@ -63,9 +61,9 @@ it { should_not be_more_permissive_than('0600') } end else - describe ('Audit log file ' + log_file + ' exists') do + describe('Audit log file ' + log_file + ' exists') do subject { log_file_exists } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238246.rb b/controls/SV-238246.rb index a89a174..6e412c4 100644 --- a/controls/SV-238246.rb +++ b/controls/SV-238246.rb @@ -1,58 +1,56 @@ -# encoding: UTF-8 - -control "SV-238246" do - title "The Ubuntu operating system must be configured to permit only authorized users ownership of +control 'SV-238246' do + title "The Ubuntu operating system must be configured to permit only authorized users ownership of the audit log files. " - desc "Unauthorized disclosure of audit records can reveal system and configuration data to -attackers, thus compromising its confidentiality. - -Audit information includes all -information (e.g., audit records, audit settings, audit reports) needed to successfully + desc "Unauthorized disclosure of audit records can reveal system and configuration data to +attackers, thus compromising its confidentiality. + +Audit information includes all +information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. " - desc "check", "Verify the audit log files are owned by \"root\" account. - -Determine where the audit logs are -stored with the following command: - -$ sudo grep -iw log_file /etc/audit/auditd.conf + desc 'check', "Verify the audit log files are owned by \"root\" account. + +Determine where the audit logs are +stored with the following command: + +$ sudo grep -iw log_file /etc/audit/auditd.conf + +log_file = /var/log/audit/audit.log + +Using the path of the directory containing the +audit logs, determine if the audit log files are owned by the \"root\" user by using the following +command: -log_file = /var/log/audit/audit.log - -Using the path of the directory containing the -audit logs, determine if the audit log files are owned by the \"root\" user by using the following -command: - -$ sudo stat -c \"%n %U\" /var/log/audit/* -/var/log/audit/audit.log root - -If the +$ sudo stat -c \"%n %U\" /var/log/audit/* +/var/log/audit/audit.log root + +If the audit log files are owned by an user other than \"root\", this is a finding. " - desc "fix", "Configure the audit log directory and its underlying files to be owned by \"root\" user. - + desc 'fix', "Configure the audit log directory and its underlying files to be owned by \"root\" user. + + +Determine where the audit logs are stored with the following command: + +$ sudo grep -iw +log_file /etc/audit/auditd.conf +log_file = /var/log/audit/audit.log + +Using the path +of the directory containing the audit logs, configure the audit log files to be owned by \"root\" +user by using the following command: -Determine where the audit logs are stored with the following command: - -$ sudo grep -iw -log_file /etc/audit/auditd.conf -log_file = /var/log/audit/audit.log - -Using the path -of the directory containing the audit logs, configure the audit log files to be owned by \"root\" -user by using the following command: - $ sudo chown root /var/log/audit/* " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000057-GPOS-00027 " - tag satisfies: ["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028","SRG-OS-000059-GPOS-00029"] - tag gid: "V-238246 " - tag rid: "SV-238246r653913_rule " - tag stig_id: "UBTU-20-010123 " - tag fix_id: "F-41415r653912_fix " - tag cci: ["CCI-000162"] - tag nist: ["AU-9 a"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000057-GPOS-00027 ' + tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029) + tag gid: 'V-238246 ' + tag rid: 'SV-238246r653913_rule ' + tag stig_id: 'UBTU-20-010123 ' + tag fix_id: 'F-41415r653912_fix ' + tag cci: ['CCI-000162'] + tag nist: ['AU-9 a'] log_file = auditd_conf.log_file @@ -62,9 +60,9 @@ its('owner') { should cmp 'root' } end else - describe ('Audit log file ' + log_file + ' exists') do + describe('Audit log file ' + log_file + ' exists') do subject { log_file_exists } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238247.rb b/controls/SV-238247.rb index 8e7b317..62f5531 100644 --- a/controls/SV-238247.rb +++ b/controls/SV-238247.rb @@ -1,62 +1,60 @@ -# encoding: UTF-8 - -control "SV-238247" do - title "The Ubuntu operating system must permit only authorized groups ownership of the audit log +control 'SV-238247' do + title "The Ubuntu operating system must permit only authorized groups ownership of the audit log files. " - desc "Unauthorized disclosure of audit records can reveal system and configuration data to -attackers, thus compromising its confidentiality. - -Audit information includes all -information (e.g., audit records, audit settings, audit reports) needed to successfully + desc "Unauthorized disclosure of audit records can reveal system and configuration data to +attackers, thus compromising its confidentiality. + +Audit information includes all +information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. " - desc "check", "Verify the group owner is set to own newly created audit logs in the audit configuration file -with the following command: -$ sudo grep -iw log_group /etc/audit/auditd.conf -log_group = -root + desc 'check', "Verify the group owner is set to own newly created audit logs in the audit configuration file +with the following command: +$ sudo grep -iw log_group /etc/audit/auditd.conf +log_group = +root -If the value of the \"log_group\" parameter is other than \"root\", this is a +If the value of the \"log_group\" parameter is other than \"root\", this is a finding. -Determine where the audit logs are stored with the following command: -$ sudo grep --iw log_file /etc/audit/auditd.conf -log_file = /var/log/audit/audit.log +Determine where the audit logs are stored with the following command: +$ sudo grep +-iw log_file /etc/audit/auditd.conf +log_file = /var/log/audit/audit.log -Using the -path of the directory containing the audit logs, determine if the audit log files are owned by -the \"root\" group by using the following command: -$ sudo stat -c \"%n %G\" /var/log/audit/* +Using the +path of the directory containing the audit logs, determine if the audit log files are owned by +the \"root\" group by using the following command: +$ sudo stat -c \"%n %G\" /var/log/audit/* -/var/log/audit/audit.log root +/var/log/audit/audit.log root -If the audit log files are owned by a group other than +If the audit log files are owned by a group other than \"root\", this is a finding. " - desc "fix", "Configure the audit log directory and its underlying files to be owned by \"root\" group. + desc 'fix', "Configure the audit log directory and its underlying files to be owned by \"root\" group. -Set -the \"log_group\" parameter of the audit configuration file to the \"root\" value so when a new log +Set +the \"log_group\" parameter of the audit configuration file to the \"root\" value so when a new log file is created, its group owner is properly set: -$ sudo sed -i '/^log_group/D' +$ sudo sed -i '/^log_group/D' /etc/audit/auditd.conf -$ sudo sed -i /^log_file/a'log_group = root' +$ sudo sed -i /^log_file/a'log_group = root' /etc/audit/auditd.conf -Last, signal the audit daemon to reload the configuration file to +Last, signal the audit daemon to reload the configuration file to update the group owners of existing files: $ sudo systemctl kill auditd -s SIGHUP " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000057-GPOS-00027 " - tag satisfies: ["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028","SRG-OS-000059-GPOS-00029"] - tag gid: "V-238247 " - tag rid: "SV-238247r832947_rule " - tag stig_id: "UBTU-20-010124 " - tag fix_id: "F-41416r832946_fix " - tag cci: ["CCI-000162"] - tag nist: ["AU-9 a"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000057-GPOS-00027 ' + tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029) + tag gid: 'V-238247 ' + tag rid: 'SV-238247r832947_rule ' + tag stig_id: 'UBTU-20-010124 ' + tag fix_id: 'F-41416r832946_fix ' + tag cci: ['CCI-000162'] + tag nist: ['AU-9 a'] log_file = auditd_conf.log_file @@ -66,9 +64,9 @@ its('group') { should cmp 'root' } end else - describe ('Audit log file ' + log_file + ' exists') do + describe('Audit log file ' + log_file + ' exists') do subject { log_file_exists } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238248.rb b/controls/SV-238248.rb index 682a3e4..7dc6686 100644 --- a/controls/SV-238248.rb +++ b/controls/SV-238248.rb @@ -1,64 +1,62 @@ -# encoding: UTF-8 - -control "SV-238248" do - title "The Ubuntu operating system must be configured so that the audit log directory is not +control 'SV-238248' do + title "The Ubuntu operating system must be configured so that the audit log directory is not write-accessible by unauthorized users. " - desc "If audit information were to become compromised, then forensic analysis and discovery of the -true source of potentially malicious system activity is impossible to achieve. - -To ensure -the veracity of audit information, the operating system must protect audit information from -unauthorized deletion. This requirement can be achieved through multiple methods, which -will depend upon system architecture and design. - -Audit information includes all -information (e.g., audit records, audit settings, audit reports) needed to successfully + desc "If audit information were to become compromised, then forensic analysis and discovery of the +true source of potentially malicious system activity is impossible to achieve. + +To ensure +the veracity of audit information, the operating system must protect audit information from +unauthorized deletion. This requirement can be achieved through multiple methods, which +will depend upon system architecture and design. + +Audit information includes all +information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. " - desc "check", "Verify that the audit log directory has a mode of \"0750\" or less permissive. - -Determine where -the audit logs are stored with the following command: - -$ sudo grep -iw ^log_file -/etc/audit/auditd.conf -log_file = /var/log/audit/audit.log - -Using the path of the -directory containing the audit logs, determine if the directory has a mode of \"0750\" or less by -using the following command: - -$ sudo stat -c \"%n %a\" /var/log/audit /var/log/audit/* + desc 'check', "Verify that the audit log directory has a mode of \"0750\" or less permissive. + +Determine where +the audit logs are stored with the following command: + +$ sudo grep -iw ^log_file +/etc/audit/auditd.conf +log_file = /var/log/audit/audit.log + +Using the path of the +directory containing the audit logs, determine if the directory has a mode of \"0750\" or less by +using the following command: -/var/log/audit 750 -/var/log/audit/audit.log 600 - -If the audit log directory has a mode +$ sudo stat -c \"%n %a\" /var/log/audit /var/log/audit/* + +/var/log/audit 750 +/var/log/audit/audit.log 600 + +If the audit log directory has a mode more permissive than \"0750\", this is a finding. " - desc "fix", "Configure the audit log directory to have a mode of \"0750\" or less permissive. - -Determine -where the audit logs are stored with the following command: - -$ sudo grep -iw ^log_file -/etc/audit/auditd.conf -log_file = /var/log/audit/audit.log - -Using the path of the -directory containing the audit logs, configure the audit log directory to have a mode of -\"0750\" or less permissive by - using the following command: - -$ sudo chmod -R g-w,o-rwx + desc 'fix', "Configure the audit log directory to have a mode of \"0750\" or less permissive. + +Determine +where the audit logs are stored with the following command: + +$ sudo grep -iw ^log_file +/etc/audit/auditd.conf +log_file = /var/log/audit/audit.log + +Using the path of the +directory containing the audit logs, configure the audit log directory to have a mode of +\"0750\" or less permissive by + using the following command: + +$ sudo chmod -R g-w,o-rwx /var/log/audit " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000059-GPOS-00029 " - tag gid: "V-238248 " - tag rid: "SV-238248r653919_rule " - tag stig_id: "UBTU-20-010128 " - tag fix_id: "F-41417r653918_fix " - tag cci: ["CCI-000164"] - tag nist: ["AU-9 a"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000059-GPOS-00029 ' + tag gid: 'V-238248 ' + tag rid: 'SV-238248r653919_rule ' + tag stig_id: 'UBTU-20-010128 ' + tag fix_id: 'F-41417r653918_fix ' + tag cci: ['CCI-000164'] + tag nist: ['AU-9 a'] log_file = auditd_conf.log_file @@ -68,9 +66,9 @@ it { should_not be_more_permissive_than('0750') } end else - describe ('Audit directory for file ' + log_file + ' exists') do + describe('Audit directory for file ' + log_file + ' exists') do subject { log_dir_exists } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238249.rb b/controls/SV-238249.rb index 39a75eb..5f8e7d2 100644 --- a/controls/SV-238249.rb +++ b/controls/SV-238249.rb @@ -1,58 +1,56 @@ -# encoding: UTF-8 - -control "SV-238249" do - title "The Ubuntu operating system must be configured so that audit configuration files are not +control 'SV-238249' do + title "The Ubuntu operating system must be configured so that audit configuration files are not write-accessible by unauthorized users. " - desc "Without the capability to restrict which roles and individuals can select which events are -audited, unauthorized personnel may be able to prevent the auditing of critical events. - + desc "Without the capability to restrict which roles and individuals can select which events are +audited, unauthorized personnel may be able to prevent the auditing of critical events. + -Misconfigured audits may degrade the system's performance by overwhelming the audit log. -Misconfigured audits may also make it more difficult to establish, correlate, and +Misconfigured audits may degrade the system's performance by overwhelming the audit log. +Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. " - desc "check", "Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and -\"/etc/audit/auditd.conf\" files have a mode of \"0640\" or less permissive by using the -following command: - -$ sudo ls -al /etc/audit/ /etc/audit/rules.d/ - -/etc/audit/: - - --rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf - --rw-r----- 1 root root 9128 Dec 27 09:56 -audit.rules - --rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev - --rw-r----- 1 root -root 127 Feb 7 2018 audit-stop.rules - -drwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d - - -/etc/audit/rules.d/: - --rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules - -If -\"/etc/audit/audit.rule\",\"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file + desc 'check', "Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and +\"/etc/audit/auditd.conf\" files have a mode of \"0640\" or less permissive by using the +following command: + +$ sudo ls -al /etc/audit/ /etc/audit/rules.d/ + +/etc/audit/: + + +-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf + +-rw-r----- 1 root root 9128 Dec 27 09:56 +audit.rules + +-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev + +-rw-r----- 1 root +root 127 Feb 7 2018 audit-stop.rules + +drwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d + + +/etc/audit/rules.d/: + +-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules + +If +\"/etc/audit/audit.rule\",\"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file have a mode more permissive than \"0640\", this is a finding. " - desc "fix", "Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and -\"/etc/audit/auditd.conf\" files to have a mode of \"0640\" by using the following command: - -$ + desc 'fix', "Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and +\"/etc/audit/auditd.conf\" files to have a mode of \"0640\" by using the following command: + +$ sudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000063-GPOS-00032 " - tag gid: "V-238249 " - tag rid: "SV-238249r653922_rule " - tag stig_id: "UBTU-20-010133 " - tag fix_id: "F-41418r653921_fix " - tag cci: ["CCI-000171"] - tag nist: ["AU-12 b"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000063-GPOS-00032 ' + tag gid: 'V-238249 ' + tag rid: 'SV-238249r653922_rule ' + tag stig_id: 'UBTU-20-010133 ' + tag fix_id: 'F-41418r653921_fix ' + tag cci: ['CCI-000171'] + tag nist: ['AU-12 b'] files1 = command('find /etc/audit/ -type f \( -iname \*.rules -o -iname \*.conf \)').stdout.strip.split("\n").entries files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split("\n").entries @@ -64,4 +62,4 @@ it { should_not be_more_permissive_than('0640') } end end -end \ No newline at end of file +end diff --git a/controls/SV-238250.rb b/controls/SV-238250.rb index c593a9d..2487a1d 100644 --- a/controls/SV-238250.rb +++ b/controls/SV-238250.rb @@ -1,68 +1,66 @@ -# encoding: UTF-8 - -control "SV-238250" do - title "The Ubuntu operating system must permit only authorized accounts to own the audit +control 'SV-238250' do + title "The Ubuntu operating system must permit only authorized accounts to own the audit configuration files. " - desc "Without the capability to restrict which roles and individuals can select which events are -audited, unauthorized personnel may be able to prevent the auditing of critical events. - + desc "Without the capability to restrict which roles and individuals can select which events are +audited, unauthorized personnel may be able to prevent the auditing of critical events. + -Misconfigured audits may degrade the system's performance by overwhelming the audit log. -Misconfigured audits may also make it more difficult to establish, correlate, and +Misconfigured audits may degrade the system's performance by overwhelming the audit log. +Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. " - desc "check", "Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and -\"/etc/audit/auditd.conf\" files are owned by root account by using the following command: - - -$ sudo ls -al /etc/audit/ /etc/audit/rules.d/ - -/etc/audit/: - -drwxr-x--- 3 root root -4096 Nov 25 11:02 . - -drwxr-xr-x 130 root root 12288 Dec 19 13:42 .. - --rw-r----- 1 root root 804 -Nov 25 11:01 auditd.conf - --rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules - --rw-r----- -1 root root 9373 Dec 27 09:56 audit.rules.prev - --rw-r----- 1 root root 127 Feb 7 2018 -audit-stop.rules - -drwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d - - -/etc/audit/rules.d/: - -drwxr-x--- 2 root root 4096 Dec 27 09:56 . - -drwxr-x--- 3 root root -4096 Nov 25 11:02 .. - --rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules - -If the -\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file + desc 'check', "Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and +\"/etc/audit/auditd.conf\" files are owned by root account by using the following command: + + +$ sudo ls -al /etc/audit/ /etc/audit/rules.d/ + +/etc/audit/: + +drwxr-x--- 3 root root +4096 Nov 25 11:02 . + +drwxr-xr-x 130 root root 12288 Dec 19 13:42 .. + +-rw-r----- 1 root root 804 +Nov 25 11:01 auditd.conf + +-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules + +-rw-r----- +1 root root 9373 Dec 27 09:56 audit.rules.prev + +-rw-r----- 1 root root 127 Feb 7 2018 +audit-stop.rules + +drwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d + + +/etc/audit/rules.d/: + +drwxr-x--- 2 root root 4096 Dec 27 09:56 . + +drwxr-x--- 3 root root +4096 Nov 25 11:02 .. + +-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules + +If the +\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file is owned by a user other than \"root\", this is a finding. " - desc "fix", "Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and -\"/etc/audit/auditd.conf\" files to be owned by root user by using the following command: - -$ + desc 'fix', "Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and +\"/etc/audit/auditd.conf\" files to be owned by root user by using the following command: + +$ sudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000063-GPOS-00032 " - tag gid: "V-238250 " - tag rid: "SV-238250r653925_rule " - tag stig_id: "UBTU-20-010134 " - tag fix_id: "F-41419r653924_fix " - tag cci: ["CCI-000171"] - tag nist: ["AU-12 b"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000063-GPOS-00032 ' + tag gid: 'V-238250 ' + tag rid: 'SV-238250r653925_rule ' + tag stig_id: 'UBTU-20-010134 ' + tag fix_id: 'F-41419r653924_fix ' + tag cci: ['CCI-000171'] + tag nist: ['AU-12 b'] files1 = command('find /etc/audit/ -type f \( -iname \*.rules -o -iname \*.conf \)').stdout.strip.split("\n").entries files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split("\n").entries @@ -74,4 +72,4 @@ its('owner') { should cmp 'root' } end end -end \ No newline at end of file +end diff --git a/controls/SV-238251.rb b/controls/SV-238251.rb index 9712b66..65e83e5 100644 --- a/controls/SV-238251.rb +++ b/controls/SV-238251.rb @@ -1,58 +1,56 @@ -# encoding: UTF-8 - -control "SV-238251" do - title "The Ubuntu operating system must permit only authorized groups to own the audit +control 'SV-238251' do + title "The Ubuntu operating system must permit only authorized groups to own the audit configuration files. " - desc "Without the capability to restrict which roles and individuals can select which events are -audited, unauthorized personnel may be able to prevent the auditing of critical events. - + desc "Without the capability to restrict which roles and individuals can select which events are +audited, unauthorized personnel may be able to prevent the auditing of critical events. + -Misconfigured audits may degrade the system's performance by overwhelming the audit log. -Misconfigured audits may also make it more difficult to establish, correlate, and +Misconfigured audits may degrade the system's performance by overwhelming the audit log. +Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. " - desc "check", "Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and -\"/etc/audit/auditd.conf\" files are owned by root group by using the following command: - -$ -sudo ls -al /etc/audit/ /etc/audit/rules.d/ - -/etc/audit/: - --rw-r----- 1 root root 804 -Nov 25 11:01 auditd.conf - --rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules - --rw-r----- -1 root root 9373 Dec 27 09:56 audit.rules.prev - --rw-r----- 1 root root 127 Feb 7 2018 -audit-stop.rules - -drwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d - - -/etc/audit/rules.d/: - --rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules - -If the -\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file + desc 'check', "Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and +\"/etc/audit/auditd.conf\" files are owned by root group by using the following command: + +$ +sudo ls -al /etc/audit/ /etc/audit/rules.d/ + +/etc/audit/: + +-rw-r----- 1 root root 804 +Nov 25 11:01 auditd.conf + +-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules + +-rw-r----- +1 root root 9373 Dec 27 09:56 audit.rules.prev + +-rw-r----- 1 root root 127 Feb 7 2018 +audit-stop.rules + +drwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d + + +/etc/audit/rules.d/: + +-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules + +If the +\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file is owned by a group other than \"root\", this is a finding. " - desc "fix", "Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and -\"/etc/audit/auditd.conf\" files to be owned by root group by using the following command: - -$ + desc 'fix', "Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and +\"/etc/audit/auditd.conf\" files to be owned by root group by using the following command: + +$ sudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000063-GPOS-00032 " - tag gid: "V-238251 " - tag rid: "SV-238251r653928_rule " - tag stig_id: "UBTU-20-010135 " - tag fix_id: "F-41420r653927_fix " - tag cci: ["CCI-000171"] - tag nist: ["AU-12 b"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000063-GPOS-00032 ' + tag gid: 'V-238251 ' + tag rid: 'SV-238251r653928_rule ' + tag stig_id: 'UBTU-20-010135 ' + tag fix_id: 'F-41420r653927_fix ' + tag cci: ['CCI-000171'] + tag nist: ['AU-12 b'] files1 = command('find /etc/audit/ -type f \( -iname \*.rules -o -iname \*.conf \)').stdout.strip.split("\n").entries files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split("\n").entries @@ -64,4 +62,4 @@ its('group') { should cmp 'root' } end end -end \ No newline at end of file +end diff --git a/controls/SV-238252.rb b/controls/SV-238252.rb index 54df9c7..c34cfd9 100644 --- a/controls/SV-238252.rb +++ b/controls/SV-238252.rb @@ -1,54 +1,52 @@ -# encoding: UTF-8 - -control "SV-238252" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238252' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the su command. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful -attempts to use the \"su\" command. - -Check the configured audit rules with the following -commands: - -$ sudo auditctl -l | grep '/bin/su' - --a always,exit -F path=/bin/su -F perm=x -F -auid>=1000 -F auid!=4294967295 -k privileged-priv_change - -If the command does not -return lines that match the example or the lines are commented out, this is a finding. - -Note: -The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need + desc 'check', "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful +attempts to use the \"su\" command. + +Check the configured audit rules with the following +commands: + +$ sudo auditctl -l | grep '/bin/su' + +-a always,exit -F path=/bin/su -F perm=x -F +auid>=1000 -F auid!=4294967295 -k privileged-priv_change + +If the command does not +return lines that match the example or the lines are commented out, this is a finding. + +Note: +The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the Ubuntu operating system to generate audit records when -successful/unsuccessful attempts to use the \"su\" command occur. - -Add or update the -following rules in the \"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F -path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change - + desc 'fix', "Configure the Ubuntu operating system to generate audit records when +successful/unsuccessful attempts to use the \"su\" command occur. + +Add or update the +following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F +path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change + + +To reload the rules file, issue the following command: -To reload the rules file, issue the following command: - $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag gid: "V-238252 " - tag rid: "SV-238252r653931_rule " - tag stig_id: "UBTU-20-010136 " - tag fix_id: "F-41421r653930_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag gid: 'V-238252 ' + tag rid: 'SV-238252r653931_rule ' + tag stig_id: 'UBTU-20-010136 ' + tag fix_id: 'F-41421r653930_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/bin/su' @@ -69,9 +67,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238253.rb b/controls/SV-238253.rb index 7810ac5..4fc545f 100644 --- a/controls/SV-238253.rb +++ b/controls/SV-238253.rb @@ -1,54 +1,52 @@ -# encoding: UTF-8 - -control "SV-238253" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238253' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chfn command. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful -attempts to use the \"chfn\" command. - -Check the configured audit rules with the following -commands: - -$ sudo auditctl -l | grep '/usr/bin/chfn' - --a always,exit -F -path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn - -If the -command does not return lines that match the example or the lines are commented out, this is a -finding. - -Note: The \"-k\" allows for specifying an arbitrary identifier, and the string + desc 'check', "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful +attempts to use the \"chfn\" command. + +Check the configured audit rules with the following +commands: + +$ sudo auditctl -l | grep '/usr/bin/chfn' + +-a always,exit -F +path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn + +If the +command does not return lines that match the example or the lines are commented out, this is a +finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses -of the \"chfn\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/chfn -F perm=x --F auid>=1000 -F auid!=4294967295 -k privileged-chfn - -To reload the rules file, issue -the following command: - + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful uses +of the \"chfn\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/chfn -F perm=x +-F auid>=1000 -F auid!=4294967295 -k privileged-chfn + +To reload the rules file, issue +the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag gid: "V-238253 " - tag rid: "SV-238253r653934_rule " - tag stig_id: "UBTU-20-010137 " - tag fix_id: "F-41422r653933_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag gid: 'V-238253 ' + tag rid: 'SV-238253r653934_rule ' + tag stig_id: 'UBTU-20-010137 ' + tag fix_id: 'F-41422r653933_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/usr/bin/chfn' @@ -69,9 +67,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238254.rb b/controls/SV-238254.rb index 93822d0..24c3b72 100644 --- a/controls/SV-238254.rb +++ b/controls/SV-238254.rb @@ -1,54 +1,52 @@ -# encoding: UTF-8 - -control "SV-238254" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238254' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the mount command. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful -attempts to use the \"mount\" command. - -Check the configured audit rules with the following -commands: - -$ sudo auditctl -l | grep '/usr/bin/mount' - --a always,exit -F -path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount - -If the -command does not return lines that match the example or the lines are commented out, this is a -finding. - -Note: The \"-k\" allows for specifying an arbitrary identifier, and the string + desc 'check', "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful +attempts to use the \"mount\" command. + +Check the configured audit rules with the following +commands: + +$ sudo auditctl -l | grep '/usr/bin/mount' + +-a always,exit -F +path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount + +If the +command does not return lines that match the example or the lines are commented out, this is a +finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"mount\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/mount -F -perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount - -To reload the rules -file, issue the following command: - + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"mount\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/mount -F +perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount + +To reload the rules +file, issue the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag gid: "V-238254 " - tag rid: "SV-238254r653937_rule " - tag stig_id: "UBTU-20-010138 " - tag fix_id: "F-41423r653936_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag gid: 'V-238254 ' + tag rid: 'SV-238254r653937_rule ' + tag stig_id: 'UBTU-20-010138 ' + tag fix_id: 'F-41423r653936_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/usr/bin/mount' @@ -69,9 +67,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238255.rb b/controls/SV-238255.rb index f3cd3ca..179a55c 100644 --- a/controls/SV-238255.rb +++ b/controls/SV-238255.rb @@ -1,54 +1,52 @@ -# encoding: UTF-8 - -control "SV-238255" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238255' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the umount command. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify if the Ubuntu operating system generates audit records upon -successful/unsuccessful attempts to use the \"umount\" command. - -Check the configured -audit rules with the following commands: - -$ sudo auditctl -l | grep '/usr/bin/umount' - --a -always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k -privileged-umount - -If the command does not return lines that match the example or the lines -are commented out, this is a finding. - -Note: The \"-k\" allows for specifying an arbitrary + desc 'check', "Verify if the Ubuntu operating system generates audit records upon +successful/unsuccessful attempts to use the \"umount\" command. + +Check the configured +audit rules with the following commands: + +$ sudo auditctl -l | grep '/usr/bin/umount' + +-a +always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k +privileged-umount + +If the command does not return lines that match the example or the lines +are commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"umount\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/umount -F -perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount - -To reload the rules -file, issue the following command: - + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"umount\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/umount -F +perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount + +To reload the rules +file, issue the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag gid: "V-238255 " - tag rid: "SV-238255r653940_rule " - tag stig_id: "UBTU-20-010139 " - tag fix_id: "F-41424r653939_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag gid: 'V-238255 ' + tag rid: 'SV-238255r653940_rule ' + tag stig_id: 'UBTU-20-010139 ' + tag fix_id: 'F-41424r653939_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/usr/bin/umount' @@ -69,9 +67,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238256.rb b/controls/SV-238256.rb index 27be2dd..0571b41 100644 --- a/controls/SV-238256.rb +++ b/controls/SV-238256.rb @@ -1,54 +1,52 @@ -# encoding: UTF-8 - -control "SV-238256" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238256' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the ssh-agent command. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -attempts to use the \"ssh-agent\" command. - -Check the configured audit rules with the -following commands: - -$ sudo auditctl -l | grep '/usr/bin/ssh-agent' - --a always,exit -F -path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh - -If the -command does not return lines that match the example or the lines are commented out, this is a -finding. - -Note: The \"-k\" allows for specifying an arbitrary identifier, and the string + desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +attempts to use the \"ssh-agent\" command. + +Check the configured audit rules with the +following commands: + +$ sudo auditctl -l | grep '/usr/bin/ssh-agent' + +-a always,exit -F +path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh + +If the +command does not return lines that match the example or the lines are commented out, this is a +finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"ssh-agent\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/ssh-agent -F -perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh - -To reload the rules file, -issue the following command: - + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"ssh-agent\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/ssh-agent -F +perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh + +To reload the rules file, +issue the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag gid: "V-238256 " - tag rid: "SV-238256r653943_rule " - tag stig_id: "UBTU-20-010140 " - tag fix_id: "F-41425r653942_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag gid: 'V-238256 ' + tag rid: 'SV-238256r653943_rule ' + tag stig_id: 'UBTU-20-010140 ' + tag fix_id: 'F-41425r653942_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/usr/bin/ssh-agent' @@ -69,9 +67,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238257.rb b/controls/SV-238257.rb index 23757c6..6c78192 100644 --- a/controls/SV-238257.rb +++ b/controls/SV-238257.rb @@ -1,55 +1,53 @@ -# encoding: UTF-8 - -control "SV-238257" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238257' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the ssh-keysign command. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -attempts to use the \"ssh-keysign\" command. - -Check the configured audit rules with the -following commands: - -$ sudo auditctl -l | grep ssh-keysign - --a always,exit -F -path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k -privileged-ssh - -If the command does not return lines that match the example or the lines are -commented out, this is a finding. - -Note: The \"-k\" allows for specifying an arbitrary + desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +attempts to use the \"ssh-keysign\" command. + +Check the configured audit rules with the +following commands: + +$ sudo auditctl -l | grep ssh-keysign + +-a always,exit -F +path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k +privileged-ssh + +If the command does not return lines that match the example or the lines are +commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"ssh-keysign\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F -path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k -privileged-ssh - -To reload the rules file, issue the following command: - -$ sudo augenrules + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"ssh-keysign\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F +path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k +privileged-ssh + +To reload the rules file, issue the following command: + +$ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag gid: "V-238257 " - tag rid: "SV-238257r653946_rule " - tag stig_id: "UBTU-20-010141 " - tag fix_id: "F-41426r653945_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag gid: 'V-238257 ' + tag rid: 'SV-238257r653946_rule ' + tag stig_id: 'UBTU-20-010141 ' + tag fix_id: 'F-41426r653945_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/usr/lib/openssh/ssh-keysign' @@ -70,9 +68,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238258.rb b/controls/SV-238258.rb index ce0d92e..c851a12 100644 --- a/controls/SV-238258.rb +++ b/controls/SV-238258.rb @@ -1,99 +1,97 @@ -# encoding: UTF-8 - -control "SV-238258" do - title "The Ubuntu operating system must generate audit records for any use of the setxattr, +control 'SV-238258' do + title "The Ubuntu operating system must generate audit records for any use of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). -The system call rules are loaded into a matching engine that intercepts each -syscall that all programs on the system makes. Therefore, it is very important to only use -syscall rules when absolutely necessary since these affect performance. The more rules, the -bigger the performance hit. The performance is helped, though, by combining syscalls into +The system call rules are loaded into a matching engine that intercepts each +syscall that all programs on the system makes. Therefore, it is very important to only use +syscall rules when absolutely necessary since these affect performance. The more rules, the +bigger the performance hit. The performance is helped, though, by combining syscalls into one rule whenever possible. " - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -attempts to use the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", -\"fremovexattr\", and \"lremovexattr\" system calls. - -Check the currently configured audit -rules with the following command: - -$ sudo auditctl -l | grep xattr - --a always,exit -F -arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F -auid>=1000 -F auid!=-1 -k perm_mod --a always,exit -F arch=b32 -S -setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k -perm_mod --a always,exit -F arch=b64 -S -setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F -auid>=1000 -F auid!=-1 -k perm_mod --a always,exit -F arch=b64 -S -setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k -perm_mod - -If the command does not return audit rules for the \"setxattr\", \"fsetxattr\", -\"lsetxattr\", \"removexattr\", \"fremovexattr\" and \"lremovexattr\" syscalls or the lines are -commented out, this is a finding. - -Notes: -For 32-bit architectures, only the 32-bit -specific output lines from the commands are required. -The \"-k\" allows for specifying an + desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +attempts to use the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", +\"fremovexattr\", and \"lremovexattr\" system calls. + +Check the currently configured audit +rules with the following command: + +$ sudo auditctl -l | grep xattr + +-a always,exit -F +arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F +auid>=1000 -F auid!=-1 -k perm_mod +-a always,exit -F arch=b32 -S +setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k +perm_mod +-a always,exit -F arch=b64 -S +setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F +auid>=1000 -F auid!=-1 -k perm_mod +-a always,exit -F arch=b64 -S +setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k +perm_mod + +If the command does not return audit rules for the \"setxattr\", \"fsetxattr\", +\"lsetxattr\", \"removexattr\", \"fremovexattr\" and \"lremovexattr\" syscalls or the lines are +commented out, this is a finding. + +Notes: +For 32-bit architectures, only the 32-bit +specific output lines from the commands are required. +The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and -\"lremovexattr\" system calls. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F arch=b32 -S -setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F -auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S -setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k -perm_mod --a always,exit -F arch=b64 -S -setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F -auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S -setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k -perm_mod - + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and +\"lremovexattr\" system calls. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F arch=b32 -S +setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F +auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S +setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k +perm_mod +-a always,exit -F arch=b64 -S +setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F +auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S +setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k +perm_mod + Note: For 32-bit architectures, only the 32-bit specific entries are required. - -To reload the rules file, issue the following command: - + +To reload the rules file, issue the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag satisfies: ["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"] - tag gid: "V-238258 " - tag rid: "SV-238258r808474_rule " - tag stig_id: "UBTU-20-010142 " - tag fix_id: "F-41427r808473_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206) + tag gid: 'V-238258 ' + tag rid: 'SV-238258r808474_rule ' + tag stig_id: 'UBTU-20-010142 ' + tag fix_id: 'F-41427r808473_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] - if os.arch == "x86_64" - describe auditd.syscall("setxattr").where { arch == "b64" } do - its("action.uniq") { should eq ["always"] } - its("list.uniq") { should eq ["exit"] } + if os.arch == 'x86_64' + describe auditd.syscall('setxattr').where { arch == 'b64' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } end end - describe auditd.syscall("setxattr").where { arch == "b32" } do - its("action.uniq") { should eq ["always"] } - its("list.uniq") { should eq ["exit"] } + describe auditd.syscall('setxattr').where { arch == 'b32' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } end -end \ No newline at end of file +end diff --git a/controls/SV-238264.rb b/controls/SV-238264.rb index b9683c8..737f005 100644 --- a/controls/SV-238264.rb +++ b/controls/SV-238264.rb @@ -1,77 +1,75 @@ -# encoding: UTF-8 - -control "SV-238264" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238264' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). -The system call rules are loaded into a matching engine that intercepts each -syscall that all programs on the system makes. Therefore, it is very important to only use -syscall rules when absolutely necessary since these affect performance. The more rules, the -bigger the performance hit. The performance is helped, though, by combining syscalls into +The system call rules are loaded into a matching engine that intercepts each +syscall that all programs on the system makes. Therefore, it is very important to only use +syscall rules when absolutely necessary since these affect performance. The more rules, the +bigger the performance hit. The performance is helped, though, by combining syscalls into one rule whenever possible. " - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -attempts to use the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls. - -Check the -configured audit rules with the following commands: - -$ sudo auditctl -l | grep chown - --a -always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k -perm_chng --a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 --F auid!=-1 -k perm_chng - -If the command does not return audit rules for the \"chown\", -\"fchown\", \"fchownat\", and \"lchown\" syscalls or the lines are commented out, this is a -finding. - -Notes: -For 32-bit architectures, only the 32-bit specific output lines from the -commands are required. -The \"-k\" allows for specifying an arbitrary identifier, and the + desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +attempts to use the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls. + +Check the +configured audit rules with the following commands: + +$ sudo auditctl -l | grep chown + +-a +always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k +perm_chng +-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 +-F auid!=-1 -k perm_chng + +If the command does not return audit rules for the \"chown\", +\"fchown\", \"fchownat\", and \"lchown\" syscalls or the lines are commented out, this is a +finding. + +Notes: +For 32-bit architectures, only the 32-bit specific output lines from the +commands are required. +The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls. - -Add or update the following -rules in the \"/etc/audit/rules.d/stig.rules\": - --a always,exit -F arch=b32 -S -chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng --a -always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F -auid!=4294967295 -k perm_chng - -Note: For 32-bit architectures, only the 32-bit specific -entries are required. - -To reload the rules file, issue the following command: - -$ sudo + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls. + +Add or update the following +rules in the \"/etc/audit/rules.d/stig.rules\": + +-a always,exit -F arch=b32 -S +chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a +always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F +auid!=4294967295 -k perm_chng + +Note: For 32-bit architectures, only the 32-bit specific +entries are required. + +To reload the rules file, issue the following command: + +$ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag satisfies: ["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"] - tag gid: "V-238264 " - tag rid: "SV-238264r808477_rule " - tag stig_id: "UBTU-20-010148 " - tag fix_id: "F-41433r808476_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206) + tag gid: 'V-238264 ' + tag rid: 'SV-238264r808477_rule ' + tag stig_id: 'UBTU-20-010148 ' + tag fix_id: 'F-41433r808476_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] - #FIX + # FIX if os.arch == 'x86_64' describe auditd.syscall('chown').where { arch == 'b64' } do @@ -83,4 +81,4 @@ its('action.uniq') { should eq ['always'] } its('list.uniq') { should eq ['exit'] } end -end \ No newline at end of file +end diff --git a/controls/SV-238268.rb b/controls/SV-238268.rb index 9a66f1e..151198e 100644 --- a/controls/SV-238268.rb +++ b/controls/SV-238268.rb @@ -1,76 +1,74 @@ -# encoding: UTF-8 - -control "SV-238268" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238268' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). -The system call rules are loaded into a matching engine that intercepts each -syscall that all programs on the system makes. Therefore, it is very important to only use -syscall rules when absolutely necessary since these affect performance. The more rules, the -bigger the performance hit. The performance is helped, though, by combining syscalls into +The system call rules are loaded into a matching engine that intercepts each +syscall that all programs on the system makes. Therefore, it is very important to only use +syscall rules when absolutely necessary since these affect performance. The more rules, the +bigger the performance hit. The performance is helped, though, by combining syscalls into one rule whenever possible. " - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -attempts to use the \"chmod\", \"fchmod\", and \"fchmodat\" system calls. - -Check the configured -audit rules with the following commands: - -$ sudo auditctl -l | grep chmod - --a always,exit -F -arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng --a -always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k -perm_chng - -If the command does not return audit rules for the \"chmod\", \"fchmod\" and -\"fchmodat\" syscalls or the lines are commented out, this is a finding. - -Notes: -For 32-bit -architectures, only the 32-bit specific output lines from the commands are required. -The -\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to + desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +attempts to use the \"chmod\", \"fchmod\", and \"fchmodat\" system calls. + +Check the configured +audit rules with the following commands: + +$ sudo auditctl -l | grep chmod + +-a always,exit -F +arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng +-a +always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k +perm_chng + +If the command does not return audit rules for the \"chmod\", \"fchmod\" and +\"fchmodat\" syscalls or the lines are commented out, this is a finding. + +Notes: +For 32-bit +architectures, only the 32-bit specific output lines from the commands are required. +The +\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"chmod\", \"fchmod\", and \"fchmodat\" system calls. - -Add or update the following rules in -the \"/etc/audit/rules.d/stig.rules\": - --a always,exit -F arch=b32 -S -chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng --a always,exit --F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng - - -Notes: For 32-bit architectures, only the 32-bit specific entries are required. - -To -reload the rules file, issue the following command: - + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"chmod\", \"fchmod\", and \"fchmodat\" system calls. + +Add or update the following rules in +the \"/etc/audit/rules.d/stig.rules\": + +-a always,exit -F arch=b32 -S +chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a always,exit +-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng + + +Notes: For 32-bit architectures, only the 32-bit specific entries are required. + +To +reload the rules file, issue the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag satisfies: ["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"] - tag gid: "V-238268 " - tag rid: "SV-238268r808480_rule " - tag stig_id: "UBTU-20-010152 " - tag fix_id: "F-41437r808479_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] - -#FIX + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206) + tag gid: 'V-238268 ' + tag rid: 'SV-238268r808480_rule ' + tag stig_id: 'UBTU-20-010152 ' + tag fix_id: 'F-41437r808479_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] + + # FIX if os.arch == 'x86_64' describe auditd.syscall('chmod').where { arch == 'b64' } do diff --git a/controls/SV-238271.rb b/controls/SV-238271.rb index 0464167..b7bd30f 100644 --- a/controls/SV-238271.rb +++ b/controls/SV-238271.rb @@ -1,93 +1,91 @@ -# encoding: UTF-8 - -control "SV-238271" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238271' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). -The system call rules are loaded into a matching engine that intercepts each -syscall that all programs on the system makes. Therefore, it is very important to only use -syscall rules when absolutely necessary since these affect performance. The more rules, the -bigger the performance hit. The performance is helped, though, by combining syscalls into +The system call rules are loaded into a matching engine that intercepts each +syscall that all programs on the system makes. Therefore, it is very important to only use +syscall rules when absolutely necessary since these affect performance. The more rules, the +bigger the performance hit. The performance is helped, though, by combining syscalls into one rule whenever possible. " - desc "check", "Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to -use the \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" -system calls. - -Check the configured audit rules with the following commands: - -$ sudo -auditctl -l | grep 'open\\|truncate\\|creat' - --a always,exit -F arch=b32 -S -creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F -auid>=1000 -F auid!=-1 -k perm_access --a always,exit -F arch=b32 -S -creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F -auid>=1000 -F auid!=-1 -k perm_access --a always,exit -F arch=b64 -S -creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F -auid>=1000 -F auid!=-1 -k perm_access --a always,exit -F arch=b64 -S -creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F -auid>=1000 -F auid!=-1 -k perm_access - -If the command does not return audit rules for the -\"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" syscalls or -the lines are commented out, this is a finding. - -Notes: -For 32-bit architectures, only the -32-bit specific output lines from the commands are required. -The \"-k\" allows for specifying -an arbitrary identifier, and the string after it does not need to match the example output + desc 'check', "Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to +use the \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" +system calls. + +Check the configured audit rules with the following commands: + +$ sudo +auditctl -l | grep 'open\\|truncate\\|creat' + +-a always,exit -F arch=b32 -S +creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F +auid>=1000 -F auid!=-1 -k perm_access +-a always,exit -F arch=b32 -S +creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F +auid>=1000 -F auid!=-1 -k perm_access +-a always,exit -F arch=b64 -S +creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F +auid>=1000 -F auid!=-1 -k perm_access +-a always,exit -F arch=b64 -S +creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F +auid>=1000 -F auid!=-1 -k perm_access + +If the command does not return audit rules for the +\"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" syscalls or +the lines are commented out, this is a finding. + +Notes: +For 32-bit architectures, only the +32-bit specific output lines from the commands are required. +The \"-k\" allows for specifying +an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any unsuccessful use of the\"creat\", -\"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" system calls. - -Add -or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: - --a -always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F -exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access --a always,exit -F -arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES --F auid>=1000 -F auid!=4294967295 -k perm_access --a always,exit -F arch=b64 -S -creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F -auid>=1000 -F auid!=4294967295 -k perm_access --a always,exit -F arch=b64 -S -creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F -auid>=1000 -F auid!=4294967295 -k perm_access - -Notes: For 32-bit architectures, only -the 32-bit specific entries are required. - -To reload the rules file, issue the following -command: - + desc 'fix', "Configure the audit system to generate an audit event for any unsuccessful use of the\"creat\", +\"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" system calls. + +Add +or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a +always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F +exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access +-a always,exit -F +arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES +-F auid>=1000 -F auid!=4294967295 -k perm_access +-a always,exit -F arch=b64 -S +creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F +auid>=1000 -F auid!=4294967295 -k perm_access +-a always,exit -F arch=b64 -S +creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F +auid>=1000 -F auid!=4294967295 -k perm_access + +Notes: For 32-bit architectures, only +the 32-bit specific entries are required. + +To reload the rules file, issue the following +command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag satisfies: ["SRG-OS-000064-GPOS-00033","SRG-OS-000474-GPOS-00219"] - tag gid: "V-238271 " - tag rid: "SV-238271r808483_rule " - tag stig_id: "UBTU-20-010155 " - tag fix_id: "F-41440r808482_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000474-GPOS-00219) + tag gid: 'V-238271 ' + tag rid: 'SV-238271r808483_rule ' + tag stig_id: 'UBTU-20-010155 ' + tag fix_id: 'F-41440r808482_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] - #FIX + # FIX if os.arch == 'x86_64' describe auditd.syscall('open').where { arch == 'b64' } do @@ -111,4 +109,4 @@ its('list.uniq') { should eq ['exit'] } its('exit.uniq') { should include '-EACCES' } end -end \ No newline at end of file +end diff --git a/controls/SV-238277.rb b/controls/SV-238277.rb index 504c3b8..dc8e9d3 100644 --- a/controls/SV-238277.rb +++ b/controls/SV-238277.rb @@ -1,53 +1,51 @@ -# encoding: UTF-8 - -control "SV-238277" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238277' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the sudo command. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"sudo\" -command. - -Check the configured audit rules with the following command: - -$ sudo auditctl -l -| grep /usr/bin/sudo - --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F -auid!=-1 -k priv_cmd - -If the command does not return a line that matches the example or the -line is commented out, this is a finding. - -Note: The \"-k\" allows for specifying an arbitrary + desc 'check', "Verify that an audit event is generated for any successful/unsuccessful use of the \"sudo\" +command. + +Check the configured audit rules with the following command: + +$ sudo auditctl -l +| grep /usr/bin/sudo + +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F +auid!=-1 -k priv_cmd + +If the command does not return a line that matches the example or the +line is commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"sudo\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/sudo -F perm=x --F auid>=1000 -F auid!=4294967295 -k priv_cmd - -To reload the rules file, issue the -following command: - + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"sudo\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/sudo -F perm=x +-F auid>=1000 -F auid!=4294967295 -k priv_cmd + +To reload the rules file, issue the +following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag gid: "V-238277 " - tag rid: "SV-238277r654006_rule " - tag stig_id: "UBTU-20-010161 " - tag fix_id: "F-41446r654005_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag gid: 'V-238277 ' + tag rid: 'SV-238277r654006_rule ' + tag stig_id: 'UBTU-20-010161 ' + tag fix_id: 'F-41446r654005_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/usr/bin/sudo' @@ -66,9 +64,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238278.rb b/controls/SV-238278.rb index 63764a1..7127de7 100644 --- a/controls/SV-238278.rb +++ b/controls/SV-238278.rb @@ -1,54 +1,52 @@ -# encoding: UTF-8 - -control "SV-238278" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238278' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the sudoedit command. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -attempts to use the \"sudoedit\" command. - -Check the configured audit rules with the -following commands: - -$ sudo auditctl -l | grep /usr/bin/sudoedit - --a always,exit -F -path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd - -If the command -does not return a line that matches the example or the line is commented out, this is a finding. - - -Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does + desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +attempts to use the \"sudoedit\" command. + +Check the configured audit rules with the +following commands: + +$ sudo auditctl -l | grep /usr/bin/sudoedit + +-a always,exit -F +path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd + +If the command +does not return a line that matches the example or the line is commented out, this is a finding. + + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"sudoedit\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\": - --a always,exit -F path=/usr/bin/sudoedit -F perm=x --F auid>=1000 -F auid!=4294967295 -k priv_cmd - -To reload the rules file, issue the -following command: - + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"sudoedit\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\": + +-a always,exit -F path=/usr/bin/sudoedit -F perm=x +-F auid>=1000 -F auid!=4294967295 -k priv_cmd + +To reload the rules file, issue the +following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag gid: "V-238278 " - tag rid: "SV-238278r654009_rule " - tag stig_id: "UBTU-20-010162 " - tag fix_id: "F-41447r654008_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag gid: 'V-238278 ' + tag rid: 'SV-238278r654009_rule ' + tag stig_id: 'UBTU-20-010162 ' + tag fix_id: 'F-41447r654008_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/usr/bin/sudoedit' @@ -68,9 +66,9 @@ end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238279.rb b/controls/SV-238279.rb index bc1311c..2267b90 100644 --- a/controls/SV-238279.rb +++ b/controls/SV-238279.rb @@ -1,54 +1,52 @@ -# encoding: UTF-8 - -control "SV-238279" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238279' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chsh command. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -attempts to use the \"chsh\" command. - -Check the configured audit rules with the following -commands: - -$ sudo auditctl -l | grep chsh - --a always,exit -F path=/usr/bin/chsh -F perm=x --F auid>=1000 -F auid!=-1 -k priv_cmd - -If the command does not return a line that matches -the example or the line is commented out, this is a finding. - -Notes: The \"-k\" allows for -specifying an arbitrary identifier, and the string after it does not need to match the example + desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +attempts to use the \"chsh\" command. + +Check the configured audit rules with the following +commands: + +$ sudo auditctl -l | grep chsh + +-a always,exit -F path=/usr/bin/chsh -F perm=x +-F auid>=1000 -F auid!=-1 -k priv_cmd + +If the command does not return a line that matches +the example or the line is commented out, this is a finding. + +Notes: The \"-k\" allows for +specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"chsh\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/chsh -F perm=x --F auid>=1000 -F auid!=4294967295 -k priv_cmd - -To reload the rules file, issue the -following command: - + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"chsh\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/chsh -F perm=x +-F auid>=1000 -F auid!=4294967295 -k priv_cmd + +To reload the rules file, issue the +following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag gid: "V-238279 " - tag rid: "SV-238279r654012_rule " - tag stig_id: "UBTU-20-010163 " - tag fix_id: "F-41448r654011_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag gid: 'V-238279 ' + tag rid: 'SV-238279r654012_rule ' + tag stig_id: 'UBTU-20-010163 ' + tag fix_id: 'F-41448r654011_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/usr/bin/chsh' @@ -67,9 +65,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238280.rb b/controls/SV-238280.rb index b43ecff..9c63fce 100644 --- a/controls/SV-238280.rb +++ b/controls/SV-238280.rb @@ -1,54 +1,52 @@ -# encoding: UTF-8 - -control "SV-238280" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238280' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the newgrp command. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -attempts to use the \"newgrp\" command. - -Check the configured audit rules with the following -commands: - -$ sudo auditctl -l | grep newgrp - --a always,exit -F path=/usr/bin/newgrp -F -perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd - -If the command does not return a line that -matches the example or the line is commented out, this is a finding. - -Note: The \"-k\" allows for -specifying an arbitrary identifier, and the string after it does not need to match the example + desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +attempts to use the \"newgrp\" command. + +Check the configured audit rules with the following +commands: + +$ sudo auditctl -l | grep newgrp + +-a always,exit -F path=/usr/bin/newgrp -F +perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd + +If the command does not return a line that +matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" allows for +specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"newgrp\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/newgrp -F -perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd - -To reload the rules file, issue -the following command: - + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"newgrp\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/newgrp -F +perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd + +To reload the rules file, issue +the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag gid: "V-238280 " - tag rid: "SV-238280r654015_rule " - tag stig_id: "UBTU-20-010164 " - tag fix_id: "F-41449r654014_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag gid: 'V-238280 ' + tag rid: 'SV-238280r654015_rule ' + tag stig_id: 'UBTU-20-010164 ' + tag fix_id: 'F-41449r654014_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/usr/bin/newgrp' @@ -67,9 +65,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238281.rb b/controls/SV-238281.rb index 4ee2d7b..acdfc9f 100644 --- a/controls/SV-238281.rb +++ b/controls/SV-238281.rb @@ -1,54 +1,52 @@ -# encoding: UTF-8 - -control "SV-238281" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238281' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chcon command. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -attempts to use the \"chcon\" command. - -Check the currently configured audit rules with the -following command: - -$ sudo auditctl -l | grep chcon - --a always,exit -F -path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng - -If the command -does not return a line that matches the example or the line is commented out, this is a finding. - + desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +attempts to use the \"chcon\" command. + +Check the currently configured audit rules with the +following command: + +$ sudo auditctl -l | grep chcon + +-a always,exit -F +path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng + +If the command +does not return a line that matches the example or the line is commented out, this is a finding. -Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"chcon\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/chcon -F -perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng - -To reload the rules file, issue -the following command: - + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"chcon\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/chcon -F +perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng + +To reload the rules file, issue +the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag gid: "V-238281 " - tag rid: "SV-238281r654018_rule " - tag stig_id: "UBTU-20-010165 " - tag fix_id: "F-41450r654017_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag gid: 'V-238281 ' + tag rid: 'SV-238281r654018_rule ' + tag stig_id: 'UBTU-20-010165 ' + tag fix_id: 'F-41450r654017_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/usr/bin/chcon' @@ -67,9 +65,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238282.rb b/controls/SV-238282.rb index 73f61c1..6fcb11e 100644 --- a/controls/SV-238282.rb +++ b/controls/SV-238282.rb @@ -1,54 +1,52 @@ -# encoding: UTF-8 - -control "SV-238282" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238282' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the apparmor_parser command. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -attempts to use the \"apparmor_parser\" command. - -Check the currently configured audit -rules with the following command: - -$ sudo auditctl -l | grep apparmor_parser - --a -always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k -perm_chng - -If the command does not return a line that matches the example or the line is -commented out, this is a finding. - -Note: The \"-k\" allows for specifying an arbitrary + desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +attempts to use the \"apparmor_parser\" command. + +Check the currently configured audit +rules with the following command: + +$ sudo auditctl -l | grep apparmor_parser + +-a +always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k +perm_chng + +If the command does not return a line that matches the example or the line is +commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"apparmor_parser\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/sbin/apparmor_parser --F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng - -To reload the rules file, -issue the following command: - + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"apparmor_parser\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/sbin/apparmor_parser +-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng + +To reload the rules file, +issue the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag gid: "V-238282 " - tag rid: "SV-238282r654021_rule " - tag stig_id: "UBTU-20-010166 " - tag fix_id: "F-41451r654020_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag gid: 'V-238282 ' + tag rid: 'SV-238282r654021_rule ' + tag stig_id: 'UBTU-20-010166 ' + tag fix_id: 'F-41451r654020_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/sbin/apparmor_parser' @@ -67,9 +65,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238283.rb b/controls/SV-238283.rb index 9e213ac..abdfb08 100644 --- a/controls/SV-238283.rb +++ b/controls/SV-238283.rb @@ -1,54 +1,52 @@ -# encoding: UTF-8 - -control "SV-238283" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238283' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the setfacl command. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -attempts to use the \"setfacl\" command. - -Check the currently configured audit rules with the -following command: - -$ sudo auditctl -l | grep setfacl - --a always,exit -F -path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng - -If the command -does not return a line that matches the example or the line is commented out, this is a finding. - + desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +attempts to use the \"setfacl\" command. + +Check the currently configured audit rules with the +following command: + +$ sudo auditctl -l | grep setfacl + +-a always,exit -F +path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng + +If the command +does not return a line that matches the example or the line is commented out, this is a finding. -Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"setfacl\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/setfacl -F -perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng - -To reload the rules file, issue -the following command: - + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"setfacl\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/setfacl -F +perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng + +To reload the rules file, issue +the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag gid: "V-238283 " - tag rid: "SV-238283r654024_rule " - tag stig_id: "UBTU-20-010167 " - tag fix_id: "F-41452r654023_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag gid: 'V-238283 ' + tag rid: 'SV-238283r654024_rule ' + tag stig_id: 'UBTU-20-010167 ' + tag fix_id: 'F-41452r654023_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/usr/bin/setfacl' @@ -67,9 +65,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238284.rb b/controls/SV-238284.rb index 67995eb..70e3edd 100644 --- a/controls/SV-238284.rb +++ b/controls/SV-238284.rb @@ -1,54 +1,52 @@ -# encoding: UTF-8 - -control "SV-238284" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238284' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chacl command. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -attempts to use the \"chacl\" command. - -Check the currently configured audit rules with the -following command: - -$ sudo audtctl -l | grep chacl - --a always,exit -F path=/usr/bin/chacl --F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng - -If the command does not return a line -that matches the example or the line is commented out, this is a finding. - -Note: The \"-k\" -allows for specifying an arbitrary identifier, and the string after it does not need to match + desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +attempts to use the \"chacl\" command. + +Check the currently configured audit rules with the +following command: + +$ sudo audtctl -l | grep chacl + +-a always,exit -F path=/usr/bin/chacl +-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng + +If the command does not return a line +that matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" +allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"chacl\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/chacl -F -perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng - -To reload the rules file, issue -the following command: - + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"chacl\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/chacl -F +perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng + +To reload the rules file, issue +the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag gid: "V-238284 " - tag rid: "SV-238284r654027_rule " - tag stig_id: "UBTU-20-010168 " - tag fix_id: "F-41453r654026_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag gid: 'V-238284 ' + tag rid: 'SV-238284r654027_rule ' + tag stig_id: 'UBTU-20-010168 ' + tag fix_id: 'F-41453r654026_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/usr/bin/chacl' @@ -67,9 +65,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238285.rb b/controls/SV-238285.rb index 50a2e13..d721e70 100644 --- a/controls/SV-238285.rb +++ b/controls/SV-238285.rb @@ -1,55 +1,53 @@ -# encoding: UTF-8 - -control "SV-238285" do - title "The Ubuntu operating system must generate audit records for the use and modification of the +control 'SV-238285' do + title "The Ubuntu operating system must generate audit records for the use and modification of the tallylog file. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -modifications to the \"tallylog\" file. - -Check the currently configured audit rules with the -following command: - -$ sudo auditctl -l | grep tallylog - --w /var/log/tallylog -p wa -k -logins - -If the command does not return a line that matches the example or the line is commented -out, this is a finding. - -Note: The \"-k\" allows for specifying an arbitrary identifier, and + desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +modifications to the \"tallylog\" file. + +Check the currently configured audit rules with the +following command: + +$ sudo auditctl -l | grep tallylog + +-w /var/log/tallylog -p wa -k +logins + +If the command does not return a line that matches the example or the line is commented +out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful -modifications to the \"tallylog\" file. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --w /var/log/tallylog -p wa -k logins - -To reload -the rules file, issue the following command: - + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful +modifications to the \"tallylog\" file. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-w /var/log/tallylog -p wa -k logins + +To reload +the rules file, issue the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag satisfies: ["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"] - tag gid: "V-238285 " - tag rid: "SV-238285r654030_rule " - tag stig_id: "UBTU-20-010169 " - tag fix_id: "F-41454r654029_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218) + tag gid: 'V-238285 ' + tag rid: 'SV-238285r654030_rule ' + tag stig_id: 'UBTU-20-010169 ' + tag fix_id: 'F-41454r654029_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/var/log/tallylog' @@ -69,9 +67,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238286.rb b/controls/SV-238286.rb index 3f5e4b0..81c511a 100644 --- a/controls/SV-238286.rb +++ b/controls/SV-238286.rb @@ -1,55 +1,53 @@ -# encoding: UTF-8 - -control "SV-238286" do - title "The Ubuntu operating system must generate audit records for the use and modification of +control 'SV-238286' do + title "The Ubuntu operating system must generate audit records for the use and modification of faillog file. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful -modifications to the \"faillog\" file. - -Check the currently configured audit rules with the -following command: - -$ sudo auditctl -l | grep faillog - --w /var/log/faillog -p wa -k logins - - -If the command does not return a line that matches the example or the line is commented out, -this is a finding. - -Note: The \"-k\" allows for specifying an arbitrary identifier, and the + desc 'check', "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful +modifications to the \"faillog\" file. + +Check the currently configured audit rules with the +following command: + +$ sudo auditctl -l | grep faillog + +-w /var/log/faillog -p wa -k logins + + +If the command does not return a line that matches the example or the line is commented out, +this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful -modifications to the \"faillog\" file. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --w /var/log/faillog -p wa -k logins - -To reload -the rules file, issue the following command: - + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful +modifications to the \"faillog\" file. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-w /var/log/faillog -p wa -k logins + +To reload +the rules file, issue the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag satisfies: ["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"] - tag gid: "V-238286 " - tag rid: "SV-238286r654033_rule " - tag stig_id: "UBTU-20-010170 " - tag fix_id: "F-41455r654032_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218) + tag gid: 'V-238286 ' + tag rid: 'SV-238286r654033_rule ' + tag stig_id: 'UBTU-20-010170 ' + tag fix_id: 'F-41455r654032_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/var/log/faillog' @@ -69,9 +67,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238287.rb b/controls/SV-238287.rb index 949ef26..f959caf 100644 --- a/controls/SV-238287.rb +++ b/controls/SV-238287.rb @@ -1,55 +1,53 @@ -# encoding: UTF-8 - -control "SV-238287" do - title "The Ubuntu operating system must generate audit records for the use and modification of the +control 'SV-238287' do + title "The Ubuntu operating system must generate audit records for the use and modification of the lastlog file. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify the Ubuntu operating system generates an audit record when successful/unsuccessful -modifications to the \"lastlog\" file occur. - -Check the currently configured audit rules -with the following command: - -$ sudo auditctl -l | grep lastlog - --w /var/log/lastlog -p wa -k -logins - -If the command does not return a line that matches the example or the line is commented -out, this is a finding. - -Note: The \"-k\" allows for specifying an arbitrary identifier, and + desc 'check', "Verify the Ubuntu operating system generates an audit record when successful/unsuccessful +modifications to the \"lastlog\" file occur. + +Check the currently configured audit rules +with the following command: + +$ sudo auditctl -l | grep lastlog + +-w /var/log/lastlog -p wa -k +logins + +If the command does not return a line that matches the example or the line is commented +out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful -modifications to the \"lastlog\" file. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --w /var/log/lastlog -p wa -k logins - -To reload -the rules file, issue the following command: - + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful +modifications to the \"lastlog\" file. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-w /var/log/lastlog -p wa -k logins + +To reload +the rules file, issue the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag satisfies: ["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"] - tag gid: "V-238287 " - tag rid: "SV-238287r654036_rule " - tag stig_id: "UBTU-20-010171 " - tag fix_id: "F-41456r654035_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218) + tag gid: 'V-238287 ' + tag rid: 'SV-238287r654036_rule ' + tag stig_id: 'UBTU-20-010171 ' + tag fix_id: 'F-41456r654035_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/var/log/lastlog' @@ -69,9 +67,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238288.rb b/controls/SV-238288.rb index 599be77..6f8fddd 100644 --- a/controls/SV-238288.rb +++ b/controls/SV-238288.rb @@ -1,59 +1,57 @@ -# encoding: UTF-8 - -control "SV-238288" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238288' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the passwd command. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"passwd\" -command. - -Check the currently configured audit rules with the following command: - -$ sudo -auditctl -l | grep -w passwd - --a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F -auid>=1000 -F auid!=-1 -F key=privileged-passwd - -If the command does not return a line -that matches the example or the line is commented out, this is a finding. - -Note: The \"key\" -allows for specifying an arbitrary identifier, and the string after it does not need to match + desc 'check', "Verify that an audit event is generated for any successful/unsuccessful use of the \"passwd\" +command. + +Check the currently configured audit rules with the following command: + +$ sudo +auditctl -l | grep -w passwd + +-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F +auid>=1000 -F auid!=-1 -F key=privileged-passwd + +If the command does not return a line +that matches the example or the line is commented out, this is a finding. + +Note: The \"key\" +allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses -of the \"passwd\" command. - -Add or update the following rule in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/passwd -F -perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd - -To reload the rules -file, issue the following command: - + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful uses +of the \"passwd\" command. + +Add or update the following rule in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/passwd -F +perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd + +To reload the rules +file, issue the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag gid: "V-238288 " - tag rid: "SV-238288r833012_rule " - tag stig_id: "UBTU-20-010172 " - tag fix_id: "F-41457r832949_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag gid: 'V-238288 ' + tag rid: 'SV-238288r833012_rule ' + tag stig_id: 'UBTU-20-010172 ' + tag fix_id: 'F-41457r832949_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/usr/bin/passwd' audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - + if audit_lines_exist describe auditd.file(@audit_file) do its('permissions') { should_not cmp [] } @@ -68,9 +66,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238289.rb b/controls/SV-238289.rb index 67324cd..ffd8905 100644 --- a/controls/SV-238289.rb +++ b/controls/SV-238289.rb @@ -1,54 +1,52 @@ -# encoding: UTF-8 - -control "SV-238289" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238289' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the unix_update command. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the -\"unix_update\" command. - -Check the currently configured audit rules with the following -command: - -$ sudo auditctl -l | grep -w unix_update - --a always,exit -F -path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update + desc 'check', "Verify that an audit event is generated for any successful/unsuccessful use of the +\"unix_update\" command. + +Check the currently configured audit rules with the following +command: + +$ sudo auditctl -l | grep -w unix_update + +-a always,exit -F +path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update + - -If the command does not return a line that matches the example or the line is commented out, -this is a finding. - -Note: The \"-k\" allows for specifying an arbitrary identifier, and the +If the command does not return a line that matches the example or the line is commented out, +this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses -of the \"unix_update\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/sbin/unix_update -F -perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update - -To reload the -rules file, issue the following command: - + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful uses +of the \"unix_update\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/sbin/unix_update -F +perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update + +To reload the +rules file, issue the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag gid: "V-238289 " - tag rid: "SV-238289r654042_rule " - tag stig_id: "UBTU-20-010173 " - tag fix_id: "F-41458r654041_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag gid: 'V-238289 ' + tag rid: 'SV-238289r654042_rule ' + tag stig_id: 'UBTU-20-010173 ' + tag fix_id: 'F-41458r654041_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/sbin/unix_update' @@ -67,9 +65,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238290.rb b/controls/SV-238290.rb index 3adb2a0..f9fdf7c 100644 --- a/controls/SV-238290.rb +++ b/controls/SV-238290.rb @@ -1,54 +1,52 @@ -# encoding: UTF-8 - -control "SV-238290" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238290' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the gpasswd command. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"gpasswd\" -command. - -Check the currently configured audit rules with the following command: - -$ sudo -auditctl -l | grep -w gpasswd - --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F -auid>=1000 -F auid!=-1 -k privileged-gpasswd - -If the command does not return a line that -matches the example or the line is commented out, this is a finding. - -Note: The \"-k\" allows for -specifying an arbitrary identifier, and the string after it does not need to match the example + desc 'check', "Verify that an audit event is generated for any successful/unsuccessful use of the \"gpasswd\" +command. + +Check the currently configured audit rules with the following command: + +$ sudo +auditctl -l | grep -w gpasswd + +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F +auid>=1000 -F auid!=-1 -k privileged-gpasswd + +If the command does not return a line that +matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" allows for +specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses -of the \"gpasswd\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/gpasswd -F -perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd - -To reload the rules -file, issue the following command: - + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful uses +of the \"gpasswd\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/gpasswd -F +perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd + +To reload the rules +file, issue the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag gid: "V-238290 " - tag rid: "SV-238290r654045_rule " - tag stig_id: "UBTU-20-010174 " - tag fix_id: "F-41459r654044_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag gid: 'V-238290 ' + tag rid: 'SV-238290r654045_rule ' + tag stig_id: 'UBTU-20-010174 ' + tag fix_id: 'F-41459r654044_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/usr/bin/gpasswd' @@ -67,9 +65,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238291.rb b/controls/SV-238291.rb index 2992183..8803ac1 100644 --- a/controls/SV-238291.rb +++ b/controls/SV-238291.rb @@ -1,54 +1,52 @@ -# encoding: UTF-8 - -control "SV-238291" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238291' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chage command. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"chage\" -command. - -Check the currently configured audit rules with the following command: - -$ sudo -auditctl -l | grep -w chage - --a always,exit -F path=/usr/bin/chage -F perm=x -F -auid>=1000 -F auid!=-1 -k privileged-chage - -If the command does not return a line that -matches the example or the line is commented out, this is a finding. - -Note: The \"-k\" allows for -specifying an arbitrary identifier, and the string after it does not need to match the example + desc 'check', "Verify that an audit event is generated for any successful/unsuccessful use of the \"chage\" +command. + +Check the currently configured audit rules with the following command: + +$ sudo +auditctl -l | grep -w chage + +-a always,exit -F path=/usr/bin/chage -F perm=x -F +auid>=1000 -F auid!=-1 -k privileged-chage + +If the command does not return a line that +matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" allows for +specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses -of the \"chage\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/chage -F -perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage - -To reload the rules -file, issue the following command: - + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful uses +of the \"chage\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/chage -F +perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage + +To reload the rules +file, issue the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag gid: "V-238291 " - tag rid: "SV-238291r654048_rule " - tag stig_id: "UBTU-20-010175 " - tag fix_id: "F-41460r654047_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag gid: 'V-238291 ' + tag rid: 'SV-238291r654048_rule ' + tag stig_id: 'UBTU-20-010175 ' + tag fix_id: 'F-41460r654047_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/usr/bin/chage' @@ -67,9 +65,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238292.rb b/controls/SV-238292.rb index eae2f3e..017922a 100644 --- a/controls/SV-238292.rb +++ b/controls/SV-238292.rb @@ -1,54 +1,52 @@ -# encoding: UTF-8 - -control "SV-238292" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238292' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the usermod command. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"usermod\" -command. - -Check the currently configured audit rules with the following command: - -$ sudo -auditctl -l | grep -w usermod - --a always,exit -F path=/usr/sbin/usermod -F perm=x -F -auid>=1000 -F auid!=-1 -k privileged-usermod - -If the command does not return a line that -matches the example or the line is commented out, this is a finding. - -Note: The \"-k\" allows for -specifying an arbitrary identifier, and the string after it does not need to match the example + desc 'check', "Verify that an audit event is generated for any successful/unsuccessful use of the \"usermod\" +command. + +Check the currently configured audit rules with the following command: + +$ sudo +auditctl -l | grep -w usermod + +-a always,exit -F path=/usr/sbin/usermod -F perm=x -F +auid>=1000 -F auid!=-1 -k privileged-usermod + +If the command does not return a line that +matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" allows for +specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses -of the \"usermod\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/sbin/usermod -F -perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod - -To reload the rules -file, issue the following command: - + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful uses +of the \"usermod\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/sbin/usermod -F +perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod + +To reload the rules +file, issue the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag gid: "V-238292 " - tag rid: "SV-238292r654051_rule " - tag stig_id: "UBTU-20-010176 " - tag fix_id: "F-41461r654050_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag gid: 'V-238292 ' + tag rid: 'SV-238292r654051_rule ' + tag stig_id: 'UBTU-20-010176 ' + tag fix_id: 'F-41461r654050_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/usr/sbin/usermod' @@ -67,9 +65,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238293.rb b/controls/SV-238293.rb index 0762bc3..d94acdc 100644 --- a/controls/SV-238293.rb +++ b/controls/SV-238293.rb @@ -1,54 +1,52 @@ -# encoding: UTF-8 - -control "SV-238293" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238293' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the crontab command. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the \"crontab\" -command. - -Check the currently configured audit rules with the following command: - -$ sudo -auditctl -l | grep -w crontab - --a always,exit -F path=/usr/bin/crontab -F perm=x -F -auid>=1000 -F auid!=-1 -k privileged-crontab - -If the command does not return a line that -matches the example or the line is commented out, this is a finding. - -Note: The \"-k\" allows for -specifying an arbitrary identifier, and the string after it does not need to match the example + desc 'check', "Verify that an audit event is generated for any successful/unsuccessful use of the \"crontab\" +command. + +Check the currently configured audit rules with the following command: + +$ sudo +auditctl -l | grep -w crontab + +-a always,exit -F path=/usr/bin/crontab -F perm=x -F +auid>=1000 -F auid!=-1 -k privileged-crontab + +If the command does not return a line that +matches the example or the line is commented out, this is a finding. + +Note: The \"-k\" allows for +specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses -of the \"crontab\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F path=/usr/bin/crontab -F -perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab - -To reload the rules -file, issue the following command: - + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful uses +of the \"crontab\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F path=/usr/bin/crontab -F +perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab + +To reload the rules +file, issue the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag gid: "V-238293 " - tag rid: "SV-238293r654054_rule " - tag stig_id: "UBTU-20-010177 " - tag fix_id: "F-41462r654053_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag gid: 'V-238293 ' + tag rid: 'SV-238293r654054_rule ' + tag stig_id: 'UBTU-20-010177 ' + tag fix_id: 'F-41462r654053_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/usr/bin/crontab' @@ -67,9 +65,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238294.rb b/controls/SV-238294.rb index 84dbbb2..53116a8 100644 --- a/controls/SV-238294.rb +++ b/controls/SV-238294.rb @@ -1,56 +1,54 @@ -# encoding: UTF-8 - -control "SV-238294" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238294' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the pam_timestamp_check command. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify that an audit event is generated for any successful/unsuccessful use of the -\"pam_timestamp_check\" command. - -Check the currently configured audit rules with the -following command: - -$ sudo auditctl -l | grep -w pam_timestamp_check - --a always,exit -F -path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k -privileged-pam_timestamp_check - -If the command does not return a line that matches the -example or the line is commented out, this is a finding. - -Note: The \"-k\" allows for specifying -an arbitrary identifier, and the string after it does not need to match the example output + desc 'check', "Verify that an audit event is generated for any successful/unsuccessful use of the +\"pam_timestamp_check\" command. + +Check the currently configured audit rules with the +following command: + +$ sudo auditctl -l | grep -w pam_timestamp_check + +-a always,exit -F +path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k +privileged-pam_timestamp_check + +If the command does not return a line that matches the +example or the line is commented out, this is a finding. + +Note: The \"-k\" allows for specifying +an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful uses -of the \"pam_timestamp_check\" command. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F -path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k -privileged-pam_timestamp_check - -To reload the rules file, issue the following command: - + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful uses +of the \"pam_timestamp_check\" command. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F +path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k +privileged-pam_timestamp_check + +To reload the rules file, issue the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag gid: "V-238294 " - tag rid: "SV-238294r654057_rule " - tag stig_id: "UBTU-20-010178 " - tag fix_id: "F-41463r654056_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag gid: 'V-238294 ' + tag rid: 'SV-238294r654057_rule ' + tag stig_id: 'UBTU-20-010178 ' + tag fix_id: 'F-41463r654056_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/usr/sbin/pam_timestamp_check' @@ -69,9 +67,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238295.rb b/controls/SV-238295.rb index 9462b1c..657cf1f 100644 --- a/controls/SV-238295.rb +++ b/controls/SV-238295.rb @@ -1,75 +1,73 @@ -# encoding: UTF-8 - -control "SV-238295" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238295' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the init_module and finit_module syscalls. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). -The system call rules are loaded into a matching engine that intercepts each -syscall that all programs on the system makes. Therefore, it is very important to only use -syscall rules when absolutely necessary since these affect performance. The more rules, the -bigger the performance hit. The performance is helped, though, by combining syscalls into +The system call rules are loaded into a matching engine that intercepts each +syscall that all programs on the system makes. Therefore, it is very important to only use +syscall rules when absolutely necessary since these affect performance. The more rules, the +bigger the performance hit. The performance is helped, though, by combining syscalls into one rule whenever possible. " - desc "check", "Verify the Ubuntu operating system generates an audit record for any -successful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls. - + desc 'check', "Verify the Ubuntu operating system generates an audit record for any +successful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls. + + +Check the currently configured audit rules with the following command: + +$ sudo auditctl -l +| grep init_module + +-a always,exit -F arch=b32 -S init_module,finit_module -F +auid>=1000 -F auid!=-1 -k module_chng +-a always,exit -F arch=b64 -S +init_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng -Check the currently configured audit rules with the following command: - -$ sudo auditctl -l -| grep init_module - --a always,exit -F arch=b32 -S init_module,finit_module -F -auid>=1000 -F auid!=-1 -k module_chng --a always,exit -F arch=b64 -S -init_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng - -If the command -does not return audit rules for the \"init_module\" and \"finit_module\" syscalls or the lines +If the command +does not return audit rules for the \"init_module\" and \"finit_module\" syscalls or the lines are commented out, this is a finding. - -Notes: -For 32-bit architectures, only the 32-bit -specific output lines from the commands are required. -The \"-k\" allows for specifying an + +Notes: +For 32-bit architectures, only the 32-bit +specific output lines from the commands are required. +The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"init_module\" and \"finit_module\" syscalls. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F arch=b32 -S -init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng --a -always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F -auid!=4294967295 -k module_chng - -Notes: For 32-bit architectures, only the 32-bit -specific entries are required. - -To reload the rules file, issue the following command: - -$ + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"init_module\" and \"finit_module\" syscalls. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F arch=b32 -S +init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng +-a +always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F +auid!=4294967295 -k module_chng + +Notes: For 32-bit architectures, only the 32-bit +specific entries are required. + +To reload the rules file, issue the following command: + +$ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag satisfies: ["SRG-OS-000064-GPOS-00033","SRG-OS-000471-GPOS-00216"] - tag gid: "V-238295 " - tag rid: "SV-238295r808486_rule " - tag stig_id: "UBTU-20-010179 " - tag fix_id: "F-41464r808485_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000471-GPOS-00216) + tag gid: 'V-238295 ' + tag rid: 'SV-238295r808486_rule ' + tag stig_id: 'UBTU-20-010179 ' + tag fix_id: 'F-41464r808485_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] if os.arch == 'x86_64' describe auditd.syscall('init_module').where { arch == 'b64' } do @@ -81,4 +79,4 @@ its('action.uniq') { should eq ['always'] } its('list.uniq') { should eq ['exit'] } end -end \ No newline at end of file +end diff --git a/controls/SV-238297.rb b/controls/SV-238297.rb index 1e3e0a2..53a6e24 100644 --- a/controls/SV-238297.rb +++ b/controls/SV-238297.rb @@ -1,67 +1,65 @@ -# encoding: UTF-8 - -control "SV-238297" do - title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses +control 'SV-238297' do + title "The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the delete_module syscall. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. -Audit records can be -generated from various components within the information system (e.g., module or policy +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify the Ubuntu operating system generates an audit record for any -successful/unsuccessful attempts to use the \"delete_module\" syscall. - -Check the -currently configured audit rules with the following command: - -$ sudo auditctl -l | grep -w -delete_module - --a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1 --k module_chng --a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k -module_chng - -If the command does not return a line that matches the example or the line is -commented out, this is a finding. - -Notes: -- For 32-bit architectures, only the 32-bit -specific output lines from the commands are required. -- The \"-k\" allows for specifying an + desc 'check', "Verify the Ubuntu operating system generates an audit record for any +successful/unsuccessful attempts to use the \"delete_module\" syscall. + +Check the +currently configured audit rules with the following command: + +$ sudo auditctl -l | grep -w +delete_module + +-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1 +-k module_chng +-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k +module_chng + +If the command does not return a line that matches the example or the line is +commented out, this is a finding. + +Notes: +- For 32-bit architectures, only the 32-bit +specific output lines from the commands are required. +- The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate an audit event for any successful/unsuccessful use of -the \"delete_module\" syscall. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F arch=b32 -S delete_module -F -auid>=1000 -F auid!=4294967295 -k module_chng --a always,exit -F arch=b64 -S -delete_module -F auid>=1000 -F auid!=4294967295 -k module_chng - -Notes: For 32-bit -architectures, only the 32-bit specific entries are required. - -To reload the rules file, -issue the following command: - + desc 'fix', "Configure the audit system to generate an audit event for any successful/unsuccessful use of +the \"delete_module\" syscall. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-a always,exit -F arch=b32 -S delete_module -F +auid>=1000 -F auid!=4294967295 -k module_chng +-a always,exit -F arch=b64 -S +delete_module -F auid>=1000 -F auid!=4294967295 -k module_chng + +Notes: For 32-bit +architectures, only the 32-bit specific entries are required. + +To reload the rules file, +issue the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000064-GPOS-00033 " - tag satisfies: ["SRG-OS-000477-GPOS-00222"] - tag gid: "V-238297 " - tag rid: "SV-238297r802387_rule " - tag stig_id: "UBTU-20-010181 " - tag fix_id: "F-41466r654065_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000064-GPOS-00033 ' + tag satisfies: ['SRG-OS-000477-GPOS-00222'] + tag gid: 'V-238297 ' + tag rid: 'SV-238297r802387_rule ' + tag stig_id: 'UBTU-20-010181 ' + tag fix_id: 'F-41466r654065_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] if os.arch == 'x86_64' describe auditd.syscall('delete_module').where { arch == 'b64' } do @@ -73,4 +71,4 @@ its('action.uniq') { should eq ['always'] } its('list.uniq') { should eq ['exit'] } end -end \ No newline at end of file +end diff --git a/controls/SV-238298.rb b/controls/SV-238298.rb index 40d4bdd..209b159 100644 --- a/controls/SV-238298.rb +++ b/controls/SV-238298.rb @@ -1,89 +1,87 @@ -# encoding: UTF-8 - -control "SV-238298" do - title "The Ubuntu operating system must produce audit records and reports containing information -to establish when, where, what type, the source, and the outcome for all DoD-defined +control 'SV-238298' do + title "The Ubuntu operating system must produce audit records and reports containing information +to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time. " - desc "Without establishing the when, where, type, source, and outcome of events that occurred, it -would be difficult to establish, correlate, and investigate the events leading up to an -outage or attack. - -Without the capability to generate audit records, it would be difficult -to establish, correlate, and investigate the events relating to an incident or identify -those responsible for one. - -Audit record content that may be necessary to satisfy this -requirement includes, for example, time stamps, source and destination addresses, -user/process identifiers, event descriptions, success/fail indications, filenames -involved, and access control or flow control rules invoked. - -Reconstruction of harmful -events or forensic analysis is not possible if audit records do not contain enough -information. - -Successful incident response and auditing relies on timely, accurate -system information and analysis in order to allow the organization to identify and respond to -potential incidents in a proficient manner. If the operating system does not provide the -ability to centrally review the operating system logs, forensic analysis is negatively -impacted. - -Associating event types with detected events in the Ubuntu operating system -audit logs provides a means of investigating an attack; recognizing resource utilization or + desc "Without establishing the when, where, type, source, and outcome of events that occurred, it +would be difficult to establish, correlate, and investigate the events leading up to an +outage or attack. + +Without the capability to generate audit records, it would be difficult +to establish, correlate, and investigate the events relating to an incident or identify +those responsible for one. + +Audit record content that may be necessary to satisfy this +requirement includes, for example, time stamps, source and destination addresses, +user/process identifiers, event descriptions, success/fail indications, filenames +involved, and access control or flow control rules invoked. + +Reconstruction of harmful +events or forensic analysis is not possible if audit records do not contain enough +information. + +Successful incident response and auditing relies on timely, accurate +system information and analysis in order to allow the organization to identify and respond to +potential incidents in a proficient manner. If the operating system does not provide the +ability to centrally review the operating system logs, forensic analysis is negatively +impacted. + +Associating event types with detected events in the Ubuntu operating system +audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. " - desc "check", "Verify the audit service is configured to produce audit records with the following command: - - -$ dpkg -l | grep auditd - -If the \"auditd\" package is not installed, this is a finding. - - -Verify the audit service is enabled with the following command: - -$ systemctl is-enabled -auditd.service - -If the command above returns \"disabled\", this is a finding. - -Verify the -audit service is properly running and active on the system with the following command: - -$ -systemctl is-active auditd.service -active - -If the command above returns \"inactive\", + desc 'check', "Verify the audit service is configured to produce audit records with the following command: + + +$ dpkg -l | grep auditd + +If the \"auditd\" package is not installed, this is a finding. + + +Verify the audit service is enabled with the following command: + +$ systemctl is-enabled +auditd.service + +If the command above returns \"disabled\", this is a finding. + +Verify the +audit service is properly running and active on the system with the following command: + +$ +systemctl is-active auditd.service +active + +If the command above returns \"inactive\", this is a finding. " - desc "fix", "Configure the audit service to produce audit records containing the information needed to -establish when (date and time) an event occurred. - -Install the audit service (if the audit -service is not already installed) with the following command: - -$ sudo apt-get install -auditd - -Enable the audit service with the following command: - -$ sudo systemctl enable -auditd.service - -To reload the rules file, issue the following command: - -$ sudo augenrules + desc 'fix', "Configure the audit service to produce audit records containing the information needed to +establish when (date and time) an event occurred. + +Install the audit service (if the audit +service is not already installed) with the following command: + +$ sudo apt-get install +auditd + +Enable the audit service with the following command: + +$ sudo systemctl enable +auditd.service + +To reload the rules file, issue the following command: + +$ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000122-GPOS-00063 " - tag satisfies: ["SRG-OS-000122-GPOS-00063","SRG-OS-000037-GPOS-00015","SRG-OS-000038-GPOS-00016","SRG-OS-000039-GPOS-00017","SRG-OS-000040-GPOS-00018","SRG-OS-000041-GPOS-00019","SRG-OS-000042-GPOS-00020","SRG-OS-000042-GPOS-00021","SRG-OS-000051-GPOS-00024","SRG-OS-000054-GPOS-00025","SRG-OS-000062-GPOS-00031","SRG-OS-000337-GPOS-00129","SRG-OS-000348-GPOS-00136","SRG-OS-000349-GPOS-00137","SRG-OS-000350-GPOS-00138","SRG-OS-000351-GPOS-00139","SRG-OS-000352-GPOS-00140","SRG-OS-000353-GPOS-00141","SRG-OS-000354-GPOS-00142","SRG-OS-000475-GPOS-00220"] - tag gid: "V-238298 " - tag rid: "SV-238298r853421_rule " - tag stig_id: "UBTU-20-010182 " - tag fix_id: "F-41467r654068_fix " - tag cci: ["CCI-000130","CCI-000131","CCI-000132","CCI-000133","CCI-000134","CCI-000135","CCI-000154","CCI-000158","CCI-000169","CCI-000172","CCI-001875","CCI-001876","CCI-001877","CCI-001878","CCI-001879","CCI-001880","CCI-001881","CCI-001882","CCI-001914"] - tag nist: ["AU-3 a","AU-3 b","AU-3 c","AU-3 d","AU-3 e","AU-3 (1)","AU-6 (4)","AU-7 (1)","AU-12 a","AU-12 c","AU-7 a","AU-7 b","AU-12 (3)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000122-GPOS-00063 ' + tag satisfies: %w(SRG-OS-000122-GPOS-00063 SRG-OS-000037-GPOS-00015 SRG-OS-000038-GPOS-00016 SRG-OS-000039-GPOS-00017 SRG-OS-000040-GPOS-00018 SRG-OS-000041-GPOS-00019 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000051-GPOS-00024 SRG-OS-000054-GPOS-00025 SRG-OS-000062-GPOS-00031 SRG-OS-000337-GPOS-00129 SRG-OS-000348-GPOS-00136 SRG-OS-000349-GPOS-00137 SRG-OS-000350-GPOS-00138 SRG-OS-000351-GPOS-00139 SRG-OS-000352-GPOS-00140 SRG-OS-000353-GPOS-00141 SRG-OS-000354-GPOS-00142 SRG-OS-000475-GPOS-00220) + tag gid: 'V-238298 ' + tag rid: 'SV-238298r853421_rule ' + tag stig_id: 'UBTU-20-010182 ' + tag fix_id: 'F-41467r654068_fix ' + tag cci: %w(CCI-000130 CCI-000131 CCI-000132 CCI-000133 CCI-000134 CCI-000135 CCI-000154 CCI-000158 CCI-000169 CCI-000172 CCI-001875 CCI-001876 CCI-001877 CCI-001878 CCI-001879 CCI-001880 CCI-001881 CCI-001882 CCI-001914) + tag nist: ['AU-3 a', 'AU-3 b', 'AU-3 c', 'AU-3 d', 'AU-3 e', 'AU-3 (1)', 'AU-6 (4)', 'AU-7 (1)', 'AU-12 a', 'AU-12 c', 'AU-7 a', 'AU-7 b', 'AU-12 (3)'] describe package('auditd') do it { should be_installed } @@ -93,4 +91,4 @@ it { should be_enabled } it { should be_running } end -end \ No newline at end of file +end diff --git a/controls/SV-238299.rb b/controls/SV-238299.rb index 7b2bb7b..f990ba3 100644 --- a/controls/SV-238299.rb +++ b/controls/SV-238299.rb @@ -1,49 +1,47 @@ -# encoding: UTF-8 - -control "SV-238299" do - title "The Ubuntu operating system must initiate session audits at system start-up. " - desc "If auditing is enabled late in the start-up process, the actions of some start-up processes -may not be audited. Some audit systems also maintain state information only available if +control 'SV-238299' do + title 'The Ubuntu operating system must initiate session audits at system start-up. ' + desc "If auditing is enabled late in the start-up process, the actions of some start-up processes +may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. " - desc "check", "Verify that the Ubuntu operating system enables auditing at system startup. - -Verify that -the auditing is enabled in grub with the following command: - -$ sudo grep \"^\\s*linux\" -/boot/grub/grub.cfg - -linux /boot/vmlinuz-5.4.0-31-generic -root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1 -linux -/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro -recovery nomodeset audit=1 - + desc 'check', "Verify that the Ubuntu operating system enables auditing at system startup. + +Verify that +the auditing is enabled in grub with the following command: + +$ sudo grep \"^\\s*linux\" +/boot/grub/grub.cfg + +linux /boot/vmlinuz-5.4.0-31-generic +root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1 +linux +/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro +recovery nomodeset audit=1 + If any linux lines do not contain \"audit=1\", this is a finding. " - desc "fix", "Configure the Ubuntu operating system to produce audit records at system startup. - -Edit the -\"/etc/default/grub\" file and add \"audit=1\" to the \"GRUB_CMDLINE_LINUX\" option. - -To -update the grub config file, run: - + desc 'fix', "Configure the Ubuntu operating system to produce audit records at system startup. + +Edit the +\"/etc/default/grub\" file and add \"audit=1\" to the \"GRUB_CMDLINE_LINUX\" option. + +To +update the grub config file, run: + $ sudo update-grub " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000254-GPOS-00095 " - tag gid: "V-238299 " - tag rid: "SV-238299r654072_rule " - tag stig_id: "UBTU-20-010198 " - tag fix_id: "F-41468r654071_fix " - tag cci: ["CCI-001464"] - tag nist: ["AU-14 (1)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000254-GPOS-00095 ' + tag gid: 'V-238299 ' + tag rid: 'SV-238299r654072_rule ' + tag stig_id: 'UBTU-20-010198 ' + tag fix_id: 'F-41468r654071_fix ' + tag cci: ['CCI-001464'] + tag nist: ['AU-14 (1)'] grub_entries = command('grep "^\s*linux" /boot/grub/grub.cfg').stdout.strip.split("\n").entries grub_entries.each do |entry| describe entry do - it { should include "audit=1" } + it { should include 'audit=1' } end end -end \ No newline at end of file +end diff --git a/controls/SV-238300.rb b/controls/SV-238300.rb index ea84838..8920fe2 100644 --- a/controls/SV-238300.rb +++ b/controls/SV-238300.rb @@ -1,59 +1,57 @@ -# encoding: UTF-8 +control 'SV-238300' do + title 'The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. ' + desc "Protecting audit information also includes identifying and protecting the tools used to +view and manipulate log data. Therefore, protecting audit tools is necessary to prevent +unauthorized operation on audit information. -control "SV-238300" do - title "The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. " - desc "Protecting audit information also includes identifying and protecting the tools used to -view and manipulate log data. Therefore, protecting audit tools is necessary to prevent -unauthorized operation on audit information. - -Operating systems providing tools to -interface with audit information will leverage user permissions and roles identifying the -user accessing the tools and the corresponding rights the user enjoys in order to make access -decisions regarding the access to audit tools. - -Audit tools include, but are not limited to, -vendor-provided and open source audit tools needed to successfully view and manipulate -audit information system activity and records. Audit tools include custom queries and +Operating systems providing tools to +interface with audit information will leverage user permissions and roles identifying the +user accessing the tools and the corresponding rights the user enjoys in order to make access +decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, +vendor-provided and open source audit tools needed to successfully view and manipulate +audit information system activity and records. Audit tools include custom queries and report generators. " - desc "check", "Verify the Ubuntu operating system configures the audit tools to have a file permission of -0755 or less to prevent unauthorized access by running the following command: - -$ stat -c \"%n -%a\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd -/sbin/audispd /sbin/augenrules - -/sbin/auditctl 755 -/sbin/aureport 755 + desc 'check', "Verify the Ubuntu operating system configures the audit tools to have a file permission of +0755 or less to prevent unauthorized access by running the following command: + +$ stat -c \"%n +%a\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd +/sbin/audispd /sbin/augenrules + +/sbin/auditctl 755 +/sbin/aureport 755 -/sbin/ausearch 755 -/sbin/autrace 755 -/sbin/auditd 755 -/sbin/audispd 755 +/sbin/ausearch 755 +/sbin/autrace 755 +/sbin/auditd 755 +/sbin/audispd 755 -/sbin/augenrules 755 - -If any of the audit tools have a mode more permissive than 0755, this +/sbin/augenrules 755 + +If any of the audit tools have a mode more permissive than 0755, this is a finding. " - desc "fix", "Configure the audit tools on the Ubuntu operating system to be protected from unauthorized -access by setting the correct permissive mode using the following command: - -$ sudo chmod -0755 [audit_tool] - -Replace \"[audit_tool]\" with the audit tool that does not have the + desc 'fix', "Configure the audit tools on the Ubuntu operating system to be protected from unauthorized +access by setting the correct permissive mode using the following command: + +$ sudo chmod +0755 [audit_tool] + +Replace \"[audit_tool]\" with the audit tool that does not have the correct permissions. " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000256-GPOS-00097 " - tag satisfies: ["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"] - tag gid: "V-238300 " - tag rid: "SV-238300r654075_rule " - tag stig_id: "UBTU-20-010199 " - tag fix_id: "F-41469r654074_fix " - tag cci: ["CCI-001493","CCI-001494"] - tag nist: ["AU-9 a","AU-9"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000256-GPOS-00097 ' + tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098) + tag gid: 'V-238300 ' + tag rid: 'SV-238300r654075_rule ' + tag stig_id: 'UBTU-20-010199 ' + tag fix_id: 'F-41469r654074_fix ' + tag cci: %w(CCI-001493 CCI-001494) + tag nist: ['AU-9 a', 'AU-9'] audit_tools = input('audit_tools') @@ -62,4 +60,4 @@ it { should_not be_more_permissive_than('0755') } end end -end \ No newline at end of file +end diff --git a/controls/SV-238301.rb b/controls/SV-238301.rb index 9ea373b..a7ea0dd 100644 --- a/controls/SV-238301.rb +++ b/controls/SV-238301.rb @@ -1,59 +1,57 @@ -# encoding: UTF-8 +control 'SV-238301' do + title 'The Ubuntu operating system must configure audit tools to be owned by root. ' + desc "Protecting audit information also includes identifying and protecting the tools used to +view and manipulate log data. Therefore, protecting audit tools is necessary to prevent +unauthorized operation on audit information. -control "SV-238301" do - title "The Ubuntu operating system must configure audit tools to be owned by root. " - desc "Protecting audit information also includes identifying and protecting the tools used to -view and manipulate log data. Therefore, protecting audit tools is necessary to prevent -unauthorized operation on audit information. - -Operating systems providing tools to -interface with audit information will leverage user permissions and roles identifying the -user accessing the tools and the corresponding rights the user enjoys in order to make access -decisions regarding the access to audit tools. - -Audit tools include, but are not limited to, -vendor-provided and open source audit tools needed to successfully view and manipulate -audit information system activity and records. Audit tools include custom queries and +Operating systems providing tools to +interface with audit information will leverage user permissions and roles identifying the +user accessing the tools and the corresponding rights the user enjoys in order to make access +decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, +vendor-provided and open source audit tools needed to successfully view and manipulate +audit information system activity and records. Audit tools include custom queries and report generators. " - desc "check", "Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent -any unauthorized access. - -Check the ownership by running the following command: - -$ stat -c -\"%n %U\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd -/sbin/audispd /sbin/augenrules - -/sbin/auditctl root -/sbin/aureport root + desc 'check', "Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent +any unauthorized access. + +Check the ownership by running the following command: + +$ stat -c +\"%n %U\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd +/sbin/audispd /sbin/augenrules + +/sbin/auditctl root +/sbin/aureport root -/sbin/ausearch root -/sbin/autrace root -/sbin/auditd root -/sbin/audispd root +/sbin/ausearch root +/sbin/autrace root +/sbin/auditd root +/sbin/audispd root + +/sbin/augenrules root -/sbin/augenrules root - If any of the audit tools are not owned by root, this is a finding. " - desc "fix", "Configure the audit tools on the Ubuntu operating system to be protected from unauthorized -access by setting the file owner as root using the following command: - -$ sudo chown root -[audit_tool] - + desc 'fix', "Configure the audit tools on the Ubuntu operating system to be protected from unauthorized +access by setting the file owner as root using the following command: + +$ sudo chown root +[audit_tool] + Replace \"[audit_tool]\" with each audit tool not owned by root. " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000256-GPOS-00097 " - tag satisfies: ["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"] - tag gid: "V-238301 " - tag rid: "SV-238301r654078_rule " - tag stig_id: "UBTU-20-010200 " - tag fix_id: "F-41470r654077_fix " - tag cci: ["CCI-001493","CCI-001494"] - tag nist: ["AU-9 a","AU-9"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000256-GPOS-00097 ' + tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098) + tag gid: 'V-238301 ' + tag rid: 'SV-238301r654078_rule ' + tag stig_id: 'UBTU-20-010200 ' + tag fix_id: 'F-41470r654077_fix ' + tag cci: %w(CCI-001493 CCI-001494) + tag nist: ['AU-9 a', 'AU-9'] audit_tools = input('audit_tools') @@ -62,4 +60,4 @@ its('owner') { should cmp 'root' } end end -end \ No newline at end of file +end diff --git a/controls/SV-238302.rb b/controls/SV-238302.rb index 2665fea..ece1177 100644 --- a/controls/SV-238302.rb +++ b/controls/SV-238302.rb @@ -1,60 +1,58 @@ -# encoding: UTF-8 +control 'SV-238302' do + title 'The Ubuntu operating system must configure the audit tools to be group-owned by root. ' + desc "Protecting audit information also includes identifying and protecting the tools used to +view and manipulate log data. Therefore, protecting audit tools is necessary to prevent +unauthorized operation on audit information. -control "SV-238302" do - title "The Ubuntu operating system must configure the audit tools to be group-owned by root. " - desc "Protecting audit information also includes identifying and protecting the tools used to -view and manipulate log data. Therefore, protecting audit tools is necessary to prevent -unauthorized operation on audit information. - -Operating systems providing tools to -interface with audit information will leverage user permissions and roles identifying the -user accessing the tools and the corresponding rights the user enjoys in order to make access -decisions regarding the access to audit tools. - -Audit tools include, but are not limited to, -vendor-provided and open source audit tools needed to successfully view and manipulate -audit information system activity and records. Audit tools include custom queries and +Operating systems providing tools to +interface with audit information will leverage user permissions and roles identifying the +user accessing the tools and the corresponding rights the user enjoys in order to make access +decisions regarding the access to audit tools. + +Audit tools include, but are not limited to, +vendor-provided and open source audit tools needed to successfully view and manipulate +audit information system activity and records. Audit tools include custom queries and report generators. " - desc "check", "Verify the Ubuntu operating system configures the audit tools to be group-owned by root to -prevent any unauthorized access. - -Check the group ownership by running the following -command: - -$ stat -c \"%n %G\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace -/sbin/auditd /sbin/audispd /sbin/augenrules - -/sbin/auditctl root -/sbin/aureport -root -/sbin/ausearch root -/sbin/autrace root -/sbin/auditd root -/sbin/audispd root + desc 'check', "Verify the Ubuntu operating system configures the audit tools to be group-owned by root to +prevent any unauthorized access. + +Check the group ownership by running the following +command: + +$ stat -c \"%n %G\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace +/sbin/auditd /sbin/audispd /sbin/augenrules + +/sbin/auditctl root +/sbin/aureport +root +/sbin/ausearch root +/sbin/autrace root +/sbin/auditd root +/sbin/audispd root -/sbin/augenrules root - -If any of the audit tools are not group-owned by root, this is a +/sbin/augenrules root + +If any of the audit tools are not group-owned by root, this is a finding. " - desc "fix", "Configure the audit tools on the Ubuntu operating system to be protected from unauthorized -access by setting the file group as root using the following command: - -$ sudo chown :root -[audit_tool] - + desc 'fix', "Configure the audit tools on the Ubuntu operating system to be protected from unauthorized +access by setting the file group as root using the following command: + +$ sudo chown :root +[audit_tool] + Replace \"[audit_tool]\" with each audit tool not group-owned by root. " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000256-GPOS-00097 " - tag satisfies: ["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"] - tag gid: "V-238302 " - tag rid: "SV-238302r654081_rule " - tag stig_id: "UBTU-20-010201 " - tag fix_id: "F-41471r654080_fix " - tag cci: ["CCI-001493","CCI-001494"] - tag nist: ["AU-9 a","AU-9"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000256-GPOS-00097 ' + tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098) + tag gid: 'V-238302 ' + tag rid: 'SV-238302r654081_rule ' + tag stig_id: 'UBTU-20-010201 ' + tag fix_id: 'F-41471r654080_fix ' + tag cci: %w(CCI-001493 CCI-001494) + tag nist: ['AU-9 a', 'AU-9'] audit_tools = input('audit_tools') @@ -63,4 +61,4 @@ its('group') { should cmp 'root' } end end -end \ No newline at end of file +end diff --git a/controls/SV-238303.rb b/controls/SV-238303.rb index f8dd436..309e0e2 100644 --- a/controls/SV-238303.rb +++ b/controls/SV-238303.rb @@ -1,75 +1,73 @@ -# encoding: UTF-8 - -control "SV-238303" do - title "The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of +control 'SV-238303' do + title "The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of audit tools. " - desc "Protecting the integrity of the tools used for auditing purposes is a critical step toward -ensuring the integrity of audit information. Audit information includes all information -(e.g., audit records, audit settings, and audit reports) needed to successfully audit -information system activity. - -Audit tools include, but are not limited to, -vendor-provided and open source audit tools needed to successfully view and manipulate -audit information system activity and records. Audit tools include custom queries and -report generators. - -It is not uncommon for attackers to replace the audit tools or inject -code into the existing tools with the purpose of providing the capability to hide or erase -system activity from the audit logs. - -To address this risk, audit tools must be -cryptographically signed in order to provide the capability to identify when the audit tools -have been modified, manipulated, or replaced. An example is a checksum hash of the file or + desc "Protecting the integrity of the tools used for auditing purposes is a critical step toward +ensuring the integrity of audit information. Audit information includes all information +(e.g., audit records, audit settings, and audit reports) needed to successfully audit +information system activity. + +Audit tools include, but are not limited to, +vendor-provided and open source audit tools needed to successfully view and manipulate +audit information system activity and records. Audit tools include custom queries and +report generators. + +It is not uncommon for attackers to replace the audit tools or inject +code into the existing tools with the purpose of providing the capability to hide or erase +system activity from the audit logs. + +To address this risk, audit tools must be +cryptographically signed in order to provide the capability to identify when the audit tools +have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. " - desc "check", "Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use -cryptographic mechanisms to protect the integrity of audit tools. - -Check the selection -lines that AIDE is configured to add/check with the following command: - -$ egrep -'(\\/sbin\\/(audit|au))' /etc/aide/aide.conf - -/sbin/auditctl -p+i+n+u+g+s+b+acl+xattrs+sha512 -/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 - -/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 -/sbin/aureport -p+i+n+u+g+s+b+acl+xattrs+sha512 -/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 - -/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512 -/sbin/augenrules -p+i+n+u+g+s+b+acl+xattrs+sha512 - -If any of the seven audit tools do not have appropriate + desc 'check', "Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use +cryptographic mechanisms to protect the integrity of audit tools. + +Check the selection +lines that AIDE is configured to add/check with the following command: + +$ egrep +'(\\/sbin\\/(audit|au))' /etc/aide/aide.conf + +/sbin/auditctl +p+i+n+u+g+s+b+acl+xattrs+sha512 +/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 + +/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 +/sbin/aureport +p+i+n+u+g+s+b+acl+xattrs+sha512 +/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 + +/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512 +/sbin/augenrules +p+i+n+u+g+s+b+acl+xattrs+sha512 + +If any of the seven audit tools do not have appropriate selection lines, this is a finding. " - desc "fix", "Add or update the following selection lines for \"/etc/aide/aide.conf\" to protect the -integrity of the audit tools: - -# Audit Tools -/sbin/auditctl -p+i+n+u+g+s+b+acl+xattrs+sha512 -/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 - -/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 -/sbin/aureport -p+i+n+u+g+s+b+acl+xattrs+sha512 -/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 - -/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512 -/sbin/augenrules + desc 'fix', "Add or update the following selection lines for \"/etc/aide/aide.conf\" to protect the +integrity of the audit tools: + +# Audit Tools +/sbin/auditctl +p+i+n+u+g+s+b+acl+xattrs+sha512 +/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 + +/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 +/sbin/aureport +p+i+n+u+g+s+b+acl+xattrs+sha512 +/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 + +/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512 +/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000278-GPOS-00108 " - tag gid: "V-238303 " - tag rid: "SV-238303r654084_rule " - tag stig_id: "UBTU-20-010205 " - tag fix_id: "F-41472r654083_fix " - tag cci: ["CCI-001496"] - tag nist: ["AU-9 (3)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000278-GPOS-00108 ' + tag gid: 'V-238303 ' + tag rid: 'SV-238303r654084_rule ' + tag stig_id: 'UBTU-20-010205 ' + tag fix_id: 'F-41472r654083_fix ' + tag cci: ['CCI-001496'] + tag nist: ['AU-9 (3)'] aide_conf = aide_conf input('aide_conf_path') @@ -77,31 +75,31 @@ if aide_conf_exists describe aide_conf.where { selection_line == '/sbin/auditctl' } do - its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattrs', 'sha512'] } + its('rules') { should include %w(p i n u g s b acl xattrs sha512) } end describe aide_conf.where { selection_line == '/sbin/auditd' } do - its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattrs', 'sha512'] } + its('rules') { should include %w(p i n u g s b acl xattrs sha512) } end describe aide_conf.where { selection_line == '/sbin/ausearch' } do - its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattrs', 'sha512'] } + its('rules') { should include %w(p i n u g s b acl xattrs sha512) } end describe aide_conf.where { selection_line == '/sbin/aureport' } do - its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattrs', 'sha512'] } + its('rules') { should include %w(p i n u g s b acl xattrs sha512) } end describe aide_conf.where { selection_line == '/sbin/autrace' } do - its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattrs', 'sha512'] } + its('rules') { should include %w(p i n u g s b acl xattrs sha512) } end describe aide_conf.where { selection_line == '/sbin/audispd' } do - its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattrs', 'sha512'] } + its('rules') { should include %w(p i n u g s b acl xattrs sha512) } end describe aide_conf.where { selection_line == '/sbin/augenrules' } do - its('rules') { should include ['p', 'i', 'n', 'u', 'g', 's', 'b', 'acl', 'xattrs', 'sha512'] } + its('rules') { should include %w(p i n u g s b acl xattrs sha512) } end else describe 'aide.conf file exists' do @@ -109,4 +107,4 @@ it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238304.rb b/controls/SV-238304.rb index ad94783..15173b7 100644 --- a/controls/SV-238304.rb +++ b/controls/SV-238304.rb @@ -1,76 +1,74 @@ -# encoding: UTF-8 - -control "SV-238304" do - title "The Ubuntu operating system must prevent all software from executing at higher privilege -levels than users executing the software and the audit system must be configured to audit the +control 'SV-238304' do + title "The Ubuntu operating system must prevent all software from executing at higher privilege +levels than users executing the software and the audit system must be configured to audit the execution of privileged functions. " - desc "In certain situations, software applications/programs need to execute with elevated -privileges to perform required functions. However, if the privileges required for -execution are at a higher level than the privileges assigned to organizational users -invoking such applications/programs, those users are indirectly provided with greater -privileges than assigned by the organizations. - -Some programs and processes are required -to operate at a higher privilege level and therefore should be excluded from the + desc "In certain situations, software applications/programs need to execute with elevated +privileges to perform required functions. However, if the privileges required for +execution are at a higher level than the privileges assigned to organizational users +invoking such applications/programs, those users are indirectly provided with greater +privileges than assigned by the organizations. + +Some programs and processes are required +to operate at a higher privilege level and therefore should be excluded from the organization-defined software list after review. " - desc "check", "Verify the Ubuntu operating system audits the execution of privilege functions by auditing -the \"execve\" system call. - -Check the currently configured audit rules with the following -command: - -$ sudo auditctl -l | grep execve - --a always,exit -F arch=b64 -S execve -C -uid!=euid -F euid=0 -F key=execpriv --a always,exit -F arch=b64 -S execve -C gid!=egid -F -egid=0 -F key=execpriv --a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F -key=execpriv --a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv - + desc 'check', "Verify the Ubuntu operating system audits the execution of privilege functions by auditing +the \"execve\" system call. + +Check the currently configured audit rules with the following +command: + +$ sudo auditctl -l | grep execve + +-a always,exit -F arch=b64 -S execve -C +uid!=euid -F euid=0 -F key=execpriv +-a always,exit -F arch=b64 -S execve -C gid!=egid -F +egid=0 -F key=execpriv +-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F +key=execpriv +-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv + -If the command does not return lines that match the example or the lines are commented out, -this is a finding. - -Notes: -- For 32-bit architectures, only the 32-bit specific output -lines from the commands are required. -- The \"-k\" allows for specifying an arbitrary +If the command does not return lines that match the example or the lines are commented out, +this is a finding. + +Notes: +- For 32-bit architectures, only the 32-bit specific output +lines from the commands are required. +- The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the Ubuntu operating system to audit the execution of all privileged functions. - + desc 'fix', "Configure the Ubuntu operating system to audit the execution of all privileged functions. + + +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: + +-a +always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv +-a always,exit -F +arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv +-a always,exit -F arch=b32 -S +execve -C uid!=euid -F euid=0 -F key=execpriv +-a always,exit -F arch=b32 -S execve -C +gid!=egid -F egid=0 -F key=execpriv + +Notes: For 32-bit architectures, only the 32-bit +specific entries are required. + +To reload the rules file, issue the following command: -Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: - --a -always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv --a always,exit -F -arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv --a always,exit -F arch=b32 -S -execve -C uid!=euid -F euid=0 -F key=execpriv --a always,exit -F arch=b32 -S execve -C -gid!=egid -F egid=0 -F key=execpriv - -Notes: For 32-bit architectures, only the 32-bit -specific entries are required. - -To reload the rules file, issue the following command: - -$ +$ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000326-GPOS-00126 " - tag satisfies: ["SRG-OS-000326-GPOS-00126","SRG-OS-000327-GPOS-00127"] - tag gid: "V-238304 " - tag rid: "SV-238304r853422_rule " - tag stig_id: "UBTU-20-010211 " - tag fix_id: "F-41473r654086_fix " - tag cci: ["CCI-002233","CCI-002234"] - tag nist: ["AC-6 (8)","AC-6 (9)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000326-GPOS-00126 ' + tag satisfies: %w(SRG-OS-000326-GPOS-00126 SRG-OS-000327-GPOS-00127) + tag gid: 'V-238304 ' + tag rid: 'SV-238304r853422_rule ' + tag stig_id: 'UBTU-20-010211 ' + tag fix_id: 'F-41473r654086_fix ' + tag cci: %w(CCI-002233 CCI-002234) + tag nist: ['AC-6 (8)', 'AC-6 (9)'] if os.arch == 'x86_64' describe auditd.syscall('execve').where { arch == 'b64' } do @@ -82,4 +80,4 @@ its('action.uniq') { should eq ['always'] } its('list.uniq') { should eq ['exit'] } end -end \ No newline at end of file +end diff --git a/controls/SV-238305.rb b/controls/SV-238305.rb index cf98d71..5e35e49 100644 --- a/controls/SV-238305.rb +++ b/controls/SV-238305.rb @@ -1,78 +1,76 @@ -# encoding: UTF-8 - -control "SV-238305" do - title "The Ubuntu operating system must allocate audit record storage capacity to store at least one -weeks' worth of audit records, when audit records are not immediately sent to a central audit +control 'SV-238305' do + title "The Ubuntu operating system must allocate audit record storage capacity to store at least one +weeks' worth of audit records, when audit records are not immediately sent to a central audit record storage facility. " - desc "In order to ensure operating systems have a sufficient storage capacity in which to write the -audit logs, operating systems need to be able to allocate audit record storage capacity. - + desc "In order to ensure operating systems have a sufficient storage capacity in which to write the +audit logs, operating systems need to be able to allocate audit record storage capacity. + -The task of allocating audit record storage capacity is usually performed during initial +The task of allocating audit record storage capacity is usually performed during initial installation of the operating system. " - desc "check", "Verify the Ubuntu operating system allocates audit record storage capacity to store at least -one week's worth of audit records when audit records are not immediately sent to a central -audit record storage facility. - -Determine which partition the audit records are being -written to with the following command: - -$ sudo grep ^log_file /etc/audit/auditd.conf - -log_file = /var/log/audit/audit.log - -Check the size of the partition that audit records -are written to (with the example being \"/var/log/audit/\") with the following command: - -$ -sudo df –h /var/log/audit/ -/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit - -If the audit -records are not written to a partition made specifically for audit records -(\"/var/log/audit\" is a separate partition), determine the amount of space being used by -other files in the partition with the following command: - -$ sudo du –sh [audit_partition] - -1.8G /var/log/audit - -Note: The partition size needed to capture a week's worth of audit -records is based on the activity level of the system and the total storage capacity available. -In normal circumstances, 10.0 GB of storage space for audit records will be sufficient. - -If -the audit record partition is not allocated for sufficient storage capacity, this is a + desc 'check', "Verify the Ubuntu operating system allocates audit record storage capacity to store at least +one week's worth of audit records when audit records are not immediately sent to a central +audit record storage facility. + +Determine which partition the audit records are being +written to with the following command: + +$ sudo grep ^log_file /etc/audit/auditd.conf + +log_file = /var/log/audit/audit.log + +Check the size of the partition that audit records +are written to (with the example being \"/var/log/audit/\") with the following command: + +$ +sudo df –h /var/log/audit/ +/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit + +If the audit +records are not written to a partition made specifically for audit records +(\"/var/log/audit\" is a separate partition), determine the amount of space being used by +other files in the partition with the following command: + +$ sudo du –sh [audit_partition] + +1.8G /var/log/audit + +Note: The partition size needed to capture a week's worth of audit +records is based on the activity level of the system and the total storage capacity available. +In normal circumstances, 10.0 GB of storage space for audit records will be sufficient. + +If +the audit record partition is not allocated for sufficient storage capacity, this is a finding. " - desc "fix", "Allocate enough storage capacity for at least one week's worth of audit records when audit -records are not immediately sent to a central audit record storage facility. - -If audit -records are stored on a partition made specifically for audit records, use the \"parted\" -program to resize the partition with sufficient space to contain one week's worth of audit -records. - -If audit records are not stored on a partition made specifically for audit -records, a new partition with sufficient amount of space will need be to be created. - -Set the -auditd server to point to the mount point where the audit records must be located: - -$ sudo sed --i -E 's@^(log_file\\s*=\\s*).*@\\1 <log mountpoint>/audit.log@' -/etc/audit/auditd.conf - -where <log mountpoint> is the aforementioned mount + desc 'fix', "Allocate enough storage capacity for at least one week's worth of audit records when audit +records are not immediately sent to a central audit record storage facility. + +If audit +records are stored on a partition made specifically for audit records, use the \"parted\" +program to resize the partition with sufficient space to contain one week's worth of audit +records. + +If audit records are not stored on a partition made specifically for audit +records, a new partition with sufficient amount of space will need be to be created. + +Set the +auditd server to point to the mount point where the audit records must be located: + +$ sudo sed +-i -E 's@^(log_file\\s*=\\s*).*@\\1 <log mountpoint>/audit.log@' +/etc/audit/auditd.conf + +where <log mountpoint> is the aforementioned mount point. " impact 0.3 - tag severity: "low " - tag gtitle: "SRG-OS-000341-GPOS-00132 " - tag gid: "V-238305 " - tag rid: "SV-238305r853423_rule " - tag stig_id: "UBTU-20-010215 " - tag fix_id: "F-41474r654089_fix " - tag cci: ["CCI-001849"] - tag nist: ["AU-4"] + tag severity: 'low ' + tag gtitle: 'SRG-OS-000341-GPOS-00132 ' + tag gid: 'V-238305 ' + tag rid: 'SV-238305r853423_rule ' + tag stig_id: 'UBTU-20-010215 ' + tag fix_id: 'F-41474r654089_fix ' + tag cci: ['CCI-001849'] + tag nist: ['AU-4'] log_file = auditd_conf.log_file log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil? @@ -82,18 +80,18 @@ available_storage = filesystem(log_file_dir).free_kb log_file_size = file(log_file).size standard_audit_log_size = input('standard_audit_log_size') - describe ('Current audit log file size is less than the specified standard of ' + standard_audit_log_size.to_s) do - subject { log_file_size.to_i } - it { should be <= standard_audit_log_size } + describe('Current audit log file size is less than the specified standard of ' + standard_audit_log_size.to_s) do + subject { log_file_size.to_i } + it { should be <= standard_audit_log_size } end - describe ('Available storage for audit log should be more than the defined standard of ' + standard_audit_log_size.to_s) do - subject { available_storage.to_i } - it { should be > standard_audit_log_size } + describe('Available storage for audit log should be more than the defined standard of ' + standard_audit_log_size.to_s) do + subject { available_storage.to_i } + it { should be > standard_audit_log_size } end - else - describe ('Audit file/directory for file ' + log_file + ' exists') do + else + describe('Audit file/directory for file ' + log_file + ' exists') do subject { log_dir_exists } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238306.rb b/controls/SV-238306.rb index 411ab7d..9d8c697 100644 --- a/controls/SV-238306.rb +++ b/controls/SV-238306.rb @@ -1,89 +1,87 @@ -# encoding: UTF-8 - -control "SV-238306" do - title "The Ubuntu operating system audit event multiplexor must be configured to off-load audit +control 'SV-238306' do + title "The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system or storage media from the system being audited. " - desc "Information stored in one location is vulnerable to accidental or incidental deletion or -alteration. - -Off-loading is a common process in information systems with limited audit + desc "Information stored in one location is vulnerable to accidental or incidental deletion or +alteration. + +Off-loading is a common process in information systems with limited audit storage capacity. " - desc "check", "Verify the audit event multiplexor is configured to offload audit records to a different -system or storage media from the system being audited. - -Check that audisp-remote plugin is -installed: - -$ sudo dpkg -s audispd-plugins - -If status is \"not installed\", this is a -finding. - -Check that the records are being offloaded to a remote server with the following -command: - -$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf - -active = yes - -If -\"active\" is not set to \"yes\", or the line is commented out, this is a finding. - -Check that -audisp-remote plugin is configured to send audit logs to a different system: - -$ sudo grep -i -^remote_server /etc/audisp/audisp-remote.conf - -remote_server = 192.168.122.126 - -If -the \"remote_server\" parameter is not set, is set with a local address, or is set with an invalid + desc 'check', "Verify the audit event multiplexor is configured to offload audit records to a different +system or storage media from the system being audited. + +Check that audisp-remote plugin is +installed: + +$ sudo dpkg -s audispd-plugins + +If status is \"not installed\", this is a +finding. + +Check that the records are being offloaded to a remote server with the following +command: + +$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf + +active = yes + +If +\"active\" is not set to \"yes\", or the line is commented out, this is a finding. + +Check that +audisp-remote plugin is configured to send audit logs to a different system: + +$ sudo grep -i +^remote_server /etc/audisp/audisp-remote.conf + +remote_server = 192.168.122.126 + +If +the \"remote_server\" parameter is not set, is set with a local address, or is set with an invalid address, this is a finding. " - desc "fix", "Configure the audit event multiplexor to offload audit records to a different system or -storage media from the system being audited. - -Install the audisp-remote plugin: - -$ sudo -apt-get install audispd-plugins -y - -Set the audisp-remote plugin as active by editing the -\"/etc/audisp/plugins.d/au-remote.conf\" file: - -$ sudo sed -i -E -'s/active\\s*=\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf - -Set the -address of the remote machine by editing the \"/etc/audisp/audisp-remote.conf\" file: - -$ -sudo sed -i -E 's/(remote_server\\s*=).*/\\1 <remote addr>/' -/etc/audisp/audisp-remote.conf - -where <remote addr> must be substituted by the -address of the remote server receiving the audit log. - -Make the audit service reload its -configuration files: - + desc 'fix', "Configure the audit event multiplexor to offload audit records to a different system or +storage media from the system being audited. + +Install the audisp-remote plugin: + +$ sudo +apt-get install audispd-plugins -y + +Set the audisp-remote plugin as active by editing the +\"/etc/audisp/plugins.d/au-remote.conf\" file: + +$ sudo sed -i -E +'s/active\\s*=\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf + +Set the +address of the remote machine by editing the \"/etc/audisp/audisp-remote.conf\" file: + +$ +sudo sed -i -E 's/(remote_server\\s*=).*/\\1 <remote addr>/' +/etc/audisp/audisp-remote.conf + +where <remote addr> must be substituted by the +address of the remote server receiving the audit log. + +Make the audit service reload its +configuration files: + $ sudo systemctl restart auditd.service " impact 0.3 - tag severity: "low " - tag gtitle: "SRG-OS-000342-GPOS-00133 " - tag satisfies: ["SRG-OS-000342-GPOS-00133","SRG-OS-000479-GPOS-00224"] - tag gid: "V-238306 " - tag rid: "SV-238306r853424_rule " - tag stig_id: "UBTU-20-010216 " - tag fix_id: "F-41475r654092_fix " - tag cci: ["CCI-001851"] - tag nist: ["AU-4 (1)"] + tag severity: 'low ' + tag gtitle: 'SRG-OS-000342-GPOS-00133 ' + tag satisfies: %w(SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224) + tag gid: 'V-238306 ' + tag rid: 'SV-238306r853424_rule ' + tag stig_id: 'UBTU-20-010216 ' + tag fix_id: 'F-41475r654092_fix ' + tag cci: ['CCI-001851'] + tag nist: ['AU-4 (1)'] config_file = input('audispremote_config_file') config_file_exists = file(config_file).exist? - audit_sp_remote_server= input("audit_sp_remote_server") + audit_sp_remote_server = input('audit_sp_remote_server') describe package('audispd-plugins') do it { should be_installed } @@ -95,9 +93,9 @@ its('remote_server') { should cmp audit_sp_remote_server } end else - describe (config_file + ' exists') do + describe(config_file + ' exists') do subject { config_file_exists } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238307.rb b/controls/SV-238307.rb index 8677c01..2c4fd1d 100644 --- a/controls/SV-238307.rb +++ b/controls/SV-238307.rb @@ -1,76 +1,74 @@ -# encoding: UTF-8 - -control "SV-238307" do - title "The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when -allocated audit record storage volume reaches 75% of the repository maximum audit record +control 'SV-238307' do + title "The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when +allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. " - desc "If security personnel are not notified immediately when storage volume reaches 75% + desc "If security personnel are not notified immediately when storage volume reaches 75% utilization, they are unable to plan for audit record storage capacity expansion. " - desc "check", "Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated -audit record storage volume reaches 75% of the repository maximum audit record storage -capacity with the following command: - -$ sudo grep ^space_left_action -/etc/audit/auditd.conf - -space_left_action email - -$ sudo grep ^space_left -/etc/audit/auditd.conf - -space_left 250000 - -If the \"space_left\" parameter is missing, -set to blanks, or set to a value less than 25% of the space free in the allocated audit record -storage, this is a finding. - -If the \"space_left_action\" parameter is missing or set to -blanks, this is a finding. - -If the \"space_left_action\" is set to \"syslog\", the system logs -the event but does not generate a notification, and this is a finding. - -If the -\"space_left_action\" is set to \"exec\", the system executes a designated script. If this -script informs the SA of the event, this is not a finding. - -If the \"space_left_action\" is set -to \"email\", check the value of the \"action_mail_acct\" parameter with the following command: - - -$ sudo grep ^action_mail_acct /etc/audit/auditd.conf - -action_mail_acct -root@localhost - -The \"action_mail_acct\" parameter, if missing, defaults to \"root\". If the -\"action_mail_acct parameter\" is not set to the email address of the SA(s) and/or ISSO, this is -a finding. - + desc 'check', "Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated +audit record storage volume reaches 75% of the repository maximum audit record storage +capacity with the following command: + +$ sudo grep ^space_left_action +/etc/audit/auditd.conf + +space_left_action email + +$ sudo grep ^space_left +/etc/audit/auditd.conf + +space_left 250000 + +If the \"space_left\" parameter is missing, +set to blanks, or set to a value less than 25% of the space free in the allocated audit record +storage, this is a finding. + +If the \"space_left_action\" parameter is missing or set to +blanks, this is a finding. + +If the \"space_left_action\" is set to \"syslog\", the system logs +the event but does not generate a notification, and this is a finding. + +If the +\"space_left_action\" is set to \"exec\", the system executes a designated script. If this +script informs the SA of the event, this is not a finding. + +If the \"space_left_action\" is set +to \"email\", check the value of the \"action_mail_acct\" parameter with the following command: + + +$ sudo grep ^action_mail_acct /etc/audit/auditd.conf + +action_mail_acct +root@localhost + +The \"action_mail_acct\" parameter, if missing, defaults to \"root\". If the +\"action_mail_acct parameter\" is not set to the email address of the SA(s) and/or ISSO, this is +a finding. + Note: If the email address of the System Administrator - is on a remote system, a + is on a remote system, a mail package must be available. " - desc "fix", "Edit \"/etc/audit/auditd.conf\" and set the \"space_left_action\" parameter to \"exec\" or -\"email\". - -If the \"space_left_action\" parameter is set to \"email\", set the -\"action_mail_acct\" parameter to an email address for the SA and ISSO. - -If the -\"space_left_action\" parameter is set to \"exec\", ensure the command being executed notifies -the SA and ISSO. - -Edit \"/etc/audit/auditd.conf\" and set the \"space_left\" parameter to be at + desc 'fix', "Edit \"/etc/audit/auditd.conf\" and set the \"space_left_action\" parameter to \"exec\" or +\"email\". + +If the \"space_left_action\" parameter is set to \"email\", set the +\"action_mail_acct\" parameter to an email address for the SA and ISSO. + +If the +\"space_left_action\" parameter is set to \"exec\", ensure the command being executed notifies +the SA and ISSO. + +Edit \"/etc/audit/auditd.conf\" and set the \"space_left\" parameter to be at least 25% of the repository maximum audit record storage capacity. " impact 0.3 - tag severity: "low " - tag gtitle: "SRG-OS-000343-GPOS-00134 " - tag gid: "V-238307 " - tag rid: "SV-238307r853425_rule " - tag stig_id: "UBTU-20-010217 " - tag fix_id: "F-41476r654095_fix " - tag cci: ["CCI-001855"] - tag nist: ["AU-5 (1)"] + tag severity: 'low ' + tag gtitle: 'SRG-OS-000343-GPOS-00134 ' + tag gid: 'V-238307 ' + tag rid: 'SV-238307r853425_rule ' + tag stig_id: 'UBTU-20-010217 ' + tag fix_id: 'F-41476r654095_fix ' + tag cci: ['CCI-001855'] + tag nist: ['AU-5 (1)'] log_file = auditd_conf.log_file log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil? @@ -87,7 +85,7 @@ end describe 'The space_left_action configuration' do subject { auditd_conf.space_left_action } - it { should eq "email" } + it { should eq 'email' } end describe 'The action_mail_acct configuration' do @@ -95,9 +93,9 @@ it { should eq email_to_notify } end else - describe ('Audit file/directory for file ' + log_file + ' exists') do + describe('Audit file/directory for file ' + log_file + ' exists') do subject { log_dir_exists } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238308.rb b/controls/SV-238308.rb index d7c0df4..7a3aaf4 100644 --- a/controls/SV-238308.rb +++ b/controls/SV-238308.rb @@ -1,39 +1,37 @@ -# encoding: UTF-8 - -control "SV-238308" do - title "The Ubuntu operating system must record time stamps for audit records that can be mapped to +control 'SV-238308' do + title "The Ubuntu operating system must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). " - desc "If time stamps are not consistently applied and there is no common time reference, it is -difficult to perform forensic analysis. - -Time stamps generated by the operating system -include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a + desc "If time stamps are not consistently applied and there is no common time reference, it is +difficult to perform forensic analysis. + +Time stamps generated by the operating system +include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. " - desc "check", "To verify the time zone is configured to use UTC or GMT, run the following command. - -$ -timedatectl status | grep -i \"time zone\" -Timezone: UTC (UTC, +0000) - -If \"Timezone\" is not + desc 'check', "To verify the time zone is configured to use UTC or GMT, run the following command. + +$ +timedatectl status | grep -i \"time zone\" +Timezone: UTC (UTC, +0000) + +If \"Timezone\" is not set to UTC or GMT, this is a finding. " - desc "fix", "To configure the system time zone to use UTC or GMT, run the following command, replacing -[ZONE] with UTC or GMT: - + desc 'fix', "To configure the system time zone to use UTC or GMT, run the following command, replacing +[ZONE] with UTC or GMT: + $ sudo timedatectl set-timezone [ZONE] " impact 0.3 - tag severity: "low " - tag gtitle: "SRG-OS-000359-GPOS-00146 " - tag gid: "V-238308 " - tag rid: "SV-238308r853426_rule " - tag stig_id: "UBTU-20-010230 " - tag fix_id: "F-41477r654098_fix " - tag cci: ["CCI-001890"] - tag nist: ["AU-8 b"] + tag severity: 'low ' + tag gtitle: 'SRG-OS-000359-GPOS-00146 ' + tag gid: 'V-238308 ' + tag rid: 'SV-238308r853426_rule ' + tag stig_id: 'UBTU-20-010230 ' + tag fix_id: 'F-41477r654098_fix ' + tag cci: ['CCI-001890'] + tag nist: ['AU-8 b'] time_zone = command('timedatectl status | grep -i "time zone"').stdout.strip describe time_zone do it { should match 'UTC' } end -end \ No newline at end of file +end diff --git a/controls/SV-238309.rb b/controls/SV-238309.rb index 199ac30..d99bd4b 100644 --- a/controls/SV-238309.rb +++ b/controls/SV-238309.rb @@ -1,90 +1,88 @@ -# encoding: UTF-8 - -control "SV-238309" do - title "The Ubuntu operating system must generate audit records for privileged activities, +control 'SV-238309' do + title "The Ubuntu operating system must generate audit records for privileged activities, nonlocal maintenance, diagnostic sessions and other system-level access. " - desc "If events associated with nonlocal administrative access or diagnostic sessions are not -logged, a major tool for assessing and investigating attacks would not be available. - -This -requirement addresses auditing-related issues associated with maintenance tools used -specifically for diagnostic and repair actions on organizational information systems. - - -Nonlocal maintenance and diagnostic activities are those activities conducted by -individuals communicating through a network, either an external network (e.g., the -internet) or an internal network. Local maintenance and diagnostic activities are those -activities carried out by individuals physically present at the information system or -information system component and not communicating across a network connection. - -This -requirement applies to hardware/software diagnostic test equipment or tools. This -requirement does not cover hardware/software components that may support information -system maintenance, yet are a part of the system, for example, the software implementing -\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of + desc "If events associated with nonlocal administrative access or diagnostic sessions are not +logged, a major tool for assessing and investigating attacks would not be available. + +This +requirement addresses auditing-related issues associated with maintenance tools used +specifically for diagnostic and repair actions on organizational information systems. + + +Nonlocal maintenance and diagnostic activities are those activities conducted by +individuals communicating through a network, either an external network (e.g., the +internet) or an internal network. Local maintenance and diagnostic activities are those +activities carried out by individuals physically present at the information system or +information system component and not communicating across a network connection. + +This +requirement applies to hardware/software diagnostic test equipment or tools. This +requirement does not cover hardware/software components that may support information +system maintenance, yet are a part of the system, for example, the software implementing +\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of an Ethernet switch. " - desc "check", "Verify the Ubuntu operating system audits activities performed during nonlocal -maintenance and diagnostic sessions. - -Check the currently configured audit rules with the -following command: - -$ sudo auditctl -l | grep sudo.log - --w /var/log/sudo.log -p wa -k -maintenance - -If the command does not return lines that match the example or the lines are -commented out, this is a finding. - -Note: The \"-k\" allows for specifying an arbitrary + desc 'check', "Verify the Ubuntu operating system audits activities performed during nonlocal +maintenance and diagnostic sessions. + +Check the currently configured audit rules with the +following command: + +$ sudo auditctl -l | grep sudo.log + +-w /var/log/sudo.log -p wa -k +maintenance + +If the command does not return lines that match the example or the lines are +commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the Ubuntu operating system to audit activities performed during nonlocal -maintenance and diagnostic sessions. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --w /var/log/sudo.log -p wa -k maintenance - -To -reload the rules file, issue the following command: - + desc 'fix', "Configure the Ubuntu operating system to audit activities performed during nonlocal +maintenance and diagnostic sessions. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-w /var/log/sudo.log -p wa -k maintenance + +To +reload the rules file, issue the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000392-GPOS-00172 " - tag satisfies: ["SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"] - tag gid: "V-238309 " - tag rid: "SV-238309r853427_rule " - tag stig_id: "UBTU-20-010244 " - tag fix_id: "F-41478r654101_fix " - tag cci: ["CCI-000172","CCI-002884"] - tag nist: ["AU-12 c","MA-4 (1) (a)"] - - @audit_file = "/var/log/sudo.log" + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000392-GPOS-00172 ' + tag satisfies: %w(SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215) + tag gid: 'V-238309 ' + tag rid: 'SV-238309r853427_rule ' + tag stig_id: 'UBTU-20-010244 ' + tag fix_id: 'F-41478r654101_fix ' + tag cci: %w(CCI-000172 CCI-002884) + tag nist: ['AU-12 c', 'MA-4 (1) (a)'] + + @audit_file = '/var/log/sudo.log' audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? if audit_lines_exist describe auditd.file(@audit_file) do - its("permissions") { should_not cmp [] } - its("action") { should_not include "never" } + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } end @perms = auditd.file(@audit_file).permissions @perms.each do |perm| describe perm do - it { should include "w" } - it { should include "a" } + it { should include 'w' } + it { should include 'a' } end end else - describe ("Audit line(s) for " + @audit_file + " exist") do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238310.rb b/controls/SV-238310.rb index 50b4d16..6683605 100644 --- a/controls/SV-238310.rb +++ b/controls/SV-238310.rb @@ -1,82 +1,80 @@ -# encoding: UTF-8 - -control "SV-238310" do - title "The Ubuntu operating system must generate audit records for any successful/unsuccessful +control 'SV-238310' do + title "The Ubuntu operating system must generate audit records for any successful/unsuccessful use of unlink, unlinkat, rename, renameat, and rmdir system calls. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). -The system call rules are loaded into a matching engine that intercepts each -syscall that all programs on the system makes. Therefore, it is very important to only use -syscall rules when absolutely necessary since these affect performance. The more rules, the -bigger the performance hit. The performance is helped, though, by combining syscalls into +The system call rules are loaded into a matching engine that intercepts each +syscall that all programs on the system makes. Therefore, it is very important to only use +syscall rules when absolutely necessary since these affect performance. The more rules, the +bigger the performance hit. The performance is helped, though, by combining syscalls into one rule whenever possible. " - desc "check", "Verify the Ubuntu operating system generates audit records for any -successful/unsuccessful use of \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" -system calls. - -Check the currently configured audit rules with the following command: - -$ -sudo auditctl -l | grep 'unlink\\|rename\\|rmdir' - --a always,exit -F arch=b64 -S -unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete --a -always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F -auid!=-1 -F key=delete - -If the command does not return audit rules for the \"unlink\", -\"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" syscalls or the lines are commented out, this -is a finding. - -Notes: -For 32-bit architectures, only the 32-bit specific output lines from -the commands are required. -The \"key\" allows for specifying an arbitrary identifier, and the + desc 'check', "Verify the Ubuntu operating system generates audit records for any +successful/unsuccessful use of \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" +system calls. + +Check the currently configured audit rules with the following command: + +$ +sudo auditctl -l | grep 'unlink\\|rename\\|rmdir' + +-a always,exit -F arch=b64 -S +unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete +-a +always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F +auid!=-1 -F key=delete + +If the command does not return audit rules for the \"unlink\", +\"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" syscalls or the lines are commented out, this +is a finding. + +Notes: +For 32-bit architectures, only the 32-bit specific output lines from +the commands are required. +The \"key\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate audit events for any successful/unsuccessful use of -\"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" system calls. - -Add or update the + desc 'fix', "Configure the audit system to generate audit events for any successful/unsuccessful use of +\"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" system calls. + +Add or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file: - --a always,exit -F -arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F -auid!=4294967295 -k delete --a always,exit -F arch=b32 -S -unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F +arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F +auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S +unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete + + +Notes: For 32-bit architectures, only the 32-bit specific entries are required. + +To +reload the rules file, issue the following command: -Notes: For 32-bit architectures, only the 32-bit specific entries are required. - -To -reload the rules file, issue the following command: - $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000468-GPOS-00212 " - tag gid: "V-238310 " - tag rid: "SV-238310r832953_rule " - tag stig_id: "UBTU-20-010267 " - tag fix_id: "F-41479r832952_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000468-GPOS-00212 ' + tag gid: 'V-238310 ' + tag rid: 'SV-238310r832953_rule ' + tag stig_id: 'UBTU-20-010267 ' + tag fix_id: 'F-41479r832952_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] - if os.arch == "x86_64" - describe auditd.syscall("unlink").where { arch == "b64" } do - its("action.uniq") { should eq ["always"] } - its("list.uniq") { should eq ["exit"] } + if os.arch == 'x86_64' + describe auditd.syscall('unlink').where { arch == 'b64' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } end end - describe auditd.syscall("unlink").where { arch == "b32" } do - its("action.uniq") { should eq ["always"] } - its("list.uniq") { should eq ["exit"] } + describe auditd.syscall('unlink').where { arch == 'b32' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } end -end \ No newline at end of file +end diff --git a/controls/SV-238315.rb b/controls/SV-238315.rb index 2f67728..4a74fe5 100644 --- a/controls/SV-238315.rb +++ b/controls/SV-238315.rb @@ -1,73 +1,71 @@ -# encoding: UTF-8 +control 'SV-238315' do + title 'The Ubuntu operating system must generate audit records for the /var/log/wtmp file. ' + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. -control "SV-238315" do - title "The Ubuntu operating system must generate audit records for the /var/log/wtmp file. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify the Ubuntu operating system generates audit records showing start and stop times for -user access to the system via the \"/var/log/wtmp\" file. - -Check the currently configured -audit rules with the following command: - -$ sudo auditctl -l | grep '/var/log/wtmp' - --w -/var/log/wtmp -p wa -k logins - -If the command does not return a line matching the example or -the line is commented out, this is a finding. - -Note: The \"-k\" allows for specifying an + desc 'check', "Verify the Ubuntu operating system generates audit records showing start and stop times for +user access to the system via the \"/var/log/wtmp\" file. + +Check the currently configured +audit rules with the following command: + +$ sudo auditctl -l | grep '/var/log/wtmp' + +-w +/var/log/wtmp -p wa -k logins + +If the command does not return a line matching the example or +the line is commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate audit events showing start and stop times for user -access via the \"/var/log/wtmp\" file. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --w /var/log/wtmp -p wa -k logins - -To reload the -rules file, issue the following command: - + desc 'fix', "Configure the audit system to generate audit events showing start and stop times for user +access via the \"/var/log/wtmp\" file. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-w /var/log/wtmp -p wa -k logins + +To reload the +rules file, issue the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000472-GPOS-00217 " - tag gid: "V-238315 " - tag rid: "SV-238315r654120_rule " - tag stig_id: "UBTU-20-010277 " - tag fix_id: "F-41484r654119_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000472-GPOS-00217 ' + tag gid: 'V-238315 ' + tag rid: 'SV-238315r654120_rule ' + tag stig_id: 'UBTU-20-010277 ' + tag fix_id: 'F-41484r654119_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] - @audit_file = "/var/log/wtmp" + @audit_file = '/var/log/wtmp' audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? if audit_lines_exist describe auditd.file(@audit_file) do - its("permissions") { should_not cmp [] } - its("action") { should_not include "never" } + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } end @perms = auditd.file(@audit_file).permissions @perms.each do |perm| describe perm do - it { should include "w" } - it { should include "a" } + it { should include 'w' } + it { should include 'a' } end end else - describe ("Audit line(s) for " + @audit_file + " exist") do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238316.rb b/controls/SV-238316.rb index 9a516ec..943789b 100644 --- a/controls/SV-238316.rb +++ b/controls/SV-238316.rb @@ -1,73 +1,71 @@ -# encoding: UTF-8 +control 'SV-238316' do + title 'The Ubuntu operating system must generate audit records for the /var/run/wtmp file. ' + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. -control "SV-238316" do - title "The Ubuntu operating system must generate audit records for the /var/run/wtmp file. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify the Ubuntu operating system generates audit records showing start and stop times for -user access to the system via the \"/var/run/wtmp\" file. - -Check the currently configured -audit rules with the following command: - -$ sudo auditctl -l | grep '/var/run/wtmp' - --w -/var/run/wtmp -p wa -k logins - -If the command does not return a line matching the example or -the line is commented out, this is a finding. - -Note: The \"-k\" allows for specifying an + desc 'check', "Verify the Ubuntu operating system generates audit records showing start and stop times for +user access to the system via the \"/var/run/wtmp\" file. + +Check the currently configured +audit rules with the following command: + +$ sudo auditctl -l | grep '/var/run/wtmp' + +-w +/var/run/wtmp -p wa -k logins + +If the command does not return a line matching the example or +the line is commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate audit events showing start and stop times for user -access via the \"/var/run/wtmp\" file. - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --w /var/run/wtmp -p wa -k logins - -To reload the -rules file, issue the following command: - + desc 'fix', "Configure the audit system to generate audit events showing start and stop times for user +access via the \"/var/run/wtmp\" file. + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-w /var/run/wtmp -p wa -k logins + +To reload the +rules file, issue the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000472-GPOS-00217 " - tag gid: "V-238316 " - tag rid: "SV-238316r654123_rule " - tag stig_id: "UBTU-20-010278 " - tag fix_id: "F-41485r654122_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000472-GPOS-00217 ' + tag gid: 'V-238316 ' + tag rid: 'SV-238316r654123_rule ' + tag stig_id: 'UBTU-20-010278 ' + tag fix_id: 'F-41485r654122_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] - @audit_file = "/var/run/wtmp" + @audit_file = '/var/run/wtmp' audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? if audit_lines_exist describe auditd.file(@audit_file) do - its("permissions") { should_not cmp [] } - its("action") { should_not include "never" } + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } end @perms = auditd.file(@audit_file).permissions @perms.each do |perm| describe perm do - it { should include "w" } - it { should include "a" } + it { should include 'w' } + it { should include 'a' } end end else - describe ("Audit line(s) for " + @audit_file + " exist") do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238317.rb b/controls/SV-238317.rb index dedf21a..eb070f0 100644 --- a/controls/SV-238317.rb +++ b/controls/SV-238317.rb @@ -1,73 +1,71 @@ -# encoding: UTF-8 +control 'SV-238317' do + title 'The Ubuntu operating system must generate audit records for the /var/log/btmp file. ' + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. -control "SV-238317" do - title "The Ubuntu operating system must generate audit records for the /var/log/btmp file. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify the Ubuntu operating system generates audit records showing start and stop times for -user access to the system via the \"/var/log/btmp\" file. - -Check the currently configured -audit rules with the following command: - -$ sudo auditctl -l | grep '/var/log/btmp' - --w -/var/log/btmp -p wa -k logins - -If the command does not return a line matching the example or -the line is commented out, this is a finding. - -Note: The \"-k\" allows for specifying an + desc 'check', "Verify the Ubuntu operating system generates audit records showing start and stop times for +user access to the system via the \"/var/log/btmp\" file. + +Check the currently configured +audit rules with the following command: + +$ sudo auditctl -l | grep '/var/log/btmp' + +-w +/var/log/btmp -p wa -k logins + +If the command does not return a line matching the example or +the line is commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the audit system to generate audit events showing start and stop times for user -access via the \"/var/log/btmp file\". - -Add or update the following rules in the -\"/etc/audit/rules.d/stig.rules\" file: - --w /var/log/btmp -p wa -k logins - -To reload the -rules file, issue the following command: - + desc 'fix', "Configure the audit system to generate audit events showing start and stop times for user +access via the \"/var/log/btmp file\". + +Add or update the following rules in the +\"/etc/audit/rules.d/stig.rules\" file: + +-w /var/log/btmp -p wa -k logins + +To reload the +rules file, issue the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000472-GPOS-00217 " - tag gid: "V-238317 " - tag rid: "SV-238317r654126_rule " - tag stig_id: "UBTU-20-010279 " - tag fix_id: "F-41486r654125_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000472-GPOS-00217 ' + tag gid: 'V-238317 ' + tag rid: 'SV-238317r654126_rule ' + tag stig_id: 'UBTU-20-010279 ' + tag fix_id: 'F-41486r654125_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] - @audit_file = "/var/log/btmp" + @audit_file = '/var/log/btmp' audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? if audit_lines_exist describe auditd.file(@audit_file) do - its("permissions") { should_not cmp [] } - its("action") { should_not include "never" } + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } end @perms = auditd.file(@audit_file).permissions @perms.each do |perm| describe perm do - it { should include "w" } - it { should include "a" } + it { should include 'w' } + it { should include 'a' } end end else - describe ("Audit line(s) for " + @audit_file + " exist") do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238318.rb b/controls/SV-238318.rb index 9154d79..d328537 100644 --- a/controls/SV-238318.rb +++ b/controls/SV-238318.rb @@ -1,49 +1,47 @@ -# encoding: UTF-8 - -control "SV-238318" do - title "The Ubuntu operating system must generate audit records when successful/unsuccessful +control 'SV-238318' do + title "The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use modprobe command. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify if the Ubuntu operating system is configured to audit the execution of the module -management program \"modprobe\" by running the following command: - -$ sudo auditctl -l | grep -\"/sbin/modprobe\" - --w /sbin/modprobe -p x -k modules - -If the command does not return a line, -or the line is commented out, this is a finding. - -Note: The \"-k\" allows for specifying an + desc 'check', "Verify if the Ubuntu operating system is configured to audit the execution of the module +management program \"modprobe\" by running the following command: + +$ sudo auditctl -l | grep +\"/sbin/modprobe\" + +-w /sbin/modprobe -p x -k modules + +If the command does not return a line, +or the line is commented out, this is a finding. + +Note: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the Ubuntu operating system to audit the execution of the module management -program \"modprobe\". - -Add or update the following rule in the -\"/etc/audit/rules.d/stig.rules\" file: - --w /sbin/modprobe -p x -k modules - -To reload the -rules file, issue the following command: - + desc 'fix', "Configure the Ubuntu operating system to audit the execution of the module management +program \"modprobe\". + +Add or update the following rule in the +\"/etc/audit/rules.d/stig.rules\" file: + +-w /sbin/modprobe -p x -k modules + +To reload the +rules file, issue the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000477-GPOS-00222 " - tag gid: "V-238318 " - tag rid: "SV-238318r654129_rule " - tag stig_id: "UBTU-20-010296 " - tag fix_id: "F-41487r654128_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000477-GPOS-00222 ' + tag gid: 'V-238318 ' + tag rid: 'SV-238318r654129_rule ' + tag stig_id: 'UBTU-20-010296 ' + tag fix_id: 'F-41487r654128_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/sbin/modprobe' @@ -62,9 +60,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238319.rb b/controls/SV-238319.rb index a461d92..316e760 100644 --- a/controls/SV-238319.rb +++ b/controls/SV-238319.rb @@ -1,52 +1,50 @@ -# encoding: UTF-8 - -control "SV-238319" do - title "The Ubuntu operating system must generate audit records when successful/unsuccessful +control 'SV-238319' do + title "The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use the kmod command. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify the Ubuntu operating system is configured to audit the execution of the module -management program \"kmod\". - -Check the currently configured audit rules with the following -command: - -$ sudo auditctl -l | grep kmod - --w /bin/kmod -p x -k module - -If the command does not -return a line, or the line is commented out, this is a finding. - -Note: The \"-k\" allows for -specifying an arbitrary identifier, and the string after it does not need to match the example + desc 'check', "Verify the Ubuntu operating system is configured to audit the execution of the module +management program \"kmod\". + +Check the currently configured audit rules with the following +command: + +$ sudo auditctl -l | grep kmod + +-w /bin/kmod -p x -k module + +If the command does not +return a line, or the line is commented out, this is a finding. + +Note: The \"-k\" allows for +specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the Ubuntu operating system to audit the execution of the module management -program \"kmod\". - -Add or update the following rule in the \"/etc/audit/rules.d/stig.rules\" -file: - --w /bin/kmod -p x -k modules - -To reload the rules file, issue the following command: - + desc 'fix', "Configure the Ubuntu operating system to audit the execution of the module management +program \"kmod\". + +Add or update the following rule in the \"/etc/audit/rules.d/stig.rules\" +file: + +-w /bin/kmod -p x -k modules + +To reload the rules file, issue the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000477-GPOS-00222 " - tag gid: "V-238319 " - tag rid: "SV-238319r654132_rule " - tag stig_id: "UBTU-20-010297 " - tag fix_id: "F-41488r654131_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000477-GPOS-00222 ' + tag gid: 'V-238319 ' + tag rid: 'SV-238319r654132_rule ' + tag stig_id: 'UBTU-20-010297 ' + tag fix_id: 'F-41488r654131_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] @audit_file = '/bin/kmod' @@ -65,9 +63,9 @@ end end else - describe ('Audit line(s) for ' + @audit_file + ' exist') do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238320.rb b/controls/SV-238320.rb index a328c3f..ff54ef6 100644 --- a/controls/SV-238320.rb +++ b/controls/SV-238320.rb @@ -1,73 +1,71 @@ -# encoding: UTF-8 - -control "SV-238320" do - title "The Ubuntu operating system must generate audit records when successful/unsuccessful +control 'SV-238320' do + title "The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use the fdisk command. " - desc "Without generating audit records that are specific to the security and mission needs of the -organization, it would be difficult to establish, correlate, and investigate the events -relating to an incident or identify those responsible for one. - -Audit records can be -generated from various components within the information system (e.g., module or policy + desc "Without generating audit records that are specific to the security and mission needs of the +organization, it would be difficult to establish, correlate, and investigate the events +relating to an incident or identify those responsible for one. + +Audit records can be +generated from various components within the information system (e.g., module or policy filter). " - desc "check", "Verify the Ubuntu operating system is configured to audit the execution of the partition -management program \"fdisk\". - -Check the currently configured audit rules with the -following command: - -$ sudo auditctl -l | grep fdisk - --w /usr/sbin/fdisk -p x -k fdisk - -If -the command does not return a line, or the line is commented out, this is a finding. - -Note: The -\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to + desc 'check', "Verify the Ubuntu operating system is configured to audit the execution of the partition +management program \"fdisk\". + +Check the currently configured audit rules with the +following command: + +$ sudo auditctl -l | grep fdisk + +-w /usr/sbin/fdisk -p x -k fdisk + +If +the command does not return a line, or the line is commented out, this is a finding. + +Note: The +\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. " - desc "fix", "Configure the Ubuntu operating system to audit the execution of the partition management -program \"fdisk\". - -Add or update the following rule in the -\"/etc/audit/rules.d/stig.rules\" file: - --w /usr/sbin/fdisk -p x -k fdisk - -To reload the -rules file, issue the following command: - + desc 'fix', "Configure the Ubuntu operating system to audit the execution of the partition management +program \"fdisk\". + +Add or update the following rule in the +\"/etc/audit/rules.d/stig.rules\" file: + +-w /usr/sbin/fdisk -p x -k fdisk + +To reload the +rules file, issue the following command: + $ sudo augenrules --load " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000477-GPOS-00222 " - tag gid: "V-238320 " - tag rid: "SV-238320r832956_rule " - tag stig_id: "UBTU-20-010298 " - tag fix_id: "F-41489r832955_fix " - tag cci: ["CCI-000172"] - tag nist: ["AU-12 c"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000477-GPOS-00222 ' + tag gid: 'V-238320 ' + tag rid: 'SV-238320r832956_rule ' + tag stig_id: 'UBTU-20-010298 ' + tag fix_id: 'F-41489r832955_fix ' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] - @audit_file = "/sbin/fdisk" + @audit_file = '/sbin/fdisk' audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? if audit_lines_exist describe auditd.file(@audit_file) do - its("permissions") { should_not cmp [] } - its("action") { should_not include "never" } + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } end @perms = auditd.file(@audit_file).permissions @perms.each do |perm| describe perm do - it { should include "x" } + it { should include 'x' } end end else - describe ("Audit line(s) for " + @audit_file + " exist") do + describe('Audit line(s) for ' + @audit_file + ' exist') do subject { audit_lines_exist } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238321.rb b/controls/SV-238321.rb index 65313a8..4c1d193 100644 --- a/controls/SV-238321.rb +++ b/controls/SV-238321.rb @@ -1,44 +1,42 @@ -# encoding: UTF-8 - -control "SV-238321" do - title "The Ubuntu operating system must have a crontab script running weekly to offload audit events +control 'SV-238321' do + title "The Ubuntu operating system must have a crontab script running weekly to offload audit events of standalone systems. " - desc "Information stored in one location is vulnerable to accidental or incidental deletion or -alteration. - -Offloading is a common process in information systems with limited audit + desc "Information stored in one location is vulnerable to accidental or incidental deletion or +alteration. + +Offloading is a common process in information systems with limited audit storage capacity. " - desc "check", "Note: If this is an interconnected system, this is Not Applicable. - -Verify there is a script -that offloads audit data and that script runs weekly. - -Check if there is a script in the -\"/etc/cron.weekly\" directory that offloads audit data: - -# sudo ls /etc/cron.weekly - - -audit-offload - -Check if the script inside the file does offloading of audit logs to -external media. - -If the script file does not exist or does not offload audit logs, this is a + desc 'check', "Note: If this is an interconnected system, this is Not Applicable. + +Verify there is a script +that offloads audit data and that script runs weekly. + +Check if there is a script in the +\"/etc/cron.weekly\" directory that offloads audit data: + +# sudo ls /etc/cron.weekly + + +audit-offload + +Check if the script inside the file does offloading of audit logs to +external media. + +If the script file does not exist or does not offload audit logs, this is a finding. " - desc "fix", "Create a script that offloads audit logs to external media and runs weekly. - -The script must + desc 'fix', "Create a script that offloads audit logs to external media and runs weekly. + +The script must be located in the \"/etc/cron.weekly\" directory. " impact 0.3 - tag severity: "low " - tag gtitle: "SRG-OS-000479-GPOS-00224 " - tag gid: "V-238321 " - tag rid: "SV-238321r853428_rule " - tag stig_id: "UBTU-20-010300 " - tag fix_id: "F-41490r654137_fix " - tag cci: ["CCI-001851"] - tag nist: ["AU-4 (1)"] + tag severity: 'low ' + tag gtitle: 'SRG-OS-000479-GPOS-00224 ' + tag gid: 'V-238321 ' + tag rid: 'SV-238321r853428_rule ' + tag stig_id: 'UBTU-20-010300 ' + tag fix_id: 'F-41490r654137_fix ' + tag cci: ['CCI-001851'] + tag nist: ['AU-4 (1)'] cron_file = input('auditoffload_config_file') cron_file_exists = file(cron_file).exist? @@ -53,4 +51,4 @@ it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238323.rb b/controls/SV-238323.rb index b2fdb6b..be74576 100644 --- a/controls/SV-238323.rb +++ b/controls/SV-238323.rb @@ -1,48 +1,46 @@ -# encoding: UTF-8 - -control "SV-238323" do - title "The Ubuntu operating system must limit the number of concurrent sessions to ten for all +control 'SV-238323' do + title "The Ubuntu operating system must limit the number of concurrent sessions to ten for all accounts and/or account types. " - desc "The Ubuntu operating system management includes the ability to control the number of users -and user sessions that utilize an operating system. Limiting the number of allowed users and -sessions per user is helpful in reducing the risks related to DoS attacks. - -This requirement -addresses concurrent sessions for information system accounts and does not address -concurrent sessions by single users via multiple system accounts. The maximum number of -concurrent sessions should be defined based upon mission needs and the operational + desc "The Ubuntu operating system management includes the ability to control the number of users +and user sessions that utilize an operating system. Limiting the number of allowed users and +sessions per user is helpful in reducing the risks related to DoS attacks. + +This requirement +addresses concurrent sessions for information system accounts and does not address +concurrent sessions by single users via multiple system accounts. The maximum number of +concurrent sessions should be defined based upon mission needs and the operational environment for each system. " - desc "check", "Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all -accounts and/or account types by running the following command: - -$ grep maxlogins -/etc/security/limits.conf | grep -v '^* hard maxlogins' - -The result must contain the -following line: - -* hard maxlogins 10 - -If the \"maxlogins\" item is missing or the value is not + desc 'check', "Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all +accounts and/or account types by running the following command: + +$ grep maxlogins +/etc/security/limits.conf | grep -v '^* hard maxlogins' + +The result must contain the +following line: + +* hard maxlogins 10 + +If the \"maxlogins\" item is missing or the value is not set to 10 or less or is commented out, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all -accounts and/or account types. - -Add the following line to the top of the -\"/etc/security/limits.conf\" file: - + desc 'fix', "Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all +accounts and/or account types. + +Add the following line to the top of the +\"/etc/security/limits.conf\" file: + * hard maxlogins 10 " impact 0.3 - tag severity: "low " - tag gtitle: "SRG-OS-000027-GPOS-00008 " - tag gid: "V-238323 " - tag rid: "SV-238323r654144_rule " - tag stig_id: "UBTU-20-010400 " - tag fix_id: "F-41492r654143_fix " - tag cci: ["CCI-000054"] - tag nist: ["AC-10"] + tag severity: 'low ' + tag gtitle: 'SRG-OS-000027-GPOS-00008 ' + tag gid: 'V-238323 ' + tag rid: 'SV-238323r654144_rule ' + tag stig_id: 'UBTU-20-010400 ' + tag fix_id: 'F-41492r654143_fix ' + tag cci: ['CCI-000054'] + tag nist: ['AC-10'] describe limits_conf do its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] } end -end \ No newline at end of file +end diff --git a/controls/SV-238324.rb b/controls/SV-238324.rb index 4f5c4c1..96d72e8 100644 --- a/controls/SV-238324.rb +++ b/controls/SV-238324.rb @@ -1,59 +1,57 @@ -# encoding: UTF-8 +control 'SV-238324' do + title 'The Ubuntu operating system must monitor remote access methods. ' + desc "Remote access services, such as those providing remote access to network devices and +information systems, which lack automated monitoring capabilities, increase risk and make +remote user access management difficult at best. -control "SV-238324" do - title "The Ubuntu operating system must monitor remote access methods. " - desc "Remote access services, such as those providing remote access to network devices and -information systems, which lack automated monitoring capabilities, increase risk and make -remote user access management difficult at best. - -Remote access is access to DoD nonpublic -information systems by an authorized user (or an information system) communicating through -an external, non-organization-controlled network. Remote access methods include, for -example, dial-up, broadband, and wireless. - -Automated monitoring of remote access -sessions allows organizations to detect cyber attacks and also ensure ongoing compliance -with remote access policies by auditing connection activities of remote access -capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system +Remote access is access to DoD nonpublic +information systems by an authorized user (or an information system) communicating through +an external, non-organization-controlled network. Remote access methods include, for +example, dial-up, broadband, and wireless. + +Automated monitoring of remote access +sessions allows organizations to detect cyber attacks and also ensure ongoing compliance +with remote access policies by auditing connection activities of remote access +capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). " - desc "check", "Verify that the Ubuntu operating system monitors all remote access methods. - -Check that -remote access methods are being logged by running the following command: - -$ grep -E -r -'^(auth,authpriv\\.\\*|daemon\\.\\*)' /etc/rsyslog.* + desc 'check', "Verify that the Ubuntu operating system monitors all remote access methods. + +Check that +remote access methods are being logged by running the following command: + +$ grep -E -r +'^(auth,authpriv\\.\\*|daemon\\.\\*)' /etc/rsyslog.* + +/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log -/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log +/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages -/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages - -If \"auth.*\", -\"authpriv.*\", or \"daemon.*\" are not configured to be logged in at least one of the config +If \"auth.*\", +\"authpriv.*\", or \"daemon.*\" are not configured to be logged in at least one of the config files, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to monitor all remote access methods by adding the -following lines to the \"/etc/rsyslog.d/50-default.conf\" file: - -auth.*,authpriv.* -/var/log/secure -daemon.* /var/log/messages - -For the changes to take effect, restart the -\"rsyslog\" service with the following command: - + desc 'fix', "Configure the Ubuntu operating system to monitor all remote access methods by adding the +following lines to the \"/etc/rsyslog.d/50-default.conf\" file: + +auth.*,authpriv.* +/var/log/secure +daemon.* /var/log/messages + +For the changes to take effect, restart the +\"rsyslog\" service with the following command: + $ sudo systemctl restart rsyslog.service " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000032-GPOS-00013 " - tag gid: "V-238324 " - tag rid: "SV-238324r832959_rule " - tag stig_id: "UBTU-20-010403 " - tag fix_id: "F-41493r832958_fix " - tag cci: ["CCI-000067"] - tag nist: ["AC-17 (1)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000032-GPOS-00013 ' + tag gid: 'V-238324 ' + tag rid: 'SV-238324r832959_rule ' + tag stig_id: 'UBTU-20-010403 ' + tag fix_id: 'F-41493r832958_fix ' + tag cci: ['CCI-000067'] + tag nist: ['AC-17 (1)'] options = { - assignment_regex: /^\s*([^:]*?)\s*\t\s*(.*?)\s*$/ + assignment_regex: /^\s*([^:]*?)\s*\t\s*(.*?)\s*$/, } config_file = input('rsyslog_config_file') auth_setting = parse_config_file(config_file, options).params['auth,authpriv.*'] @@ -66,4 +64,4 @@ it { should_not be_nil } it { should_not be_empty } end -end \ No newline at end of file +end diff --git a/controls/SV-238325.rb b/controls/SV-238325.rb index 2727e23..7b83fd1 100644 --- a/controls/SV-238325.rb +++ b/controls/SV-238325.rb @@ -1,42 +1,40 @@ -# encoding: UTF-8 - -control "SV-238325" do - title "The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved +control 'SV-238325' do + title "The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm. " - desc "Passwords need to be protected at all times, and encryption is the standard method for -protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear + desc "Passwords need to be protected at all times, and encryption is the standard method for +protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. " - desc "check", "Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS -140-2 approved cryptographic hashing algorithm. - -Check the hashing algorithm that is -being used to hash passwords with the following command: - -$ cat /etc/login.defs | grep -i -encrypt_method - -ENCRYPT_METHOD SHA512 - -If \"ENCRYPT_METHOD\" does not equal SHA512 or + desc 'check', "Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS +140-2 approved cryptographic hashing algorithm. + +Check the hashing algorithm that is +being used to hash passwords with the following command: + +$ cat /etc/login.defs | grep -i +encrypt_method + +ENCRYPT_METHOD SHA512 + +If \"ENCRYPT_METHOD\" does not equal SHA512 or greater, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to encrypt all stored passwords. - -Edit/modify the -following line in the \"/etc/login.defs\" file and set \"ENCRYPT_METHOD\" to SHA512: - + desc 'fix', "Configure the Ubuntu operating system to encrypt all stored passwords. + +Edit/modify the +following line in the \"/etc/login.defs\" file and set \"ENCRYPT_METHOD\" to SHA512: + ENCRYPT_METHOD SHA512 " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000120-GPOS-00061 " - tag gid: "V-238325 " - tag rid: "SV-238325r654150_rule " - tag stig_id: "UBTU-20-010404 " - tag fix_id: "F-41494r654149_fix " - tag cci: ["CCI-000803"] - tag nist: ["IA-7"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000120-GPOS-00061 ' + tag gid: 'V-238325 ' + tag rid: 'SV-238325r654150_rule ' + tag stig_id: 'UBTU-20-010404 ' + tag fix_id: 'F-41494r654149_fix ' + tag cci: ['CCI-000803'] + tag nist: ['IA-7'] describe login_defs do its('ENCRYPT_METHOD') { should eq 'SHA512' } end -end \ No newline at end of file +end diff --git a/controls/SV-238326.rb b/controls/SV-238326.rb index 8e3dfc2..cf82c33 100644 --- a/controls/SV-238326.rb +++ b/controls/SV-238326.rb @@ -1,31 +1,29 @@ -# encoding: UTF-8 - -control "SV-238326" do - title "The Ubuntu operating system must not have the telnet package installed. " - desc "Passwords need to be protected at all times, and encryption is the standard method for -protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear +control 'SV-238326' do + title 'The Ubuntu operating system must not have the telnet package installed. ' + desc "Passwords need to be protected at all times, and encryption is the standard method for +protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. " - desc "check", "Verify that the telnet package is not installed on the Ubuntu operating system by running the -following command: - -$ dpkg -l | grep telnetd - + desc 'check', "Verify that the telnet package is not installed on the Ubuntu operating system by running the +following command: + +$ dpkg -l | grep telnetd + If the package is installed, this is a finding. " - desc "fix", "Remove the telnet package from the Ubuntu operating system by running the following command: + desc 'fix', "Remove the telnet package from the Ubuntu operating system by running the following command: + - $ sudo apt-get remove telnetd " impact 0.7 - tag severity: "high " - tag gtitle: "SRG-OS-000074-GPOS-00042 " - tag gid: "V-238326 " - tag rid: "SV-238326r654153_rule " - tag stig_id: "UBTU-20-010405 " - tag fix_id: "F-41495r654152_fix " - tag cci: ["CCI-000197"] - tag nist: ["IA-5 (1) (c)"] + tag severity: 'high ' + tag gtitle: 'SRG-OS-000074-GPOS-00042 ' + tag gid: 'V-238326 ' + tag rid: 'SV-238326r654153_rule ' + tag stig_id: 'UBTU-20-010405 ' + tag fix_id: 'F-41495r654152_fix ' + tag cci: ['CCI-000197'] + tag nist: ['IA-5 (1) (c)'] describe package('telnetd') do it { should_not be_installed } end -end \ No newline at end of file +end diff --git a/controls/SV-238327.rb b/controls/SV-238327.rb index b142030..8d603ce 100644 --- a/controls/SV-238327.rb +++ b/controls/SV-238327.rb @@ -1,43 +1,41 @@ -# encoding: UTF-8 +control 'SV-238327' do + title 'The Ubuntu operating system must not have the rsh-server package installed. ' + desc "It is detrimental for operating systems to provide, or install by default, functionality +exceeding requirements or mission objectives. These unnecessary capabilities or services +are often overlooked and therefore may remain unsecured. They increase the risk to the +platform by providing additional attack vectors. -control "SV-238327" do - title "The Ubuntu operating system must not have the rsh-server package installed. " - desc "It is detrimental for operating systems to provide, or install by default, functionality -exceeding requirements or mission objectives. These unnecessary capabilities or services -are often overlooked and therefore may remain unsecured. They increase the risk to the -platform by providing additional attack vectors. - -Operating systems are capable of -providing a wide variety of functions and services. Some of the functions and services, -provided by default, may not be necessary to support essential organizational operations -(e.g., key missions, functions). - -Examples of non-essential capabilities include, but -are not limited to, games, software packages, tools, and demonstration software, not -related to requirements or providing a wide array of functionality not required for every +Operating systems are capable of +providing a wide variety of functions and services. Some of the functions and services, +provided by default, may not be necessary to support essential organizational operations +(e.g., key missions, functions). + +Examples of non-essential capabilities include, but +are not limited to, games, software packages, tools, and demonstration software, not +related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. " - desc "check", "Verify the rsh-server package is installed with the following command: - -$ dpkg -l | grep -rsh-server - + desc 'check', "Verify the rsh-server package is installed with the following command: + +$ dpkg -l | grep +rsh-server + If the rsh-server package is installed, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to disable non-essential capabilities by removing -the rsh-server package from the system with the following command: - -$ sudo apt-get remove + desc 'fix', "Configure the Ubuntu operating system to disable non-essential capabilities by removing +the rsh-server package from the system with the following command: + +$ sudo apt-get remove rsh-server " impact 0.7 - tag severity: "high " - tag gtitle: "SRG-OS-000095-GPOS-00049 " - tag gid: "V-238327 " - tag rid: "SV-238327r654156_rule " - tag stig_id: "UBTU-20-010406 " - tag fix_id: "F-41496r654155_fix " - tag cci: ["CCI-000381"] - tag nist: ["CM-7 a"] + tag severity: 'high ' + tag gtitle: 'SRG-OS-000095-GPOS-00049 ' + tag gid: 'V-238327 ' + tag rid: 'SV-238327r654156_rule ' + tag stig_id: 'UBTU-20-010406 ' + tag fix_id: 'F-41496r654155_fix ' + tag cci: ['CCI-000381'] + tag nist: ['CM-7 a'] describe package('rsh-server') do it { should_not be_installed } end -end \ No newline at end of file +end diff --git a/controls/SV-238328.rb b/controls/SV-238328.rb index 7c75714..dd45d0e 100644 --- a/controls/SV-238328.rb +++ b/controls/SV-238328.rb @@ -1,84 +1,82 @@ -# encoding: UTF-8 - -control "SV-238328" do - title "The Ubuntu operating system must be configured to prohibit or restrict the use of functions, -ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability +control 'SV-238328' do + title "The Ubuntu operating system must be configured to prohibit or restrict the use of functions, +ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. " - desc "In order to prevent unauthorized connection of devices, unauthorized transfer of -information, or unauthorized tunneling (i.e., embedding of data types within data types), -organizations must disable or restrict unused or unnecessary physical and logical -ports/protocols on information systems. - -Operating systems are capable of providing a -wide variety of functions and services. Some of the functions and services provided by -default may not be necessary to support essential organizational operations. -Additionally, it is sometimes convenient to provide multiple services from a single -component (e.g., VPN and IPS); however, doing so increases risk over limiting the services -provided by any one component. - -To support the requirements and principles of least -functionality, the operating system must support the organizational requirements, -providing only essential capabilities and limiting the use of ports, protocols, and/or -services to only those required, authorized, and approved to conduct official business or to + desc "In order to prevent unauthorized connection of devices, unauthorized transfer of +information, or unauthorized tunneling (i.e., embedding of data types within data types), +organizations must disable or restrict unused or unnecessary physical and logical +ports/protocols on information systems. + +Operating systems are capable of providing a +wide variety of functions and services. Some of the functions and services provided by +default may not be necessary to support essential organizational operations. +Additionally, it is sometimes convenient to provide multiple services from a single +component (e.g., VPN and IPS); however, doing so increases risk over limiting the services +provided by any one component. + +To support the requirements and principles of least +functionality, the operating system must support the organizational requirements, +providing only essential capabilities and limiting the use of ports, protocols, and/or +services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. " - desc "check", "Verify the Ubuntu operating system is configured to prohibit or restrict the use of -functions, ports, protocols, and/or services as defined in the Ports, Protocols, and -Services Management (PPSM) Category Assignments List (CAL) and vulnerability -assessments. - -Check the firewall configuration for any unnecessary or prohibited -functions, ports, protocols, and/or services by running the following command: - -$ sudo ufw -show raw - -Chain OUTPUT (policy ACCEPT) -target prot opt sources destination -Chain INPUT -(policy ACCEPT 1 packets, 40 bytes) - pkts bytes target prot opt in out source destination - - -Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) - pkts bytes target prot opt in out source -destination - -Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) - pkts bytes target prot opt in -out source destination - + desc 'check', "Verify the Ubuntu operating system is configured to prohibit or restrict the use of +functions, ports, protocols, and/or services as defined in the Ports, Protocols, and +Services Management (PPSM) Category Assignments List (CAL) and vulnerability +assessments. + +Check the firewall configuration for any unnecessary or prohibited +functions, ports, protocols, and/or services by running the following command: + +$ sudo ufw +show raw + +Chain OUTPUT (policy ACCEPT) +target prot opt sources destination +Chain INPUT +(policy ACCEPT 1 packets, 40 bytes) + pkts bytes target prot opt in out source destination + + +Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source +destination + +Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in +out source destination + Ask the System Administrator - for the site or program PPSM CLSA. -Verify the services allowed by the firewall match the PPSM CLSA. - -If there are any additional -ports, protocols, or services that are not included in the PPSM CLSA, this is a finding. - -If -there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a + for the site or program PPSM CLSA. +Verify the services allowed by the firewall match the PPSM CLSA. + +If there are any additional +ports, protocols, or services that are not included in the PPSM CLSA, this is a finding. + +If +there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding. " - desc "fix", "Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command: - - -$ sudo ufw allow <direction> <port/protocol/service> - -where the -direction is \"in\" or \"out\" and the port is the one corresponding to the protocol or service -allowed. - -To deny access to ports, protocols, or services, use: - -$ sudo ufw deny + desc 'fix', "Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command: + + +$ sudo ufw allow <direction> <port/protocol/service> + +where the +direction is \"in\" or \"out\" and the port is the one corresponding to the protocol or service +allowed. + +To deny access to ports, protocols, or services, use: + +$ sudo ufw deny <direction> <port/protocol/service> " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000096-GPOS-00050 " - tag gid: "V-238328 " - tag rid: "SV-238328r654159_rule " - tag stig_id: "UBTU-20-010407 " - tag fix_id: "F-41497r654158_fix " - tag cci: ["CCI-000382"] - tag nist: ["CM-7 b"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000096-GPOS-00050 ' + tag gid: 'V-238328 ' + tag rid: 'SV-238328r654159_rule ' + tag stig_id: 'UBTU-20-010407 ' + tag fix_id: 'F-41497r654158_fix ' + tag cci: ['CCI-000382'] + tag nist: ['CM-7 b'] ufw_status = command('ufw status').stdout.strip.lines.first value = ufw_status.split(':')[1].strip @@ -90,4 +88,4 @@ describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do skip 'Status listings checks must be preformed manually' end -end \ No newline at end of file +end diff --git a/controls/SV-238329.rb b/controls/SV-238329.rb index 03ff33a..346a80c 100644 --- a/controls/SV-238329.rb +++ b/controls/SV-238329.rb @@ -1,60 +1,58 @@ -# encoding: UTF-8 - -control "SV-238329" do - title "The Ubuntu operating system must prevent direct login into the root account. " - desc "To assure individual accountability and prevent unauthorized access, organizational -users must be individually identified and authenticated. - -A group authenticator is a -generic account used by multiple individuals. Use of a group authenticator alone does not -uniquely identify individual users. Examples of the group authenticator is the UNIX OS -\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\" -account. - -For example, the UNIX and Windows operating systems offer a 'switch user' -capability allowing users to authenticate with their individual credentials and, when -needed, 'switch' to the administrator role. This method provides for unique individual -authentication prior to using a group authenticator. - -Users (and any processes acting on -behalf of users) need to be uniquely identified and authenticated for all accesses other than -those accesses explicitly identified and documented by the organization, which outlines -specific user actions that can be performed on the operating system without identification -or authentication. - -Requiring individuals to be authenticated with an individual -authenticator prior to using a group authenticator allows for traceability of actions, as -well as adding an additional level of protection of the actions that can be taken with group +control 'SV-238329' do + title 'The Ubuntu operating system must prevent direct login into the root account. ' + desc "To assure individual accountability and prevent unauthorized access, organizational +users must be individually identified and authenticated. + +A group authenticator is a +generic account used by multiple individuals. Use of a group authenticator alone does not +uniquely identify individual users. Examples of the group authenticator is the UNIX OS +\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\" +account. + +For example, the UNIX and Windows operating systems offer a 'switch user' +capability allowing users to authenticate with their individual credentials and, when +needed, 'switch' to the administrator role. This method provides for unique individual +authentication prior to using a group authenticator. + +Users (and any processes acting on +behalf of users) need to be uniquely identified and authenticated for all accesses other than +those accesses explicitly identified and documented by the organization, which outlines +specific user actions that can be performed on the operating system without identification +or authentication. + +Requiring individuals to be authenticated with an individual +authenticator prior to using a group authenticator allows for traceability of actions, as +well as adding an additional level of protection of the actions that can be taken with group account knowledge. " - desc "check", "Verify the Ubuntu operating system prevents direct logins to the root account with the -following command: - -$ sudo passwd -S root - -root L 04/23/2020 0 99999 7 -1 - -If the output does + desc 'check', "Verify the Ubuntu operating system prevents direct logins to the root account with the +following command: + +$ sudo passwd -S root + +root L 04/23/2020 0 99999 7 -1 + +If the output does not contain \"L\" in the second field to indicate the account is locked, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to prevent direct logins to the root account by -performing the following operations: - + desc 'fix', "Configure the Ubuntu operating system to prevent direct logins to the root account by +performing the following operations: + $ sudo passwd -l root " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000109-GPOS-00056 " - tag gid: "V-238329 " - tag rid: "SV-238329r654162_rule " - tag stig_id: "UBTU-20-010408 " - tag fix_id: "F-41498r654161_fix " - tag cci: ["CCI-000770"] - tag nist: ["IA-2 (5)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000109-GPOS-00056 ' + tag gid: 'V-238329 ' + tag rid: 'SV-238329r654162_rule ' + tag stig_id: 'UBTU-20-010408 ' + tag fix_id: 'F-41498r654161_fix ' + tag cci: ['CCI-000770'] + tag nist: ['IA-2 (5)'] describe.one do describe shadow.where(user: 'root') do its('passwords.uniq.first') { should eq '!*' } end end - describe command("passwd -S root").stdout.strip do + describe command('passwd -S root').stdout.strip do it { should match /^root\s+L\s+.*$/ } end -end \ No newline at end of file +end diff --git a/controls/SV-238330.rb b/controls/SV-238330.rb index e4f9a6b..e7673b5 100644 --- a/controls/SV-238330.rb +++ b/controls/SV-238330.rb @@ -1,48 +1,46 @@ -# encoding: UTF-8 - -control "SV-238330" do - title "The Ubuntu operating system must disable account identifiers (individuals, groups, roles, +control 'SV-238330' do + title "The Ubuntu operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. " - desc "Inactive identifiers pose a risk to systems and applications because attackers may exploit -an inactive identifier and potentially obtain undetected access to the system. Owners of -inactive accounts will not notice if unauthorized access to their user account has been -obtained. - -Operating systems need to track periods of inactivity and disable application + desc "Inactive identifiers pose a risk to systems and applications because attackers may exploit +an inactive identifier and potentially obtain undetected access to the system. Owners of +inactive accounts will not notice if unauthorized access to their user account has been +obtained. + +Operating systems need to track periods of inactivity and disable application identifiers after 35 days of inactivity. " - desc "check", "Verify the account identifiers (individuals, groups, roles, and devices) are disabled -after 35 days of inactivity with the following command: - -Check the account inactivity value -by performing the following command: - -$ sudo grep INACTIVE /etc/default/useradd - - -INACTIVE=35 - -If \"INACTIVE\" is not set to a value 0<[VALUE]<=35, or is commented out, + desc 'check', "Verify the account identifiers (individuals, groups, roles, and devices) are disabled +after 35 days of inactivity with the following command: + +Check the account inactivity value +by performing the following command: + +$ sudo grep INACTIVE /etc/default/useradd + + +INACTIVE=35 + +If \"INACTIVE\" is not set to a value 0<[VALUE]<=35, or is commented out, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to disable account identifiers after 35 days of -inactivity after the password expiration. - -Run the following command to change the -configuration for adduser: - -$ sudo useradd -D -f 35 - -Note: DoD recommendation is 35 days, -but a lower value is acceptable. The value \"0\" will disable the account immediately after the + desc 'fix', "Configure the Ubuntu operating system to disable account identifiers after 35 days of +inactivity after the password expiration. + +Run the following command to change the +configuration for adduser: + +$ sudo useradd -D -f 35 + +Note: DoD recommendation is 35 days, +but a lower value is acceptable. The value \"0\" will disable the account immediately after the password expires. " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000118-GPOS-00060 " - tag gid: "V-238330 " - tag rid: "SV-238330r654165_rule " - tag stig_id: "UBTU-20-010409 " - tag fix_id: "F-41499r654164_fix " - tag cci: ["CCI-000795"] - tag nist: ["IA-4 e"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000118-GPOS-00060 ' + tag gid: 'V-238330 ' + tag rid: 'SV-238330r654165_rule ' + tag stig_id: 'UBTU-20-010409 ' + tag fix_id: 'F-41499r654164_fix ' + tag cci: ['CCI-000795'] + tag nist: ['IA-4 e'] config_file = input('useradd_config_file') config_file_exists = file(config_file).exist? @@ -53,9 +51,9 @@ its('INACTIVE') { should cmp <= 35 } end else - describe (config_file + ' exists') do + describe(config_file + ' exists') do subject { config_file_exists } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238331.rb b/controls/SV-238331.rb index cec089e..c8da489 100644 --- a/controls/SV-238331.rb +++ b/controls/SV-238331.rb @@ -1,52 +1,50 @@ -# encoding: UTF-8 - -control "SV-238331" do - title "The Ubuntu operating system must automatically remove or disable emergency accounts after +control 'SV-238331' do + title "The Ubuntu operating system must automatically remove or disable emergency accounts after 72 hours. " - desc "Emergency accounts are different from infrequently used accounts (i.e., local logon + desc "Emergency accounts are different from infrequently used accounts (i.e., local logon accounts used by the organization's System Administrator -s when network or normal -logon/access is not available). Infrequently used accounts are not subject to automatic -termination dates. Emergency accounts are accounts created in response to crisis -situations, usually for use by maintenance personnel. The automatic expiration or -disabling time period may be extended as needed until the crisis is resolved; however, it must -not be extended indefinitely. A permanent account should be established for privileged +s when network or normal +logon/access is not available). Infrequently used accounts are not subject to automatic +termination dates. Emergency accounts are accounts created in response to crisis +situations, usually for use by maintenance personnel. The automatic expiration or +disabling time period may be extended as needed until the crisis is resolved; however, it must +not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts. " - desc "check", "Verify the Ubuntu operating system expires emergency accounts within 72 hours or less. - -For -every emergency account, run the following command to obtain its account expiration -information: - -$ sudo chage -l account_name | grep expires - -Password expires : Aug 07, 2019 - -Account expires : Aug 07, 2019 - -Verify each of these accounts has an expiration date set -within 72 hours of account creation. - -If any of these accounts do not expire within 72 hours of + desc 'check', "Verify the Ubuntu operating system expires emergency accounts within 72 hours or less. + +For +every emergency account, run the following command to obtain its account expiration +information: + +$ sudo chage -l account_name | grep expires + +Password expires : Aug 07, 2019 + +Account expires : Aug 07, 2019 + +Verify each of these accounts has an expiration date set +within 72 hours of account creation. + +If any of these accounts do not expire within 72 hours of that account's creation, this is a finding. " - desc "fix", "If an emergency account must be created, configure the system to terminate the account after a -72-hour time period with the following command to set an expiration date on it. Substitute -\"account_name\" with the account to be created. - -$ sudo chage -E $(date -d \"+3 days\" +%F) + desc 'fix', "If an emergency account must be created, configure the system to terminate the account after a +72-hour time period with the following command to set an expiration date on it. Substitute +\"account_name\" with the account to be created. + +$ sudo chage -E $(date -d \"+3 days\" +%F) account_name " impact 0.3 - tag severity: "low " - tag gtitle: "SRG-OS-000123-GPOS-00064 " - tag gid: "V-238331 " - tag rid: "SV-238331r654168_rule " - tag stig_id: "UBTU-20-010410 " - tag fix_id: "F-41500r654167_fix " - tag cci: ["CCI-001682"] - tag nist: ["AC-2 (2)"] + tag severity: 'low ' + tag gtitle: 'SRG-OS-000123-GPOS-00064 ' + tag gid: 'V-238331 ' + tag rid: 'SV-238331r654168_rule ' + tag stig_id: 'UBTU-20-010410 ' + tag fix_id: 'F-41500r654167_fix ' + tag cci: ['CCI-001682'] + tag nist: ['AC-2 (2)'] describe 'Manual verification required' do skip 'Manually verify if emergency account must be created the system must terminate the account after a 72 hour time period.' end -end \ No newline at end of file +end diff --git a/controls/SV-238332.rb b/controls/SV-238332.rb index fa60ed2..2949698 100644 --- a/controls/SV-238332.rb +++ b/controls/SV-238332.rb @@ -1,51 +1,49 @@ -# encoding: UTF-8 - -control "SV-238332" do - title "The Ubuntu operating system must set a sticky bit on all public directories to prevent +control 'SV-238332' do + title "The Ubuntu operating system must set a sticky bit on all public directories to prevent unauthorized and unintended information transferred via shared system resources. " - desc "Preventing unauthorized information transfers mitigates the risk of information, -including encrypted representations of information, produced by the actions of prior -users/roles (or the actions of processes acting on behalf of prior users/roles) from being -available to any current users/roles (or current processes) that obtain access to shared -system resources (e.g., registers, main memory, hard disks) after those resources have been -released back to information systems. The control of information in shared resources is also -commonly referred to as object reuse and residual information protection. - -This -requirement generally applies to the design of an information technology product, but it can -also apply to the configuration of particular information system components that are, or -use, such products. This can be verified by acceptance/validation processes in DoD or other -government agencies. - -There may be shared resources with configurable protections (e.g., + desc "Preventing unauthorized information transfers mitigates the risk of information, +including encrypted representations of information, produced by the actions of prior +users/roles (or the actions of processes acting on behalf of prior users/roles) from being +available to any current users/roles (or current processes) that obtain access to shared +system resources (e.g., registers, main memory, hard disks) after those resources have been +released back to information systems. The control of information in shared resources is also +commonly referred to as object reuse and residual information protection. + +This +requirement generally applies to the design of an information technology product, but it can +also apply to the configuration of particular information system components that are, or +use, such products. This can be verified by acceptance/validation processes in DoD or other +government agencies. + +There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. " - desc "check", "Verify that all public (world-writeable) directories have the public sticky bit set. - -Find -world-writable directories that lack the sticky bit by running the following command: - -$ -sudo find / -type d -perm -002 ! -perm -1000 - -If any world-writable directories are found + desc 'check', "Verify that all public (world-writeable) directories have the public sticky bit set. + +Find +world-writable directories that lack the sticky bit by running the following command: + +$ +sudo find / -type d -perm -002 ! -perm -1000 + +If any world-writable directories are found missing the sticky bit, this is a finding. " - desc "fix", "Configure all public directories to have the sticky bit set to prevent unauthorized and -unintended information transferred via shared system resources. - -Set the sticky bit on all -public directories using the following command, replacing \"[Public Directory]\" with any -directory path missing the sticky bit: - + desc 'fix', "Configure all public directories to have the sticky bit set to prevent unauthorized and +unintended information transferred via shared system resources. + +Set the sticky bit on all +public directories using the following command, replacing \"[Public Directory]\" with any +directory path missing the sticky bit: + $ sudo chmod +t [Public Directory] " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000138-GPOS-00069 " - tag gid: "V-238332 " - tag rid: "SV-238332r654171_rule " - tag stig_id: "UBTU-20-010411 " - tag fix_id: "F-41501r654170_fix " - tag cci: ["CCI-001090"] - tag nist: ["SC-4"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000138-GPOS-00069 ' + tag gid: 'V-238332 ' + tag rid: 'SV-238332r654171_rule ' + tag stig_id: 'UBTU-20-010411 ' + tag fix_id: 'F-41501r654170_fix ' + tag cci: ['CCI-001090'] + tag nist: ['SC-4'] lines = command('find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null').stdout.strip.split("\n").entries if lines.count > 0 @@ -61,4 +59,4 @@ its('count') { should eq 0 } end end -end \ No newline at end of file +end diff --git a/controls/SV-238333.rb b/controls/SV-238333.rb index 8a86d13..2c3f0e0 100644 --- a/controls/SV-238333.rb +++ b/controls/SV-238333.rb @@ -1,55 +1,53 @@ -# encoding: UTF-8 +control 'SV-238333' do + title 'The Ubuntu operating system must be configured to use TCP syncookies. ' + desc "DoS is a condition when a resource is not available for legitimate users. When this occurs, the +organization either cannot accomplish its mission or must operate at degraded capacity. -control "SV-238333" do - title "The Ubuntu operating system must be configured to use TCP syncookies. " - desc "DoS is a condition when a resource is not available for legitimate users. When this occurs, the -organization either cannot accomplish its mission or must operate at degraded capacity. - -Managing excess capacity ensures that sufficient capacity is available to counter -flooding attacks. Employing increased capacity and service redundancy may reduce the -susceptibility to some DoS attacks. Managing excess capacity may include, for example, +Managing excess capacity ensures that sufficient capacity is available to counter +flooding attacks. Employing increased capacity and service redundancy may reduce the +susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. " - desc "check", "Verify the Ubuntu operating system is configured to use TCP syncookies. - -Check the value of -TCP syncookies with the following command: - -$ sysctl net.ipv4.tcp_syncookies - -net.ipv4.tcp_syncookies = 1 - -If the value is not \"1\", this is a finding. - -Check the saved -value of TCP syncookies with the following command: - -$ sudo grep -i -net.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#' - -If no output is + desc 'check', "Verify the Ubuntu operating system is configured to use TCP syncookies. + +Check the value of +TCP syncookies with the following command: + +$ sysctl net.ipv4.tcp_syncookies + +net.ipv4.tcp_syncookies = 1 + +If the value is not \"1\", this is a finding. + +Check the saved +value of TCP syncookies with the following command: + +$ sudo grep -i +net.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#' + +If no output is returned, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to use TCP syncookies by running the following -command: - -$ sudo sysctl -w net.ipv4.tcp_syncookies=1 - -If \"1\" is not the system's default -value, add or update the following line in \"/etc/sysctl.conf\": - -net.ipv4.tcp_syncookies + desc 'fix', "Configure the Ubuntu operating system to use TCP syncookies by running the following +command: + +$ sudo sysctl -w net.ipv4.tcp_syncookies=1 + +If \"1\" is not the system's default +value, add or update the following line in \"/etc/sysctl.conf\": + +net.ipv4.tcp_syncookies = 1 " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000142-GPOS-00071 " - tag gid: "V-238333 " - tag rid: "SV-238333r654174_rule " - tag stig_id: "UBTU-20-010412 " - tag fix_id: "F-41502r654173_fix " - tag cci: ["CCI-001095"] - tag nist: ["SC-5 (2)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000142-GPOS-00071 ' + tag gid: 'V-238333 ' + tag rid: 'SV-238333r654174_rule ' + tag stig_id: 'UBTU-20-010412 ' + tag fix_id: 'F-41502r654173_fix ' + tag cci: ['CCI-001095'] + tag nist: ['SC-5 (2)'] describe kernel_parameter('net.ipv4.tcp_syncookies') do its('value') { should cmp 1 } end -end \ No newline at end of file +end diff --git a/controls/SV-238334.rb b/controls/SV-238334.rb index aa83f9e..b8609d4 100644 --- a/controls/SV-238334.rb +++ b/controls/SV-238334.rb @@ -1,40 +1,38 @@ -# encoding: UTF-8 - -control "SV-238334" do - title "The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state +control 'SV-238334' do + title "The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state if system initialization fails, shutdown fails or aborts fail. " - desc "Kernel core dumps may contain the full contents of system memory at the time of the crash. -Kernel core dumps may consume a considerable amount of disk space and may result in denial of + desc "Kernel core dumps may contain the full contents of system memory at the time of the crash. +Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. " - desc "check", "Verify that kernel core dumps are disabled unless needed. - -Check if \"kdump\" service is -active with the following command: - -$ systemctl is-active kdump.service -inactive - -If -the \"kdump\" service is active, ask the SA if the use of the service is required and documented -with the ISSO. - + desc 'check', "Verify that kernel core dumps are disabled unless needed. + +Check if \"kdump\" service is +active with the following command: + +$ systemctl is-active kdump.service +inactive + +If +the \"kdump\" service is active, ask the SA if the use of the service is required and documented +with the ISSO. + If the service is active and is not documented, this is a finding. " - desc "fix", "If kernel core dumps are not required, disable the \"kdump\" service with the following -command: - -$ sudo systemctl disable kdump.service - -If kernel core dumps are required, + desc 'fix', "If kernel core dumps are not required, disable the \"kdump\" service with the following +command: + +$ sudo systemctl disable kdump.service + +If kernel core dumps are required, document the need with the ISSO. " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000184-GPOS-00078 " - tag gid: "V-238334 " - tag rid: "SV-238334r654177_rule " - tag stig_id: "UBTU-20-010413 " - tag fix_id: "F-41503r654176_fix " - tag cci: ["CCI-001190"] - tag nist: ["SC-24"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000184-GPOS-00078 ' + tag gid: 'V-238334 ' + tag rid: 'SV-238334r654177_rule ' + tag stig_id: 'UBTU-20-010413 ' + tag fix_id: 'F-41503r654176_fix ' + tag cci: ['CCI-001190'] + tag nist: ['SC-24'] is_kdump_required = input('is_kdump_required') if is_kdump_required @@ -50,4 +48,4 @@ it { should_not be_running } end end -end \ No newline at end of file +end diff --git a/controls/SV-238335.rb b/controls/SV-238335.rb index 4081bf4..f4dd4b9 100644 --- a/controls/SV-238335.rb +++ b/controls/SV-238335.rb @@ -1,74 +1,72 @@ -# encoding: UTF-8 - -control "SV-238335" do - title "Ubuntu operating systems handling data requiring \"data at rest\" protections must employ -cryptographic mechanisms to prevent unauthorized disclosure and modification of the +control 'SV-238335' do + title "Ubuntu operating systems handling data requiring \"data at rest\" protections must employ +cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. " - desc "Information at rest refers to the state of information when it is located on a secondary -storage device (e.g., disk drive and tape drive, when used for backups) within an operating -system. - -This requirement addresses protection of user-generated data, as well as -operating system-specific configuration data. Organizations may choose to employ -different mechanisms to achieve confidentiality and integrity protections, as -appropriate, in accordance with the security category and/or classification of the + desc "Information at rest refers to the state of information when it is located on a secondary +storage device (e.g., disk drive and tape drive, when used for backups) within an operating +system. + +This requirement addresses protection of user-generated data, as well as +operating system-specific configuration data. Organizations may choose to employ +different mechanisms to achieve confidentiality and integrity protections, as +appropriate, in accordance with the security category and/or classification of the information. " - desc "check", "If there is a documented and approved reason for not having data-at-rest encryption, this -requirement is Not Applicable. - -Verify the Ubuntu operating system prevents unauthorized -disclosure or modification of all information requiring at-rest protection by using disk -encryption. - -Determine the partition layout for the system with the following command: - + desc 'check', "If there is a documented and approved reason for not having data-at-rest encryption, this +requirement is Not Applicable. + +Verify the Ubuntu operating system prevents unauthorized +disclosure or modification of all information requiring at-rest protection by using disk +encryption. + +Determine the partition layout for the system with the following command: + + +#sudo fdisk -l +(..) +Disk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors +Units: +sectors of 1 * 512 = 512 bytes +Sector size (logical/physical): 512 bytes / 512 bytes +I/O size +(minimum/optimal): 512 bytes / 512 bytes +Disklabel type: gpt +Disk identifier: +83298450-B4E3-4B19-A9E4-7DF147A5FEFB -#sudo fdisk -l -(..) -Disk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors -Units: -sectors of 1 * 512 = 512 bytes -Sector size (logical/physical): 512 bytes / 512 bytes -I/O size -(minimum/optimal): 512 bytes / 512 bytes -Disklabel type: gpt -Disk identifier: -83298450-B4E3-4B19-A9E4-7DF147A5FEFB - -Device Start End Sectors Size Type -/dev/vda1 -2048 4095 2048 1M BIOS boot -/dev/vda2 4096 2101247 2097152 1G Linux filesystem -/dev/vda3 -2101248 31455231 29353984 14G Linux filesystem -(...) - -Verify the system partitions are -all encrypted with the following command: - -# more /etc/crypttab - -Every persistent disk -partition present must have an entry in the file. - -If any partitions other than the boot +Device Start End Sectors Size Type +/dev/vda1 +2048 4095 2048 1M BIOS boot +/dev/vda2 4096 2101247 2097152 1G Linux filesystem +/dev/vda3 +2101248 31455231 29353984 14G Linux filesystem +(...) + +Verify the system partitions are +all encrypted with the following command: + +# more /etc/crypttab + +Every persistent disk +partition present must have an entry in the file. + +If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. " - desc "fix", "To encrypt an entire partition, dedicate a partition for encryption in the partition layout. + desc 'fix', "To encrypt an entire partition, dedicate a partition for encryption in the partition layout. + - -Note: Encrypting a partition in an already-installed system is more difficult because it +Note: Encrypting a partition in an already-installed system is more difficult because it will need to be resized and existing partitions changed. " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000185-GPOS-00079 " - tag gid: "V-238335 " - tag rid: "SV-238335r654180_rule " - tag stig_id: "UBTU-20-010414 " - tag fix_id: "F-41504r654179_fix " - tag cci: ["CCI-001199"] - tag nist: ["SC-28"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000185-GPOS-00079 ' + tag gid: 'V-238335 ' + tag rid: 'SV-238335r654180_rule ' + tag stig_id: 'UBTU-20-010414 ' + tag fix_id: 'F-41504r654179_fix ' + tag cci: ['CCI-001199'] + tag nist: ['SC-28'] describe 'Not Applicable' do skip 'Encryption of data at rest is handled by the IaaS' end -end \ No newline at end of file +end diff --git a/controls/SV-238336.rb b/controls/SV-238336.rb index 345d5ea..975a2b7 100644 --- a/controls/SV-238336.rb +++ b/controls/SV-238336.rb @@ -1,50 +1,48 @@ -# encoding: UTF-8 - -control "SV-238336" do - title "The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention +control 'SV-238336' do + title "The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention (ENSLTP). " - desc "Without the use of automated mechanisms to scan for security flaws on a continuous and/or -periodic basis, the operating system or other system components may remain vulnerable to the -exploits presented by undetected software flaws. - -To support this requirement, the -operating system may have an integrated solution incorporating continuous scanning using + desc "Without the use of automated mechanisms to scan for security flaws on a continuous and/or +periodic basis, the operating system or other system components may remain vulnerable to the +exploits presented by undetected software flaws. + +To support this requirement, the +operating system may have an integrated solution incorporating continuous scanning using HBSS and periodic scanning using other tools, as specified in the requirement. " - desc "check", "The Ubuntu operating system is not compliant with this requirement; hence, it is a finding. -However, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and -running. - -Check that the \"mcafeetp\" package has been installed: - -# dpkg -l | grep mcafeetp - - -If the \"mcafeetp\" package is not installed, this finding will remain as a CAT II. - -Check that -the daemon is running: - -# /opt/McAfee/ens/tp/init/mfetpd-control.sh status - -If the + desc 'check', "The Ubuntu operating system is not compliant with this requirement; hence, it is a finding. +However, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and +running. + +Check that the \"mcafeetp\" package has been installed: + +# dpkg -l | grep mcafeetp + + +If the \"mcafeetp\" package is not installed, this finding will remain as a CAT II. + +Check that +the daemon is running: + +# /opt/McAfee/ens/tp/init/mfetpd-control.sh status + +If the daemon is not running, this finding will remain as a CAT II. " - desc "fix", "The Ubuntu operating system is not compliant with this requirement; however, the severity + desc 'fix', "The Ubuntu operating system is not compliant with this requirement; however, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and running. -Configure +Configure the Ubuntu operating system to use ENSLTP. -Install the \"mcafeetp\" package via the ePO +Install the \"mcafeetp\" package via the ePO server. " impact 0.3 - tag severity: "low " - tag gtitle: "SRG-OS-000191-GPOS-00080 " - tag gid: "V-238336 " - tag rid: "SV-238336r858538_rule " - tag stig_id: "UBTU-20-010415 " - tag fix_id: "F-41505r858537_fix " - tag cci: ["CCI-001233"] - tag nist: ["SI-2 (2)"] + tag severity: 'low ' + tag gtitle: 'SRG-OS-000191-GPOS-00080 ' + tag gid: 'V-238336 ' + tag rid: 'SV-238336r858538_rule ' + tag stig_id: 'UBTU-20-010415 ' + tag fix_id: 'F-41505r858537_fix ' + tag cci: ['CCI-001233'] + tag nist: ['SI-2 (2)'] describe package('mfetp') do it { should be_installed } @@ -53,5 +51,4 @@ describe command('/opt/McAfee/ens/tp/init/mfetpd-control.sh status') do its('exit_status') { should cmp 0 } end - -end \ No newline at end of file +end diff --git a/controls/SV-238337.rb b/controls/SV-238337.rb index 8db11d2..48f4e2a 100644 --- a/controls/SV-238337.rb +++ b/controls/SV-238337.rb @@ -1,48 +1,46 @@ -# encoding: UTF-8 - -control "SV-238337" do - title "The Ubuntu operating system must generate error messages that provide information -necessary for corrective actions without revealing information that could be exploited by +control 'SV-238337' do + title "The Ubuntu operating system must generate error messages that provide information +necessary for corrective actions without revealing information that could be exploited by adversaries. " - desc "Any operating system providing too much information in error messages risks compromising -the data and security of the structure, and content of error messages needs to be carefully -considered by the organization. - -Organizations carefully consider the -structure/content of error messages. The extent to which information systems are able to -identify and handle error conditions is guided by organizational policy and operational -requirements. Information that could be exploited by adversaries includes, for example, -erroneous logon attempts with passwords entered by mistake as the username, -mission/business information that can be derived from (if not stated explicitly by) -information recorded, and personal information, such as account numbers, social security + desc "Any operating system providing too much information in error messages risks compromising +the data and security of the structure, and content of error messages needs to be carefully +considered by the organization. + +Organizations carefully consider the +structure/content of error messages. The extent to which information systems are able to +identify and handle error conditions is guided by organizational policy and operational +requirements. Information that could be exploited by adversaries includes, for example, +erroneous logon attempts with passwords entered by mistake as the username, +mission/business information that can be derived from (if not stated explicitly by) +information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers. " - desc "check", "Verify the Ubuntu operating system has all system log files under the \"/var/log\" directory -with a permission set to 640 or less permissive by using the following command: - -$ sudo find -/var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\; - -If the command displays any output, + desc 'check', "Verify the Ubuntu operating system has all system log files under the \"/var/log\" directory +with a permission set to 640 or less permissive by using the following command: + +$ sudo find +/var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\; + +If the command displays any output, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to set permissions of all log files under the -\"/var/log\" directory to 640 or more restricted by using the following command: - -$ sudo find + desc 'fix', "Configure the Ubuntu operating system to set permissions of all log files under the +\"/var/log\" directory to 640 or more restricted by using the following command: + +$ sudo find /var/log -perm /137 -type f -exec chmod 640 '{}' \\; " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000205-GPOS-00083 " - tag gid: "V-238337 " - tag rid: "SV-238337r654186_rule " - tag stig_id: "UBTU-20-010416 " - tag fix_id: "F-41506r654185_fix " - tag cci: ["CCI-001312"] - tag nist: ["SI-11 a"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000205-GPOS-00083 ' + tag gid: 'V-238337 ' + tag rid: 'SV-238337r654186_rule ' + tag stig_id: 'UBTU-20-010416 ' + tag fix_id: 'F-41506r654185_fix ' + tag cci: ['CCI-001312'] + tag nist: ['SI-11 a'] log_files = command('find /var/log -perm /137 -type f -exec stat -c "%n %a" {} \;').stdout.strip.split("\n").entries - describe "Number of log files found with a permission NOT set to 640" do + describe 'Number of log files found with a permission NOT set to 640' do subject { log_files } - its("count") { should eq 0 } + its('count') { should eq 0 } end -end \ No newline at end of file +end diff --git a/controls/SV-238338.rb b/controls/SV-238338.rb index 8e7f0fd..b8085c3 100644 --- a/controls/SV-238338.rb +++ b/controls/SV-238338.rb @@ -1,41 +1,39 @@ -# encoding: UTF-8 - -control "SV-238338" do - title "The Ubuntu operating system must configure the /var/log directory to be group-owned by +control 'SV-238338' do + title "The Ubuntu operating system must configure the /var/log directory to be group-owned by syslog. " - desc "Only authorized personnel should be aware of errors and the details of the errors. Error -messages are an indicator of an organization's operational state or can identify the -operating system or platform. Additionally, Personally Identifiable Information (PII) -and operational information must not be revealed through error messages to unauthorized -personnel or their designated representatives. - -The structure and content of error -messages must be carefully considered by the organization and development team. The extent -to which the information system is able to identify and handle error conditions is guided by + desc "Only authorized personnel should be aware of errors and the details of the errors. Error +messages are an indicator of an organization's operational state or can identify the +operating system or platform. Additionally, Personally Identifiable Information (PII) +and operational information must not be revealed through error messages to unauthorized +personnel or their designated representatives. + +The structure and content of error +messages must be carefully considered by the organization and development team. The extent +to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. " - desc "check", "Verify that the Ubuntu operating system configures the \"/var/log\" directory to be -group-owned by syslog with the following command: - -$ sudo stat -c \"%n %G\" /var/log -/var/log -syslog - + desc 'check', "Verify that the Ubuntu operating system configures the \"/var/log\" directory to be +group-owned by syslog with the following command: + +$ sudo stat -c \"%n %G\" /var/log +/var/log +syslog + If the \"/var/log\" directory is not group-owned by syslog, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to have syslog group-own the \"/var/log\" directory by -running the following command: - + desc 'fix', "Configure the Ubuntu operating system to have syslog group-own the \"/var/log\" directory by +running the following command: + $ sudo chgrp syslog /var/log " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000206-GPOS-00084 " - tag gid: "V-238338 " - tag rid: "SV-238338r654189_rule " - tag stig_id: "UBTU-20-010417 " - tag fix_id: "F-41507r654188_fix " - tag cci: ["CCI-001314"] - tag nist: ["SI-11 b"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000206-GPOS-00084 ' + tag gid: 'V-238338 ' + tag rid: 'SV-238338r654189_rule ' + tag stig_id: 'UBTU-20-010417 ' + tag fix_id: 'F-41507r654188_fix ' + tag cci: ['CCI-001314'] + tag nist: ['SI-11 b'] describe directory('/var/log') do its('group') { should cmp 'syslog' } end -end \ No newline at end of file +end diff --git a/controls/SV-238339.rb b/controls/SV-238339.rb index 1502859..29e3f73 100644 --- a/controls/SV-238339.rb +++ b/controls/SV-238339.rb @@ -1,40 +1,38 @@ -# encoding: UTF-8 +control 'SV-238339' do + title 'The Ubuntu operating system must configure the /var/log directory to be owned by root. ' + desc "Only authorized personnel should be aware of errors and the details of the errors. Error +messages are an indicator of an organization's operational state or can identify the +operating system or platform. Additionally, Personally Identifiable Information (PII) +and operational information must not be revealed through error messages to unauthorized +personnel or their designated representatives. -control "SV-238339" do - title "The Ubuntu operating system must configure the /var/log directory to be owned by root. " - desc "Only authorized personnel should be aware of errors and the details of the errors. Error -messages are an indicator of an organization's operational state or can identify the -operating system or platform. Additionally, Personally Identifiable Information (PII) -and operational information must not be revealed through error messages to unauthorized -personnel or their designated representatives. - -The structure and content of error -messages must be carefully considered by the organization and development team. The extent -to which the information system is able to identify and handle error conditions is guided by +The structure and content of error +messages must be carefully considered by the organization and development team. The extent +to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. " - desc "check", "Verify the Ubuntu operating system configures the \"/var/log\" directory to be owned by root -with the following command: - -$ sudo stat -c \"%n %U\" /var/log -/var/log root - -If the + desc 'check', "Verify the Ubuntu operating system configures the \"/var/log\" directory to be owned by root +with the following command: + +$ sudo stat -c \"%n %U\" /var/log +/var/log root + +If the \"/var/log\" directory is not owned by root, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to have root own the \"/var/log\" directory by running -the following command: - + desc 'fix', "Configure the Ubuntu operating system to have root own the \"/var/log\" directory by running +the following command: + $ sudo chown root /var/log " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000206-GPOS-00084 " - tag gid: "V-238339 " - tag rid: "SV-238339r654192_rule " - tag stig_id: "UBTU-20-010418 " - tag fix_id: "F-41508r654191_fix " - tag cci: ["CCI-001314"] - tag nist: ["SI-11 b"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000206-GPOS-00084 ' + tag gid: 'V-238339 ' + tag rid: 'SV-238339r654192_rule ' + tag stig_id: 'UBTU-20-010418 ' + tag fix_id: 'F-41508r654191_fix ' + tag cci: ['CCI-001314'] + tag nist: ['SI-11 b'] - describe directory("/var/log") do - its("owner") { should cmp "root" } + describe directory('/var/log') do + its('owner') { should cmp 'root' } end -end \ No newline at end of file +end diff --git a/controls/SV-238340.rb b/controls/SV-238340.rb index 6ca39bb..0521fe7 100644 --- a/controls/SV-238340.rb +++ b/controls/SV-238340.rb @@ -1,42 +1,40 @@ -# encoding: UTF-8 - -control "SV-238340" do - title "The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less +control 'SV-238340' do + title "The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less permissive. " - desc "Only authorized personnel should be aware of errors and the details of the errors. Error -messages are an indicator of an organization's operational state or can identify the -operating system or platform. Additionally, Personally Identifiable Information (PII) -and operational information must not be revealed through error messages to unauthorized -personnel or their designated representatives. - -The structure and content of error -messages must be carefully considered by the organization and development team. The extent -to which the information system is able to identify and handle error conditions is guided by + desc "Only authorized personnel should be aware of errors and the details of the errors. Error +messages are an indicator of an organization's operational state or can identify the +operating system or platform. Additionally, Personally Identifiable Information (PII) +and operational information must not be revealed through error messages to unauthorized +personnel or their designated representatives. + +The structure and content of error +messages must be carefully considered by the organization and development team. The extent +to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. " - desc "check", "Verify that the Ubuntu operating system configures the \"/var/log\" directory with a mode of -750 or less permissive with the following command: - -$ stat -c \"%n %a\" /var/log - -/var/log 750 + desc 'check', "Verify that the Ubuntu operating system configures the \"/var/log\" directory with a mode of +750 or less permissive with the following command: + +$ stat -c \"%n %a\" /var/log + +/var/log 750 + - If a value of \"750\" or less permissive is not returned, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to have permissions of 0750 for the \"/var/log\" -directory by running the following command: - + desc 'fix', "Configure the Ubuntu operating system to have permissions of 0750 for the \"/var/log\" +directory by running the following command: + $ sudo chmod 0750 /var/log " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000206-GPOS-00084 " - tag gid: "V-238340 " - tag rid: "SV-238340r654195_rule " - tag stig_id: "UBTU-20-010419 " - tag fix_id: "F-41509r654194_fix " - tag cci: ["CCI-001314"] - tag nist: ["SI-11 b"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000206-GPOS-00084 ' + tag gid: 'V-238340 ' + tag rid: 'SV-238340r654195_rule ' + tag stig_id: 'UBTU-20-010419 ' + tag fix_id: 'F-41509r654194_fix ' + tag cci: ['CCI-001314'] + tag nist: ['SI-11 b'] - describe directory("/var/log") do - it { should_not be_more_permissive_than("0750") } + describe directory('/var/log') do + it { should_not be_more_permissive_than('0750') } end -end \ No newline at end of file +end diff --git a/controls/SV-238341.rb b/controls/SV-238341.rb index 537027a..09b2b1f 100644 --- a/controls/SV-238341.rb +++ b/controls/SV-238341.rb @@ -1,42 +1,40 @@ -# encoding: UTF-8 - -control "SV-238341" do - title "The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by +control 'SV-238341' do + title "The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by adm. " - desc "Only authorized personnel should be aware of errors and the details of the errors. Error -messages are an indicator of an organization's operational state or can identify the -operating system or platform. Additionally, Personally Identifiable Information (PII) -and operational information must not be revealed through error messages to unauthorized -personnel or their designated representatives. - -The structure and content of error -messages must be carefully considered by the organization and development team. The extent -to which the information system is able to identify and handle error conditions is guided by + desc "Only authorized personnel should be aware of errors and the details of the errors. Error +messages are an indicator of an organization's operational state or can identify the +operating system or platform. Additionally, Personally Identifiable Information (PII) +and operational information must not be revealed through error messages to unauthorized +personnel or their designated representatives. + +The structure and content of error +messages must be carefully considered by the organization and development team. The extent +to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. " - desc "check", "Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be -group-owned by adm with the following command: - -$ sudo stat -c \"%n %G\" /var/log/syslog + desc 'check', "Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be +group-owned by adm with the following command: + +$ sudo stat -c \"%n %G\" /var/log/syslog -/var/log/syslog adm - -If the \"/var/log/syslog\" file is not group-owned by adm, this is a +/var/log/syslog adm + +If the \"/var/log/syslog\" file is not group-owned by adm, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to have adm group-own the \"/var/log/syslog\" file by -running the following command: - + desc 'fix', "Configure the Ubuntu operating system to have adm group-own the \"/var/log/syslog\" file by +running the following command: + $ sudo chgrp adm /var/log/syslog " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000206-GPOS-00084 " - tag gid: "V-238341 " - tag rid: "SV-238341r654198_rule " - tag stig_id: "UBTU-20-010420 " - tag fix_id: "F-41510r654197_fix " - tag cci: ["CCI-001314"] - tag nist: ["SI-11 b"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000206-GPOS-00084 ' + tag gid: 'V-238341 ' + tag rid: 'SV-238341r654198_rule ' + tag stig_id: 'UBTU-20-010420 ' + tag fix_id: 'F-41510r654197_fix ' + tag cci: ['CCI-001314'] + tag nist: ['SI-11 b'] describe file('/var/log/syslog') do its('group') { should cmp 'adm' } end -end \ No newline at end of file +end diff --git a/controls/SV-238342.rb b/controls/SV-238342.rb index e047d38..fbbe75b 100644 --- a/controls/SV-238342.rb +++ b/controls/SV-238342.rb @@ -1,41 +1,39 @@ -# encoding: UTF-8 +control 'SV-238342' do + title 'The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. ' + desc "Only authorized personnel should be aware of errors and the details of the errors. Error +messages are an indicator of an organization's operational state or can identify the +operating system or platform. Additionally, Personally Identifiable Information (PII) +and operational information must not be revealed through error messages to unauthorized +personnel or their designated representatives. -control "SV-238342" do - title "The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. " - desc "Only authorized personnel should be aware of errors and the details of the errors. Error -messages are an indicator of an organization's operational state or can identify the -operating system or platform. Additionally, Personally Identifiable Information (PII) -and operational information must not be revealed through error messages to unauthorized -personnel or their designated representatives. - -The structure and content of error -messages must be carefully considered by the organization and development team. The extent -to which the information system is able to identify and handle error conditions is guided by +The structure and content of error +messages must be carefully considered by the organization and development team. The extent +to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. " - desc "check", "Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be owned by -syslog with the following command: - -$ sudo stat -c \"%n %U\" /var/log/syslog + desc 'check', "Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be owned by +syslog with the following command: -/var/log/syslog syslog - -If the \"/var/log/syslog\" file is not owned by syslog, this is a +$ sudo stat -c \"%n %U\" /var/log/syslog + +/var/log/syslog syslog + +If the \"/var/log/syslog\" file is not owned by syslog, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to have syslog own the \"/var/log/syslog\" file by -running the following command: - + desc 'fix', "Configure the Ubuntu operating system to have syslog own the \"/var/log/syslog\" file by +running the following command: + $ sudo chown syslog /var/log/syslog " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000206-GPOS-00084 " - tag gid: "V-238342 " - tag rid: "SV-238342r654201_rule " - tag stig_id: "UBTU-20-010421 " - tag fix_id: "F-41511r654200_fix " - tag cci: ["CCI-001314"] - tag nist: ["SI-11 b"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000206-GPOS-00084 ' + tag gid: 'V-238342 ' + tag rid: 'SV-238342r654201_rule ' + tag stig_id: 'UBTU-20-010421 ' + tag fix_id: 'F-41511r654200_fix ' + tag cci: ['CCI-001314'] + tag nist: ['SI-11 b'] describe file('/var/log/syslog') do its('owner') { should cmp 'syslog' } end -end \ No newline at end of file +end diff --git a/controls/SV-238343.rb b/controls/SV-238343.rb index cc0fa15..4ed135d 100644 --- a/controls/SV-238343.rb +++ b/controls/SV-238343.rb @@ -1,43 +1,41 @@ -# encoding: UTF-8 - -control "SV-238343" do - title "The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less +control 'SV-238343' do + title "The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less permissive. " - desc "Only authorized personnel should be aware of errors and the details of the errors. Error -messages are an indicator of an organization's operational state or can identify the -operating system or platform. Additionally, Personally Identifiable Information (PII) -and operational information must not be revealed through error messages to unauthorized -personnel or their designated representatives. - -The structure and content of error -messages must be carefully considered by the organization and development team. The extent -to which the information system is able to identify and handle error conditions is guided by + desc "Only authorized personnel should be aware of errors and the details of the errors. Error +messages are an indicator of an organization's operational state or can identify the +operating system or platform. Additionally, Personally Identifiable Information (PII) +and operational information must not be revealed through error messages to unauthorized +personnel or their designated representatives. + +The structure and content of error +messages must be carefully considered by the organization and development team. The extent +to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. " - desc "check", "Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file with mode -0640 or less permissive by running the following command: - -$ sudo stat -c \"%n %a\" -/var/log/syslog - -/var/log/syslog 640 - -If a value of \"640\" or less permissive is not + desc 'check', "Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file with mode +0640 or less permissive by running the following command: + +$ sudo stat -c \"%n %a\" +/var/log/syslog + +/var/log/syslog 640 + +If a value of \"640\" or less permissive is not returned, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to have permissions of 0640 for the \"/var/log/syslog\" -file by running the following command: - + desc 'fix', "Configure the Ubuntu operating system to have permissions of 0640 for the \"/var/log/syslog\" +file by running the following command: + $ sudo chmod 0640 /var/log/syslog " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000206-GPOS-00084 " - tag gid: "V-238343 " - tag rid: "SV-238343r654204_rule " - tag stig_id: "UBTU-20-010422 " - tag fix_id: "F-41512r654203_fix " - tag cci: ["CCI-001314"] - tag nist: ["SI-11 b"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000206-GPOS-00084 ' + tag gid: 'V-238343 ' + tag rid: 'SV-238343r654204_rule ' + tag stig_id: 'UBTU-20-010422 ' + tag fix_id: 'F-41512r654203_fix ' + tag cci: ['CCI-001314'] + tag nist: ['SI-11 b'] describe file('/var/log/syslog') do it { should_not be_more_permissive_than('0640') } end -end \ No newline at end of file +end diff --git a/controls/SV-238344.rb b/controls/SV-238344.rb index dc5d004..cc68143 100644 --- a/controls/SV-238344.rb +++ b/controls/SV-238344.rb @@ -1,56 +1,54 @@ -# encoding: UTF-8 - -control "SV-238344" do - title "The Ubuntu operating system must have directories that contain system commands set to a mode +control 'SV-238344' do + title "The Ubuntu operating system must have directories that contain system commands set to a mode of 0755 or less permissive. " - desc "Protecting audit information also includes identifying and protecting the tools used to -view and manipulate log data. Therefore, protecting audit tools is necessary to prevent -unauthorized operation on audit information. - -Operating systems providing tools to -interface with audit information will leverage user permissions and roles identifying the -user accessing the tools and the corresponding rights the user has in order to make access -decisions regarding the deletion of audit tools. - -Audit tools include, but are not limited -to, vendor-provided and open source audit tools needed to successfully view and manipulate -audit information system activity and records. Audit tools include custom queries and + desc "Protecting audit information also includes identifying and protecting the tools used to +view and manipulate log data. Therefore, protecting audit tools is necessary to prevent +unauthorized operation on audit information. + +Operating systems providing tools to +interface with audit information will leverage user permissions and roles identifying the +user accessing the tools and the corresponding rights the user has in order to make access +decisions regarding the deletion of audit tools. + +Audit tools include, but are not limited +to, vendor-provided and open source audit tools needed to successfully view and manipulate +audit information system activity and records. Audit tools include custom queries and report generators. " - desc "check", "Verify the system commands directories have mode 0755 or less permissive: - -/bin -/sbin + desc 'check', "Verify the system commands directories have mode 0755 or less permissive: + +/bin +/sbin -/usr/bin -/usr/sbin -/usr/local/bin -/usr/local/sbin - -Check that the system command -directories have mode 0755 or less permissive with the following command: - -$ find /bin /sbin -/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \"%n %a\" -'{}' \\; - -If any directories are found to be group-writable or world-writable, this is a +/usr/bin +/usr/sbin +/usr/local/bin +/usr/local/sbin + +Check that the system command +directories have mode 0755 or less permissive with the following command: + +$ find /bin /sbin +/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \"%n %a\" +'{}' \\; + +If any directories are found to be group-writable or world-writable, this is a finding. " - desc "fix", "Configure the system commands directories to be protected from unauthorized access. Run the -following command: - -$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin + desc 'fix', "Configure the system commands directories to be protected from unauthorized access. Run the +following command: + +$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\; " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000258-GPOS-00099 " - tag gid: "V-238344 " - tag rid: "SV-238344r654207_rule " - tag stig_id: "UBTU-20-010423 " - tag fix_id: "F-41513r654206_fix " - tag cci: ["CCI-001495"] - tag nist: ["AU-9"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000258-GPOS-00099 ' + tag gid: 'V-238344 ' + tag rid: 'SV-238344r654207_rule ' + tag stig_id: 'UBTU-20-010423 ' + tag fix_id: 'F-41513r654206_fix ' + tag cci: ['CCI-001495'] + tag nist: ['AU-9'] - system_commands = command("find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d").stdout.strip.split("\n").entries + system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d').stdout.strip.split("\n").entries valid_system_commands = Set[] if system_commands.count > 0 @@ -64,14 +62,14 @@ if valid_system_commands.count > 0 valid_system_commands.each do |val_sys_cmd| describe file(val_sys_cmd) do - it { should_not be_more_permissive_than("0755") } + it { should_not be_more_permissive_than('0755') } end end else describe "Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755" do subject { valid_system_commands } - its("count") { should eq 0 } + its('count') { should eq 0 } end end -end \ No newline at end of file +end diff --git a/controls/SV-238345.rb b/controls/SV-238345.rb index 2778191..67aa5bf 100644 --- a/controls/SV-238345.rb +++ b/controls/SV-238345.rb @@ -1,55 +1,53 @@ -# encoding: UTF-8 - -control "SV-238345" do - title "The Ubuntu operating system must have directories that contain system commands owned by +control 'SV-238345' do + title "The Ubuntu operating system must have directories that contain system commands owned by root. " - desc "Protecting audit information also includes identifying and protecting the tools used to -view and manipulate log data. Therefore, protecting audit tools is necessary to prevent -unauthorized operation on audit information. - -Operating systems providing tools to -interface with audit information will leverage user permissions and roles identifying the -user accessing the tools and the corresponding rights the user has in order to make access -decisions regarding the deletion of audit tools. - -Audit tools include, but are not limited -to, vendor-provided and open source audit tools needed to successfully view and manipulate -audit information system activity and records. Audit tools include custom queries and + desc "Protecting audit information also includes identifying and protecting the tools used to +view and manipulate log data. Therefore, protecting audit tools is necessary to prevent +unauthorized operation on audit information. + +Operating systems providing tools to +interface with audit information will leverage user permissions and roles identifying the +user accessing the tools and the corresponding rights the user has in order to make access +decisions regarding the deletion of audit tools. + +Audit tools include, but are not limited +to, vendor-provided and open source audit tools needed to successfully view and manipulate +audit information system activity and records. Audit tools include custom queries and report generators. " - desc "check", "Verify the system commands directories are owned by root: - -/bin -/sbin -/usr/bin + desc 'check', "Verify the system commands directories are owned by root: + +/bin +/sbin +/usr/bin -/usr/sbin -/usr/local/bin -/usr/local/sbin - -Use the following command for the check: - +/usr/sbin +/usr/local/bin +/usr/local/sbin -$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root --type d -exec stat -c \"%n %U\" '{}' \\; - -If any system commands directories are returned, this is +Use the following command for the check: + + +$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root +-type d -exec stat -c \"%n %U\" '{}' \\; + +If any system commands directories are returned, this is a finding. " - desc "fix", "Configure the system commands directories to be protected from unauthorized access. Run the -following command: - -$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin + desc 'fix', "Configure the system commands directories to be protected from unauthorized access. Run the +following command: + +$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec chown root '{}' \\; " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000258-GPOS-00099 " - tag gid: "V-238345 " - tag rid: "SV-238345r654210_rule " - tag stig_id: "UBTU-20-010424 " - tag fix_id: "F-41514r654209_fix " - tag cci: ["CCI-001495"] - tag nist: ["AU-9"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000258-GPOS-00099 ' + tag gid: 'V-238345 ' + tag rid: 'SV-238345r654210_rule ' + tag stig_id: 'UBTU-20-010424 ' + tag fix_id: 'F-41514r654209_fix ' + tag cci: ['CCI-001495'] + tag nist: ['AU-9'] - system_commands = command("find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d").stdout.strip.split("\n").entries + system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d').stdout.strip.split("\n").entries valid_system_commands = Set[] if system_commands.count > 0 @@ -63,14 +61,14 @@ if valid_system_commands.count > 0 valid_system_commands.each do |val_sys_cmd| describe file(val_sys_cmd) do - its("owner") { should cmp "root" } + its('owner') { should cmp 'root' } end end else describe "Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root" do subject { valid_system_commands } - its("count") { should eq 0 } + its('count') { should eq 0 } end end -end \ No newline at end of file +end diff --git a/controls/SV-238346.rb b/controls/SV-238346.rb index 1462b93..51fb94a 100644 --- a/controls/SV-238346.rb +++ b/controls/SV-238346.rb @@ -1,56 +1,54 @@ -# encoding: UTF-8 - -control "SV-238346" do - title "The Ubuntu operating system must have directories that contain system commands group-owned +control 'SV-238346' do + title "The Ubuntu operating system must have directories that contain system commands group-owned by root. " - desc "Protecting audit information also includes identifying and protecting the tools used to -view and manipulate log data. Therefore, protecting audit tools is necessary to prevent -unauthorized operation on audit information. - -Operating systems providing tools to -interface with audit information will leverage user permissions and roles identifying the -user accessing the tools and the corresponding rights the user has in order to make access -decisions regarding the deletion of audit tools. - -Audit tools include, but are not limited -to, vendor-provided and open source audit tools needed to successfully view and manipulate -audit information system activity and records. Audit tools include custom queries and + desc "Protecting audit information also includes identifying and protecting the tools used to +view and manipulate log data. Therefore, protecting audit tools is necessary to prevent +unauthorized operation on audit information. + +Operating systems providing tools to +interface with audit information will leverage user permissions and roles identifying the +user accessing the tools and the corresponding rights the user has in order to make access +decisions regarding the deletion of audit tools. + +Audit tools include, but are not limited +to, vendor-provided and open source audit tools needed to successfully view and manipulate +audit information system activity and records. Audit tools include custom queries and report generators. " - desc "check", "Verify the system commands directories are group-owned by root: - -/bin -/sbin -/usr/bin + desc 'check', "Verify the system commands directories are group-owned by root: + +/bin +/sbin +/usr/bin -/usr/sbin -/usr/local/bin -/usr/local/sbin - -Run the check with the following command: - +/usr/sbin +/usr/local/bin +/usr/local/sbin -$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root --type d -exec stat -c \"%n %G\" '{}' \\; - -If any system commands directories are returned that are -not Set Group ID up on execution (SGID) files and owned by a privileged account, this is a +Run the check with the following command: + + +$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root +-type d -exec stat -c \"%n %G\" '{}' \\; + +If any system commands directories are returned that are +not Set Group ID up on execution (SGID) files and owned by a privileged account, this is a finding. " - desc "fix", "Configure the system commands directories to be protected from unauthorized access. Run the -following command: - -$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin + desc 'fix', "Configure the system commands directories to be protected from unauthorized access. Run the +following command: + +$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\; " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000258-GPOS-00099 " - tag gid: "V-238346 " - tag rid: "SV-238346r654213_rule " - tag stig_id: "UBTU-20-010425 " - tag fix_id: "F-41515r654212_fix " - tag cci: ["CCI-001495"] - tag nist: ["AU-9"] -#CHECK - system_commands = command("find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d").stdout.strip.split("\n").entries + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000258-GPOS-00099 ' + tag gid: 'V-238346 ' + tag rid: 'SV-238346r654213_rule ' + tag stig_id: 'UBTU-20-010425 ' + tag fix_id: 'F-41515r654212_fix ' + tag cci: ['CCI-001495'] + tag nist: ['AU-9'] + # CHECK + system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d').stdout.strip.split("\n").entries valid_system_commands = Set[] if system_commands.count > 0 @@ -64,14 +62,14 @@ if valid_system_commands.count > 0 valid_system_commands.each do |val_sys_cmd| describe file(val_sys_cmd) do - its("group") { should cmp "root" } + its('group') { should cmp 'root' } end end else describe "Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root" do subject { valid_system_commands } - its("count") { should eq 0 } + its('count') { should eq 0 } end end -end \ No newline at end of file +end diff --git a/controls/SV-238347.rb b/controls/SV-238347.rb index 3b29635..b160b87 100644 --- a/controls/SV-238347.rb +++ b/controls/SV-238347.rb @@ -1,46 +1,44 @@ -# encoding: UTF-8 +control 'SV-238347' do + title 'The Ubuntu operating system library files must have mode 0755 or less permissive. ' + desc "If the operating system were to allow any user to make changes to software libraries, then +those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. -control "SV-238347" do - title "The Ubuntu operating system library files must have mode 0755 or less permissive. " - desc "If the operating system were to allow any user to make changes to software libraries, then -those changes might be implemented without undergoing the appropriate testing and -approvals that are part of a robust change management process. - -This requirement applies to -operating systems with software libraries that are accessible and configurable, as in the -case of interpreted languages. Software libraries also include privileged programs which -execute with escalated privileges. Only qualified and authorized individuals must be -allowed to obtain access to information system components for purposes of initiating +This requirement applies to +operating systems with software libraries that are accessible and configurable, as in the +case of interpreted languages. Software libraries also include privileged programs which +execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. " - desc "check", "Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\", -and \"/usr/lib\" have mode 0755 or less permissive with the following command: - -$ sudo find -/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \"%n %a\" '{}' \\; + desc 'check', "Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\", +and \"/usr/lib\" have mode 0755 or less permissive with the following command: -/usr/lib64/pkcs11-spy.so - -If any files are found to be group-writable or +$ sudo find +/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \"%n %a\" '{}' \\; + +/usr/lib64/pkcs11-spy.so + +If any files are found to be group-writable or world-writable, this is a finding. " - desc "fix", "Configure the library files to be protected from unauthorized access. Run the following -command: - + desc 'fix', "Configure the library files to be protected from unauthorized access. Run the following +command: + $ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\; " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000259-GPOS-00100 " - tag gid: "V-238347 " - tag rid: "SV-238347r654216_rule " - tag stig_id: "UBTU-20-010426 " - tag fix_id: "F-41516r654215_fix " - tag cci: ["CCI-001499"] - tag nist: ["CM-5 (6)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000259-GPOS-00100 ' + tag gid: 'V-238347 ' + tag rid: 'SV-238347r654216_rule ' + tag stig_id: 'UBTU-20-010426 ' + tag fix_id: 'F-41516r654215_fix ' + tag cci: ['CCI-001499'] + tag nist: ['CM-5 (6)'] - if os.arch == 'x86_64' - library_files = command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type f').stdout.strip.split("\n").entries - else - library_files = command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type f').stdout.strip.split("\n").entries - end + library_files = if os.arch == 'x86_64' + command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type f').stdout.strip.split("\n").entries + else + command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type f').stdout.strip.split("\n").entries + end if library_files.count > 0 library_files.each do |lib_file| @@ -54,4 +52,4 @@ its('count') { should eq 0 } end end -end \ No newline at end of file +end diff --git a/controls/SV-238348.rb b/controls/SV-238348.rb index 9910f83..00cb272 100644 --- a/controls/SV-238348.rb +++ b/controls/SV-238348.rb @@ -1,45 +1,43 @@ -# encoding: UTF-8 +control 'SV-238348' do + title 'The Ubuntu operating system library directories must have mode 0755 or less permissive. ' + desc "If the operating system were to allow any user to make changes to software libraries, then +those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. -control "SV-238348" do - title "The Ubuntu operating system library directories must have mode 0755 or less permissive. " - desc "If the operating system were to allow any user to make changes to software libraries, then -those changes might be implemented without undergoing the appropriate testing and -approvals that are part of a robust change management process. - -This requirement applies to -operating systems with software libraries that are accessible and configurable, as in the -case of interpreted languages. Software libraries also include privileged programs which -execute with escalated privileges. Only qualified and authorized individuals must be -allowed to obtain access to information system components for purposes of initiating +This requirement applies to +operating systems with software libraries that are accessible and configurable, as in the +case of interpreted languages. Software libraries also include privileged programs which +execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. " - desc "check", "Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib have -mode 0755 or less permissive with the following command: - -$ sudo find /lib /lib64 /usr/lib --perm /022 -type d -exec stat -c \"%n %a\" '{}' \\; - -If any of the aforementioned directories are + desc 'check', "Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib have +mode 0755 or less permissive with the following command: + +$ sudo find /lib /lib64 /usr/lib +-perm /022 -type d -exec stat -c \"%n %a\" '{}' \\; + +If any of the aforementioned directories are found to be group-writable or world-writable, this is a finding. " - desc "fix", "Configure the shared library directories to be protected from unauthorized access. Run the -following command: - -$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}' + desc 'fix', "Configure the shared library directories to be protected from unauthorized access. Run the +following command: + +$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}' \\; " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000259-GPOS-00100 " - tag gid: "V-238348 " - tag rid: "SV-238348r654219_rule " - tag stig_id: "UBTU-20-010427 " - tag fix_id: "F-41517r654218_fix " - tag cci: ["CCI-001499"] - tag nist: ["CM-5 (6)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000259-GPOS-00100 ' + tag gid: 'V-238348 ' + tag rid: 'SV-238348r654219_rule ' + tag stig_id: 'UBTU-20-010427 ' + tag fix_id: 'F-41517r654218_fix ' + tag cci: ['CCI-001499'] + tag nist: ['CM-5 (6)'] - if os.arch == 'x86_64' - library_dirs = command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type d').stdout.strip.split("\n").entries - else - library_dirs = command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type d').stdout.strip.split("\n").entries - end + library_dirs = if os.arch == 'x86_64' + command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type d').stdout.strip.split("\n").entries + else + command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type d').stdout.strip.split("\n").entries + end if library_dirs.count > 0 library_dirs.each do |lib_file| @@ -53,4 +51,4 @@ its('count') { should eq 0 } end end -end \ No newline at end of file +end diff --git a/controls/SV-238349.rb b/controls/SV-238349.rb index 4f41a6b..82b8e7a 100644 --- a/controls/SV-238349.rb +++ b/controls/SV-238349.rb @@ -1,56 +1,54 @@ -# encoding: UTF-8 +control 'SV-238349' do + title 'The Ubuntu operating system library files must be owned by root. ' + desc "If the operating system were to allow any user to make changes to software libraries, then +those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. -control "SV-238349" do - title "The Ubuntu operating system library files must be owned by root. " - desc "If the operating system were to allow any user to make changes to software libraries, then -those changes might be implemented without undergoing the appropriate testing and -approvals that are part of a robust change management process. - -This requirement applies to -operating systems with software libraries that are accessible and configurable, as in the -case of interpreted languages. Software libraries also include privileged programs which -execute with escalated privileges. Only qualified and authorized individuals must be -allowed to obtain access to information system components for purposes of initiating +This requirement applies to +operating systems with software libraries that are accessible and configurable, as in the +case of interpreted languages. Software libraries also include privileged programs which +execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. " - desc "check", "Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\", -and \"/usr/lib\" are owned by root with the following command: - -$ sudo find /lib /usr/lib -/lib64 ! -user root -type f -exec stat -c \"%n %U\" '{}' \\; - -If any system-wide library file is + desc 'check', "Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\", +and \"/usr/lib\" are owned by root with the following command: + +$ sudo find /lib /usr/lib +/lib64 ! -user root -type f -exec stat -c \"%n %U\" '{}' \\; + +If any system-wide library file is returned, this is a finding. " - desc "fix", "Configure the system library files to be protected from unauthorized access. Run the -following command: - -$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root + desc 'fix', "Configure the system library files to be protected from unauthorized access. Run the +following command: + +$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root '{}' \\; " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000259-GPOS-00100 " - tag gid: "V-238349 " - tag rid: "SV-238349r654222_rule " - tag stig_id: "UBTU-20-010428 " - tag fix_id: "F-41518r654221_fix " - tag cci: ["CCI-001499"] - tag nist: ["CM-5 (6)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000259-GPOS-00100 ' + tag gid: 'V-238349 ' + tag rid: 'SV-238349r654222_rule ' + tag stig_id: 'UBTU-20-010428 ' + tag fix_id: 'F-41518r654221_fix ' + tag cci: ['CCI-001499'] + tag nist: ['CM-5 (6)'] - if os.arch == "x86_64" - library_files = command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-user root \-type f').stdout.strip.split("\n").entries - else - library_files = command('find /lib /usr/lib /usr/lib32 /lib32 ! \-user root \-type f').stdout.strip.split("\n").entries - end + library_files = if os.arch == 'x86_64' + command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-user root \-type f').stdout.strip.split("\n").entries + else + command('find /lib /usr/lib /usr/lib32 /lib32 ! \-user root \-type f').stdout.strip.split("\n").entries + end if library_files.count > 0 library_files.each do |lib_file| describe file(lib_file) do - its("owner") { should cmp "root" } + its('owner') { should cmp 'root' } end end else - describe "Number of system-wide shared library files found that are NOT owned by root" do + describe 'Number of system-wide shared library files found that are NOT owned by root' do subject { library_files } - its("count") { should eq 0 } + its('count') { should eq 0 } end end -end \ No newline at end of file +end diff --git a/controls/SV-238350.rb b/controls/SV-238350.rb index 62ffef6..e2e4958 100644 --- a/controls/SV-238350.rb +++ b/controls/SV-238350.rb @@ -1,56 +1,54 @@ -# encoding: UTF-8 +control 'SV-238350' do + title 'The Ubuntu operating system library directories must be owned by root. ' + desc "If the operating system were to allow any user to make changes to software libraries, then +those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. -control "SV-238350" do - title "The Ubuntu operating system library directories must be owned by root. " - desc "If the operating system were to allow any user to make changes to software libraries, then -those changes might be implemented without undergoing the appropriate testing and -approvals that are part of a robust change management process. - -This requirement applies to -operating systems with software libraries that are accessible and configurable, as in the -case of interpreted languages. Software libraries also include privileged programs which -execute with escalated privileges. Only qualified and authorized individuals must be -allowed to obtain access to information system components for purposes of initiating +This requirement applies to +operating systems with software libraries that are accessible and configurable, as in the +case of interpreted languages. Software libraries also include privileged programs which +execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. " - desc "check", "Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are -owned by root with the following command: - -$ sudo find /lib /usr/lib /lib64 ! -user root -type -d -exec stat -c \"%n %U\" '{}' \\; - -If any system-wide library directory is returned, this is a + desc 'check', "Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are +owned by root with the following command: + +$ sudo find /lib /usr/lib /lib64 ! -user root -type +d -exec stat -c \"%n %U\" '{}' \\; + +If any system-wide library directory is returned, this is a finding. " - desc "fix", "Configure the library files and their respective parent directories to be protected from -unauthorized access. Run the following command: - -$ sudo find /lib /usr/lib /lib64 ! -user + desc 'fix', "Configure the library files and their respective parent directories to be protected from +unauthorized access. Run the following command: + +$ sudo find /lib /usr/lib /lib64 ! -user root -type d -exec chown root '{}' \\; " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000259-GPOS-00100 " - tag gid: "V-238350 " - tag rid: "SV-238350r654225_rule " - tag stig_id: "UBTU-20-010429 " - tag fix_id: "F-41519r654224_fix " - tag cci: ["CCI-001499"] - tag nist: ["CM-5 (6)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000259-GPOS-00100 ' + tag gid: 'V-238350 ' + tag rid: 'SV-238350r654225_rule ' + tag stig_id: 'UBTU-20-010429 ' + tag fix_id: 'F-41519r654224_fix ' + tag cci: ['CCI-001499'] + tag nist: ['CM-5 (6)'] - if os.arch == "x86_64" - library_dirs = command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-user root \-type d').stdout.strip.split("\n").entries - else - library_dirs = command('find /lib /usr/lib /usr/lib32 /lib32 ! \-user root \-type d').stdout.strip.split("\n").entries - end + library_dirs = if os.arch == 'x86_64' + command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-user root \-type d').stdout.strip.split("\n").entries + else + command('find /lib /usr/lib /usr/lib32 /lib32 ! \-user root \-type d').stdout.strip.split("\n").entries + end if library_dirs.count > 0 library_dirs.each do |lib_file| describe file(lib_file) do - its("owner") { should cmp "root" } + its('owner') { should cmp 'root' } end end else - describe "Number of system-wide shared library directories found that are NOT owned by root" do + describe 'Number of system-wide shared library directories found that are NOT owned by root' do subject { library_dirs } - its("count") { should eq 0 } + its('count') { should eq 0 } end end -end \ No newline at end of file +end diff --git a/controls/SV-238351.rb b/controls/SV-238351.rb index 5b20f79..59483bc 100644 --- a/controls/SV-238351.rb +++ b/controls/SV-238351.rb @@ -1,57 +1,55 @@ -# encoding: UTF-8 +control 'SV-238351' do + title 'The Ubuntu operating system library files must be group-owned by root or a system account. ' + desc "If the operating system were to allow any user to make changes to software libraries, then +those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. -control "SV-238351" do - title "The Ubuntu operating system library files must be group-owned by root or a system account. " - desc "If the operating system were to allow any user to make changes to software libraries, then -those changes might be implemented without undergoing the appropriate testing and -approvals that are part of a robust change management process. - -This requirement applies to -operating systems with software libraries that are accessible and configurable, as in the -case of interpreted languages. Software libraries also include privileged programs which -execute with escalated privileges. Only qualified and authorized individuals must be -allowed to obtain access to information system components for purposes of initiating +This requirement applies to +operating systems with software libraries that are accessible and configurable, as in the +case of interpreted languages. Software libraries also include privileged programs which +execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. " - desc "check", "Verify the system-wide library files contained in the directories \"/lib\", \"/lib64\", and -\"/usr/lib\" are group-owned by root, or a required system account, with the following -command: - -$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \"%n %G\" '{}' \\; - + desc 'check', "Verify the system-wide library files contained in the directories \"/lib\", \"/lib64\", and +\"/usr/lib\" are group-owned by root, or a required system account, with the following +command: -If any system-wide shared library file is returned and is not group-owned by a required +$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \"%n %G\" '{}' \\; + + +If any system-wide shared library file is returned and is not group-owned by a required system account, this is a finding. " - desc "fix", "Configure the system library files to be protected from unauthorized access. Run the -following command, replacing \"[FILE]\" with any system command file not group-owned by -\"root\" or a required system account: - + desc 'fix', "Configure the system library files to be protected from unauthorized access. Run the +following command, replacing \"[FILE]\" with any system command file not group-owned by +\"root\" or a required system account: + $ sudo chgrp root [FILE] " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000259-GPOS-00100 " - tag gid: "V-238351 " - tag rid: "SV-238351r832962_rule " - tag stig_id: "UBTU-20-010430 " - tag fix_id: "F-41520r832961_fix " - tag cci: ["CCI-001499"] - tag nist: ["CM-5 (6)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000259-GPOS-00100 ' + tag gid: 'V-238351 ' + tag rid: 'SV-238351r832962_rule ' + tag stig_id: 'UBTU-20-010430 ' + tag fix_id: 'F-41520r832961_fix ' + tag cci: ['CCI-001499'] + tag nist: ['CM-5 (6)'] - if os.arch == "x86_64" - library_files = command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-group root \-type f').stdout.strip.split("\n").entries - else - library_files = command('find /lib /usr/lib /usr/lib32 /lib32 ! \-group root \-type f').stdout.strip.split("\n").entries - end + library_files = if os.arch == 'x86_64' + command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-group root \-type f').stdout.strip.split("\n").entries + else + command('find /lib /usr/lib /usr/lib32 /lib32 ! \-group root \-type f').stdout.strip.split("\n").entries + end if library_files.count > 0 library_files.each do |lib_file| describe file(lib_file) do - its("group") { should cmp "root" } + its('group') { should cmp 'root' } end end else - describe "Number of system-wide shared library files found that are NOT group-owned by root" do + describe 'Number of system-wide shared library files found that are NOT group-owned by root' do subject { library_files } - its("count") { should eq 0 } + its('count') { should eq 0 } end end -end \ No newline at end of file +end diff --git a/controls/SV-238352.rb b/controls/SV-238352.rb index 12c54d4..b89c6f7 100644 --- a/controls/SV-238352.rb +++ b/controls/SV-238352.rb @@ -1,56 +1,54 @@ -# encoding: UTF-8 +control 'SV-238352' do + title 'The Ubuntu operating system library directories must be group-owned by root. ' + desc "If the operating system were to allow any user to make changes to software libraries, then +those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. -control "SV-238352" do - title "The Ubuntu operating system library directories must be group-owned by root. " - desc "If the operating system were to allow any user to make changes to software libraries, then -those changes might be implemented without undergoing the appropriate testing and -approvals that are part of a robust change management process. - -This requirement applies to -operating systems with software libraries that are accessible and configurable, as in the -case of interpreted languages. Software libraries also include privileged programs which -execute with escalated privileges. Only qualified and authorized individuals must be -allowed to obtain access to information system components for purposes of initiating +This requirement applies to +operating systems with software libraries that are accessible and configurable, as in the +case of interpreted languages. Software libraries also include privileged programs which +execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. " - desc "check", "Verify the system-wide library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are -group-owned by root with the following command: - -$ sudo find /lib /usr/lib /lib64 ! -group -root -type d -exec stat -c \"%n %G\" '{}' \\; - -If any system-wide shared library directory is + desc 'check', "Verify the system-wide library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are +group-owned by root with the following command: + +$ sudo find /lib /usr/lib /lib64 ! -group +root -type d -exec stat -c \"%n %G\" '{}' \\; + +If any system-wide shared library directory is returned, this is a finding. " - desc "fix", "Configure the system library directories to be protected from unauthorized access. Run the -following command: - -$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root + desc 'fix', "Configure the system library directories to be protected from unauthorized access. Run the +following command: + +$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root '{}' \\; " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000259-GPOS-00100 " - tag gid: "V-238352 " - tag rid: "SV-238352r654231_rule " - tag stig_id: "UBTU-20-010431 " - tag fix_id: "F-41521r654230_fix " - tag cci: ["CCI-001499"] - tag nist: ["CM-5 (6)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000259-GPOS-00100 ' + tag gid: 'V-238352 ' + tag rid: 'SV-238352r654231_rule ' + tag stig_id: 'UBTU-20-010431 ' + tag fix_id: 'F-41521r654230_fix ' + tag cci: ['CCI-001499'] + tag nist: ['CM-5 (6)'] - if os.arch == "x86_64" - library_directories = command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-group root \-type d').stdout.strip.split("\n").entries - else - library_directories = command('find /lib /usr/lib /usr/lib32 /lib32 ! \-group root \-type d').stdout.strip.split("\n").entries - end + library_directories = if os.arch == 'x86_64' + command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-group root \-type d').stdout.strip.split("\n").entries + else + command('find /lib /usr/lib /usr/lib32 /lib32 ! \-group root \-type d').stdout.strip.split("\n").entries + end if library_directories.count > 0 library_directories.each do |lib_file| describe file(lib_file) do - its("group") { should cmp "root" } + its('group') { should cmp 'root' } end end else - describe "Number of system-wide shared library directories found that are NOT group-owned by root" do + describe 'Number of system-wide shared library directories found that are NOT group-owned by root' do subject { library_directories } - its("count") { should eq 0 } + its('count') { should eq 0 } end end -end \ No newline at end of file +end diff --git a/controls/SV-238353.rb b/controls/SV-238353.rb index e221b44..dfac375 100644 --- a/controls/SV-238353.rb +++ b/controls/SV-238353.rb @@ -1,72 +1,70 @@ -# encoding: UTF-8 - -control "SV-238353" do - title "The Ubuntu operating system must be configured to preserve log records from failure events. " - desc "Failure to a known state can address safety or security in accordance with the -mission/business needs of the organization. Failure to a known secure state helps prevent a -loss of confidentiality, integrity, or availability in the event of a failure of the -information system or a component of the system. - -Preserving operating system state -information helps to facilitate operating system restart and return to the operational mode +control 'SV-238353' do + title 'The Ubuntu operating system must be configured to preserve log records from failure events. ' + desc "Failure to a known state can address safety or security in accordance with the +mission/business needs of the organization. Failure to a known secure state helps prevent a +loss of confidentiality, integrity, or availability in the event of a failure of the +information system or a component of the system. + +Preserving operating system state +information helps to facilitate operating system restart and return to the operational mode of the organization with least disruption to mission/business processes. " - desc "check", "Verify the log service is configured to collect system failure events. - -Check that the log -service is installed properly with the following command: - -$ dpkg -l | grep rsyslog - -ii -rsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon - -If the \"rsyslog\" -package is not installed, this is a finding. - -Check that the log service is enabled with the -following command: - -$ systemctl is-enabled rsyslog - -enabled - -If the command above -returns \"disabled\", this is a finding. - -Check that the log service is properly running and -active on the system with the following command: - -$ systemctl is-active rsyslog - -active - + desc 'check', "Verify the log service is configured to collect system failure events. + +Check that the log +service is installed properly with the following command: + +$ dpkg -l | grep rsyslog + +ii +rsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon + +If the \"rsyslog\" +package is not installed, this is a finding. + +Check that the log service is enabled with the +following command: + +$ systemctl is-enabled rsyslog + +enabled + +If the command above +returns \"disabled\", this is a finding. + +Check that the log service is properly running and +active on the system with the following command: + +$ systemctl is-active rsyslog + +active + If the command above returns \"inactive\", this is a finding. " - desc "fix", "Configure the log service to collect failure events. - -Install the log service (if the log -service is not already installed) with the following command: - -$ sudo apt-get install -rsyslog - -Enable the log service with the following command: - -$ sudo systemctl enable --now + desc 'fix', "Configure the log service to collect failure events. + +Install the log service (if the log +service is not already installed) with the following command: + +$ sudo apt-get install +rsyslog + +Enable the log service with the following command: + +$ sudo systemctl enable --now rsyslog " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000269-GPOS-00103 " - tag gid: "V-238353 " - tag rid: "SV-238353r654234_rule " - tag stig_id: "UBTU-20-010432 " - tag fix_id: "F-41522r654233_fix " - tag cci: ["CCI-001665"] - tag nist: ["SC-24"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000269-GPOS-00103 ' + tag gid: 'V-238353 ' + tag rid: 'SV-238353r654234_rule ' + tag stig_id: 'UBTU-20-010432 ' + tag fix_id: 'F-41522r654233_fix ' + tag cci: ['CCI-001665'] + tag nist: ['SC-24'] describe service('rsyslog') do it { should be_installed } it { should be_enabled } it { should be_running } end -end \ No newline at end of file +end diff --git a/controls/SV-238354.rb b/controls/SV-238354.rb index 1a3a736..5d12836 100644 --- a/controls/SV-238354.rb +++ b/controls/SV-238354.rb @@ -1,50 +1,48 @@ -# encoding: UTF-8 - -control "SV-238354" do - title "The Ubuntu operating system must have an application firewall installed in order to control +control 'SV-238354' do + title "The Ubuntu operating system must have an application firewall installed in order to control remote access methods. " - desc "Remote access services, such as those providing remote access to network devices and -information systems, which lack automated control capabilities, increase risk and make -remote user access management difficult at best. - -Remote access is access to DoD nonpublic -information systems by an authorized user (or an information system) communicating through -an external, non-organization-controlled network. Remote access methods include, for -example, dial-up, broadband, and wireless. - -Ubuntu operating system functionality -(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized -activity. Automated control of remote access sessions allows organizations to ensure -ongoing compliance with remote access policies by enforcing connection rules of remote -access applications on a variety of information system components (e.g., servers, + desc "Remote access services, such as those providing remote access to network devices and +information systems, which lack automated control capabilities, increase risk and make +remote user access management difficult at best. + +Remote access is access to DoD nonpublic +information systems by an authorized user (or an information system) communicating through +an external, non-organization-controlled network. Remote access methods include, for +example, dial-up, broadband, and wireless. + +Ubuntu operating system functionality +(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized +activity. Automated control of remote access sessions allows organizations to ensure +ongoing compliance with remote access policies by enforcing connection rules of remote +access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). " - desc "check", "Verify that the Uncomplicated Firewall is installed with the following command: - -$ dpkg -l | -grep ufw - -ii ufw 0.36-6 - -If the \"ufw\" package is not installed, ask the System Administrator -if another application firewall is installed. - -If no application firewall is installed, + desc 'check', "Verify that the Uncomplicated Firewall is installed with the following command: + +$ dpkg -l | +grep ufw + +ii ufw 0.36-6 + +If the \"ufw\" package is not installed, ask the System Administrator +if another application firewall is installed. + +If no application firewall is installed, this is a finding. " - desc "fix", "Install the Uncomplicated Firewall by using the following command: - -$ sudo apt-get install + desc 'fix', "Install the Uncomplicated Firewall by using the following command: + +$ sudo apt-get install ufw " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000297-GPOS-00115 " - tag gid: "V-238354 " - tag rid: "SV-238354r853429_rule " - tag stig_id: "UBTU-20-010433 " - tag fix_id: "F-41523r654236_fix " - tag cci: ["CCI-002314"] - tag nist: ["AC-17 (1)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000297-GPOS-00115 ' + tag gid: 'V-238354 ' + tag rid: 'SV-238354r853429_rule ' + tag stig_id: 'UBTU-20-010433 ' + tag fix_id: 'F-41523r654236_fix ' + tag cci: ['CCI-002314'] + tag nist: ['AC-17 (1)'] describe package('ufw') do it { should be_installed } end -end \ No newline at end of file +end diff --git a/controls/SV-238355.rb b/controls/SV-238355.rb index 489d768..87a98a8 100644 --- a/controls/SV-238355.rb +++ b/controls/SV-238355.rb @@ -1,60 +1,58 @@ -# encoding: UTF-8 - -control "SV-238355" do - title "The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). " - desc "Remote access services, such as those providing remote access to network devices and -information systems, which lack automated control capabilities, increase risk and make -remote user access management difficult at best. - -Remote access is access to DoD nonpublic -information systems by an authorized user (or an information system) communicating through -an external, non-organization-controlled network. Remote access methods include, for -example, dial-up, broadband, and wireless. - -Ubuntu operating system functionality -(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized -activity. Automated control of remote access sessions allows organizations to ensure -ongoing compliance with remote access policies by enforcing connection rules of remote -access applications on a variety of information system components (e.g., servers, +control 'SV-238355' do + title 'The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). ' + desc "Remote access services, such as those providing remote access to network devices and +information systems, which lack automated control capabilities, increase risk and make +remote user access management difficult at best. + +Remote access is access to DoD nonpublic +information systems by an authorized user (or an information system) communicating through +an external, non-organization-controlled network. Remote access methods include, for +example, dial-up, broadband, and wireless. + +Ubuntu operating system functionality +(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized +activity. Automated control of remote access sessions allows organizations to ensure +ongoing compliance with remote access policies by enforcing connection rules of remote +access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). " - desc "check", "Verify the Uncomplicated Firewall is enabled on the system by running the following command: - - -$ systemctl is-enabled ufw - -If the above command returns the status as \"disabled\", this is -a finding. - -Verify the Uncomplicated Firewall is active on the system by running the -following command: - -$ systemctl is-active ufw - -If the above command returns \"inactive\" or -any kind of error, this is a finding. - -If the Uncomplicated Firewall is not installed, ask the -System Administrator if another application firewall is installed. - -If no application + desc 'check', "Verify the Uncomplicated Firewall is enabled on the system by running the following command: + + +$ systemctl is-enabled ufw + +If the above command returns the status as \"disabled\", this is +a finding. + +Verify the Uncomplicated Firewall is active on the system by running the +following command: + +$ systemctl is-active ufw + +If the above command returns \"inactive\" or +any kind of error, this is a finding. + +If the Uncomplicated Firewall is not installed, ask the +System Administrator if another application firewall is installed. + +If no application firewall is installed, this is a finding. " - desc "fix", "Enable the Uncomplicated Firewall by using the following command: - -$ sudo systemctl enable + desc 'fix', "Enable the Uncomplicated Firewall by using the following command: + +$ sudo systemctl enable --now ufw.service " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000297-GPOS-00115 " - tag gid: "V-238355 " - tag rid: "SV-238355r853430_rule " - tag stig_id: "UBTU-20-010434 " - tag fix_id: "F-41524r654239_fix " - tag cci: ["CCI-002314"] - tag nist: ["AC-17 (1)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000297-GPOS-00115 ' + tag gid: 'V-238355 ' + tag rid: 'SV-238355r853430_rule ' + tag stig_id: 'UBTU-20-010434 ' + tag fix_id: 'F-41524r654239_fix ' + tag cci: ['CCI-002314'] + tag nist: ['AC-17 (1)'] describe service('ufw') do it { should be_installed } it { should be_enabled } it { should be_running } end -end \ No newline at end of file +end diff --git a/controls/SV-238356.rb b/controls/SV-238356.rb index cbf3730..f37dbc7 100644 --- a/controls/SV-238356.rb +++ b/controls/SV-238356.rb @@ -1,86 +1,84 @@ -# encoding: UTF-8 - -control "SV-238356" do - title "The Ubuntu operating system must, for networked systems, compare internal information -system clocks at least every 24 hours with a server which is synchronized to one of the -redundant United States Naval Observatory (USNO) time servers, or a time server designated -for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System +control 'SV-238356' do + title "The Ubuntu operating system must, for networked systems, compare internal information +system clocks at least every 24 hours with a server which is synchronized to one of the +redundant United States Naval Observatory (USNO) time servers, or a time server designated +for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). " - desc "Inaccurate time stamps make it more difficult to correlate events and can lead to an -inaccurate analysis. Determining the correct time a particular event occurred on a system is -critical when conducting forensic analysis and investigating system events. Sources -outside the configured acceptable allowance (drift) may be inaccurate. - -Synchronizing -internal information system clocks provides uniformity of time stamps for information -systems with multiple system clocks and systems connected over a network. - -Organizations -should consider endpoints that may not have regular access to the authoritative time server + desc "Inaccurate time stamps make it more difficult to correlate events and can lead to an +inaccurate analysis. Determining the correct time a particular event occurred on a system is +critical when conducting forensic analysis and investigating system events. Sources +outside the configured acceptable allowance (drift) may be inaccurate. + +Synchronizing +internal information system clocks provides uniformity of time stamps for information +systems with multiple system clocks and systems connected over a network. + +Organizations +should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). " - desc "check", "If the system is not networked, this requirement is Not Applicable. - -The system clock must be -configured to compare the system clock at least every 24 hours to the authoritative time -source. - -Check the value of \"maxpoll\" in the \"/etc/chrony/chrony.conf\" file with the -following command: - -$ sudo grep maxpoll /etc/chrony/chrony.conf -server -tick.usno.navy.mil iburst maxpoll 16 - -If the \"maxpoll\" option is set to a number greater -than 16 or the line is commented out, this is a finding. - -Verify that the \"chrony.conf\" file is -configured to an authoritative DoD time source by running the following command: - -$ grep -i -server /etc/chrony/chrony.conf -server tick.usno.navy.mil iburst maxpoll 16 -server -tock.usno.navy.mil iburst maxpoll 16 -server ntp2.usno.navy.mil iburst maxpoll 16 - -If -the parameter \"server\" is not set, is not set to an authoritative DoD time source, or is + desc 'check', "If the system is not networked, this requirement is Not Applicable. + +The system clock must be +configured to compare the system clock at least every 24 hours to the authoritative time +source. + +Check the value of \"maxpoll\" in the \"/etc/chrony/chrony.conf\" file with the +following command: + +$ sudo grep maxpoll /etc/chrony/chrony.conf +server +tick.usno.navy.mil iburst maxpoll 16 + +If the \"maxpoll\" option is set to a number greater +than 16 or the line is commented out, this is a finding. + +Verify that the \"chrony.conf\" file is +configured to an authoritative DoD time source by running the following command: + +$ grep -i +server /etc/chrony/chrony.conf +server tick.usno.navy.mil iburst maxpoll 16 +server +tock.usno.navy.mil iburst maxpoll 16 +server ntp2.usno.navy.mil iburst maxpoll 16 + +If +the parameter \"server\" is not set, is not set to an authoritative DoD time source, or is commented out, this is a finding. " - desc "fix", "If the system is not networked, this requirement is Not Applicable. - -To configure the system -clock to compare the system clock at least every 24 hours to the authoritative time source, -edit the \"/etc/chrony/chrony.conf\" file. Add or correct the following lines, by replacing -\"[source]\" in the following line with an authoritative DoD time source: - -server [source] -iburst maxpoll = 16 - -If the \"chrony\" service was running and the value of \"maxpoll\" or -\"server\" was updated, the service must be restarted using the following command: - -$ sudo + desc 'fix', "If the system is not networked, this requirement is Not Applicable. + +To configure the system +clock to compare the system clock at least every 24 hours to the authoritative time source, +edit the \"/etc/chrony/chrony.conf\" file. Add or correct the following lines, by replacing +\"[source]\" in the following line with an authoritative DoD time source: + +server [source] +iburst maxpoll = 16 + +If the \"chrony\" service was running and the value of \"maxpoll\" or +\"server\" was updated, the service must be restarted using the following command: + +$ sudo systemctl restart chrony.service " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000355-GPOS-00143 " - tag gid: "V-238356 " - tag rid: "SV-238356r853431_rule " - tag stig_id: "UBTU-20-010435 " - tag fix_id: "F-41525r808491_fix " - tag cci: ["CCI-001891"] - tag nist: ["AU-8 (1) (a)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000355-GPOS-00143 ' + tag gid: 'V-238356 ' + tag rid: 'SV-238356r853431_rule ' + tag stig_id: 'UBTU-20-010435 ' + tag fix_id: 'F-41525r808491_fix ' + tag cci: ['CCI-001891'] + tag nist: ['AU-8 (1) (a)'] is_system_networked = input('is_system_networked') - + if is_system_networked chrony_conf = input('chrony_config_file') chrony_conf_exists = file(chrony_conf).exist? - + if chrony_conf_exists - describe "time sources" do + describe 'time sources' do server_entries = command('grep "^server" /etc/chrony/chrony.conf').stdout.strip.split("\n").entries server_entries.each do |entry| @@ -100,4 +98,4 @@ skip 'This control is Not Applicable as the system is not networked' end end -end \ No newline at end of file +end diff --git a/controls/SV-238357.rb b/controls/SV-238357.rb index 528dfbe..1862559 100644 --- a/controls/SV-238357.rb +++ b/controls/SV-238357.rb @@ -1,56 +1,54 @@ -# encoding: UTF-8 - -control "SV-238357" do - title "The Ubuntu operating system must synchronize internal information system clocks to the +control 'SV-238357' do + title "The Ubuntu operating system must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second. " - desc "Inaccurate time stamps make it more difficult to correlate events and can lead to an -inaccurate analysis. Determining the correct time a particular event occurred on a system is -critical when conducting forensic analysis and investigating system events. - + desc "Inaccurate time stamps make it more difficult to correlate events and can lead to an +inaccurate analysis. Determining the correct time a particular event occurred on a system is +critical when conducting forensic analysis and investigating system events. + + +Synchronizing internal information system clocks provides uniformity of time stamps for +information systems with multiple system clocks and systems connected over a network. +Organizations should consider setting time periods for different types of systems (e.g., +financial, legal, or mission-critical systems). -Synchronizing internal information system clocks provides uniformity of time stamps for -information systems with multiple system clocks and systems connected over a network. -Organizations should consider setting time periods for different types of systems (e.g., -financial, legal, or mission-critical systems). - -Organizations should also consider -endpoints that may not have regular access to the authoritative time server (e.g., mobile, -teleworking, and tactical endpoints). This requirement is related to the comparison done -every 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the +Organizations should also consider +endpoints that may not have regular access to the authoritative time server (e.g., mobile, +teleworking, and tactical endpoints). This requirement is related to the comparison done +every 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the time difference. " - desc "check", "Verify the operating system synchronizes internal system clocks to the authoritative time -source when the time difference is greater than one second. - -Check the value of \"makestep\" by -running the following command: - -$ sudo grep makestep /etc/chrony/chrony.conf - -makestep -1 -1 - + desc 'check', "Verify the operating system synchronizes internal system clocks to the authoritative time +source when the time difference is greater than one second. + +Check the value of \"makestep\" by +running the following command: + +$ sudo grep makestep /etc/chrony/chrony.conf + +makestep +1 -1 + If the makestep option is commented out or is not set to \"1 -1\", this is a finding. " - desc "fix", "Configure chrony to synchronize the internal system clocks to the authoritative source when -the time difference is greater than one second by doing the following: - -Edit the -\"/etc/chrony/chrony.conf\" file and add: - -makestep 1 -1 - -Restart the chrony service: - -$ + desc 'fix', "Configure chrony to synchronize the internal system clocks to the authoritative source when +the time difference is greater than one second by doing the following: + +Edit the +\"/etc/chrony/chrony.conf\" file and add: + +makestep 1 -1 + +Restart the chrony service: + +$ sudo systemctl restart chrony.service " impact 0.3 - tag severity: "low " - tag gtitle: "SRG-OS-000356-GPOS-00144 " - tag gid: "V-238357 " - tag rid: "SV-238357r853432_rule " - tag stig_id: "UBTU-20-010436 " - tag fix_id: "F-41526r654245_fix " - tag cci: ["CCI-002046"] - tag nist: ["AU-8 (1) (b)"] + tag severity: 'low ' + tag gtitle: 'SRG-OS-000356-GPOS-00144 ' + tag gid: 'V-238357 ' + tag rid: 'SV-238357r853432_rule ' + tag stig_id: 'UBTU-20-010436 ' + tag fix_id: 'F-41526r654245_fix ' + tag cci: ['CCI-002046'] + tag nist: ['AU-8 (1) (b)'] chrony_file_path = input('chrony_config_file') chrony_file = file(chrony_file_path) @@ -58,12 +56,12 @@ if chrony_file.exist? describe chrony_file do subject { chrony_file } - its('content') { should match %r{^makestep 1 -1} } + its('content') { should match /^makestep 1 -1/ } end else - describe (chrony_file_path + ' exists') do + describe(chrony_file_path + ' exists') do subject { chrony_file.exist? } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238358.rb b/controls/SV-238358.rb index 08ecd42..fc28b81 100644 --- a/controls/SV-238358.rb +++ b/controls/SV-238358.rb @@ -1,51 +1,49 @@ -# encoding: UTF-8 - -control "SV-238358" do - title "The Ubuntu operating system must notify designated personnel if baseline configurations -are changed in an unauthorized manner. The file integrity tool must notify the System +control 'SV-238358' do + title "The Ubuntu operating system must notify designated personnel if baseline configurations +are changed in an unauthorized manner. The file integrity tool must notify the System Administrator when changes to the baseline configuration or anomalies in the oper " - desc "Unauthorized changes to the baseline configuration could make the system vulnerable to -various attacks or allow unauthorized access to the operating system. Changes to operating -system configurations can have unintended side effects, some of which may be relevant to -security. - -Detecting such changes and providing an automated response can help avoid -unintended, negative consequences that could ultimately affect the security state of the -operating system. The operating system's IMO/ISSO and SAs must be notified via email and/or + desc "Unauthorized changes to the baseline configuration could make the system vulnerable to +various attacks or allow unauthorized access to the operating system. Changes to operating +system configurations can have unintended side effects, some of which may be relevant to +security. + +Detecting such changes and providing an automated response can help avoid +unintended, negative consequences that could ultimately affect the security state of the +operating system. The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. " - desc "check", "Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System + desc 'check', "Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System Administrator - when anomalies in the operation of any security functions are discovered -with the following command: - -$ grep SILENTREPORTS /etc/default/aide - -SILENTREPORTS=no - - -If SILENTREPORTS is commented out, this is a finding. - -If SILENTREPORTS is set to \"yes\", -this is a finding. - + when anomalies in the operation of any security functions are discovered +with the following command: + +$ grep SILENTREPORTS /etc/default/aide + +SILENTREPORTS=no + + +If SILENTREPORTS is commented out, this is a finding. + +If SILENTREPORTS is set to \"yes\", +this is a finding. + If SILENTREPORTS is not set to \"no\", this is a finding. " - desc "fix", "Configure the Ubuntu operating system to notify designated personnel if baseline -configurations are changed in an unauthorized manner. - -Modify the \"SILENTREPORTS\" + desc 'fix', "Configure the Ubuntu operating system to notify designated personnel if baseline +configurations are changed in an unauthorized manner. + +Modify the \"SILENTREPORTS\" parameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist. " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000363-GPOS-00150 " - tag gid: "V-238358 " - tag rid: "SV-238358r853433_rule " - tag stig_id: "UBTU-20-010437 " - tag fix_id: "F-41527r654248_fix " - tag cci: ["CCI-001744"] - tag nist: ["CM-3 (5)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000363-GPOS-00150 ' + tag gid: 'V-238358 ' + tag rid: 'SV-238358r853433_rule ' + tag stig_id: 'UBTU-20-010437 ' + tag fix_id: 'F-41527r654248_fix ' + tag cci: ['CCI-001744'] + tag nist: ['CM-3 (5)'] describe file('/etc/default/aide') do it { should exist } its('content') { should match '^SILENTREPORTS=no$' } end -end \ No newline at end of file +end diff --git a/controls/SV-238359.rb b/controls/SV-238359.rb index 224913f..bab5d01 100644 --- a/controls/SV-238359.rb +++ b/controls/SV-238359.rb @@ -1,60 +1,58 @@ -# encoding: UTF-8 - -control "SV-238359" do - title "The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the -installation of patches, service packs, device drivers, or Ubuntu operating system -components without verification they have been digitally signed using a certificate that is +control 'SV-238359' do + title "The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the +installation of patches, service packs, device drivers, or Ubuntu operating system +components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. " - desc "Changes to any software components can have significant effects on the overall security of -the operating system. This requirement ensures the software has not been tampered with and -that it has been provided by a trusted vendor. - -Accordingly, patches, service packs, device -drivers, or operating system components must be signed with a certificate recognized and -approved by the organization. - -Verifying the authenticity of the software prior to -installation validates the integrity of the patch or upgrade received from a vendor. This -ensures the software has not been tampered with and that it has been provided by a trusted -vendor. Self-signed certificates are disallowed by this requirement. The operating system -should not have to verify the software again. This requirement does not mandate DoD -certificates for this purpose; however, the certificate used to verify the software must be + desc "Changes to any software components can have significant effects on the overall security of +the operating system. This requirement ensures the software has not been tampered with and +that it has been provided by a trusted vendor. + +Accordingly, patches, service packs, device +drivers, or operating system components must be signed with a certificate recognized and +approved by the organization. + +Verifying the authenticity of the software prior to +installation validates the integrity of the patch or upgrade received from a vendor. This +ensures the software has not been tampered with and that it has been provided by a trusted +vendor. Self-signed certificates are disallowed by this requirement. The operating system +should not have to verify the software again. This requirement does not mandate DoD +certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. " - desc "check", "Verify that APT is configured to prevent the installation of patches, service packs, device -drivers, or Ubuntu operating system components without verification they have been -digitally signed using a certificate that is recognized and approved by the organization. - + desc 'check', "Verify that APT is configured to prevent the installation of patches, service packs, device +drivers, or Ubuntu operating system components without verification they have been +digitally signed using a certificate that is recognized and approved by the organization. + -Check that the \"AllowUnauthenticated\" variable is not set at all or is set to \"false\" with the -following command: - -$ grep AllowUnauthenticated /etc/apt/apt.conf.d/* +Check that the \"AllowUnauthenticated\" variable is not set at all or is set to \"false\" with the +following command: -/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \"false\"; - +$ grep AllowUnauthenticated /etc/apt/apt.conf.d/* -If any of the files returned from the command with \"AllowUnauthenticated\" are set to \"true\", +/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \"false\"; + + +If any of the files returned from the command with \"AllowUnauthenticated\" are set to \"true\", this is a finding. " - desc "fix", "Configure APT to prevent the installation of patches, service packs, device drivers, or -Ubuntu operating system components without verification they have been digitally signed -using a certificate that is recognized and approved by the organization. - -Remove/update -any APT configuration files that contain the variable \"AllowUnauthenticated\" to \"false\", -or remove \"AllowUnauthenticated\" entirely from each file. Below is an example of setting the -\"AllowUnauthenticated\" variable to \"false\": - -APT::Get::AllowUnauthenticated + desc 'fix', "Configure APT to prevent the installation of patches, service packs, device drivers, or +Ubuntu operating system components without verification they have been digitally signed +using a certificate that is recognized and approved by the organization. + +Remove/update +any APT configuration files that contain the variable \"AllowUnauthenticated\" to \"false\", +or remove \"AllowUnauthenticated\" entirely from each file. Below is an example of setting the +\"AllowUnauthenticated\" variable to \"false\": + +APT::Get::AllowUnauthenticated \"false\"; " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000366-GPOS-00153 " - tag gid: "V-238359 " - tag rid: "SV-238359r853434_rule " - tag stig_id: "UBTU-20-010438 " - tag fix_id: "F-41528r654251_fix " - tag cci: ["CCI-001749"] - tag nist: ["CM-5 (3)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000366-GPOS-00153 ' + tag gid: 'V-238359 ' + tag rid: 'SV-238359r853434_rule ' + tag stig_id: 'UBTU-20-010438 ' + tag fix_id: 'F-41528r654251_fix ' + tag cci: ['CCI-001749'] + tag nist: ['CM-5 (3)'] describe directory('/etc/apt/apt.conf.d') do it { should exist } @@ -74,4 +72,4 @@ end end end -end \ No newline at end of file +end diff --git a/controls/SV-238360.rb b/controls/SV-238360.rb index ee4982e..17c5daa 100644 --- a/controls/SV-238360.rb +++ b/controls/SV-238360.rb @@ -1,79 +1,77 @@ -# encoding: UTF-8 - -control "SV-238360" do - title "The Ubuntu operating system must be configured to use AppArmor. " - desc "Control of program execution is a mechanism used to prevent execution of unauthorized -programs. Some operating systems may provide a capability that runs counter to the mission or -provides users with functionality that exceeds mission requirements. This includes -functions and services installed at the operating system-level. - -Some of the programs, -installed by default, may be harmful or may not be necessary to support essential -organizational operations (e.g., key missions, functions). Removal of executable -programs is not always possible; therefore, establishing a method of preventing program -execution is critical to maintaining a secure system baseline. - -Methods for complying with -this requirement include restricting execution of programs in certain environments, while -preventing execution in other environments; or limiting execution of certain program -functionality based on organization-defined criteria (e.g., privileges, subnets, +control 'SV-238360' do + title 'The Ubuntu operating system must be configured to use AppArmor. ' + desc "Control of program execution is a mechanism used to prevent execution of unauthorized +programs. Some operating systems may provide a capability that runs counter to the mission or +provides users with functionality that exceeds mission requirements. This includes +functions and services installed at the operating system-level. + +Some of the programs, +installed by default, may be harmful or may not be necessary to support essential +organizational operations (e.g., key missions, functions). Removal of executable +programs is not always possible; therefore, establishing a method of preventing program +execution is critical to maintaining a secure system baseline. + +Methods for complying with +this requirement include restricting execution of programs in certain environments, while +preventing execution in other environments; or limiting execution of certain program +functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). " - desc "check", "Verify the operating system prevents program execution in accordance with local policies. - - -Check that AppArmor is installed and active by running the following command, - -$ dpkg -l | -grep apparmor - -If the \"apparmor\" package is not installed, this is a finding. - -$ systemctl -is-active apparmor.service - -active - -If \"active\" is not returned, this is a finding. - -$ -systemctl is-enabled apparmor.service - -enabled - -If \"enabled\" is not returned, this is a + desc 'check', "Verify the operating system prevents program execution in accordance with local policies. + + +Check that AppArmor is installed and active by running the following command, + +$ dpkg -l | +grep apparmor + +If the \"apparmor\" package is not installed, this is a finding. + +$ systemctl +is-active apparmor.service + +active + +If \"active\" is not returned, this is a finding. + +$ +systemctl is-enabled apparmor.service + +enabled + +If \"enabled\" is not returned, this is a finding. " - desc "fix", "Install \"AppArmor\" (if it is not installed) with the following command: - -$ sudo apt-get -install apparmor - -$ sudo systemctl enable apparmor.service - -Start \"apparmor\" with the -following command: - -$ sudo systemctl start apparmor.service - -Note: AppArmor must have -properly configured profiles for applications and home directories. All configurations -will be based on the actual system setup and organization and normally are on a per role basis. + desc 'fix', "Install \"AppArmor\" (if it is not installed) with the following command: + +$ sudo apt-get +install apparmor + +$ sudo systemctl enable apparmor.service + +Start \"apparmor\" with the +following command: + +$ sudo systemctl start apparmor.service + +Note: AppArmor must have +properly configured profiles for applications and home directories. All configurations +will be based on the actual system setup and organization and normally are on a per role basis. See the AppArmor documentation for more information on configuring profiles. " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000368-GPOS-00154 " - tag satisfies: ["SRG-OS-000368-GPOS-00154","SRG-OS-000312-GPOS-00122","SRG-OS-000312-GPOS-00123","SRG-OS-000312-GPOS-00124","SRG-OS-000324-GPOS-00125","SRG-OS-000370-GPOS-00155"] - tag gid: "V-238360 " - tag rid: "SV-238360r853435_rule " - tag stig_id: "UBTU-20-010439 " - tag fix_id: "F-41529r654254_fix " - tag cci: ["CCI-001764","CCI-001774","CCI-002165","CCI-002235"] - tag nist: ["CM-7 (2)","CM-7 (5) (b)","AC-3 (4)","AC-6 (10)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000368-GPOS-00154 ' + tag satisfies: %w(SRG-OS-000368-GPOS-00154 SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123 SRG-OS-000312-GPOS-00124 SRG-OS-000324-GPOS-00125 SRG-OS-000370-GPOS-00155) + tag gid: 'V-238360 ' + tag rid: 'SV-238360r853435_rule ' + tag stig_id: 'UBTU-20-010439 ' + tag fix_id: 'F-41529r654254_fix ' + tag cci: %w(CCI-001764 CCI-001774 CCI-002165 CCI-002235) + tag nist: ['CM-7 (2)', 'CM-7 (5) (b)', 'AC-3 (4)', 'AC-6 (10)'] describe service('apparmor') do it { should be_installed } it { should be_enabled } it { should be_running } end -end \ No newline at end of file +end diff --git a/controls/SV-238361.rb b/controls/SV-238361.rb index 1e91d59..a66b814 100644 --- a/controls/SV-238361.rb +++ b/controls/SV-238361.rb @@ -1,45 +1,43 @@ -# encoding: UTF-8 - -control "SV-238361" do - title "The Ubuntu operating system must allow the use of a temporary password for system logons with +control 'SV-238361' do + title "The Ubuntu operating system must allow the use of a temporary password for system logons with an immediate change to a permanent password. " - desc "Without providing this capability, an account may be created without a password. -Non-repudiation cannot be guaranteed once an account is created if a user is not forced to -change the temporary password upon initial logon. - -Temporary passwords are typically used -to allow access when new accounts are created or passwords are changed. It is common practice -for administrators to create temporary passwords for user accounts which allow the users to + desc "Without providing this capability, an account may be created without a password. +Non-repudiation cannot be guaranteed once an account is created if a user is not forced to +change the temporary password upon initial logon. + +Temporary passwords are typically used +to allow access when new accounts are created or passwords are changed. It is common practice +for administrators to create temporary passwords for user accounts which allow the users to log on, yet force them to change the password once they have successfully authenticated. " - desc "check", "Verify a policy exists that ensures when a user account is created, it is created using a method -that forces a user to change their password upon their next login. - -If a policy does not exist, + desc 'check', "Verify a policy exists that ensures when a user account is created, it is created using a method +that forces a user to change their password upon their next login. + +If a policy does not exist, this is a finding. " - desc "fix", "Create a policy that ensures when a user is created, it is created using a method that forces a -user to change their password upon their next login. - -Below are two examples of how to create a -user account that requires the user to change their password upon their next login. - -$ sudo -chage -d 0 [UserName] - -or - + desc 'fix', "Create a policy that ensures when a user is created, it is created using a method that forces a +user to change their password upon their next login. + +Below are two examples of how to create a +user account that requires the user to change their password upon their next login. + +$ sudo +chage -d 0 [UserName] + +or + $ sudo passwd -e [UserName] " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000380-GPOS-00165 " - tag gid: "V-238361 " - tag rid: "SV-238361r853436_rule " - tag stig_id: "UBTU-20-010440 " - tag fix_id: "F-41530r654257_fix " - tag cci: ["CCI-002041"] - tag nist: ["IA-5 (1) (f)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000380-GPOS-00165 ' + tag gid: 'V-238361 ' + tag rid: 'SV-238361r853436_rule ' + tag stig_id: 'UBTU-20-010440 ' + tag fix_id: 'F-41530r654257_fix ' + tag cci: ['CCI-002041'] + tag nist: ['IA-5 (1) (f)'] describe 'Manual verification required' do skip 'Manually verify if a policy exists to ensure that a method exists to force temporary users to change their password upon next login' end -end \ No newline at end of file +end diff --git a/controls/SV-238362.rb b/controls/SV-238362.rb index e09a0d5..7e44d9b 100644 --- a/controls/SV-238362.rb +++ b/controls/SV-238362.rb @@ -1,42 +1,40 @@ -# encoding: UTF-8 - -control "SV-238362" do - title "The Ubuntu operating system must be configured such that Pluggable Authentication Module +control 'SV-238362' do + title "The Ubuntu operating system must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day. " - desc "If cached authentication information is out-of-date, the validity of the authentication + desc "If cached authentication information is out-of-date, the validity of the authentication information may be questionable. " - desc "check", "If smart card authentication is not being used on the system, this s Not Applicable. - -Verify -that PAM prohibits the use of cached authentications after one day with the following -command: - -$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf -/etc/sssd/conf.d/*.conf - -offline_credentials_expiration = 1 - -If -\"offline_credentials_expiration\" is not set to a value of \"1\" in \"/etc/sssd/sssd.conf\" or + desc 'check', "If smart card authentication is not being used on the system, this s Not Applicable. + +Verify +that PAM prohibits the use of cached authentications after one day with the following +command: + +$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf +/etc/sssd/conf.d/*.conf + +offline_credentials_expiration = 1 + +If +\"offline_credentials_expiration\" is not set to a value of \"1\" in \"/etc/sssd/sssd.conf\" or in a file with a name ending in .conf in the \"/etc/sssd/conf.d/\" directory, this is a finding. " - desc "fix", "Configure PAM to prohibit the use of cached authentications after one day. Add or change the -following line in \"/etc/sssd/sssd.conf\" just below the line \"[pam]\": - - -offline_credentials_expiration = 1 - -Note: It is valid for this configuration to be in a -file with a name that ends with \".conf\" and does not begin with a \".\" in the \"/etc/sssd/conf.d/\" + desc 'fix', "Configure PAM to prohibit the use of cached authentications after one day. Add or change the +following line in \"/etc/sssd/sssd.conf\" just below the line \"[pam]\": + + +offline_credentials_expiration = 1 + +Note: It is valid for this configuration to be in a +file with a name that ends with \".conf\" and does not begin with a \".\" in the \"/etc/sssd/conf.d/\" directory instead of the \"/etc/sssd/sssd.conf\" file. " impact 0.3 - tag severity: "low " - tag gtitle: "SRG-OS-000383-GPOS-00166 " - tag gid: "V-238362 " - tag rid: "SV-238362r853437_rule " - tag stig_id: "UBTU-20-010441 " - tag fix_id: "F-41531r654260_fix " - tag cci: ["CCI-002007"] - tag nist: ["IA-5 (13)"] + tag severity: 'low ' + tag gtitle: 'SRG-OS-000383-GPOS-00166 ' + tag gid: 'V-238362 ' + tag rid: 'SV-238362r853437_rule ' + tag stig_id: 'UBTU-20-010441 ' + tag fix_id: 'F-41531r654260_fix ' + tag cci: ['CCI-002007'] + tag nist: ['IA-5 (13)'] config_file = input('sssd_conf_path') config_file_exists = file(config_file).exist? @@ -46,9 +44,9 @@ its('offline_credentials_expiration') { should cmp '1' } end else - describe (config_file + ' exists') do + describe(config_file + ' exists') do subject { config_file_exists } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238363.rb b/controls/SV-238363.rb index 5537f8a..44d2cbf 100644 --- a/controls/SV-238363.rb +++ b/controls/SV-238363.rb @@ -1,56 +1,54 @@ -# encoding: UTF-8 - -control "SV-238363" do - title "The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect -classified information and for the following: to provision digital signatures, to generate -cryptographic hashes, and to protect unclassified information requiring confidentiality -and cryptographic protection in accordance with applicable federal laws, Executive +control 'SV-238363' do + title "The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect +classified information and for the following: to provision digital signatures, to generate +cryptographic hashes, and to protect unclassified information requiring confidentiality +and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. " - desc "Use of weak or untested encryption algorithms undermines the purposes of utilizing -encryption to protect data. The operating system must implement cryptographic modules -adhering to the higher standards approved by the federal government since this provides + desc "Use of weak or untested encryption algorithms undermines the purposes of utilizing +encryption to protect data. The operating system must implement cryptographic modules +adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. " - desc "check", "Verify the system is configured to run in FIPS mode with the following command: - -$ grep -i 1 -/proc/sys/crypto/fips_enabled -1 - + desc 'check', "Verify the system is configured to run in FIPS mode with the following command: + +$ grep -i 1 +/proc/sys/crypto/fips_enabled +1 + If a value of \"1\" is not returned, this is a finding. " - desc "fix", "Configure the system to run in FIPS mode. Add \"fips=1\" to the kernel parameter during the -Ubuntu operating systems install. - -Enabling a FIPS mode on a pre-existing system involves a -number of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS -140-2 security policy document for instructions. - -A subscription to the \"Ubuntu -Advantage\" plan is required in order to obtain the FIPS Kernel cryptographic modules and + desc 'fix', "Configure the system to run in FIPS mode. Add \"fips=1\" to the kernel parameter during the +Ubuntu operating systems install. + +Enabling a FIPS mode on a pre-existing system involves a +number of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS +140-2 security policy document for instructions. + +A subscription to the \"Ubuntu +Advantage\" plan is required in order to obtain the FIPS Kernel cryptographic modules and enable FIPS. " impact 0.7 - tag severity: "high " - tag gtitle: "SRG-OS-000396-GPOS-00176 " - tag satisfies: ["SRG-OS-000396-GPOS-00176","SRG-OS-000478-GPOS-00223"] - tag gid: "V-238363 " - tag rid: "SV-238363r853438_rule " - tag stig_id: "UBTU-20-010442 " - tag fix_id: "F-41532r654263_fix " - tag cci: ["CCI-002450"] - tag nist: ["SC-13 b"] + tag severity: 'high ' + tag gtitle: 'SRG-OS-000396-GPOS-00176 ' + tag satisfies: %w(SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223) + tag gid: 'V-238363 ' + tag rid: 'SV-238363r853438_rule ' + tag stig_id: 'UBTU-20-010442 ' + tag fix_id: 'F-41532r654263_fix ' + tag cci: ['CCI-002450'] + tag nist: ['SC-13 b'] config_file = input('fips_config_file') config_file_exists = file(config_file).exist? if config_file_exists describe file(config_file) do - its('content') { should match %r{\A1\Z} } + its('content') { should match /\A1\Z/ } end else - describe ('FIPS is enabled') do + describe('FIPS is enabled') do subject { config_file_exists } it { should be true } end end -end \ No newline at end of file +end diff --git a/controls/SV-238364.rb b/controls/SV-238364.rb index 699ffad..88b59e9 100644 --- a/controls/SV-238364.rb +++ b/controls/SV-238364.rb @@ -1,65 +1,63 @@ -# encoding: UTF-8 - -control "SV-238364" do - title "The Ubuntu operating system must only allow the use of DoD PKI-established certificate +control 'SV-238364' do + title "The Ubuntu operating system must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. " - desc "Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by -organizations or individuals that seek to compromise DoD systems or by organizations with -insufficient security controls. If the CA used for verifying the certificate is not a -DoD-approved CA, trust of this CA has not been established. - -The DoD will only accept -PKI-certificates obtained from a DoD-approved internal or external certificate -authority. Reliance on CAs for the establishment of secure sessions includes, for example, + desc "Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by +organizations or individuals that seek to compromise DoD systems or by organizations with +insufficient security controls. If the CA used for verifying the certificate is not a +DoD-approved CA, trust of this CA has not been established. + +The DoD will only accept +PKI-certificates obtained from a DoD-approved internal or external certificate +authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates. " - desc "check", "Verify the directory containing the root certificates for the Ubuntu operating system -(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate -authorities. - -Determine if \"/etc/ssl/certs\" only contains certificate files whose -sha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities -with the following command: - -$ for f in $(realpath /etc/ssl/certs/*); do openssl x509 --sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'; -done - + desc 'check', "Verify the directory containing the root certificates for the Ubuntu operating system +(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate +authorities. + +Determine if \"/etc/ssl/certs\" only contains certificate files whose +sha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities +with the following command: + +$ for f in $(realpath /etc/ssl/certs/*); do openssl x509 +-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'; +done + If any entry is found, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to only allow the use of DoD PKI-established -certificate authorities for verification of the establishment of protected sessions. - + desc 'fix', "Configure the Ubuntu operating system to only allow the use of DoD PKI-established +certificate authorities for verification of the establishment of protected sessions. + + +Edit the \"/etc/ca-certificates.conf\" file, adding the character \"!\" to the beginning of +all uncommented lines that do not start with the \"!\" character with the following command: + +$ +sudo sed -i -E 's/^([^!#]+)/!\\1/' /etc/ca-certificates.conf + +Add at least one DoD +certificate authority to the \"/usr/local/share/ca-certificates\" directory in the PEM +format. + +Update the \"/etc/ssl/certs\" directory with the following command: -Edit the \"/etc/ca-certificates.conf\" file, adding the character \"!\" to the beginning of -all uncommented lines that do not start with the \"!\" character with the following command: - -$ -sudo sed -i -E 's/^([^!#]+)/!\\1/' /etc/ca-certificates.conf - -Add at least one DoD -certificate authority to the \"/usr/local/share/ca-certificates\" directory in the PEM -format. - -Update the \"/etc/ssl/certs\" directory with the following command: - -$ sudo +$ sudo update-ca-certificates " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000403-GPOS-00182 " - tag gid: "V-238364 " - tag rid: "SV-238364r860824_rule " - tag stig_id: "UBTU-20-010443 " - tag fix_id: "F-41533r860823_fix " - tag cci: ["CCI-002470"] - tag nist: ["SC-23 (5)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000403-GPOS-00182 ' + tag gid: 'V-238364 ' + tag rid: 'SV-238364r860824_rule ' + tag stig_id: 'UBTU-20-010443 ' + tag fix_id: 'F-41533r860823_fix ' + tag cci: ['CCI-002470'] + tag nist: ['SC-23 (5)'] allowed_ca_fingerprints_regex = input('allowed_ca_fingerprints_regex') - find_command = """ - for f in $(find -L /etc/ssl/certs -type f); do + find_command = ''" + for f in $(find -L /etc/ssl/certs -type f); do openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '#{allowed_ca_fingerprints_regex}' done - """ + "'' describe command(find_command) do - its("stdout") { should cmp "" } + its('stdout') { should cmp '' } end -end \ No newline at end of file +end diff --git a/controls/SV-238365.rb b/controls/SV-238365.rb index 15ac33c..6f71a32 100644 --- a/controls/SV-238365.rb +++ b/controls/SV-238365.rb @@ -1,73 +1,71 @@ -# encoding: UTF-8 - -control "SV-238365" do - title "Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized +control 'SV-238365' do + title "Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest. " - desc "Operating systems handling data requiring \"data at rest\" protections must employ -cryptographic mechanisms to prevent unauthorized disclosure and modification of the -information at rest. - -Selection of a cryptographic mechanism is based on the need to protect -the integrity of organizational information. The strength of the mechanism is commensurate -with the security category and/or classification of the information. Organizations have -the flexibility to either encrypt all information on storage devices (i.e., full disk + desc "Operating systems handling data requiring \"data at rest\" protections must employ +cryptographic mechanisms to prevent unauthorized disclosure and modification of the +information at rest. + +Selection of a cryptographic mechanism is based on the need to protect +the integrity of organizational information. The strength of the mechanism is commensurate +with the security category and/or classification of the information. Organizations have +the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). " - desc "check", "If there is a documented and approved reason for not having data-at-rest encryption, this -requirement is Not Applicable. - -Verify the Ubuntu operating system prevents unauthorized -disclosure or modification of all information requiring at-rest protection by using disk -encryption. - -Determine the partition layout for the system with the following command: - -$ -sudo fdisk -l -(..) -Disk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors -Units: -sectors of 1 * 512 = 512 bytes -Sector size (logical/physical): 512 bytes / 512 bytes -I/O size -(minimum/optimal): 512 bytes / 512 bytes -Disklabel type: gpt -Disk identifier: -83298450-B4E3-4B19-A9E4-7DF147A5FEFB - -Device Start End Sectors Size Type -/dev/vda1 -2048 4095 2048 1M BIOS boot -/dev/vda2 4096 2101247 2097152 1G Linux filesystem -/dev/vda3 -2101248 31455231 29353984 14G Linux filesystem -(...) - -Verify that the system partitions -are all encrypted with the following command: - -$ more /etc/crypttab - -Every persistent -disk partition present must have an entry in the file. - -If any partitions other than the boot + desc 'check', "If there is a documented and approved reason for not having data-at-rest encryption, this +requirement is Not Applicable. + +Verify the Ubuntu operating system prevents unauthorized +disclosure or modification of all information requiring at-rest protection by using disk +encryption. + +Determine the partition layout for the system with the following command: + +$ +sudo fdisk -l +(..) +Disk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors +Units: +sectors of 1 * 512 = 512 bytes +Sector size (logical/physical): 512 bytes / 512 bytes +I/O size +(minimum/optimal): 512 bytes / 512 bytes +Disklabel type: gpt +Disk identifier: +83298450-B4E3-4B19-A9E4-7DF147A5FEFB + +Device Start End Sectors Size Type +/dev/vda1 +2048 4095 2048 1M BIOS boot +/dev/vda2 4096 2101247 2097152 1G Linux filesystem +/dev/vda3 +2101248 31455231 29353984 14G Linux filesystem +(...) + +Verify that the system partitions +are all encrypted with the following command: + +$ more /etc/crypttab + +Every persistent +disk partition present must have an entry in the file. + +If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. " - desc "fix", "To encrypt an entire partition, dedicate a partition for encryption in the partition layout. + desc 'fix', "To encrypt an entire partition, dedicate a partition for encryption in the partition layout. + - -Note: Encrypting a partition in an already-installed system is more difficult because it +Note: Encrypting a partition in an already-installed system is more difficult because it will need to be resized and existing partitions changed. " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000404-GPOS-00183 " - tag gid: "V-238365 " - tag rid: "SV-238365r853442_rule " - tag stig_id: "UBTU-20-010444 " - tag fix_id: "F-41534r654269_fix " - tag cci: ["CCI-002475"] - tag nist: ["SC-28 (1)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000404-GPOS-00183 ' + tag gid: 'V-238365 ' + tag rid: 'SV-238365r853442_rule ' + tag stig_id: 'UBTU-20-010444 ' + tag fix_id: 'F-41534r654269_fix ' + tag cci: ['CCI-002475'] + tag nist: ['SC-28 (1)'] describe 'Not Applicable' do skip 'Encryption of data at rest is handled by the IaaS' end -end \ No newline at end of file +end diff --git a/controls/SV-238366.rb b/controls/SV-238366.rb index 66c7038..28e309c 100644 --- a/controls/SV-238366.rb +++ b/controls/SV-238366.rb @@ -1,73 +1,71 @@ -# encoding: UTF-8 - -control "SV-238366" do - title "Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized +control 'SV-238366' do + title "Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of all information at rest. " - desc "Operating systems handling data requiring \"data at rest\" protections must employ -cryptographic mechanisms to prevent unauthorized disclosure and modification of the -information at rest. - -Selection of a cryptographic mechanism is based on the need to protect -the integrity of organizational information. The strength of the mechanism is commensurate -with the security category and/or classification of the information. Organizations have -the flexibility to either encrypt all information on storage devices (i.e., full disk + desc "Operating systems handling data requiring \"data at rest\" protections must employ +cryptographic mechanisms to prevent unauthorized disclosure and modification of the +information at rest. + +Selection of a cryptographic mechanism is based on the need to protect +the integrity of organizational information. The strength of the mechanism is commensurate +with the security category and/or classification of the information. Organizations have +the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). " - desc "check", "If there is a documented and approved reason for not having data-at-rest encryption, this -requirement is Not Applicable. - -Verify the Ubuntu operating system prevents unauthorized -disclosure or modification of all information requiring at-rest protection by using disk -encryption. - -Determine the partition layout for the system with the following command: - + desc 'check', "If there is a documented and approved reason for not having data-at-rest encryption, this +requirement is Not Applicable. + +Verify the Ubuntu operating system prevents unauthorized +disclosure or modification of all information requiring at-rest protection by using disk +encryption. + +Determine the partition layout for the system with the following command: + + +$sudo fdisk -l +(..) +Disk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors +Units: +sectors of 1 * 512 = 512 bytes +Sector size (logical/physical): 512 bytes / 512 bytes +I/O size +(minimum/optimal): 512 bytes / 512 bytes +Disklabel type: gpt +Disk identifier: +83298450-B4E3-4B19-A9E4-7DF147A5FEFB -$sudo fdisk -l -(..) -Disk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors -Units: -sectors of 1 * 512 = 512 bytes -Sector size (logical/physical): 512 bytes / 512 bytes -I/O size -(minimum/optimal): 512 bytes / 512 bytes -Disklabel type: gpt -Disk identifier: -83298450-B4E3-4B19-A9E4-7DF147A5FEFB - -Device Start End Sectors Size Type -/dev/vda1 -2048 4095 2048 1M BIOS boot -/dev/vda2 4096 2101247 2097152 1G Linux filesystem -/dev/vda3 -2101248 31455231 29353984 14G Linux filesystem -(...) - -Verify that the system partitions -are all encrypted with the following command: - -$ more /etc/crypttab - -Every persistent -disk partition present must have an entry in the file. - -If any partitions other than the boot +Device Start End Sectors Size Type +/dev/vda1 +2048 4095 2048 1M BIOS boot +/dev/vda2 4096 2101247 2097152 1G Linux filesystem +/dev/vda3 +2101248 31455231 29353984 14G Linux filesystem +(...) + +Verify that the system partitions +are all encrypted with the following command: + +$ more /etc/crypttab + +Every persistent +disk partition present must have an entry in the file. + +If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. " - desc "fix", "To encrypt an entire partition, dedicate a partition for encryption in the partition layout. + desc 'fix', "To encrypt an entire partition, dedicate a partition for encryption in the partition layout. + - -Note: Encrypting a partition in an already-installed system is more difficult because it +Note: Encrypting a partition in an already-installed system is more difficult because it will need to be resized and existing partitions changed. " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000405-GPOS-00184 " - tag gid: "V-238366 " - tag rid: "SV-238366r853443_rule " - tag stig_id: "UBTU-20-010445 " - tag fix_id: "F-41535r654272_fix " - tag cci: ["CCI-002476"] - tag nist: ["SC-28 (1)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000405-GPOS-00184 ' + tag gid: 'V-238366 ' + tag rid: 'SV-238366r853443_rule ' + tag stig_id: 'UBTU-20-010445 ' + tag fix_id: 'F-41535r654272_fix ' + tag cci: ['CCI-002476'] + tag nist: ['SC-28 (1)'] describe 'Not Applicable' do skip 'Encryption of data at rest is handled by the IaaS' end -end \ No newline at end of file +end diff --git a/controls/SV-238367.rb b/controls/SV-238367.rb index e3a6efa..43a6a10 100644 --- a/controls/SV-238367.rb +++ b/controls/SV-238367.rb @@ -1,81 +1,79 @@ -# encoding: UTF-8 - -control "SV-238367" do - title "The Ubuntu operating system must configure the uncomplicated firewall to rate-limit +control 'SV-238367' do + title "The Ubuntu operating system must configure the uncomplicated firewall to rate-limit impacted network interfaces. " - desc "Denial of service (DoS) is a condition when a resource is not available for legitimate users. -When this occurs, the organization either cannot accomplish its mission or must operate at -degraded capacity. - -This requirement addresses the configuration of the operating system -to mitigate the impact of DoS attacks that have occurred or are ongoing on system -availability. For each system, known and potential DoS attacks must be identified and -solutions for each type implemented. A variety of technologies exist to limit or, in some -cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing -memory partitions). Employing increased capacity and bandwidth, combined with service + desc "Denial of service (DoS) is a condition when a resource is not available for legitimate users. +When this occurs, the organization either cannot accomplish its mission or must operate at +degraded capacity. + +This requirement addresses the configuration of the operating system +to mitigate the impact of DoS attacks that have occurred or are ongoing on system +availability. For each system, known and potential DoS attacks must be identified and +solutions for each type implemented. A variety of technologies exist to limit or, in some +cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing +memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. " - desc "check", "Verify an application firewall is configured to rate limit any connection to the system. - - -Check all the services listening to the ports with the following command: - -$ sudo ss -l46ut - - -Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process -tcp LISTEN 0 128 -[::]:ssh [::]:* - -For each entry, verify that the Uncomplicated Firewall is configured to -rate limit the service ports with the following command: - -$ sudo ufw status - -Status: active - - -To Action From --- ------ ---- -22/tcp LIMIT Anywhere -22/tcp (v6) LIMIT Anywhere (v6) - -If + desc 'check', "Verify an application firewall is configured to rate limit any connection to the system. + + +Check all the services listening to the ports with the following command: + +$ sudo ss -l46ut + + +Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process +tcp LISTEN 0 128 +[::]:ssh [::]:* + +For each entry, verify that the Uncomplicated Firewall is configured to +rate limit the service ports with the following command: + +$ sudo ufw status + +Status: active + + +To Action From +-- ------ ---- +22/tcp LIMIT Anywhere +22/tcp (v6) LIMIT Anywhere (v6) + +If any port with a state of \"LISTEN\" is not marked with the \"LIMIT\" action, this is a finding. " - desc "fix", "Configure the application firewall to protect against or limit the effects of DoS attacks by -ensuring the Ubuntu operating system is implementing rate-limiting measures on impacted -network interfaces. - -Check all the services listening to the ports with the following -command: - -$ sudo ss -l46ut - -Netid State Recv-Q Send-Q Local Address:Port Peer -Address:Port Process -tcp LISTEN 0 128 [::]:ssh [::]:* - -For each service with a port -listening to connections, run the following command, replacing \"[service]\" with the -service that needs to be rate limited. - -$ sudo ufw limit [service] - -Rate-limiting can also -be done on an interface. An example of adding a rate-limit on the eth0 interface follows: - -$ + desc 'fix', "Configure the application firewall to protect against or limit the effects of DoS attacks by +ensuring the Ubuntu operating system is implementing rate-limiting measures on impacted +network interfaces. + +Check all the services listening to the ports with the following +command: + +$ sudo ss -l46ut + +Netid State Recv-Q Send-Q Local Address:Port Peer +Address:Port Process +tcp LISTEN 0 128 [::]:ssh [::]:* + +For each service with a port +listening to connections, run the following command, replacing \"[service]\" with the +service that needs to be rate limited. + +$ sudo ufw limit [service] + +Rate-limiting can also +be done on an interface. An example of adding a rate-limit on the eth0 interface follows: + +$ sudo ufw limit in on eth0 " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000420-GPOS-00186 " - tag gid: "V-238367 " - tag rid: "SV-238367r853444_rule " - tag stig_id: "UBTU-20-010446 " - tag fix_id: "F-41536r654275_fix " - tag cci: ["CCI-002385"] - tag nist: ["SC-5 a"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000420-GPOS-00186 ' + tag gid: 'V-238367 ' + tag rid: 'SV-238367r853444_rule ' + tag stig_id: 'UBTU-20-010446 ' + tag fix_id: 'F-41536r654275_fix ' + tag cci: ['CCI-002385'] + tag nist: ['SC-5 a'] describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do skip 'Status listings checks must be preformed manually' end -end \ No newline at end of file +end diff --git a/controls/SV-238368.rb b/controls/SV-238368.rb index 4ed437e..8e49e32 100644 --- a/controls/SV-238368.rb +++ b/controls/SV-238368.rb @@ -1,49 +1,47 @@ -# encoding: UTF-8 - -control "SV-238368" do - title "The Ubuntu operating system must implement non-executable data to protect its memory from +control 'SV-238368' do + title "The Ubuntu operating system must implement non-executable data to protect its memory from unauthorized code execution. " - desc "Some adversaries launch attacks with the intent of executing code in non-executable regions -of memory or in memory locations that are prohibited. Security safeguards employed to -protect memory include, for example, data execution prevention and address space layout -randomization. Data execution prevention safeguards can either be hardware-enforced or -software-enforced with hardware providing the greater strength of mechanism. - -Examples + desc "Some adversaries launch attacks with the intent of executing code in non-executable regions +of memory or in memory locations that are prohibited. Security safeguards employed to +protect memory include, for example, data execution prevention and address space layout +randomization. Data execution prevention safeguards can either be hardware-enforced or +software-enforced with hardware providing the greater strength of mechanism. + +Examples of attacks are buffer overflow attacks. " - desc "check", "Verify the NX (no-execution) bit flag is set on the system with the following commands: - -$ -dmesg | grep -i \"execute disable\" -[ 0.000000] NX (Execute Disable) protection: active - -If -\"dmesg\" does not show \"NX (Execute Disable) protection: active\", check the cpuinfo settings -with the following command: - -$ grep flags /proc/cpuinfo | grep -w nx | sort -u -flags : fpu vme -de pse tsc ms nx rdtscp lm constant_tsc - -If \"flags\" does not contain the \"nx\" flag, this is a + desc 'check', "Verify the NX (no-execution) bit flag is set on the system with the following commands: + +$ +dmesg | grep -i \"execute disable\" +[ 0.000000] NX (Execute Disable) protection: active + +If +\"dmesg\" does not show \"NX (Execute Disable) protection: active\", check the cpuinfo settings +with the following command: + +$ grep flags /proc/cpuinfo | grep -w nx | sort -u +flags : fpu vme +de pse tsc ms nx rdtscp lm constant_tsc + +If \"flags\" does not contain the \"nx\" flag, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to enable NX. - -If \"nx\" is not showing up in -\"/proc/cpuinfo\", and the system's BIOS setup configuration permits toggling the No + desc 'fix', "Configure the Ubuntu operating system to enable NX. + +If \"nx\" is not showing up in +\"/proc/cpuinfo\", and the system's BIOS setup configuration permits toggling the No Execution bit, set it to \"enable\". " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000433-GPOS-00192 " - tag gid: "V-238368 " - tag rid: "SV-238368r853445_rule " - tag stig_id: "UBTU-20-010447 " - tag fix_id: "F-41537r654278_fix " - tag cci: ["CCI-002824"] - tag nist: ["SI-16"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000433-GPOS-00192 ' + tag gid: 'V-238368 ' + tag rid: 'SV-238368r853445_rule ' + tag stig_id: 'UBTU-20-010447 ' + tag fix_id: 'F-41537r654278_fix ' + tag cci: ['CCI-002824'] + tag nist: ['SI-16'] options = { - assignment_regex: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/ + assignment_regex: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/, } describe.one do describe command('dmesg | grep NX').stdout.strip do @@ -53,4 +51,4 @@ it { should include 'nx' } end end -end \ No newline at end of file +end diff --git a/controls/SV-238369.rb b/controls/SV-238369.rb index a896292..5f6dcd4 100644 --- a/controls/SV-238369.rb +++ b/controls/SV-238369.rb @@ -1,62 +1,60 @@ -# encoding: UTF-8 - -control "SV-238369" do - title "The Ubuntu operating system must implement address space layout randomization to protect +control 'SV-238369' do + title "The Ubuntu operating system must implement address space layout randomization to protect its memory from unauthorized code execution. " - desc "Some adversaries launch attacks with the intent of executing code in non-executable regions -of memory or in memory locations that are prohibited. Security safeguards employed to -protect memory include, for example, data execution prevention and address space layout -randomization. Data execution prevention safeguards can either be hardware-enforced or -software-enforced with hardware providing the greater strength of mechanism. - -Examples + desc "Some adversaries launch attacks with the intent of executing code in non-executable regions +of memory or in memory locations that are prohibited. Security safeguards employed to +protect memory include, for example, data execution prevention and address space layout +randomization. Data execution prevention safeguards can either be hardware-enforced or +software-enforced with hardware providing the greater strength of mechanism. + +Examples of attacks are buffer overflow attacks. " - desc "check", "Verify the Ubuntu operating system implements address space layout randomization (ASLR) -with the following command: - -$ sudo sysctl kernel.randomize_va_space - - -kernel.randomize_va_space = 2 - -If nothing is returned, verify the kernel parameter -\"randomize_va_space\" is set to \"2\" with the following command: - -$ cat -/proc/sys/kernel/randomize_va_space - -2 - -If \"kernel.randomize_va_space\" is not set to -\"2\", this is a finding. - -Verify that a saved value of the \"kernel.randomize_va_space\" -variable is not defined. - -$ sudo egrep -R \"^kernel.randomize_va_space=[^2]\" -/etc/sysctl.conf /etc/sysctl.d - + desc 'check', "Verify the Ubuntu operating system implements address space layout randomization (ASLR) +with the following command: + +$ sudo sysctl kernel.randomize_va_space + + +kernel.randomize_va_space = 2 + +If nothing is returned, verify the kernel parameter +\"randomize_va_space\" is set to \"2\" with the following command: + +$ cat +/proc/sys/kernel/randomize_va_space + +2 + +If \"kernel.randomize_va_space\" is not set to +\"2\", this is a finding. + +Verify that a saved value of the \"kernel.randomize_va_space\" +variable is not defined. + +$ sudo egrep -R \"^kernel.randomize_va_space=[^2]\" +/etc/sysctl.conf /etc/sysctl.d + If this returns a result, this is a finding. " - desc "fix", "Remove the \"kernel.randomize_va_space\" entry found in the \"/etc/sysctl.conf\" file or any -file located in the \"/etc/sysctl.d/\" directory. - -After the line has been removed, the -kernel settings from all system configuration files must be reloaded before any of the -changes will take effect. Run the following command to reload all of the kernel system -configuration files: - + desc 'fix', "Remove the \"kernel.randomize_va_space\" entry found in the \"/etc/sysctl.conf\" file or any +file located in the \"/etc/sysctl.d/\" directory. + +After the line has been removed, the +kernel settings from all system configuration files must be reloaded before any of the +changes will take effect. Run the following command to reload all of the kernel system +configuration files: + $ sudo sysctl --system " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000433-GPOS-00193 " - tag gid: "V-238369 " - tag rid: "SV-238369r853446_rule " - tag stig_id: "UBTU-20-010448 " - tag fix_id: "F-41538r654281_fix " - tag cci: ["CCI-002824"] - tag nist: ["SI-16"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000433-GPOS-00193 ' + tag gid: 'V-238369 ' + tag rid: 'SV-238369r853446_rule ' + tag stig_id: 'UBTU-20-010448 ' + tag fix_id: 'F-41538r654281_fix ' + tag cci: ['CCI-002824'] + tag nist: ['SI-16'] describe kernel_parameter('kernel.randomize_va_space') do its('value') { should cmp 2 } end -end \ No newline at end of file +end diff --git a/controls/SV-238370.rb b/controls/SV-238370.rb index 18537d3..d1da2f9 100644 --- a/controls/SV-238370.rb +++ b/controls/SV-238370.rb @@ -1,44 +1,42 @@ -# encoding: UTF-8 - -control "SV-238370" do - title "The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all +control 'SV-238370' do + title "The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all software components after updated versions have been installed. " - desc "Previous versions of software components that are not removed from the information system -after updates have been installed may be exploited by adversaries. Some information -technology products may remove older versions of software automatically from the + desc "Previous versions of software components that are not removed from the information system +after updates have been installed may be exploited by adversaries. Some information +technology products may remove older versions of software automatically from the information system. " - desc "check", "Verify is configured to remove all software components after updated versions have been -installed with the following command: - -$ grep -i remove-unused -/etc/apt/apt.conf.d/50unattended-upgrades - -Unattended-Upgrade::Remove-Unused-Dependencies \"true\"; - -Unattended-Upgrade::Remove-Unused-Kernel-Packages \"true\"; - -If the -\"::Remove-Unused-Dependencies\" and \"::Remove-Unused-Kernel-Packages\" parameters are + desc 'check', "Verify is configured to remove all software components after updated versions have been +installed with the following command: + +$ grep -i remove-unused +/etc/apt/apt.conf.d/50unattended-upgrades + +Unattended-Upgrade::Remove-Unused-Dependencies \"true\"; + +Unattended-Upgrade::Remove-Unused-Kernel-Packages \"true\"; + +If the +\"::Remove-Unused-Dependencies\" and \"::Remove-Unused-Kernel-Packages\" parameters are not set to \"true\" or are missing or commented out, this is a finding. " - desc "fix", "Configure APT to remove all software components after updated versions have been installed. + desc 'fix', "Configure APT to remove all software components after updated versions have been installed. + + +Add or updated the following options to the +\"/etc/apt/apt.conf.d/50unattended-upgrades\" file: - -Add or updated the following options to the -\"/etc/apt/apt.conf.d/50unattended-upgrades\" file: - -Unattended-Upgrade::Remove-Unused-Dependencies \"true\"; +Unattended-Upgrade::Remove-Unused-Dependencies \"true\"; Unattended-Upgrade::Remove-Unused-Kernel-Packages \"true\"; " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000437-GPOS-00194 " - tag gid: "V-238370 " - tag rid: "SV-238370r853447_rule " - tag stig_id: "UBTU-20-010449 " - tag fix_id: "F-41539r654284_fix " - tag cci: ["CCI-002617"] - tag nist: ["SI-2 (6)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000437-GPOS-00194 ' + tag gid: 'V-238370 ' + tag rid: 'SV-238370r853447_rule ' + tag stig_id: 'UBTU-20-010449 ' + tag fix_id: 'F-41539r654284_fix ' + tag cci: ['CCI-002617'] + tag nist: ['SI-2 (6)'] describe directory('/etc/apt/apt.conf.d') do it { should exist } @@ -48,4 +46,4 @@ it { should match /^\s*([^\s]*::Remove-Unused-Dependencies)\s*\"true\"\s*;$/ } it { should match /^\s*([^\s]*::Remove-Unused-Kernel-Packages)\s*\"true\"\s*;$/ } end -end \ No newline at end of file +end diff --git a/controls/SV-238371.rb b/controls/SV-238371.rb index 5453bcc..11a8b3b 100644 --- a/controls/SV-238371.rb +++ b/controls/SV-238371.rb @@ -1,48 +1,46 @@ -# encoding: UTF-8 - -control "SV-238371" do - title "The Ubuntu operating system must use a file integrity tool to verify correct operation of all +control 'SV-238371' do + title "The Ubuntu operating system must use a file integrity tool to verify correct operation of all security functions. " - desc "Without verification of the security functions, security functions may not operate -correctly and the failure may go unnoticed. Security function is defined as the hardware, -software, and/or firmware of the information system responsible for enforcing the system -security policy and supporting the isolation of code and data on which the protection is -based. Security functionality includes, but is not limited to, establishing system -accounts, configuring access authorizations (i.e., permissions, privileges), setting -events to be audited, and setting intrusion detection parameters. - -This requirement -applies to the Ubuntu operating system performing security function verification/testing + desc "Without verification of the security functions, security functions may not operate +correctly and the failure may go unnoticed. Security function is defined as the hardware, +software, and/or firmware of the information system responsible for enforcing the system +security policy and supporting the isolation of code and data on which the protection is +based. Security functionality includes, but is not limited to, establishing system +accounts, configuring access authorizations (i.e., permissions, privileges), setting +events to be audited, and setting intrusion detection parameters. + +This requirement +applies to the Ubuntu operating system performing security function verification/testing and/or systems and environments that require this functionality. " - desc "check", "Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the -correct operation of all security functions. - -Check that the AIDE package is installed with -the following command: - -$ sudo dpkg -l | grep aide -ii aide 0.16.1-1build2 amd64 Advanced -Intrusion Detection Environment - static binary - -If AIDE is not installed, ask the System -Administrator how file integrity checks are performed on the system. - -If no application is + desc 'check', "Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the +correct operation of all security functions. + +Check that the AIDE package is installed with +the following command: + +$ sudo dpkg -l | grep aide +ii aide 0.16.1-1build2 amd64 Advanced +Intrusion Detection Environment - static binary + +If AIDE is not installed, ask the System +Administrator how file integrity checks are performed on the system. + +If no application is installed to perform integrity checks, this is a finding. " - desc "fix", "Install the AIDE package by running the following command: - + desc 'fix', "Install the AIDE package by running the following command: + $ sudo apt-get install aide " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000445-GPOS-00199 " - tag gid: "V-238371 " - tag rid: "SV-238371r853448_rule " - tag stig_id: "UBTU-20-010450 " - tag fix_id: "F-41540r654287_fix " - tag cci: ["CCI-002696"] - tag nist: ["SI-6 a"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000445-GPOS-00199 ' + tag gid: 'V-238371 ' + tag rid: 'SV-238371r853448_rule ' + tag stig_id: 'UBTU-20-010450 ' + tag fix_id: 'F-41540r654287_fix ' + tag cci: ['CCI-002696'] + tag nist: ['SI-6 a'] describe package('aide') do it { should be_installed } end -end \ No newline at end of file +end diff --git a/controls/SV-238372.rb b/controls/SV-238372.rb index 48a3b3e..ba57f0c 100644 --- a/controls/SV-238372.rb +++ b/controls/SV-238372.rb @@ -1,48 +1,46 @@ -# encoding: UTF-8 - -control "SV-238372" do - title "The Ubuntu operating system must notify designated personnel if baseline configurations -are changed in an unauthorized manner. The file integrity tool must notify the System -Administrator when changes to the baseline configuration or anomalies in the operation of +control 'SV-238372' do + title "The Ubuntu operating system must notify designated personnel if baseline configurations +are changed in an unauthorized manner. The file integrity tool must notify the System +Administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered. " - desc "Unauthorized changes to the baseline configuration could make the system vulnerable to -various attacks or allow unauthorized access to the Ubuntu operating system. Changes to -Ubuntu operating system configurations can have unintended side effects, some of which may -be relevant to security. - -Detecting such changes and providing an automated response can -help avoid unintended, negative consequences that could ultimately affect the security -state of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be -notified via email and/or monitoring system trap when there is an unauthorized modification + desc "Unauthorized changes to the baseline configuration could make the system vulnerable to +various attacks or allow unauthorized access to the Ubuntu operating system. Changes to +Ubuntu operating system configurations can have unintended side effects, some of which may +be relevant to security. + +Detecting such changes and providing an automated response can +help avoid unintended, negative consequences that could ultimately affect the security +state of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be +notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. " - desc "check", "Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System + desc 'check', "Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System Administrator - when anomalies in the operation of any security functions are discovered -with the following command: - -$ sudo grep SILENTREPORTS /etc/default/aide - + when anomalies in the operation of any security functions are discovered +with the following command: + +$ sudo grep SILENTREPORTS /etc/default/aide + + +SILENTREPORTS=no -SILENTREPORTS=no - If SILENTREPORTS is uncommented and set to \"yes\", this is a finding. " - desc "fix", "Configure the Ubuntu operating system to notify designated personnel if baseline -configurations are changed in an unauthorized manner. - -Modify the \"SILENTREPORTS\" + desc 'fix', "Configure the Ubuntu operating system to notify designated personnel if baseline +configurations are changed in an unauthorized manner. + +Modify the \"SILENTREPORTS\" parameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist. " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000447-GPOS-00201 " - tag gid: "V-238372 " - tag rid: "SV-238372r853449_rule " - tag stig_id: "UBTU-20-010451 " - tag fix_id: "F-41541r654290_fix " - tag cci: ["CCI-002702"] - tag nist: ["SI-6 d"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000447-GPOS-00201 ' + tag gid: 'V-238372 ' + tag rid: 'SV-238372r853449_rule ' + tag stig_id: 'UBTU-20-010451 ' + tag fix_id: 'F-41541r654290_fix ' + tag cci: ['CCI-002702'] + tag nist: ['SI-6 d'] describe file('/etc/default/aide') do it { should exist } its('content') { should match '^SILENTREPORTS=no$' } end -end \ No newline at end of file +end diff --git a/controls/SV-238373.rb b/controls/SV-238373.rb index 285cbbc..fc0e79a 100644 --- a/controls/SV-238373.rb +++ b/controls/SV-238373.rb @@ -1,49 +1,47 @@ -# encoding: UTF-8 - -control "SV-238373" do - title "The Ubuntu operating system must display the date and time of the last successful account +control 'SV-238373' do + title "The Ubuntu operating system must display the date and time of the last successful account logon upon logon. " - desc "Configuration settings are the set of parameters that can be changed in hardware, software, -or firmware components of the system that affect the security posture and/or functionality -of the system. Security-related parameters are those parameters impacting the security -state of the system, including the parameters required to satisfy other security control -requirements. Security-related parameters include, for example: registry settings; -account, file, directory permission settings; and settings for functions, ports, + desc "Configuration settings are the set of parameters that can be changed in hardware, software, +or firmware components of the system that affect the security posture and/or functionality +of the system. Security-related parameters are those parameters impacting the security +state of the system, including the parameters required to satisfy other security control +requirements. Security-related parameters include, for example: registry settings; +account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections. " - desc "check", "Verify users are provided with feedback on when account accesses last occurred. - -Check that -\"pam_lastlog\" is used and not silent with the following command: - -$ grep pam_lastlog -/etc/pam.d/login - -session required pam_lastlog.so showfailed - -If \"pam_lastlog\" is -missing from \"/etc/pam.d/login\" file, is not \"required\", or the \"silent\" option is present, + desc 'check', "Verify users are provided with feedback on when account accesses last occurred. + +Check that +\"pam_lastlog\" is used and not silent with the following command: + +$ grep pam_lastlog +/etc/pam.d/login + +session required pam_lastlog.so showfailed + +If \"pam_lastlog\" is +missing from \"/etc/pam.d/login\" file, is not \"required\", or the \"silent\" option is present, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to provide users with feedback on when account -accesses last occurred by setting the required configuration options in -\"/etc/pam.d/login\". - -Add the following line to the top of \"/etc/pam.d/login\": - -session + desc 'fix', "Configure the Ubuntu operating system to provide users with feedback on when account +accesses last occurred by setting the required configuration options in +\"/etc/pam.d/login\". + +Add the following line to the top of \"/etc/pam.d/login\": + +session required pam_lastlog.so showfailed " impact 0.3 - tag severity: "low " - tag gtitle: "SRG-OS-000480-GPOS-00227 " - tag gid: "V-238373 " - tag rid: "SV-238373r858539_rule " - tag stig_id: "UBTU-20-010453 " - tag fix_id: "F-41542r654293_fix " - tag cci: ["CCI-000052"] - tag nist: ["AC-9"] + tag severity: 'low ' + tag gtitle: 'SRG-OS-000480-GPOS-00227 ' + tag gid: 'V-238373 ' + tag rid: 'SV-238373r858539_rule ' + tag stig_id: 'UBTU-20-010453 ' + tag fix_id: 'F-41542r654293_fix ' + tag cci: ['CCI-000052'] + tag nist: ['AC-9'] describe command('grep pam_lastlog /etc/pam.d/login') do its('exit_status') { should eq 0 } its('stdout.strip') { should match /^\s*session\s+required\s+pam_lastlog.so/ } its('stdout.strip') { should_not match /^\s*session\s+required\s+pam_lastlog.so[\s\w\d\=]+.*silent/ } end -end \ No newline at end of file +end diff --git a/controls/SV-238374.rb b/controls/SV-238374.rb index ea193aa..086ecf6 100644 --- a/controls/SV-238374.rb +++ b/controls/SV-238374.rb @@ -1,46 +1,44 @@ -# encoding: UTF-8 - -control "SV-238374" do - title "The Ubuntu operating system must have an application firewall enabled. " - desc "Firewalls protect computers from network attacks by blocking or limiting access to open -network ports. Application firewalls limit which applications are allowed to communicate +control 'SV-238374' do + title 'The Ubuntu operating system must have an application firewall enabled. ' + desc "Firewalls protect computers from network attacks by blocking or limiting access to open +network ports. Application firewalls limit which applications are allowed to communicate over the network. " - desc "check", "Verify the Uncomplicated Firewall is enabled on the system by running the following command: - - -$ systemctl status ufw.service | grep -i \"active:\" - -Active: active (exited) since Mon -2016-10-17 12:30:29 CDT; 1s ago - -If the above command returns the status as \"inactive\", this -is a finding. - -If the Uncomplicated Firewall is not installed, ask the System Administrator -if another application firewall is installed. If no application firewall is installed, this + desc 'check', "Verify the Uncomplicated Firewall is enabled on the system by running the following command: + + +$ systemctl status ufw.service | grep -i \"active:\" + +Active: active (exited) since Mon +2016-10-17 12:30:29 CDT; 1s ago + +If the above command returns the status as \"inactive\", this +is a finding. + +If the Uncomplicated Firewall is not installed, ask the System Administrator +if another application firewall is installed. If no application firewall is installed, this is a finding. " - desc "fix", "Enable the Uncomplicated Firewall by using the following command: - -$ sudo systemctl enable -ufw.service - -If the Uncomplicated Firewall is not currently running on the system, start it -with the following command: - + desc 'fix', "Enable the Uncomplicated Firewall by using the following command: + +$ sudo systemctl enable +ufw.service + +If the Uncomplicated Firewall is not currently running on the system, start it +with the following command: + $ sudo systemctl start ufw.service " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000480-GPOS-00232 " - tag gid: "V-238374 " - tag rid: "SV-238374r654297_rule " - tag stig_id: "UBTU-20-010454 " - tag fix_id: "F-41543r654296_fix " - tag cci: ["CCI-000366"] - tag nist: ["CM-6 b"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000480-GPOS-00232 ' + tag gid: 'V-238374 ' + tag rid: 'SV-238374r654297_rule ' + tag stig_id: 'UBTU-20-010454 ' + tag fix_id: 'F-41543r654296_fix ' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] describe service('ufw') do it { should be_installed } it { should be_enabled } it { should be_running } end -end \ No newline at end of file +end diff --git a/controls/SV-238376.rb b/controls/SV-238376.rb index f2d5ac1..5736f99 100644 --- a/controls/SV-238376.rb +++ b/controls/SV-238376.rb @@ -1,52 +1,50 @@ -# encoding: UTF-8 +control 'SV-238376' do + title 'The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. ' + desc "If the Ubuntu operating system were to allow any user to make changes to software libraries, +then those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. -control "SV-238376" do - title "The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. " - desc "If the Ubuntu operating system were to allow any user to make changes to software libraries, -then those changes might be implemented without undergoing the appropriate testing and -approvals that are part of a robust change management process. - -This requirement applies to -Ubuntu operating systems with software libraries that are accessible and configurable, as -in the case of interpreted languages. Software libraries also include privileged programs -which execute with escalated privileges. Only qualified and authorized individuals must be -allowed to obtain access to information system components for purposes of initiating +This requirement applies to +Ubuntu operating systems with software libraries that are accessible and configurable, as +in the case of interpreted languages. Software libraries also include privileged programs +which execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. " - desc "check", "Verify the system commands contained in the following directories have mode 0755 or less -permissive: - -/bin -/sbin -/usr/bin -/usr/sbin -/usr/local/bin -/usr/local/sbin - + desc 'check', "Verify the system commands contained in the following directories have mode 0755 or less +permissive: -Check that the system command files have mode 0755 or less permissive with the following -command: - -$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm -/022 -type f -exec stat -c \"%n %a\" '{}' \\; - -If any files are found to be group-writable or +/bin +/sbin +/usr/bin +/usr/sbin +/usr/local/bin +/usr/local/sbin + + +Check that the system command files have mode 0755 or less permissive with the following +command: + +$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm +/022 -type f -exec stat -c \"%n %a\" '{}' \\; + +If any files are found to be group-writable or world-writable, this is a finding. " - desc "fix", "Configure the system commands to be protected from unauthorized access. Run the following -command: - -$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm + desc 'fix', "Configure the system commands to be protected from unauthorized access. Run the following +command: + +$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec chmod 755 '{}' \\; " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000259-GPOS-00100 " - tag gid: "V-238376 " - tag rid: "SV-238376r654303_rule " - tag stig_id: "UBTU-20-010456 " - tag fix_id: "F-41545r654302_fix " - tag cci: ["CCI-001499"] - tag nist: ["CM-5 (6)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000259-GPOS-00100 ' + tag gid: 'V-238376 ' + tag rid: 'SV-238376r654303_rule ' + tag stig_id: 'UBTU-20-010456 ' + tag fix_id: 'F-41545r654302_fix ' + tag cci: ['CCI-001499'] + tag nist: ['CM-5 (6)'] - system_commands = command("find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f").stdout.strip.split("\n").entries + system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f').stdout.strip.split("\n").entries valid_system_commands = Set[] if system_commands.count > 0 @@ -60,13 +58,13 @@ if valid_system_commands.count > 0 valid_system_commands.each do |val_sys_cmd| describe file(val_sys_cmd) do - it { should_not be_more_permissive_than("0755") } + it { should_not be_more_permissive_than('0755') } end end else - describe "Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755" do + describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755' do subject { valid_system_commands } - its("count") { should eq 0 } + its('count') { should eq 0 } end end -end \ No newline at end of file +end diff --git a/controls/SV-238377.rb b/controls/SV-238377.rb index 6cdb5a2..486d94e 100644 --- a/controls/SV-238377.rb +++ b/controls/SV-238377.rb @@ -1,52 +1,50 @@ -# encoding: UTF-8 +control 'SV-238377' do + title 'The Ubuntu operating system must have system commands owned by root or a system account. ' + desc "If the Ubuntu operating system were to allow any user to make changes to software libraries, +then those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. -control "SV-238377" do - title "The Ubuntu operating system must have system commands owned by root or a system account. " - desc "If the Ubuntu operating system were to allow any user to make changes to software libraries, -then those changes might be implemented without undergoing the appropriate testing and -approvals that are part of a robust change management process. - -This requirement applies to -Ubuntu operating systems with software libraries that are accessible and configurable, as -in the case of interpreted languages. Software libraries also include privileged programs -which execute with escalated privileges. Only qualified and authorized individuals must be -allowed to obtain access to information system components for purposes of initiating +This requirement applies to +Ubuntu operating systems with software libraries that are accessible and configurable, as +in the case of interpreted languages. Software libraries also include privileged programs +which execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. " - desc "check", "Verify the system commands contained in the following directories are owned by root, or a -required system account: - -/bin -/sbin -/usr/bin -/usr/sbin -/usr/local/bin + desc 'check', "Verify the system commands contained in the following directories are owned by root, or a +required system account: -/usr/local/sbin - -Use the following command for the check: - -$ sudo find /bin /sbin -/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \"%n %U\" -'{}' \\; - -If any system commands are returned and are not owned by a required system account, +/bin +/sbin +/usr/bin +/usr/sbin +/usr/local/bin + +/usr/local/sbin + +Use the following command for the check: + +$ sudo find /bin /sbin +/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \"%n %U\" +'{}' \\; + +If any system commands are returned and are not owned by a required system account, this is a finding. " - desc "fix", "Configure the system commands and their respective parent directories to be protected from -unauthorized access. Run the following command, replacing \"[FILE]\" with any system command -file not owned by \"root\" or a required system account: - + desc 'fix', "Configure the system commands and their respective parent directories to be protected from +unauthorized access. Run the following command, replacing \"[FILE]\" with any system command +file not owned by \"root\" or a required system account: + $ sudo chown root [FILE] " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000259-GPOS-00100 " - tag gid: "V-238377 " - tag rid: "SV-238377r832968_rule " - tag stig_id: "UBTU-20-010457 " - tag fix_id: "F-41546r832967_fix " - tag cci: ["CCI-001499"] - tag nist: ["CM-5 (6)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000259-GPOS-00100 ' + tag gid: 'V-238377 ' + tag rid: 'SV-238377r832968_rule ' + tag stig_id: 'UBTU-20-010457 ' + tag fix_id: 'F-41546r832967_fix ' + tag cci: ['CCI-001499'] + tag nist: ['CM-5 (6)'] - system_commands = command("find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f").stdout.strip.split("\n").entries + system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f').stdout.strip.split("\n").entries valid_system_commands = Set[] if system_commands.count > 0 @@ -60,13 +58,13 @@ if valid_system_commands.count > 0 valid_system_commands.each do |val_sys_cmd| describe file(val_sys_cmd) do - its("owner") { should cmp "root" } + its('owner') { should cmp 'root' } end end else - describe "Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root" do + describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root' do subject { valid_system_commands } - its("count") { should eq 0 } + its('count') { should eq 0 } end end -end \ No newline at end of file +end diff --git a/controls/SV-238378.rb b/controls/SV-238378.rb index 9b5e4be..53f4177 100644 --- a/controls/SV-238378.rb +++ b/controls/SV-238378.rb @@ -1,53 +1,51 @@ -# encoding: UTF-8 - -control "SV-238378" do - title "The Ubuntu operating system must have system commands group-owned by root or a system +control 'SV-238378' do + title "The Ubuntu operating system must have system commands group-owned by root or a system account. " - desc "If the Ubuntu operating system were to allow any user to make changes to software libraries, -then those changes might be implemented without undergoing the appropriate testing and -approvals that are part of a robust change management process. - -This requirement applies to -Ubuntu operating systems with software libraries that are accessible and configurable, as -in the case of interpreted languages. Software libraries also include privileged programs -which execute with escalated privileges. Only qualified and authorized individuals must be -allowed to obtain access to information system components for purposes of initiating + desc "If the Ubuntu operating system were to allow any user to make changes to software libraries, +then those changes might be implemented without undergoing the appropriate testing and +approvals that are part of a robust change management process. + +This requirement applies to +Ubuntu operating systems with software libraries that are accessible and configurable, as +in the case of interpreted languages. Software libraries also include privileged programs +which execute with escalated privileges. Only qualified and authorized individuals must be +allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. " - desc "check", "Verify the system commands contained in the following directories are group-owned by root or -a required system account: - -/bin -/sbin -/usr/bin -/usr/sbin -/usr/local/bin + desc 'check', "Verify the system commands contained in the following directories are group-owned by root or +a required system account: + +/bin +/sbin +/usr/bin +/usr/sbin +/usr/local/bin + +/usr/local/sbin -/usr/local/sbin - -Run the check with the following command: - -$ sudo find -L /bin /sbin -/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec -stat -c \"%n %G\" '{}' \\; - -If any system commands are returned that are not Set Group ID upon +Run the check with the following command: + +$ sudo find -L /bin /sbin +/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec +stat -c \"%n %G\" '{}' \\; + +If any system commands are returned that are not Set Group ID upon execution (SGID) files and group-owned by a required system account, this is a finding. " - desc "fix", "Configure the system commands to be protected from unauthorized access. Run the following -command, replacing \"[FILE]\" with any system command file not group-owned by \"root\" or a -required system account: - + desc 'fix', "Configure the system commands to be protected from unauthorized access. Run the following +command, replacing \"[FILE]\" with any system command file not group-owned by \"root\" or a +required system account: + $ sudo chgrp root [FILE] " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000259-GPOS-00100 " - tag gid: "V-238378 " - tag rid: "SV-238378r832971_rule " - tag stig_id: "UBTU-20-010458 " - tag fix_id: "F-41547r832970_fix " - tag cci: ["CCI-001499"] - tag nist: ["CM-5 (6)"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000259-GPOS-00100 ' + tag gid: 'V-238378 ' + tag rid: 'SV-238378r832971_rule ' + tag stig_id: 'UBTU-20-010458 ' + tag fix_id: 'F-41547r832970_fix ' + tag cci: ['CCI-001499'] + tag nist: ['CM-5 (6)'] - system_commands = command("find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -perm /2000 -type f").stdout.strip.split("\n").entries + system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -perm /2000 -type f').stdout.strip.split("\n").entries valid_system_commands = Set[] if system_commands.count > 0 @@ -61,13 +59,13 @@ if valid_system_commands.count > 0 valid_system_commands.each do |val_sys_cmd| describe file(val_sys_cmd) do - it { should_not be_more_permissive_than("0755") } + it { should_not be_more_permissive_than('0755') } end end else - describe "Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are not Set Group ID up on execution (SGID) files and owned by a privileged account" do + describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are not Set Group ID up on execution (SGID) files and owned by a privileged account' do subject { valid_system_commands } - its("count") { should eq 0 } + its('count') { should eq 0 } end end -end \ No newline at end of file +end diff --git a/controls/SV-238379.rb b/controls/SV-238379.rb index 6619294..c0c31f3 100644 --- a/controls/SV-238379.rb +++ b/controls/SV-238379.rb @@ -1,50 +1,48 @@ -# encoding: UTF-8 - -control "SV-238379" do - title "The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical +control 'SV-238379' do + title "The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed. " - desc "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the -system. If accidentally pressed, as could happen in the case of a mixed OS environment, this -can create the risk of short-term loss of availability of systems due to unintentional -reboot. In the graphical environment, risk of unintentional reboot from the -Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is + desc "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the +system. If accidentally pressed, as could happen in the case of a mixed OS environment, this +can create the risk of short-term loss of availability of systems due to unintentional +reboot. In the graphical environment, risk of unintentional reboot from the +Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. " - desc "check", "Verify the Ubuntu operating system is not configured to reboot the system when + desc 'check', "Verify the Ubuntu operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed when using a graphical user interface. -Check that the \"logout\" +Check that the \"logout\" target is not bound to an action with the following command: -# grep logout +# grep logout /etc/dconf/db/local.d/* logout='' -If the \"logout\" key is bound to an action, is +If the \"logout\" key is bound to an action, is commented out, or is missing, this is a finding. " - desc "fix", "Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user + desc 'fix', "Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user interface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file. -Add -the setting to disable the Ctrl-Alt-Delete sequence for the graphical user +Add +the setting to disable the Ctrl-Alt-Delete sequence for the graphical user interface: [org/gnome/settings-daemon/plugins/media-keys] logout='' -Update the +Update the dconf settings: # dconf update " impact 0.7 - tag severity: "high " - tag gtitle: "SRG-OS-000480-GPOS-00227 " - tag gid: "V-238379 " - tag rid: "SV-238379r654312_rule " - tag stig_id: "UBTU-20-010459 " - tag fix_id: "F-41548r654311_fix " - tag cci: ["CCI-000366"] - tag nist: ["CM-6 b"] + tag severity: 'high ' + tag gtitle: 'SRG-OS-000480-GPOS-00227 ' + tag gid: 'V-238379 ' + tag rid: 'SV-238379r654312_rule ' + tag stig_id: 'UBTU-20-010459 ' + tag fix_id: 'F-41548r654311_fix ' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] xorg_status = command('which Xorg').exit_status if xorg_status == 0 @@ -56,4 +54,4 @@ skip("GUI not installed.\nwhich Xorg exit_status: " + command('which Xorg').exit_status.to_s) end end -end \ No newline at end of file +end diff --git a/controls/SV-238380.rb b/controls/SV-238380.rb index 7bc6b5b..3770b91 100644 --- a/controls/SV-238380.rb +++ b/controls/SV-238380.rb @@ -1,50 +1,48 @@ -# encoding: UTF-8 - -control "SV-238380" do - title "The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. " - desc "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the -system. If accidentally pressed, as could happen in the case of a mixed OS environment, this -can create the risk of short-term loss of availability of systems due to unintentional +control 'SV-238380' do + title 'The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. ' + desc "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the +system. If accidentally pressed, as could happen in the case of a mixed OS environment, this +can create the risk of short-term loss of availability of systems due to unintentional reboot. " - desc "check", "Verify the Ubuntu operating system is not configured to reboot the system when + desc 'check', "Verify the Ubuntu operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed. -Check that the \"ctrl-alt-del.target\" (otherwise also known +Check that the \"ctrl-alt-del.target\" (otherwise also known as reboot.target) is not active with the following command: -$ sudo systemctl status +$ sudo systemctl status ctrl-alt-del.target ctrl-alt-del.target -Loaded: masked (Reason: Unit +Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.) Active: inactive (dead) -If the \"ctrl-alt-del.target\" +If the \"ctrl-alt-del.target\" is not masked, this is a finding. " - desc "fix", "Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the + desc 'fix', "Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands: $ sudo systemctl disable ctrl-alt-del.target -$ sudo systemctl +$ sudo systemctl mask ctrl-alt-del.target -Reload the daemon to take effect: +Reload the daemon to take effect: -$ sudo systemctl +$ sudo systemctl daemon-reload " impact 0.7 - tag severity: "high " - tag gtitle: "SRG-OS-000480-GPOS-00227 " - tag gid: "V-238380 " - tag rid: "SV-238380r832974_rule " - tag stig_id: "UBTU-20-010460 " - tag fix_id: "F-41549r832973_fix " - tag cci: ["CCI-000366"] - tag nist: ["CM-6 b"] + tag severity: 'high ' + tag gtitle: 'SRG-OS-000480-GPOS-00227 ' + tag gid: 'V-238380 ' + tag rid: 'SV-238380r832974_rule ' + tag stig_id: 'UBTU-20-010460 ' + tag fix_id: 'F-41549r832973_fix ' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] describe service('ctrl-alt-del.target') do it { should_not be_running } it { should_not be_enabled } end -end \ No newline at end of file +end diff --git a/controls/SV-251503.rb b/controls/SV-251503.rb index 94761c0..565c101 100644 --- a/controls/SV-251503.rb +++ b/controls/SV-251503.rb @@ -1,35 +1,33 @@ -# encoding: UTF-8 - -control "SV-251503" do - title "The Ubuntu operating system must not have accounts configured with blank or null passwords. " - desc "If an account has an empty password, anyone could log on and run commands with the privileges of -that account. Accounts with empty passwords should never be used in operational +control 'SV-251503' do + title 'The Ubuntu operating system must not have accounts configured with blank or null passwords. ' + desc "If an account has an empty password, anyone could log on and run commands with the privileges of +that account. Accounts with empty passwords should never be used in operational environments. " - desc "check", "Check the \"/etc/shadow\" file for blank passwords with the following command: + desc 'check', "Check the \"/etc/shadow\" file for blank passwords with the following command: -$ sudo awk -F: +$ sudo awk -F: '!$2 {print $1}' /etc/shadow If the command returns any results, this is a finding. " - desc "fix", "Configure all accounts on the system to have a password or lock the account with the following + desc 'fix', "Configure all accounts on the system to have a password or lock the account with the following commands: Perform a password reset: $ sudo passwd [username] Lock an account: -$ sudo +$ sudo passwd -l [username] " impact 0.7 - tag severity: "high " - tag gtitle: "SRG-OS-000480-GPOS-00227 " - tag gid: "V-251503 " - tag rid: "SV-251503r808506_rule " - tag stig_id: "UBTU-20-010462 " - tag fix_id: "F-54892r808505_fix " - tag cci: ["CCI-000366"] - tag nist: ["CM-6 b"] + tag severity: 'high ' + tag gtitle: 'SRG-OS-000480-GPOS-00227 ' + tag gid: 'V-251503 ' + tag rid: 'SV-251503r808506_rule ' + tag stig_id: 'UBTU-20-010462 ' + tag fix_id: 'F-54892r808505_fix ' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] describe command("sudo awk -F: '!$2 {print $1}' /etc/shadow") do its('stdout') { should be_empty } end -end \ No newline at end of file +end diff --git a/controls/SV-251504.rb b/controls/SV-251504.rb index a4ae9a9..eb7e5d9 100644 --- a/controls/SV-251504.rb +++ b/controls/SV-251504.rb @@ -1,36 +1,34 @@ -# encoding: UTF-8 - -control "SV-251504" do - title "The Ubuntu operating system must not allow accounts configured with blank or null passwords. " - desc "If an account has an empty password, anyone could log on and run commands with the privileges of -that account. Accounts with empty passwords should never be used in operational +control 'SV-251504' do + title 'The Ubuntu operating system must not allow accounts configured with blank or null passwords. ' + desc "If an account has an empty password, anyone could log on and run commands with the privileges of +that account. Accounts with empty passwords should never be used in operational environments. " - desc "check", "To verify that null passwords cannot be used, run the following command: + desc 'check', "To verify that null passwords cannot be used, run the following command: -$ grep nullok +$ grep nullok /etc/pam.d/common-password -If this produces any output, it may be possible to log on with +If this produces any output, it may be possible to log on with accounts with empty passwords. If null passwords can be used, this is a finding. " - desc "fix", "If an account is configured for password authentication but does not have an assigned + desc 'fix', "If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating. -Remove any -instances of the \"nullok\" option in \"/etc/pam.d/common-password\" to prevent logons with +Remove any +instances of the \"nullok\" option in \"/etc/pam.d/common-password\" to prevent logons with empty passwords. " impact 0.7 - tag severity: "high " - tag gtitle: "SRG-OS-000480-GPOS-00227 " - tag gid: "V-251504 " - tag rid: "SV-251504r832977_rule " - tag stig_id: "UBTU-20-010463 " - tag fix_id: "F-54893r832976_fix " - tag cci: ["CCI-000366"] - tag nist: ["CM-6 b"] + tag severity: 'high ' + tag gtitle: 'SRG-OS-000480-GPOS-00227 ' + tag gid: 'V-251504 ' + tag rid: 'SV-251504r832977_rule ' + tag stig_id: 'UBTU-20-010463 ' + tag fix_id: 'F-54893r832976_fix ' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] - describe command("grep nullok /etc/pam.d/common-password") do + describe command('grep nullok /etc/pam.d/common-password') do its('stdout') { should be_empty } end -end \ No newline at end of file +end diff --git a/controls/SV-251505.rb b/controls/SV-251505.rb index 6da7473..a6f24f0 100644 --- a/controls/SV-251505.rb +++ b/controls/SV-251505.rb @@ -1,56 +1,54 @@ -# encoding: UTF-8 - -control "SV-251505" do - title "The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB) +control 'SV-251505' do + title "The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB) mass storage driver. " - desc "Without authenticating devices, unidentified or unknown devices may be introduced, + desc "Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. -Peripherals include, but are not limited to, +Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. " - desc "check", "Verify that Ubuntu operating system disables ability to load the USB storage kernel + desc 'check', "Verify that Ubuntu operating system disables ability to load the USB storage kernel module. -# grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\" +# grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\" -install usb-storage +install usb-storage /bin/true -If the command does not return any output, or the line is commented out, this is a +If the command does not return any output, or the line is commented out, this is a finding. -Verify the operating system disables the ability to use USB mass storage +Verify the operating system disables the ability to use USB mass storage device. # grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\" -blacklist +blacklist usb-storage -If the command does not return any output, or the line is commented out, this is a +If the command does not return any output, or the line is commented out, this is a finding. " - desc "fix", "Configure the Ubuntu operating system to disable using the USB storage kernel module. + desc 'fix', "Configure the Ubuntu operating system to disable using the USB storage kernel module. Create a file under \"/etc/modprobe.d\" to contain the following: -# sudo su -c \"echo +# sudo su -c \"echo install usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\" -Configure the +Configure the operating system to disable the ability to use USB mass storage devices. -# sudo su -c \"echo +# sudo su -c \"echo blacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\" " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000378-GPOS-00163 " - tag gid: "V-251505 " - tag rid: "SV-251505r853450_rule " - tag stig_id: "UBTU-20-010461 " - tag fix_id: "F-54894r808511_fix " - tag cci: ["CCI-001958"] - tag nist: ["IA-3"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000378-GPOS-00163 ' + tag gid: 'V-251505 ' + tag rid: 'SV-251505r853450_rule ' + tag stig_id: 'UBTU-20-010461 ' + tag fix_id: 'F-54894r808511_fix ' + tag cci: ['CCI-001958'] + tag nist: ['IA-3'] describe command('grep usb-storage /etc/modprobe.d/* | grep "/bin/true"') do its('stdout') { should_not be_empty } @@ -59,4 +57,4 @@ describe command('grep usb-storage /etc/modprobe.d/* | grep -i "blacklist"') do its('stdout') { should_not be_empty } end -end \ No newline at end of file +end diff --git a/controls/SV-252704.rb b/controls/SV-252704.rb index 735164b..79d7e36 100644 --- a/controls/SV-252704.rb +++ b/controls/SV-252704.rb @@ -1,81 +1,79 @@ -# encoding: UTF-8 - -control "SV-252704" do - title "The Ubuntu operating system must disable all wireless network adapters. " - desc "Without protection of communications with wireless peripherals, confidentiality and -integrity may be compromised because unprotected communications can be intercepted and -either read, altered, or used to compromise the operating system. - -This requirement -applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, -etc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR -Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique -challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet -DoD requirements for wireless data transmission and be approved for use by the AO. Even though -some wireless peripherals, such as mice and pointing devices, do not ordinarily carry -information that need to be protected, modification of communications with these wireless -peripherals may be used to compromise the operating system. Communication paths outside the -physical protection of a controlled boundary are exposed to the possibility of interception -and modification. - -Protecting the confidentiality and integrity of communications with -wireless peripherals can be accomplished by physical means (e.g., employing physical -barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic -techniques). If physical means of protection are employed, then logical means -(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only +control 'SV-252704' do + title 'The Ubuntu operating system must disable all wireless network adapters. ' + desc "Without protection of communications with wireless peripherals, confidentiality and +integrity may be compromised because unprotected communications can be intercepted and +either read, altered, or used to compromise the operating system. + +This requirement +applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, +etc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR +Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique +challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet +DoD requirements for wireless data transmission and be approved for use by the AO. Even though +some wireless peripherals, such as mice and pointing devices, do not ordinarily carry +information that need to be protected, modification of communications with these wireless +peripherals may be used to compromise the operating system. Communication paths outside the +physical protection of a controlled boundary are exposed to the possibility of interception +and modification. + +Protecting the confidentiality and integrity of communications with +wireless peripherals can be accomplished by physical means (e.g., employing physical +barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic +techniques). If physical means of protection are employed, then logical means +(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required. " - desc "check", "Note: This requirement is Not Applicable for systems that do not have physical wireless -network radios. - -Verify that there are no wireless interfaces configured on the system with -the following command: - -$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs -basename - -If a wireless interface is configured and has not been documented and approved by + desc 'check', "Note: This requirement is Not Applicable for systems that do not have physical wireless +network radios. + +Verify that there are no wireless interfaces configured on the system with +the following command: + +$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs +basename + +If a wireless interface is configured and has not been documented and approved by the ISSO, this is a finding. " - desc "fix", "List all the wireless interfaces with the following command: - -$ ls -L -d -/sys/class/net/*/wireless | xargs dirname | xargs basename - -For each interface, -configure the system to disable wireless network interfaces with the following command: - -$ -sudo ifdown <interface name> - -For each interface listed, find their respective -module with the following command: - -$ basename $(readlink -f -/sys/class/net/<interface name>/device/driver) - -where <interface name> -must be substituted by the actual interface name. - -Create a file in the \"/etc/modprobe.d\" -directory and for each module, add the following line: - -install <module name> -/bin/true - -For each module from the system, execute the following command to remove it: - -$ + desc 'fix', "List all the wireless interfaces with the following command: + +$ ls -L -d +/sys/class/net/*/wireless | xargs dirname | xargs basename + +For each interface, +configure the system to disable wireless network interfaces with the following command: + +$ +sudo ifdown <interface name> + +For each interface listed, find their respective +module with the following command: + +$ basename $(readlink -f +/sys/class/net/<interface name>/device/driver) + +where <interface name> +must be substituted by the actual interface name. + +Create a file in the \"/etc/modprobe.d\" +directory and for each module, add the following line: + +install <module name> +/bin/true + +For each module from the system, execute the following command to remove it: + +$ sudo modprobe -r <module name> " impact 0.5 - tag severity: "medium " - tag gtitle: "SRG-OS-000481-GPOS-00481 " - tag gid: "V-252704 " - tag rid: "SV-252704r854182_rule " - tag stig_id: "UBTU-20-010455 " - tag fix_id: "F-56110r819056_fix " - tag cci: ["CCI-002418"] - tag nist: ["SC-8"] + tag severity: 'medium ' + tag gtitle: 'SRG-OS-000481-GPOS-00481 ' + tag gid: 'V-252704 ' + tag rid: 'SV-252704r854182_rule ' + tag stig_id: 'UBTU-20-010455 ' + tag fix_id: 'F-56110r819056_fix ' + tag cci: ['CCI-002418'] + tag nist: ['SC-8'] describe command('ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename') do - its('stdout') { should be_in input('approved_wireless_interfaces')} + its('stdout') { should be_in input('approved_wireless_interfaces') } end -end \ No newline at end of file +end From 927e7c0ef6f44bd60ec7aae8df0abdf24395bded Mon Sep 17 00:00:00 2001 From: HackerShark Date: Mon, 5 Dec 2022 11:48:54 -0500 Subject: [PATCH 015/100] added containerized logic Signed-off-by: HackerShark --- controls/SV-238201.rb | 25 +++++++++------ controls/SV-238210.rb | 19 +++++++---- controls/SV-238211.rb | 11 +++++-- controls/SV-238228.rb | 27 ++++++++++------ controls/SV-238229.rb | 23 ++++++++----- controls/SV-238230.rb | 11 +++++-- controls/SV-238232.rb | 21 ++++++++---- controls/SV-238233.rb | 31 +++++++++++------- controls/SV-238234.rb | 21 ++++++++---- controls/SV-238235.rb | 21 ++++++++---- controls/SV-238237.rb | 27 ++++++++++------ controls/SV-238238.rb | 41 +++++++++++++---------- controls/SV-238239.rb | 39 +++++++++++++--------- controls/SV-238240.rb | 39 +++++++++++++--------- controls/SV-238241.rb | 39 +++++++++++++--------- controls/SV-238242.rb | 39 +++++++++++++--------- controls/SV-238243.rb | 17 +++++++--- controls/SV-238244.rb | 13 ++++++-- controls/SV-238245.rb | 25 +++++++++------ controls/SV-238246.rb | 25 +++++++++------ controls/SV-238247.rb | 25 +++++++++------ controls/SV-238248.rb | 25 +++++++++------ controls/SV-238249.rb | 19 +++++++---- controls/SV-238250.rb | 19 +++++++---- controls/SV-238251.rb | 19 +++++++---- controls/SV-238252.rb | 43 ++++++++++++++----------- controls/SV-238253.rb | 43 ++++++++++++++----------- controls/SV-238254.rb | 43 ++++++++++++++----------- controls/SV-238255.rb | 43 ++++++++++++++----------- controls/SV-238256.rb | 43 ++++++++++++++----------- controls/SV-238257.rb | 43 ++++++++++++++----------- controls/SV-238258.rb | 19 +++++++---- controls/SV-238264.rb | 21 +++++++----- controls/SV-238268.rb | 21 +++++++----- controls/SV-238271.rb | 35 +++++++++++--------- controls/SV-238277.rb | 39 +++++++++++++--------- controls/SV-238278.rb | 39 +++++++++++++--------- controls/SV-238279.rb | 39 +++++++++++++--------- controls/SV-238280.rb | 39 +++++++++++++--------- controls/SV-238281.rb | 39 +++++++++++++--------- controls/SV-238282.rb | 39 +++++++++++++--------- controls/SV-238283.rb | 39 +++++++++++++--------- controls/SV-238284.rb | 39 +++++++++++++--------- controls/SV-238285.rb | 41 +++++++++++++---------- controls/SV-238286.rb | 41 +++++++++++++---------- controls/SV-238287.rb | 41 +++++++++++++---------- controls/SV-238288.rb | 39 +++++++++++++--------- controls/SV-238289.rb | 39 +++++++++++++--------- controls/SV-238290.rb | 39 +++++++++++++--------- controls/SV-238291.rb | 39 +++++++++++++--------- controls/SV-238292.rb | 39 +++++++++++++--------- controls/SV-238293.rb | 39 +++++++++++++--------- controls/SV-238294.rb | 39 +++++++++++++--------- controls/SV-238295.rb | 19 +++++++---- controls/SV-238297.rb | 19 +++++++---- controls/SV-238298.rb | 21 ++++++++---- controls/SV-238300.rb | 15 ++++++--- controls/SV-238301.rb | 15 ++++++--- controls/SV-238302.rb | 15 ++++++--- controls/SV-238303.rb | 75 +++++++++++++++++++++++-------------------- controls/SV-238304.rb | 19 +++++++---- controls/SV-238305.rb | 43 ++++++++++++++----------- controls/SV-238306.rb | 37 ++++++++++++--------- controls/SV-238307.rb | 55 +++++++++++++++++-------------- controls/SV-238309.rb | 41 +++++++++++++---------- controls/SV-238310.rb | 19 +++++++---- controls/SV-238315.rb | 41 +++++++++++++---------- controls/SV-238316.rb | 41 +++++++++++++---------- controls/SV-238317.rb | 41 +++++++++++++---------- controls/SV-238318.rb | 39 +++++++++++++--------- controls/SV-238319.rb | 39 +++++++++++++--------- controls/SV-238320.rb | 39 +++++++++++++--------- controls/SV-238362.rb | 25 +++++++++------ controls/SV-238373.rb | 15 ++++++--- controls/SV-251504.rb | 11 +++++-- controls/SV-251505.rb | 17 +++++++--- 76 files changed, 1455 insertions(+), 929 deletions(-) diff --git a/controls/SV-238201.rb b/controls/SV-238201.rb index cd90abd..17faae7 100644 --- a/controls/SV-238201.rb +++ b/controls/SV-238201.rb @@ -30,17 +30,24 @@ tag cci: ['CCI-000187'] tag nist: ['IA-5 (2) (a) (2)'] - config_file = '/etc/pam_pkcs11/pam_pkcs11.conf' - config_file_exists = file(config_file).exist? - - if config_file_exists - describe parse_config_file(config_file) do - its('use_mappers') { should cmp 'pwent' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end else - describe(config_file + ' exists') do - subject { config_file_exists } - it { should be true } + config_file = '/etc/pam_pkcs11/pam_pkcs11.conf' + config_file_exists = file(config_file).exist? + + if config_file_exists + describe parse_config_file(config_file) do + its('use_mappers') { should cmp 'pwent' } + end + else + describe(config_file + ' exists') do + subject { config_file_exists } + it { should be true } + end end end end diff --git a/controls/SV-238210.rb b/controls/SV-238210.rb index 9b407aa..c15df89 100644 --- a/controls/SV-238210.rb +++ b/controls/SV-238210.rb @@ -69,11 +69,18 @@ tag cci: %w(CCI-000765 CCI-000766 CCI-000767 CCI-000768) tag nist: ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)'] - describe package('libpam-pkcs11') do - it { should be_installed } - end - - describe sshd_config do - its('PubkeyAuthentication') { should cmp 'yes' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + describe package('libpam-pkcs11') do + it { should be_installed } + end + + describe sshd_config do + its('PubkeyAuthentication') { should cmp 'yes' } + end end end diff --git a/controls/SV-238211.rb b/controls/SV-238211.rb index 9217a80..9b541fc 100644 --- a/controls/SV-238211.rb +++ b/controls/SV-238211.rb @@ -41,7 +41,14 @@ tag cci: ['CCI-000877'] tag nist: ['MA-4 c'] - describe sshd_config do - its('UsePAM') { should cmp 'yes' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + describe sshd_config do + its('UsePAM') { should cmp 'yes' } + end end end diff --git a/controls/SV-238228.rb b/controls/SV-238228.rb index 39bd11c..eb5378c 100644 --- a/controls/SV-238228.rb +++ b/controls/SV-238228.rb @@ -75,15 +75,22 @@ tag cci: ['CCI-000366'] tag nist: ['CM-6 b'] - describe package('libpam-pwquality') do - it { should be_installed } - end - - describe parse_config_file('/etc/security/pwquality.conf') do - its('enforcing') { should cmp 1 } - end - - describe file('/etc/pam.d/common-password') do - its('content') { should match '^password\s+requisite\s+pam_pwquality.so\s+retry=3\s+enforce_for_root$' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + describe package('libpam-pwquality') do + it { should be_installed } + end + + describe parse_config_file('/etc/security/pwquality.conf') do + its('enforcing') { should cmp 1 } + end + + describe file('/etc/pam.d/common-password') do + its('content') { should match '^password\s+requisite\s+pam_pwquality.so\s+retry=3\s+enforce_for_root$' } + end end end diff --git a/controls/SV-238229.rb b/controls/SV-238229.rb index 62f4eb9..2f783d2 100644 --- a/controls/SV-238229.rb +++ b/controls/SV-238229.rb @@ -65,16 +65,23 @@ module is being used via the \"use_pkcs11_module\" in \"/etc/pam_pkcs11/pam_pkcs tag cci: ['CCI-000185'] tag nist: ['IA-5 (2) (b) (1)'] - config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist? - if config_file_exists - describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do - its('use_pkcs11_module') { should_not be_nil } - its('cert_policy') { should include 'ca' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end else - describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do - subject { config_file_exists } - it { should be true } + config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist? + if config_file_exists + describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do + its('use_pkcs11_module') { should_not be_nil } + its('cert_policy') { should include 'ca' } + end + else + describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do + subject { config_file_exists } + it { should be true } + end end end end diff --git a/controls/SV-238230.rb b/controls/SV-238230.rb index 1c09f9d..07cc779 100644 --- a/controls/SV-238230.rb +++ b/controls/SV-238230.rb @@ -51,7 +51,14 @@ tag cci: ['CCI-001948'] tag nist: ['IA-2 (11)'] - describe package('libpam-pkcs11') do - it { should be_installed } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + describe package('libpam-pkcs11') do + it { should be_installed } + end end end diff --git a/controls/SV-238232.rb b/controls/SV-238232.rb index 448cc9b..c241103 100644 --- a/controls/SV-238232.rb +++ b/controls/SV-238232.rb @@ -37,15 +37,22 @@ tag cci: ['CCI-001954'] tag nist: ['IA-2 (12)'] - config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist? - if config_file_exists - describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do - its('cert_policy') { should include 'ocsp_on' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end else - describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do - subject { config_file_exists } - it { should be true } + config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist? + if config_file_exists + describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do + its('cert_policy') { should include 'ocsp_on' } + end + else + describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do + subject { config_file_exists } + it { should be true } + end end end end diff --git a/controls/SV-238233.rb b/controls/SV-238233.rb index 3ef0e9b..5ef61a0 100644 --- a/controls/SV-238233.rb +++ b/controls/SV-238233.rb @@ -40,20 +40,27 @@ tag cci: ['CCI-001991'] tag nist: ['IA-5 (2) (d)'] - config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist? - if config_file_exists - describe.one do - describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do - its('cert_policy') { should include 'crl_auto' } - end - describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do - its('cert_policy') { should include 'crl_offline' } - end + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end else - describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do - subject { config_file_exists } - it { should be true } + config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist? + if config_file_exists + describe.one do + describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do + its('cert_policy') { should include 'crl_auto' } + end + describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do + its('cert_policy') { should include 'crl_offline' } + end + end + else + describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do + subject { config_file_exists } + it { should be true } + end end end end diff --git a/controls/SV-238234.rb b/controls/SV-238234.rb index db87059..667f6cc 100644 --- a/controls/SV-238234.rb +++ b/controls/SV-238234.rb @@ -37,12 +37,19 @@ tag cci: %w(CCI-000196 CCI-000200) tag nist: ['IA-5 (1) (c)', 'IA-5 (1) (e)'] - describe file('/etc/pam.d/common-password') do - it { should exist } - end - - describe command("grep -i remember /etc/pam.d/common-password | sed 's/.*remember=\\([^ ]*\\).*/\\1/'") do - its('exit_status') { should eq 0 } - its('stdout.strip') { should cmp >= 5 } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + describe file('/etc/pam.d/common-password') do + it { should exist } + end + + describe command("grep -i remember /etc/pam.d/common-password | sed 's/.*remember=\\([^ ]*\\).*/\\1/'") do + its('exit_status') { should eq 0 } + its('stdout.strip') { should cmp >= 5 } + end end end diff --git a/controls/SV-238235.rb b/controls/SV-238235.rb index bd1c9d1..c06b39a 100644 --- a/controls/SV-238235.rb +++ b/controls/SV-238235.rb @@ -71,13 +71,20 @@ tag cci: %w(CCI-000044 CCI-002238) tag nist: ['AC-7 a', 'AC-7 b'] - describe file('/etc/pam.d/common-auth') do - it { should exist } - end + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + describe file('/etc/pam.d/common-auth') do + it { should exist } + end - describe command('grep pam_tally /etc/pam.d/common-auth') do - its('exit_status') { should eq 0 } - its('stdout.strip') { should match /^\s*auth\s+required\s+pam_tally2.so\s+.*onerr=fail\s+deny=3($|\s+.*$)/ } - its('stdout.strip') { should_not match /^\s*auth\s+required\s+pam_tally2.so\s+.*onerr=fail\s+deny=3\s+.*unlock_time.*$/ } + describe command('grep pam_tally /etc/pam.d/common-auth') do + its('exit_status') { should eq 0 } + its('stdout.strip') { should match /^\s*auth\s+required\s+pam_tally2.so\s+.*onerr=fail\s+deny=3($|\s+.*$)/ } + its('stdout.strip') { should_not match /^\s*auth\s+required\s+pam_tally2.so\s+.*onerr=fail\s+deny=3\s+.*unlock_time.*$/ } + end end end diff --git a/controls/SV-238237.rb b/controls/SV-238237.rb index 4b16231..ad5b29d 100644 --- a/controls/SV-238237.rb +++ b/controls/SV-238237.rb @@ -31,18 +31,25 @@ tag cci: ['CCI-000366'] tag nist: ['CM-6 b'] - describe file('/etc/pam.d/common-auth') do - it { should exist } - end + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + describe file('/etc/pam.d/common-auth') do + it { should exist } + end - describe command('grep pam_faildelay /etc/pam.d/common-auth') do - its('exit_status') { should eq 0 } - its('stdout.strip') { should match /^\s*auth\s+required\s+pam_faildelay.so\s+.*delay=([4-9][\d]{6,}|[1-9][\d]{7,}).*$/ } - end + describe command('grep pam_faildelay /etc/pam.d/common-auth') do + its('exit_status') { should eq 0 } + its('stdout.strip') { should match /^\s*auth\s+required\s+pam_faildelay.so\s+.*delay=([4-9][\d]{6,}|[1-9][\d]{7,}).*$/ } + end - file('/etc/pam.d/common-auth').content.to_s.scan(/^\s*auth\s+required\s+pam_faildelay.so\s+.*delay=(\d+).*$/).flatten.each do |entry| - describe entry do - it { should cmp >= 4_000_000 } + file('/etc/pam.d/common-auth').content.to_s.scan(/^\s*auth\s+required\s+pam_faildelay.so\s+.*delay=(\d+).*$/).flatten.each do |entry| + describe entry do + it { should cmp >= 4_000_000 } + end end end end diff --git a/controls/SV-238238.rb b/controls/SV-238238.rb index 3d098d2..64818f1 100644 --- a/controls/SV-238238.rb +++ b/controls/SV-238238.rb @@ -52,27 +52,34 @@ tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130) tag nist: ['AC-2 (4)', 'AU-12 c'] - @audit_file = '/etc/passwd' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/etc/passwd' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'w' } - it { should include 'a' } + @perms.each do |perm| + describe perm do + it { should include 'w' } + it { should include 'a' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238239.rb b/controls/SV-238239.rb index 7f6e1d3..a2435ff 100644 --- a/controls/SV-238239.rb +++ b/controls/SV-238239.rb @@ -52,26 +52,33 @@ tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130) tag nist: ['AC-2 (4)', 'AU-12 c'] - @audit_file = '/etc/group' - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/etc/group' + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'w' } - it { should include 'a' } + @perms.each do |perm| + describe perm do + it { should include 'w' } + it { should include 'a' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238240.rb b/controls/SV-238240.rb index 6d560ca..ca6a745 100644 --- a/controls/SV-238240.rb +++ b/controls/SV-238240.rb @@ -52,26 +52,33 @@ tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130) tag nist: ['AC-2 (4)', 'AU-12 c'] - @audit_file = '/etc/shadow' - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/etc/shadow' + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'w' } - it { should include 'a' } + @perms.each do |perm| + describe perm do + it { should include 'w' } + it { should include 'a' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238241.rb b/controls/SV-238241.rb index 07c3f71..d9f2803 100644 --- a/controls/SV-238241.rb +++ b/controls/SV-238241.rb @@ -52,26 +52,33 @@ tag cci: %w(CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130) tag nist: ['AU-12 c', 'AC-2 (4)'] - @audit_file = '/etc/gshadow' - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/etc/gshadow' + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'w' } - it { should include 'a' } + @perms.each do |perm| + describe perm do + it { should include 'w' } + it { should include 'a' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238242.rb b/controls/SV-238242.rb index ba0986f..5aaa8ea 100644 --- a/controls/SV-238242.rb +++ b/controls/SV-238242.rb @@ -52,26 +52,33 @@ tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130) tag nist: ['AC-2 (4)', 'AU-12 c'] - @audit_file = '/etc/security/opasswd' - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/etc/security/opasswd' + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'w' } - it { should include 'a' } + @perms.each do |perm| + describe perm do + it { should include 'w' } + it { should include 'a' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238243.rb b/controls/SV-238243.rb index cf7f724..3744b19 100644 --- a/controls/SV-238243.rb +++ b/controls/SV-238243.rb @@ -52,11 +52,18 @@ tag cci: ['CCI-000139'] tag nist: ['AU-5 a'] - action_mail_acct = auditd_conf.action_mail_acct - security_accounts = input('action_mail_acct') + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + action_mail_acct = auditd_conf.action_mail_acct + security_accounts = input('action_mail_acct') - describe 'System Administrator (SA) and Information System Security Officer (ISSO) are notified in the event of an audit processing failure' do - subject { security_accounts } - it { should cmp action_mail_acct } + describe 'System Administrator (SA) and Information System Security Officer (ISSO) are notified in the event of an audit processing failure' do + subject { security_accounts } + it { should cmp action_mail_acct } + end end end diff --git a/controls/SV-238244.rb b/controls/SV-238244.rb index d8e7592..2bb0d4a 100644 --- a/controls/SV-238244.rb +++ b/controls/SV-238244.rb @@ -55,8 +55,15 @@ tag cci: ['CCI-000140'] tag nist: ['AU-5 b'] - describe auditd_conf do - its('disk_full_action') { should_not be_empty } - its('disk_full_action') { should cmp /(?:SYSLOG|SINGLE|HALT)/i } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + describe auditd_conf do + its('disk_full_action') { should_not be_empty } + its('disk_full_action') { should cmp /(?:SYSLOG|SINGLE|HALT)/i } + end end end diff --git a/controls/SV-238245.rb b/controls/SV-238245.rb index 0955631..6e880e8 100644 --- a/controls/SV-238245.rb +++ b/controls/SV-238245.rb @@ -53,17 +53,24 @@ tag cci: %w(CCI-000162 CCI-000163) tag nist: ['AU-9 a'] - log_file = auditd_conf.log_file - - log_file_exists = !log_file.nil? - if log_file_exists - describe file(log_file) do - it { should_not be_more_permissive_than('0600') } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end else - describe('Audit log file ' + log_file + ' exists') do - subject { log_file_exists } - it { should be true } + log_file = auditd_conf.log_file + + log_file_exists = !log_file.nil? + if log_file_exists + describe file(log_file) do + it { should_not be_more_permissive_than('0600') } + end + else + describe('Audit log file ' + log_file + ' exists') do + subject { log_file_exists } + it { should be true } + end end end end diff --git a/controls/SV-238246.rb b/controls/SV-238246.rb index 6e412c4..51e1ca5 100644 --- a/controls/SV-238246.rb +++ b/controls/SV-238246.rb @@ -52,17 +52,24 @@ tag cci: ['CCI-000162'] tag nist: ['AU-9 a'] - log_file = auditd_conf.log_file - - log_file_exists = !log_file.nil? - if log_file_exists - describe file(log_file) do - its('owner') { should cmp 'root' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end else - describe('Audit log file ' + log_file + ' exists') do - subject { log_file_exists } - it { should be true } + log_file = auditd_conf.log_file + + log_file_exists = !log_file.nil? + if log_file_exists + describe file(log_file) do + its('owner') { should cmp 'root' } + end + else + describe('Audit log file ' + log_file + ' exists') do + subject { log_file_exists } + it { should be true } + end end end end diff --git a/controls/SV-238247.rb b/controls/SV-238247.rb index 62f5531..6771489 100644 --- a/controls/SV-238247.rb +++ b/controls/SV-238247.rb @@ -56,17 +56,24 @@ tag cci: ['CCI-000162'] tag nist: ['AU-9 a'] - log_file = auditd_conf.log_file - - log_file_exists = !log_file.nil? - if log_file_exists - describe file(log_file) do - its('group') { should cmp 'root' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end else - describe('Audit log file ' + log_file + ' exists') do - subject { log_file_exists } - it { should be true } + log_file = auditd_conf.log_file + + log_file_exists = !log_file.nil? + if log_file_exists + describe file(log_file) do + its('group') { should cmp 'root' } + end + else + describe('Audit log file ' + log_file + ' exists') do + subject { log_file_exists } + it { should be true } + end end end end diff --git a/controls/SV-238248.rb b/controls/SV-238248.rb index 7dc6686..75d14b8 100644 --- a/controls/SV-238248.rb +++ b/controls/SV-238248.rb @@ -58,17 +58,24 @@ tag cci: ['CCI-000164'] tag nist: ['AU-9 a'] - log_file = auditd_conf.log_file - - log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil? - if log_dir_exists - describe directory(File.dirname(log_file)) do - it { should_not be_more_permissive_than('0750') } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end else - describe('Audit directory for file ' + log_file + ' exists') do - subject { log_dir_exists } - it { should be true } + log_file = auditd_conf.log_file + + log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil? + if log_dir_exists + describe directory(File.dirname(log_file)) do + it { should_not be_more_permissive_than('0750') } + end + else + describe('Audit directory for file ' + log_file + ' exists') do + subject { log_dir_exists } + it { should be true } + end end end end diff --git a/controls/SV-238249.rb b/controls/SV-238249.rb index 5f8e7d2..fec86f7 100644 --- a/controls/SV-238249.rb +++ b/controls/SV-238249.rb @@ -52,14 +52,21 @@ tag cci: ['CCI-000171'] tag nist: ['AU-12 b'] - files1 = command('find /etc/audit/ -type f \( -iname \*.rules -o -iname \*.conf \)').stdout.strip.split("\n").entries - files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split("\n").entries + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + files1 = command('find /etc/audit/ -type f \( -iname \*.rules -o -iname \*.conf \)').stdout.strip.split("\n").entries + files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split("\n").entries - audit_conf_files = files1 + files2 + audit_conf_files = files1 + files2 - audit_conf_files.each do |conf| - describe file(conf) do - it { should_not be_more_permissive_than('0640') } + audit_conf_files.each do |conf| + describe file(conf) do + it { should_not be_more_permissive_than('0640') } + end end end end diff --git a/controls/SV-238250.rb b/controls/SV-238250.rb index 2487a1d..acba538 100644 --- a/controls/SV-238250.rb +++ b/controls/SV-238250.rb @@ -62,14 +62,21 @@ tag cci: ['CCI-000171'] tag nist: ['AU-12 b'] - files1 = command('find /etc/audit/ -type f \( -iname \*.rules -o -iname \*.conf \)').stdout.strip.split("\n").entries - files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split("\n").entries + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + files1 = command('find /etc/audit/ -type f \( -iname \*.rules -o -iname \*.conf \)').stdout.strip.split("\n").entries + files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split("\n").entries - audit_conf_files = files1 + files2 + audit_conf_files = files1 + files2 - audit_conf_files.each do |conf| - describe file(conf) do - its('owner') { should cmp 'root' } + audit_conf_files.each do |conf| + describe file(conf) do + its('owner') { should cmp 'root' } + end end end end diff --git a/controls/SV-238251.rb b/controls/SV-238251.rb index 65e83e5..1d8f284 100644 --- a/controls/SV-238251.rb +++ b/controls/SV-238251.rb @@ -52,14 +52,21 @@ tag cci: ['CCI-000171'] tag nist: ['AU-12 b'] - files1 = command('find /etc/audit/ -type f \( -iname \*.rules -o -iname \*.conf \)').stdout.strip.split("\n").entries - files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split("\n").entries + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + files1 = command('find /etc/audit/ -type f \( -iname \*.rules -o -iname \*.conf \)').stdout.strip.split("\n").entries + files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split("\n").entries - audit_conf_files = files1 + files2 + audit_conf_files = files1 + files2 - audit_conf_files.each do |conf| - describe file(conf) do - its('group') { should cmp 'root' } + audit_conf_files.each do |conf| + describe file(conf) do + its('group') { should cmp 'root' } + end end end end diff --git a/controls/SV-238252.rb b/controls/SV-238252.rb index c34cfd9..da8f462 100644 --- a/controls/SV-238252.rb +++ b/controls/SV-238252.rb @@ -48,28 +48,35 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/bin/su' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/bin/su' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'x' } + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238253.rb b/controls/SV-238253.rb index 4fc545f..560de86 100644 --- a/controls/SV-238253.rb +++ b/controls/SV-238253.rb @@ -48,28 +48,35 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/usr/bin/chfn' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/usr/bin/chfn' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'x' } + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238254.rb b/controls/SV-238254.rb index 24c3b72..6784e07 100644 --- a/controls/SV-238254.rb +++ b/controls/SV-238254.rb @@ -48,28 +48,35 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/usr/bin/mount' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/usr/bin/mount' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'x' } + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238255.rb b/controls/SV-238255.rb index 179a55c..3223301 100644 --- a/controls/SV-238255.rb +++ b/controls/SV-238255.rb @@ -48,28 +48,35 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/usr/bin/umount' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/usr/bin/umount' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'x' } + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238256.rb b/controls/SV-238256.rb index 0571b41..60b62f4 100644 --- a/controls/SV-238256.rb +++ b/controls/SV-238256.rb @@ -48,28 +48,35 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/usr/bin/ssh-agent' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/usr/bin/ssh-agent' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'x' } + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238257.rb b/controls/SV-238257.rb index 6c78192..57eacdb 100644 --- a/controls/SV-238257.rb +++ b/controls/SV-238257.rb @@ -49,28 +49,35 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/usr/lib/openssh/ssh-keysign' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/usr/lib/openssh/ssh-keysign' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'x' } + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238258.rb b/controls/SV-238258.rb index c851a12..5941011 100644 --- a/controls/SV-238258.rb +++ b/controls/SV-238258.rb @@ -84,14 +84,21 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - if os.arch == 'x86_64' - describe auditd.syscall('setxattr').where { arch == 'b64' } do + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + if os.arch == 'x86_64' + describe auditd.syscall('setxattr').where { arch == 'b64' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end + end + describe auditd.syscall('setxattr').where { arch == 'b32' } do its('action.uniq') { should eq ['always'] } its('list.uniq') { should eq ['exit'] } end end - describe auditd.syscall('setxattr').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end end diff --git a/controls/SV-238264.rb b/controls/SV-238264.rb index 737f005..1279a6b 100644 --- a/controls/SV-238264.rb +++ b/controls/SV-238264.rb @@ -69,16 +69,21 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - # FIX - - if os.arch == 'x86_64' - describe auditd.syscall('chown').where { arch == 'b64' } do + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + if os.arch == 'x86_64' + describe auditd.syscall('chown').where { arch == 'b64' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end + end + describe auditd.syscall('chown').where { arch == 'b32' } do its('action.uniq') { should eq ['always'] } its('list.uniq') { should eq ['exit'] } end end - describe auditd.syscall('chown').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end end diff --git a/controls/SV-238268.rb b/controls/SV-238268.rb index 151198e..f81177f 100644 --- a/controls/SV-238268.rb +++ b/controls/SV-238268.rb @@ -68,16 +68,21 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - # FIX - - if os.arch == 'x86_64' - describe auditd.syscall('chmod').where { arch == 'b64' } do + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + if os.arch == 'x86_64' + describe auditd.syscall('chmod').where { arch == 'b64' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end + end + describe auditd.syscall('chmod').where { arch == 'b32' } do its('action.uniq') { should eq ['always'] } its('list.uniq') { should eq ['exit'] } end end - describe auditd.syscall('chmod').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end end diff --git a/controls/SV-238271.rb b/controls/SV-238271.rb index b7bd30f..9307789 100644 --- a/controls/SV-238271.rb +++ b/controls/SV-238271.rb @@ -85,28 +85,33 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - # FIX - - if os.arch == 'x86_64' - describe auditd.syscall('open').where { arch == 'b64' } do + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + if os.arch == 'x86_64' + describe auditd.syscall('open').where { arch == 'b64' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + its('exit.uniq') { should include '-EPERM' } + end + describe auditd.syscall('open').where { arch == 'b64' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + its('exit.uniq') { should include '-EACCES' } + end + end + describe auditd.syscall('open').where { arch == 'b32' } do its('action.uniq') { should eq ['always'] } its('list.uniq') { should eq ['exit'] } its('exit.uniq') { should include '-EPERM' } end - describe auditd.syscall('open').where { arch == 'b64' } do + describe auditd.syscall('open').where { arch == 'b32' } do its('action.uniq') { should eq ['always'] } its('list.uniq') { should eq ['exit'] } its('exit.uniq') { should include '-EACCES' } end end - describe auditd.syscall('open').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EPERM' } - end - describe auditd.syscall('open').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - its('exit.uniq') { should include '-EACCES' } - end end diff --git a/controls/SV-238277.rb b/controls/SV-238277.rb index dc8e9d3..1adc42f 100644 --- a/controls/SV-238277.rb +++ b/controls/SV-238277.rb @@ -47,26 +47,33 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/usr/bin/sudo' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/usr/bin/sudo' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'x' } + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238278.rb b/controls/SV-238278.rb index 7127de7..417f5d5 100644 --- a/controls/SV-238278.rb +++ b/controls/SV-238278.rb @@ -48,27 +48,34 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/usr/bin/sudoedit' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/usr/bin/sudoedit' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'x' } + @perms.each do |perm| + describe perm do + it { should include 'x' } + end end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } + end end end end diff --git a/controls/SV-238279.rb b/controls/SV-238279.rb index 2267b90..0136958 100644 --- a/controls/SV-238279.rb +++ b/controls/SV-238279.rb @@ -48,26 +48,33 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/usr/bin/chsh' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/usr/bin/chsh' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'x' } + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238280.rb b/controls/SV-238280.rb index 9c63fce..aa8600a 100644 --- a/controls/SV-238280.rb +++ b/controls/SV-238280.rb @@ -48,26 +48,33 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/usr/bin/newgrp' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/usr/bin/newgrp' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'x' } + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238281.rb b/controls/SV-238281.rb index acdfc9f..2294afb 100644 --- a/controls/SV-238281.rb +++ b/controls/SV-238281.rb @@ -48,26 +48,33 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/usr/bin/chcon' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/usr/bin/chcon' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'x' } + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238282.rb b/controls/SV-238282.rb index 6fcb11e..173fba3 100644 --- a/controls/SV-238282.rb +++ b/controls/SV-238282.rb @@ -48,26 +48,33 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/sbin/apparmor_parser' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/sbin/apparmor_parser' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'x' } + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238283.rb b/controls/SV-238283.rb index abdfb08..debe151 100644 --- a/controls/SV-238283.rb +++ b/controls/SV-238283.rb @@ -48,26 +48,33 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/usr/bin/setfacl' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/usr/bin/setfacl' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'x' } + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238284.rb b/controls/SV-238284.rb index 70e3edd..68e7291 100644 --- a/controls/SV-238284.rb +++ b/controls/SV-238284.rb @@ -48,26 +48,33 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/usr/bin/chacl' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/usr/bin/chacl' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'x' } + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238285.rb b/controls/SV-238285.rb index d721e70..155fa64 100644 --- a/controls/SV-238285.rb +++ b/controls/SV-238285.rb @@ -49,27 +49,34 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/var/log/tallylog' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/var/log/tallylog' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'w' } - it { should include 'a' } + @perms.each do |perm| + describe perm do + it { should include 'w' } + it { should include 'a' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238286.rb b/controls/SV-238286.rb index 81c511a..9d21206 100644 --- a/controls/SV-238286.rb +++ b/controls/SV-238286.rb @@ -49,27 +49,34 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/var/log/faillog' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/var/log/faillog' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'w' } - it { should include 'a' } + @perms.each do |perm| + describe perm do + it { should include 'w' } + it { should include 'a' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238287.rb b/controls/SV-238287.rb index f959caf..aa85aa2 100644 --- a/controls/SV-238287.rb +++ b/controls/SV-238287.rb @@ -49,27 +49,34 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/var/log/lastlog' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/var/log/lastlog' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'w' } - it { should include 'a' } + @perms.each do |perm| + describe perm do + it { should include 'w' } + it { should include 'a' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238288.rb b/controls/SV-238288.rb index 6f8fddd..82b30ab 100644 --- a/controls/SV-238288.rb +++ b/controls/SV-238288.rb @@ -48,27 +48,34 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/usr/bin/passwd' + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + @audit_file = '/usr/bin/passwd' - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'x' } + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238289.rb b/controls/SV-238289.rb index ffd8905..c22c8ed 100644 --- a/controls/SV-238289.rb +++ b/controls/SV-238289.rb @@ -48,26 +48,33 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/sbin/unix_update' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/sbin/unix_update' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'x' } + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238290.rb b/controls/SV-238290.rb index f9fdf7c..fb385af 100644 --- a/controls/SV-238290.rb +++ b/controls/SV-238290.rb @@ -48,26 +48,33 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/usr/bin/gpasswd' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/usr/bin/gpasswd' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'x' } + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238291.rb b/controls/SV-238291.rb index 8803ac1..7db18bb 100644 --- a/controls/SV-238291.rb +++ b/controls/SV-238291.rb @@ -48,26 +48,33 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/usr/bin/chage' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/usr/bin/chage' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'x' } + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238292.rb b/controls/SV-238292.rb index 017922a..70ddc7e 100644 --- a/controls/SV-238292.rb +++ b/controls/SV-238292.rb @@ -48,26 +48,33 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/usr/sbin/usermod' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/usr/sbin/usermod' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'x' } + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238293.rb b/controls/SV-238293.rb index d94acdc..84c8860 100644 --- a/controls/SV-238293.rb +++ b/controls/SV-238293.rb @@ -48,26 +48,33 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/usr/bin/crontab' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/usr/bin/crontab' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'x' } + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238294.rb b/controls/SV-238294.rb index 53116a8..24fada9 100644 --- a/controls/SV-238294.rb +++ b/controls/SV-238294.rb @@ -50,26 +50,33 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/usr/sbin/pam_timestamp_check' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/usr/sbin/pam_timestamp_check' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'x' } + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238295.rb b/controls/SV-238295.rb index 657cf1f..42ca8b3 100644 --- a/controls/SV-238295.rb +++ b/controls/SV-238295.rb @@ -69,14 +69,21 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - if os.arch == 'x86_64' - describe auditd.syscall('init_module').where { arch == 'b64' } do + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + if os.arch == 'x86_64' + describe auditd.syscall('init_module').where { arch == 'b64' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end + end + describe auditd.syscall('init_module').where { arch == 'b32' } do its('action.uniq') { should eq ['always'] } its('list.uniq') { should eq ['exit'] } end end - describe auditd.syscall('init_module').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end end diff --git a/controls/SV-238297.rb b/controls/SV-238297.rb index 53a6e24..891d079 100644 --- a/controls/SV-238297.rb +++ b/controls/SV-238297.rb @@ -61,14 +61,21 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - if os.arch == 'x86_64' - describe auditd.syscall('delete_module').where { arch == 'b64' } do + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + if os.arch == 'x86_64' + describe auditd.syscall('delete_module').where { arch == 'b64' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end + end + describe auditd.syscall('delete_module').where { arch == 'b32' } do its('action.uniq') { should eq ['always'] } its('list.uniq') { should eq ['exit'] } end end - describe auditd.syscall('delete_module').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end end diff --git a/controls/SV-238298.rb b/controls/SV-238298.rb index 209b159..54ac7f2 100644 --- a/controls/SV-238298.rb +++ b/controls/SV-238298.rb @@ -83,12 +83,19 @@ tag cci: %w(CCI-000130 CCI-000131 CCI-000132 CCI-000133 CCI-000134 CCI-000135 CCI-000154 CCI-000158 CCI-000169 CCI-000172 CCI-001875 CCI-001876 CCI-001877 CCI-001878 CCI-001879 CCI-001880 CCI-001881 CCI-001882 CCI-001914) tag nist: ['AU-3 a', 'AU-3 b', 'AU-3 c', 'AU-3 d', 'AU-3 e', 'AU-3 (1)', 'AU-6 (4)', 'AU-7 (1)', 'AU-12 a', 'AU-12 c', 'AU-7 a', 'AU-7 b', 'AU-12 (3)'] - describe package('auditd') do - it { should be_installed } - end - describe service('auditd') do - it { should be_installed } - it { should be_enabled } - it { should be_running } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + describe package('auditd') do + it { should be_installed } + end + describe service('auditd') do + it { should be_installed } + it { should be_enabled } + it { should be_running } + end end end diff --git a/controls/SV-238300.rb b/controls/SV-238300.rb index 8920fe2..c73601e 100644 --- a/controls/SV-238300.rb +++ b/controls/SV-238300.rb @@ -53,11 +53,18 @@ tag cci: %w(CCI-001493 CCI-001494) tag nist: ['AU-9 a', 'AU-9'] - audit_tools = input('audit_tools') + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + audit_tools = input('audit_tools') - audit_tools.each do |tool| - describe file(tool) do - it { should_not be_more_permissive_than('0755') } + audit_tools.each do |tool| + describe file(tool) do + it { should_not be_more_permissive_than('0755') } + end end end end diff --git a/controls/SV-238301.rb b/controls/SV-238301.rb index a7ea0dd..28877d6 100644 --- a/controls/SV-238301.rb +++ b/controls/SV-238301.rb @@ -53,11 +53,18 @@ tag cci: %w(CCI-001493 CCI-001494) tag nist: ['AU-9 a', 'AU-9'] - audit_tools = input('audit_tools') + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + audit_tools = input('audit_tools') - audit_tools.each do |tool| - describe file(tool) do - its('owner') { should cmp 'root' } + audit_tools.each do |tool| + describe file(tool) do + its('owner') { should cmp 'root' } + end end end end diff --git a/controls/SV-238302.rb b/controls/SV-238302.rb index ece1177..b2bc16e 100644 --- a/controls/SV-238302.rb +++ b/controls/SV-238302.rb @@ -54,11 +54,18 @@ tag cci: %w(CCI-001493 CCI-001494) tag nist: ['AU-9 a', 'AU-9'] - audit_tools = input('audit_tools') + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + audit_tools = input('audit_tools') - audit_tools.each do |tool| - describe file(tool) do - its('group') { should cmp 'root' } + audit_tools.each do |tool| + describe file(tool) do + its('group') { should cmp 'root' } + end end end end diff --git a/controls/SV-238303.rb b/controls/SV-238303.rb index 309e0e2..7dd085b 100644 --- a/controls/SV-238303.rb +++ b/controls/SV-238303.rb @@ -69,42 +69,49 @@ tag cci: ['CCI-001496'] tag nist: ['AU-9 (3)'] - aide_conf = aide_conf input('aide_conf_path') - - aide_conf_exists = aide_conf.exist? - - if aide_conf_exists - describe aide_conf.where { selection_line == '/sbin/auditctl' } do - its('rules') { should include %w(p i n u g s b acl xattrs sha512) } - end - - describe aide_conf.where { selection_line == '/sbin/auditd' } do - its('rules') { should include %w(p i n u g s b acl xattrs sha512) } - end - - describe aide_conf.where { selection_line == '/sbin/ausearch' } do - its('rules') { should include %w(p i n u g s b acl xattrs sha512) } - end - - describe aide_conf.where { selection_line == '/sbin/aureport' } do - its('rules') { should include %w(p i n u g s b acl xattrs sha512) } - end - - describe aide_conf.where { selection_line == '/sbin/autrace' } do - its('rules') { should include %w(p i n u g s b acl xattrs sha512) } - end - - describe aide_conf.where { selection_line == '/sbin/audispd' } do - its('rules') { should include %w(p i n u g s b acl xattrs sha512) } - end - - describe aide_conf.where { selection_line == '/sbin/augenrules' } do - its('rules') { should include %w(p i n u g s b acl xattrs sha512) } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end else - describe 'aide.conf file exists' do - subject { aide_conf_exists } - it { should be true } + aide_conf = aide_conf input('aide_conf_path') + + aide_conf_exists = aide_conf.exist? + + if aide_conf_exists + describe aide_conf.where { selection_line == '/sbin/auditctl' } do + its('rules') { should include %w(p i n u g s b acl xattrs sha512) } + end + + describe aide_conf.where { selection_line == '/sbin/auditd' } do + its('rules') { should include %w(p i n u g s b acl xattrs sha512) } + end + + describe aide_conf.where { selection_line == '/sbin/ausearch' } do + its('rules') { should include %w(p i n u g s b acl xattrs sha512) } + end + + describe aide_conf.where { selection_line == '/sbin/aureport' } do + its('rules') { should include %w(p i n u g s b acl xattrs sha512) } + end + + describe aide_conf.where { selection_line == '/sbin/autrace' } do + its('rules') { should include %w(p i n u g s b acl xattrs sha512) } + end + + describe aide_conf.where { selection_line == '/sbin/audispd' } do + its('rules') { should include %w(p i n u g s b acl xattrs sha512) } + end + + describe aide_conf.where { selection_line == '/sbin/augenrules' } do + its('rules') { should include %w(p i n u g s b acl xattrs sha512) } + end + else + describe 'aide.conf file exists' do + subject { aide_conf_exists } + it { should be true } + end end end end diff --git a/controls/SV-238304.rb b/controls/SV-238304.rb index 15173b7..0e263ed 100644 --- a/controls/SV-238304.rb +++ b/controls/SV-238304.rb @@ -70,14 +70,21 @@ tag cci: %w(CCI-002233 CCI-002234) tag nist: ['AC-6 (8)', 'AC-6 (9)'] - if os.arch == 'x86_64' - describe auditd.syscall('execve').where { arch == 'b64' } do + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + if os.arch == 'x86_64' + describe auditd.syscall('execve').where { arch == 'b64' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end + end + describe auditd.syscall('execve').where { arch == 'b32' } do its('action.uniq') { should eq ['always'] } its('list.uniq') { should eq ['exit'] } end end - describe auditd.syscall('execve').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end end diff --git a/controls/SV-238305.rb b/controls/SV-238305.rb index 5e35e49..f4f826b 100644 --- a/controls/SV-238305.rb +++ b/controls/SV-238305.rb @@ -72,26 +72,33 @@ tag cci: ['CCI-001849'] tag nist: ['AU-4'] - log_file = auditd_conf.log_file - log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil? - - if log_dir_exists - log_file_dir = File.dirname(log_file) - available_storage = filesystem(log_file_dir).free_kb - log_file_size = file(log_file).size - standard_audit_log_size = input('standard_audit_log_size') - describe('Current audit log file size is less than the specified standard of ' + standard_audit_log_size.to_s) do - subject { log_file_size.to_i } - it { should be <= standard_audit_log_size } - end - describe('Available storage for audit log should be more than the defined standard of ' + standard_audit_log_size.to_s) do - subject { available_storage.to_i } - it { should be > standard_audit_log_size } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end else - describe('Audit file/directory for file ' + log_file + ' exists') do - subject { log_dir_exists } - it { should be true } + log_file = auditd_conf.log_file + log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil? + + if log_dir_exists + log_file_dir = File.dirname(log_file) + available_storage = filesystem(log_file_dir).free_kb + log_file_size = file(log_file).size + standard_audit_log_size = input('standard_audit_log_size') + describe('Current audit log file size is less than the specified standard of ' + standard_audit_log_size.to_s) do + subject { log_file_size.to_i } + it { should be <= standard_audit_log_size } + end + describe('Available storage for audit log should be more than the defined standard of ' + standard_audit_log_size.to_s) do + subject { available_storage.to_i } + it { should be > standard_audit_log_size } + end + else + describe('Audit file/directory for file ' + log_file + ' exists') do + subject { log_dir_exists } + it { should be true } + end end end end diff --git a/controls/SV-238306.rb b/controls/SV-238306.rb index 9d8c697..4265848 100644 --- a/controls/SV-238306.rb +++ b/controls/SV-238306.rb @@ -79,23 +79,30 @@ tag cci: ['CCI-001851'] tag nist: ['AU-4 (1)'] - config_file = input('audispremote_config_file') - config_file_exists = file(config_file).exist? - audit_sp_remote_server = input('audit_sp_remote_server') - - describe package('audispd-plugins') do - it { should be_installed } - end - - if config_file_exists - describe parse_config_file(config_file) do - its('active') { should cmp 'yes' } - its('remote_server') { should cmp audit_sp_remote_server } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end else - describe(config_file + ' exists') do - subject { config_file_exists } - it { should be true } + config_file = input('audispremote_config_file') + config_file_exists = file(config_file).exist? + audit_sp_remote_server = input('audit_sp_remote_server') + + describe package('audispd-plugins') do + it { should be_installed } + end + + if config_file_exists + describe parse_config_file(config_file) do + its('active') { should cmp 'yes' } + its('remote_server') { should cmp audit_sp_remote_server } + end + else + describe(config_file + ' exists') do + subject { config_file_exists } + it { should be true } + end end end end diff --git a/controls/SV-238307.rb b/controls/SV-238307.rb index 2c4fd1d..2ad8b1b 100644 --- a/controls/SV-238307.rb +++ b/controls/SV-238307.rb @@ -70,32 +70,39 @@ tag cci: ['CCI-001855'] tag nist: ['AU-5 (1)'] - log_file = auditd_conf.log_file - log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil? - - if log_dir_exists - email_to_notify = input('action_mail_acct') - - partition_threshold_mb = (filesystem(log_file).size_kb / 1024 * 0.25).to_i - system_alert_configuration_mb = auditd_conf.space_left.to_i - - describe 'The space_left configuration' do - subject { system_alert_configuration_mb } - it { should >= partition_threshold_mb } - end - describe 'The space_left_action configuration' do - subject { auditd_conf.space_left_action } - it { should eq 'email' } - end - - describe 'The action_mail_acct configuration' do - subject { auditd_conf.action_mail_acct } - it { should eq email_to_notify } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end else - describe('Audit file/directory for file ' + log_file + ' exists') do - subject { log_dir_exists } - it { should be true } + log_file = auditd_conf.log_file + log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil? + + if log_dir_exists + email_to_notify = input('action_mail_acct') + + partition_threshold_mb = (filesystem(log_file).size_kb / 1024 * 0.25).to_i + system_alert_configuration_mb = auditd_conf.space_left.to_i + + describe 'The space_left configuration' do + subject { system_alert_configuration_mb } + it { should >= partition_threshold_mb } + end + describe 'The space_left_action configuration' do + subject { auditd_conf.space_left_action } + it { should eq 'email' } + end + + describe 'The action_mail_acct configuration' do + subject { auditd_conf.action_mail_acct } + it { should eq email_to_notify } + end + else + describe('Audit file/directory for file ' + log_file + ' exists') do + subject { log_dir_exists } + it { should be true } + end end end end diff --git a/controls/SV-238309.rb b/controls/SV-238309.rb index d99bd4b..3e14fd9 100644 --- a/controls/SV-238309.rb +++ b/controls/SV-238309.rb @@ -62,27 +62,34 @@ tag cci: %w(CCI-000172 CCI-002884) tag nist: ['AU-12 c', 'MA-4 (1) (a)'] - @audit_file = '/var/log/sudo.log' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/var/log/sudo.log' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'w' } - it { should include 'a' } + @perms.each do |perm| + describe perm do + it { should include 'w' } + it { should include 'a' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238310.rb b/controls/SV-238310.rb index 6683605..30595f5 100644 --- a/controls/SV-238310.rb +++ b/controls/SV-238310.rb @@ -67,14 +67,21 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - if os.arch == 'x86_64' - describe auditd.syscall('unlink').where { arch == 'b64' } do + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + if os.arch == 'x86_64' + describe auditd.syscall('unlink').where { arch == 'b64' } do + its('action.uniq') { should eq ['always'] } + its('list.uniq') { should eq ['exit'] } + end + end + describe auditd.syscall('unlink').where { arch == 'b32' } do its('action.uniq') { should eq ['always'] } its('list.uniq') { should eq ['exit'] } end end - describe auditd.syscall('unlink').where { arch == 'b32' } do - its('action.uniq') { should eq ['always'] } - its('list.uniq') { should eq ['exit'] } - end end diff --git a/controls/SV-238315.rb b/controls/SV-238315.rb index 4a74fe5..87ae2d3 100644 --- a/controls/SV-238315.rb +++ b/controls/SV-238315.rb @@ -45,27 +45,34 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/var/log/wtmp' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/var/log/wtmp' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'w' } - it { should include 'a' } + @perms.each do |perm| + describe perm do + it { should include 'w' } + it { should include 'a' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238316.rb b/controls/SV-238316.rb index 943789b..20fbe0a 100644 --- a/controls/SV-238316.rb +++ b/controls/SV-238316.rb @@ -45,27 +45,34 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/var/run/wtmp' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/var/run/wtmp' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'w' } - it { should include 'a' } + @perms.each do |perm| + describe perm do + it { should include 'w' } + it { should include 'a' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238317.rb b/controls/SV-238317.rb index eb070f0..544325c 100644 --- a/controls/SV-238317.rb +++ b/controls/SV-238317.rb @@ -45,27 +45,34 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/var/log/btmp' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/var/log/btmp' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'w' } - it { should include 'a' } + @perms.each do |perm| + describe perm do + it { should include 'w' } + it { should include 'a' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238318.rb b/controls/SV-238318.rb index d328537..11f2b41 100644 --- a/controls/SV-238318.rb +++ b/controls/SV-238318.rb @@ -43,26 +43,33 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/sbin/modprobe' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/sbin/modprobe' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'x' } + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238319.rb b/controls/SV-238319.rb index 316e760..f27dd6a 100644 --- a/controls/SV-238319.rb +++ b/controls/SV-238319.rb @@ -46,26 +46,33 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/bin/kmod' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/bin/kmod' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'x' } + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238320.rb b/controls/SV-238320.rb index ff54ef6..e9fde79 100644 --- a/controls/SV-238320.rb +++ b/controls/SV-238320.rb @@ -46,26 +46,33 @@ tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] - @audit_file = '/sbin/fdisk' - - audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? - if audit_lines_exist - describe auditd.file(@audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end + else + @audit_file = '/sbin/fdisk' + + audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? + if audit_lines_exist + describe auditd.file(@audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end - @perms = auditd.file(@audit_file).permissions + @perms = auditd.file(@audit_file).permissions - @perms.each do |perm| - describe perm do - it { should include 'x' } + @perms.each do |perm| + describe perm do + it { should include 'x' } + end + end + else + describe('Audit line(s) for ' + @audit_file + ' exist') do + subject { audit_lines_exist } + it { should be true } end - end - else - describe('Audit line(s) for ' + @audit_file + ' exist') do - subject { audit_lines_exist } - it { should be true } end end end diff --git a/controls/SV-238362.rb b/controls/SV-238362.rb index 7e44d9b..2627e52 100644 --- a/controls/SV-238362.rb +++ b/controls/SV-238362.rb @@ -36,17 +36,24 @@ tag cci: ['CCI-002007'] tag nist: ['IA-5 (13)'] - config_file = input('sssd_conf_path') - config_file_exists = file(config_file).exist? - - if config_file_exists - describe parse_config_file(config_file) do - its('offline_credentials_expiration') { should cmp '1' } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" end else - describe(config_file + ' exists') do - subject { config_file_exists } - it { should be true } + config_file = input('sssd_conf_path') + config_file_exists = file(config_file).exist? + + if config_file_exists + describe parse_config_file(config_file) do + its('offline_credentials_expiration') { should cmp '1' } + end + else + describe(config_file + ' exists') do + subject { config_file_exists } + it { should be true } + end end end end diff --git a/controls/SV-238373.rb b/controls/SV-238373.rb index fc0e79a..1830579 100644 --- a/controls/SV-238373.rb +++ b/controls/SV-238373.rb @@ -39,9 +39,16 @@ tag cci: ['CCI-000052'] tag nist: ['AC-9'] - describe command('grep pam_lastlog /etc/pam.d/login') do - its('exit_status') { should eq 0 } - its('stdout.strip') { should match /^\s*session\s+required\s+pam_lastlog.so/ } - its('stdout.strip') { should_not match /^\s*session\s+required\s+pam_lastlog.so[\s\w\d\=]+.*silent/ } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + describe command('grep pam_lastlog /etc/pam.d/login') do + its('exit_status') { should eq 0 } + its('stdout.strip') { should match /^\s*session\s+required\s+pam_lastlog.so/ } + its('stdout.strip') { should_not match /^\s*session\s+required\s+pam_lastlog.so[\s\w\d\=]+.*silent/ } + end end end diff --git a/controls/SV-251504.rb b/controls/SV-251504.rb index eb7e5d9..dea7a80 100644 --- a/controls/SV-251504.rb +++ b/controls/SV-251504.rb @@ -28,7 +28,14 @@ tag cci: ['CCI-000366'] tag nist: ['CM-6 b'] - describe command('grep nullok /etc/pam.d/common-password') do - its('stdout') { should be_empty } + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + describe command('grep nullok /etc/pam.d/common-password') do + its('stdout') { should be_empty } + end end end diff --git a/controls/SV-251505.rb b/controls/SV-251505.rb index a6f24f0..b1f671f 100644 --- a/controls/SV-251505.rb +++ b/controls/SV-251505.rb @@ -50,11 +50,18 @@ tag cci: ['CCI-001958'] tag nist: ['IA-3'] - describe command('grep usb-storage /etc/modprobe.d/* | grep "/bin/true"') do - its('stdout') { should_not be_empty } - end + if virtualization.system.eql?('docker') + impact 0.0 + describe "Control not applicable to a container" do + skip "Control not applicable to a container" + end + else + describe command('grep usb-storage /etc/modprobe.d/* | grep "/bin/true"') do + its('stdout') { should_not be_empty } + end - describe command('grep usb-storage /etc/modprobe.d/* | grep -i "blacklist"') do - its('stdout') { should_not be_empty } + describe command('grep usb-storage /etc/modprobe.d/* | grep -i "blacklist"') do + its('stdout') { should_not be_empty } + end end end From cac07d44f74e926a789a76adffcc4d214d47abee Mon Sep 17 00:00:00 2001 From: HackerShark Date: Mon, 5 Dec 2022 11:56:49 -0500 Subject: [PATCH 016/100] added fips logic and containerized logic, also updated inspec.yml and added an inputs.yml file Signed-off-by: HackerShark --- controls/SV-238216.rb | 19 +++++++++++++---- controls/SV-238217.rb | 23 +++++++++++++++------ controls/SV-238325.rb | 15 ++++++++++++-- controls/SV-238363.rb | 29 ++++++++++++++++++-------- inputs.yml | 48 +++++++++++++++++++++++++++++++++++++++++++ inspec.yml | 7 ++++++- 6 files changed, 119 insertions(+), 22 deletions(-) create mode 100644 inputs.yml diff --git a/controls/SV-238216.rb b/controls/SV-238216.rb index 3490a72..f0a54f2 100644 --- a/controls/SV-238216.rb +++ b/controls/SV-238216.rb @@ -62,11 +62,22 @@ tag cci: %w(CCI-001453 CCI-002421 CCI-002890) tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)'] - @macs_array = inspec.sshd_config.params['macs'] + if input('disable_fips')? + impact 0.0 + describe "Control not applicable" do + skip "Control not applicable" + end + elsif virtualization.system.eql?('docker') + describe "Manual test" do + skip "This control must be reviewed manually" + end + else + @macs_array = inspec.sshd_config.params['macs'] - @macs_array = @macs_array.first.split(',') unless @macs_array.nil? + @macs_array = @macs_array.first.split(',') unless @macs_array.nil? - describe @macs_array do - it { should be_in %w(hmac-sha2-256 hmac-sha2-512) } + describe @macs_array do + it { should be_in %w(hmac-sha2-256 hmac-sha2-512) } + end end end diff --git a/controls/SV-238217.rb b/controls/SV-238217.rb index d135ffc..e709266 100644 --- a/controls/SV-238217.rb +++ b/controls/SV-238217.rb @@ -68,11 +68,22 @@ tag cci: %w(CCI-000068 CCI-002421 CCI-003123) tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)'] - @ciphers_array = inspec.sshd_config.params['ciphers'] - - @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil? - - describe @ciphers_array do - it { should be_in %w( aes256-ctr aes192-ctr aes128-ctr ) } + if input('disable_fips')? + impact 0.0 + describe "Control not applicable" do + skip "Control not applicable" + end + elsif virtualization.system.eql?('docker') + describe "Manual test" do + skip "This control must be reviewed manually" + end + else + @ciphers_array = inspec.sshd_config.params['ciphers'] + + @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil? + + describe @ciphers_array do + it { should be_in %w( aes256-ctr aes192-ctr aes128-ctr ) } + end end end diff --git a/controls/SV-238325.rb b/controls/SV-238325.rb index 7b83fd1..ca9ada7 100644 --- a/controls/SV-238325.rb +++ b/controls/SV-238325.rb @@ -34,7 +34,18 @@ tag cci: ['CCI-000803'] tag nist: ['IA-7'] - describe login_defs do - its('ENCRYPT_METHOD') { should eq 'SHA512' } + if input('disable_fips')? + impact 0.0 + describe "Control not applicable" do + skip "Control not applicable" + end + elsif virtualization.system.eql?('docker') + describe "Manual test" do + skip "This control must be reviewed manually" + end + else + describe login_defs do + its('ENCRYPT_METHOD') { should eq 'SHA512' } + end end end diff --git a/controls/SV-238363.rb b/controls/SV-238363.rb index 44d2cbf..ac2e860 100644 --- a/controls/SV-238363.rb +++ b/controls/SV-238363.rb @@ -38,17 +38,28 @@ tag cci: ['CCI-002450'] tag nist: ['SC-13 b'] - config_file = input('fips_config_file') - config_file_exists = file(config_file).exist? - - if config_file_exists - describe file(config_file) do - its('content') { should match /\A1\Z/ } + if input('disable_fips')? + impact 0.0 + describe "Control not applicable" do + skip "Control not applicable" + end + elsif virtualization.system.eql?('docker') + describe "Manual test" do + skip "This control must be reviewed manually" end else - describe('FIPS is enabled') do - subject { config_file_exists } - it { should be true } + config_file = input('fips_config_file') + config_file_exists = file(config_file).exist? + + if config_file_exists + describe file(config_file) do + its('content') { should match /\A1\Z/ } + end + else + describe('FIPS is enabled') do + subject { config_file_exists } + it { should be true } + end end end end diff --git a/inputs.yml b/inputs.yml new file mode 100644 index 0000000..2d2576e --- /dev/null +++ b/inputs.yml @@ -0,0 +1,48 @@ +temporary_accounts: [] +banner_text: 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + + By using this IS (which includes any device attached to this IS), you consent to the following conditions: + + -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + + -At any time, the USG may inspect and seize data stored on this IS. + + -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + + -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + + -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.' + sudo_accounts: [ "ubuntu" ] + tmout: 600 + action_mail_acct: root + audit_tools: [ + '/sbin/auditctl', + '/sbin/aureport', + '/sbin/ausearch', + '/sbin/autrace', + '/sbin/auditd', + '/sbin/audispd', + '/sbin/augenrules' + ] + standard_audit_log_size: 8894028 + aide_conf_path: '/etc/aide/aide.conf' + action_mail_acct: root + maxlogins: 10 + is_kdump_required: false + is_system_networked: true + sssd_conf_path: '/etc/sssd/sssd.conf' + allowed_ca_fingerprints_regex: (9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9) + allowed_network_interfaces: [ + 'lo', + 'eth0' + ] + audit_sp_remote_server: '192.0.0.1' + approved_wireless_interfaces: [] + fips_config_file: '/proc/sys/crypto/fips_enabled' + chrony_config_file: '/etc/chrony/chrony.conf' + useradd_config_file: '/etc/default/useradd' + rsyslog_config_file: '/etc/rsyslog.d/50-default.conf' + auditoffload_config_file: '/etc/cron.weekly/audit-offload' + audispremote_config_file: '/etc/audisp/plugins.d/au-remote.conf' + gdm3_config_file: '/etc/gdm3/greeter.dconf-defaults' + disable_fips: false \ No newline at end of file diff --git a/inspec.yml b/inspec.yml index 2cc0b4b..35c71b3 100644 --- a/inspec.yml +++ b/inspec.yml @@ -153,4 +153,9 @@ inputs: - name: gdm3_config_file description: Location of gdm3 config file type: String - value: '/etc/gdm3/greeter.dconf-defaults' \ No newline at end of file + value: '/etc/gdm3/greeter.dconf-defaults' + + - name: disable_fips + description: Is fips disabled or enabled due to FIPS 140 image + type: boolean + value: false \ No newline at end of file From af2fe01481de084c7598e4939d532e0a45fcdd44 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Sat, 3 Dec 2022 17:15:17 +0000 Subject: [PATCH 017/100] Started adding test-kitchen testing Signed-off-by: GitHub --- container.threshold.yml | 0 ec2.inputs.yml | 0 hardened.threshold.yml | 3 +++ kitchen.container.yml | 6 +++++ kitchen.ec2.yml | 30 +++++++++++++++++++++++ kitchen.vagrant.yml | 17 +++++++++++++ kitchen.yml | 54 +++++++++++++++-------------------------- vagrant.inputs.yaml | 0 vanilla.threshold.yml | 3 +++ 9 files changed, 78 insertions(+), 35 deletions(-) create mode 100644 container.threshold.yml create mode 100644 ec2.inputs.yml create mode 100644 hardened.threshold.yml create mode 100644 kitchen.container.yml create mode 100644 kitchen.ec2.yml create mode 100644 kitchen.vagrant.yml create mode 100644 vagrant.inputs.yaml create mode 100644 vanilla.threshold.yml diff --git a/container.threshold.yml b/container.threshold.yml new file mode 100644 index 0000000..e69de29 diff --git a/ec2.inputs.yml b/ec2.inputs.yml new file mode 100644 index 0000000..e69de29 diff --git a/hardened.threshold.yml b/hardened.threshold.yml new file mode 100644 index 0000000..043ddab --- /dev/null +++ b/hardened.threshold.yml @@ -0,0 +1,3 @@ +--- +compliance.min: 75 +error.total.max: 0 diff --git a/kitchen.container.yml b/kitchen.container.yml new file mode 100644 index 0000000..3e7bb30 --- /dev/null +++ b/kitchen.container.yml @@ -0,0 +1,6 @@ +driver: + name: dummy + +verifier: + input_files: + - container.inputs.yml diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml new file mode 100644 index 0000000..ec27032 --- /dev/null +++ b/kitchen.ec2.yml @@ -0,0 +1,30 @@ +--- +driver: + name: ec2 + aws_ssh_key_id: <%= ENV['AWS_SSH_KEY_ID'] %> + user_data: ./user_data.sh + tags: + POC: <%= ENV['POC_TAG'] %> + security_group_ids: <%= ENV['SECURITY_GROUP_IDS'] %> + region: <%= ENV['AWS_REGION'] %> + subnet_id: <%= ENV['SUBNET_ID'] %> + instance_type: t2.large + associate_public_ip: true + +verifier: + input_files: + - ec2.inputs.yml + +pre_converge: + - remote: | + echo "NOTICE - Updating the ec2-user to keep sudo working" + sudo chage -d $(( $( date +%s ) / 86400 )) ec2-user + echo "NOTICE - updating ec2-user sudo config" + sudo chmod 600 /etc/sudoers && sudo sed -i'' "/ec2-user/d" /etc/sudoers && sudo chmod 400 /etc/sudoers + +transport: + name: ssh + username: <%= ENV['AWS_EC2_USER'] %> + ssh_key: <%= ENV['AWS_EC2_SSH_KEY'] %> + connection_timeout: 10 + connection_retries: 5 diff --git a/kitchen.vagrant.yml b/kitchen.vagrant.yml new file mode 100644 index 0000000..49a8e94 --- /dev/null +++ b/kitchen.vagrant.yml @@ -0,0 +1,17 @@ +--- +driver: + name: vagrant + +verifier: + input_files: + - vagrant.inputs.yml + +lifecycle: + pre_converge: + - remote: | + echo "NOTICE - Updating the vagrant user to keep sudo working" + sudo chage -d $(( $( date +%s ) / 86400 )) vagrant + echo "NOTICE - Updating root passwd" + echo 'password' | sudo passwd --stdin root + echo "NOTICE - updating vagrant sudo config" + sudo chmod 600 /etc/sudoers && sudo sed -i'' "/vagrant/d" /etc/sudoers && sudo chmod 400 /etc/sudoers diff --git a/kitchen.yml b/kitchen.yml index b7f9362..e8e8e6d 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -1,19 +1,21 @@ --- -driver: - name: vagrant - # driver_config: - # ssl_verify_mode: ":verify_none" - # customize: - # cpus: 4 - # memory: 8192 - # accelerate3d: "off" - # accelerate2dvideo: "off" - # audio: "none" - # usbcardreader: "off" - # vrde: "off" - # usb: "off" - # nictype1: "82540EM" - # clipboard: "disabled" +provisioner: + name: ansible_playbook + hosts: all + require_chef_for_busser: false + require_ruby_for_busser: false + require_pip3: true + ansible_binary_path: /usr/local/bin + ansible_verbose: true + roles_path: spec/ansible/roles/ + galaxy_ignore_certs: true + env_vars: + - ANSIBLE_LOCAL_TEMP=$HOME/.ansible/tmp + - ANSIBLE_REMOTE_TEMP=$HOME/.ansible/tmp + +transport: + name: ssh + max_ssh_sessions: 2 lifecycle: pre_converge: @@ -25,10 +27,6 @@ lifecycle: echo "NOTICE - updating vagrant sudo config" sudo chmod 600 /etc/sudoers && sudo sed -i'' "/vagrant/d" /etc/sudoers && sudo chmod 400 /etc/sudoers -transport: - name: ssh - max_ssh_sessions: 2 - verifier: name: inspec sudo: true @@ -40,24 +38,10 @@ verifier: path: . load_plugins: true -provisioner: - name: ansible_playbook - hosts: all - require_chef_for_busser: false - require_ruby_for_busser: false - require_pip3: true - ansible_binary_path: /usr/local/bin - ansible_verbose: true - roles_path: spec/ansible/roles/ - galaxy_ignore_certs: true - env_vars: - - ANSIBLE_LOCAL_TEMP=$HOME/.ansible/tmp - - ANSIBLE_REMOTE_TEMP=$HOME/.ansible/tmp - platforms: - name: ubuntu-20.04 -suites: +suites: - name: hardened provisioner: - playbook: spec/ansible/roles/hardening.yml \ No newline at end of file + playbook: spec/ansible/roles/hardening.yml diff --git a/vagrant.inputs.yaml b/vagrant.inputs.yaml new file mode 100644 index 0000000..e69de29 diff --git a/vanilla.threshold.yml b/vanilla.threshold.yml new file mode 100644 index 0000000..5996b0e --- /dev/null +++ b/vanilla.threshold.yml @@ -0,0 +1,3 @@ +--- +compliance.min: 5 +error.total.max: 0 From 8519a92839fbc7d41289d20102fb14b2bc5656c5 Mon Sep 17 00:00:00 2001 From: HackerShark Date: Mon, 5 Dec 2022 14:12:05 -0500 Subject: [PATCH 018/100] updating gitignore to not upload pem files. Created github workflow files Signed-off-by: HackerShark --- .github/workflows/verify-vagrant.yml | 53 ++++++++++++++++++++++++++++ .gitignore | 3 +- 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/verify-vagrant.yml diff --git a/.github/workflows/verify-vagrant.yml b/.github/workflows/verify-vagrant.yml new file mode 100644 index 0000000..66a5d30 --- /dev/null +++ b/.github/workflows/verify-vagrant.yml @@ -0,0 +1,53 @@ +name: Vagrant Testing Matrix + +on: + push: + branches: [ main ] + pull_request: + branches: [ main ] + +jobs: + my-job: + name: Validate my profile + # macos-latest no longer has Vagrant. Must use the specified version per documentation. + runs-on: macos-12 + env: + CHEF_LICENSE: accept-silent + KITCHEN_LOCAL_YAML: kitchen.vagrant.yml + strategy: + matrix: + suite: ['vanilla', 'hardened'] + fail-fast: false + steps: + - name: Add jq for output formatting + run: brew install jq + - name: Check out repository + uses: actions/checkout@v2 + - name: Setup Ruby + uses: ruby/setup-ruby@v1 + with: + ruby-version: '2.7' + - name: Disable ri and rdoc + run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc' + - name: ensure bundler up-to-date + run: gem install bundler + - run: bundle install + - name: Regenerate current `profile.json` + run: | + bundle exec inspec json . | jq . > profile.json + - name: Lint the Inspec profile + run: bundle exec inspec check . + - name: Run kitchen test + run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-2004 || true + - name: Display our ${{ matrix.suite }} results summary + uses: mitre/saf_action@v1 + with: + command_string: 'view summary -i spec/results/ubuntu-2004_${{ matrix.suite }}.json' + - name: Ensure the scan meets our ${{ matrix.suite }} results threshold + uses: mitre/saf_action@v1 + with: + command_string: 'validate threshold -i spec/results/ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' + - name: Save Test Result JSON + uses: actions/upload-artifact@v2 + with: + path: spec/results/ \ No newline at end of file diff --git a/.gitignore b/.gitignore index 38a7e7b..c3fb9c5 100644 --- a/.gitignore +++ b/.gitignore @@ -28,4 +28,5 @@ Puppet* *.csv _config* inputs.nolong* -profile.json \ No newline at end of file +profile.json +*.pem \ No newline at end of file From 3944bb11c7ea3b6b575045309e46980790a93c27 Mon Sep 17 00:00:00 2001 From: HackerShark Date: Mon, 5 Dec 2022 14:28:31 -0500 Subject: [PATCH 019/100] commenting out vanilla logic until vanilla playbook is created Signed-off-by: HackerShark --- .github/workflows/verify-vagrant.yml | 2 +- kitchen.yml | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/verify-vagrant.yml b/.github/workflows/verify-vagrant.yml index 66a5d30..2627a82 100644 --- a/.github/workflows/verify-vagrant.yml +++ b/.github/workflows/verify-vagrant.yml @@ -16,7 +16,7 @@ jobs: KITCHEN_LOCAL_YAML: kitchen.vagrant.yml strategy: matrix: - suite: ['vanilla', 'hardened'] + suite: ['hardened'] fail-fast: false steps: - name: Add jq for output formatting diff --git a/kitchen.yml b/kitchen.yml index e8e8e6d..609dce4 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -45,3 +45,6 @@ suites: - name: hardened provisioner: playbook: spec/ansible/roles/hardening.yml + # - name: vanilla + # provisioner: + # playbook: spec/ansible/roles/vanilla.yml From c03c60095d91fec074c72015c8d575a9db7257fd Mon Sep 17 00:00:00 2001 From: HackerShark Date: Mon, 5 Dec 2022 14:40:30 -0500 Subject: [PATCH 020/100] adding ec2 workflow Signed-off-by: HackerShark --- .github/workflows/verify-ec2.yml | 62 ++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 .github/workflows/verify-ec2.yml diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml new file mode 100644 index 0000000..c2cbf74 --- /dev/null +++ b/.github/workflows/verify-ec2.yml @@ -0,0 +1,62 @@ +name: EC2 Testing Matrix + +on: + push: + branches: [ main ] + pull_request: + branches: [ main ] + +jobs: + my-job: + name: Validate my profile + runs-on: ubuntu-latest + env: + CHEF_LICENSE: accept-silent + KITCHEN_LOCAL_YAML: kitchen.ec2.yml + LC_ALL: "en_US.UTF-8" + strategy: + matrix: + suite: ['vanilla', 'hardened'] + fail-fast: false + steps: + - name: add needed packages + run: sudo apt-get install -y jq + - name: Configure AWS credentials + env: + AWS_SG_ID: ${{ secrets.AWS_SG_ID }} + AWS_SUBNET_ID: ${{ secrets.AWS_SUBNET_ID }} + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: us-east-1 + - name: Check out repository + uses: actions/checkout@v2 + - name: Clone full repository so we can push + run: git fetch --prune --unshallow + - name: Setup Ruby + uses: ruby/setup-ruby@v1 + with: + ruby-version: '2.7' + - name: Disable ri and rdoc + run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc' + - run: bundle install + - name: Regenerate current `profile.json` + run: | + bundle exec inspec json . | jq . > profile.json + - name: Lint the Inspec profile + run: bundle exec inspec check . + - name: Run kitchen test + run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-2004 || true + - name: Display our ${{ matrix.suite }} results summary + uses: mitre/saf_action@v1 + with: + command_string: 'view summary -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json' + - name: Ensure the scan meets our ${{ matrix.suite }} results threshold + uses: mitre/saf_action@v1 + with: + command_string: 'validate threshold -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' + - name: Save Test Result JSON + uses: actions/upload-artifact@v2 + with: + path: spec/results/ \ No newline at end of file From 901ad8f0ce67a476c0aa8eded4221859fec7ebc3 Mon Sep 17 00:00:00 2001 From: HackerShark Date: Mon, 5 Dec 2022 14:43:45 -0500 Subject: [PATCH 021/100] updating yaml file extension to yml Signed-off-by: HackerShark --- vagrant.inputs.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 vagrant.inputs.yml diff --git a/vagrant.inputs.yml b/vagrant.inputs.yml new file mode 100644 index 0000000..e69de29 From dee8f30d50d2208e6e9d11445204901cd053fe0b Mon Sep 17 00:00:00 2001 From: HackerShark Date: Mon, 5 Dec 2022 14:47:13 -0500 Subject: [PATCH 022/100] deleting old yaml file Signed-off-by: HackerShark --- vagrant.inputs.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 vagrant.inputs.yaml diff --git a/vagrant.inputs.yaml b/vagrant.inputs.yaml deleted file mode 100644 index e69de29..0000000 From ef6a6b10df59f3f815a35fcbdbf1b80bcfda7bff Mon Sep 17 00:00:00 2001 From: HackerShark Date: Mon, 5 Dec 2022 15:00:10 -0500 Subject: [PATCH 023/100] removing vanilla until vanilla playbook is created Signed-off-by: HackerShark --- .github/workflows/verify-ec2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index c2cbf74..6525866 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -16,7 +16,7 @@ jobs: LC_ALL: "en_US.UTF-8" strategy: matrix: - suite: ['vanilla', 'hardened'] + suite: ['hardened'] fail-fast: false steps: - name: add needed packages From 11051a934a6de9d61e798cf36d4aa9f1da28fa88 Mon Sep 17 00:00:00 2001 From: HackerShark Date: Mon, 5 Dec 2022 15:07:08 -0500 Subject: [PATCH 024/100] fixing naming of json file Signed-off-by: HackerShark --- .github/workflows/update-profile-json.yml | 34 +++++++++++++++++++++++ .github/workflows/verify-ec2.yml | 6 ++-- .github/workflows/verify-vagrant.yml | 6 ++-- 3 files changed, 40 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/update-profile-json.yml diff --git a/.github/workflows/update-profile-json.yml b/.github/workflows/update-profile-json.yml new file mode 100644 index 0000000..84efa82 --- /dev/null +++ b/.github/workflows/update-profile-json.yml @@ -0,0 +1,34 @@ +name: Update the Profile JSON + +on: + pull_request: + branches: [ main ] + +jobs: + my-job: + name: Update profile.json in the repository + runs-on: ubuntu-latest + env: + CHEF_LICENSE: accept-silent + steps: + - name: add needed packages + run: sudo apt-get install -y jq + - name: Check out repository + uses: actions/checkout@v2 + with: + fetch-depth: 0 + ref: ${{ github.head_ref }} + - name: Setup Ruby + uses: ruby/setup-ruby@v1 + with: + ruby-version: '2.7' + - run: bundle install + - name: Regenerate current `profile.json` + run: | + bundle exec inspec json . | jq . > profile.json + - name: Update profile.json in the repository + uses: stefanzweifel/git-auto-commit-action@v4 + with: + commit_user_name: GitHub Actions + commit_user_email: my-github-actions-bot@example.org + commit_message: 'Updating profile.json in the repository' \ No newline at end of file diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index 6525866..f9c531f 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -47,15 +47,15 @@ jobs: - name: Lint the Inspec profile run: bundle exec inspec check . - name: Run kitchen test - run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-2004 || true + run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-20.04 || true - name: Display our ${{ matrix.suite }} results summary uses: mitre/saf_action@v1 with: - command_string: 'view summary -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json' + command_string: 'view summary -i spec/results/ec2_ubuntu-20.04_${{ matrix.suite }}.json' - name: Ensure the scan meets our ${{ matrix.suite }} results threshold uses: mitre/saf_action@v1 with: - command_string: 'validate threshold -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' + command_string: 'validate threshold -i spec/results/ec2_ubuntu-20.04_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' - name: Save Test Result JSON uses: actions/upload-artifact@v2 with: diff --git a/.github/workflows/verify-vagrant.yml b/.github/workflows/verify-vagrant.yml index 2627a82..aa490a3 100644 --- a/.github/workflows/verify-vagrant.yml +++ b/.github/workflows/verify-vagrant.yml @@ -38,15 +38,15 @@ jobs: - name: Lint the Inspec profile run: bundle exec inspec check . - name: Run kitchen test - run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-2004 || true + run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-20.04 || true - name: Display our ${{ matrix.suite }} results summary uses: mitre/saf_action@v1 with: - command_string: 'view summary -i spec/results/ubuntu-2004_${{ matrix.suite }}.json' + command_string: 'view summary -i spec/results/ubuntu-20.04_${{ matrix.suite }}.json' - name: Ensure the scan meets our ${{ matrix.suite }} results threshold uses: mitre/saf_action@v1 with: - command_string: 'validate threshold -i spec/results/ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' + command_string: 'validate threshold -i spec/results/ubuntu-20.04_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' - name: Save Test Result JSON uses: actions/upload-artifact@v2 with: From 1df7a74d7330607d515af7d04261868cdc67d77a Mon Sep 17 00:00:00 2001 From: HackerShark Date: Mon, 5 Dec 2022 15:24:26 -0500 Subject: [PATCH 025/100] fixing naming convention across the profile Signed-off-by: HackerShark --- .github/workflows/verify-ec2.yml | 6 +++--- .github/workflows/verify-vagrant.yml | 6 +++--- kitchen.yml | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index f9c531f..6525866 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -47,15 +47,15 @@ jobs: - name: Lint the Inspec profile run: bundle exec inspec check . - name: Run kitchen test - run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-20.04 || true + run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-2004 || true - name: Display our ${{ matrix.suite }} results summary uses: mitre/saf_action@v1 with: - command_string: 'view summary -i spec/results/ec2_ubuntu-20.04_${{ matrix.suite }}.json' + command_string: 'view summary -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json' - name: Ensure the scan meets our ${{ matrix.suite }} results threshold uses: mitre/saf_action@v1 with: - command_string: 'validate threshold -i spec/results/ec2_ubuntu-20.04_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' + command_string: 'validate threshold -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' - name: Save Test Result JSON uses: actions/upload-artifact@v2 with: diff --git a/.github/workflows/verify-vagrant.yml b/.github/workflows/verify-vagrant.yml index aa490a3..2627a82 100644 --- a/.github/workflows/verify-vagrant.yml +++ b/.github/workflows/verify-vagrant.yml @@ -38,15 +38,15 @@ jobs: - name: Lint the Inspec profile run: bundle exec inspec check . - name: Run kitchen test - run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-20.04 || true + run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-2004 || true - name: Display our ${{ matrix.suite }} results summary uses: mitre/saf_action@v1 with: - command_string: 'view summary -i spec/results/ubuntu-20.04_${{ matrix.suite }}.json' + command_string: 'view summary -i spec/results/ubuntu-2004_${{ matrix.suite }}.json' - name: Ensure the scan meets our ${{ matrix.suite }} results threshold uses: mitre/saf_action@v1 with: - command_string: 'validate threshold -i spec/results/ubuntu-20.04_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' + command_string: 'validate threshold -i spec/results/ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' - name: Save Test Result JSON uses: actions/upload-artifact@v2 with: diff --git a/kitchen.yml b/kitchen.yml index 609dce4..1b703e8 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -39,7 +39,7 @@ verifier: load_plugins: true platforms: - - name: ubuntu-20.04 + - name: ubuntu-2004 suites: - name: hardened From 758fc8068ef54595ca52b641f0eb0c5dc3235b5b Mon Sep 17 00:00:00 2001 From: HackerShark Date: Mon, 5 Dec 2022 15:31:59 -0500 Subject: [PATCH 026/100] fixing naming of json file Signed-off-by: HackerShark --- .github/workflows/verify-ec2.yml | 6 +++--- .github/workflows/verify-vagrant.yml | 6 +++--- kitchen.yml | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index 6525866..f9c531f 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -47,15 +47,15 @@ jobs: - name: Lint the Inspec profile run: bundle exec inspec check . - name: Run kitchen test - run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-2004 || true + run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-20.04 || true - name: Display our ${{ matrix.suite }} results summary uses: mitre/saf_action@v1 with: - command_string: 'view summary -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json' + command_string: 'view summary -i spec/results/ec2_ubuntu-20.04_${{ matrix.suite }}.json' - name: Ensure the scan meets our ${{ matrix.suite }} results threshold uses: mitre/saf_action@v1 with: - command_string: 'validate threshold -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' + command_string: 'validate threshold -i spec/results/ec2_ubuntu-20.04_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' - name: Save Test Result JSON uses: actions/upload-artifact@v2 with: diff --git a/.github/workflows/verify-vagrant.yml b/.github/workflows/verify-vagrant.yml index 2627a82..aa490a3 100644 --- a/.github/workflows/verify-vagrant.yml +++ b/.github/workflows/verify-vagrant.yml @@ -38,15 +38,15 @@ jobs: - name: Lint the Inspec profile run: bundle exec inspec check . - name: Run kitchen test - run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-2004 || true + run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-20.04 || true - name: Display our ${{ matrix.suite }} results summary uses: mitre/saf_action@v1 with: - command_string: 'view summary -i spec/results/ubuntu-2004_${{ matrix.suite }}.json' + command_string: 'view summary -i spec/results/ubuntu-20.04_${{ matrix.suite }}.json' - name: Ensure the scan meets our ${{ matrix.suite }} results threshold uses: mitre/saf_action@v1 with: - command_string: 'validate threshold -i spec/results/ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' + command_string: 'validate threshold -i spec/results/ubuntu-20.04_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' - name: Save Test Result JSON uses: actions/upload-artifact@v2 with: diff --git a/kitchen.yml b/kitchen.yml index 1b703e8..609dce4 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -39,7 +39,7 @@ verifier: load_plugins: true platforms: - - name: ubuntu-2004 + - name: ubuntu-20.04 suites: - name: hardened From 420153739607a56393c25361dd5cc31a6ac9f3b3 Mon Sep 17 00:00:00 2001 From: HackerShark Date: Mon, 5 Dec 2022 15:45:30 -0500 Subject: [PATCH 027/100] fixing keys in ec2 Signed-off-by: HackerShark --- kitchen.ec2.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index ec27032..ff301a8 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -1,13 +1,13 @@ --- driver: name: ec2 - aws_ssh_key_id: <%= ENV['AWS_SSH_KEY_ID'] %> + aws_ssh_key_id: <%= ENV['SAF_AWS_SSH_KEY_ID'] %> user_data: ./user_data.sh tags: POC: <%= ENV['POC_TAG'] %> - security_group_ids: <%= ENV['SECURITY_GROUP_IDS'] %> - region: <%= ENV['AWS_REGION'] %> - subnet_id: <%= ENV['SUBNET_ID'] %> + security_group_ids: <%= ENV['SAF_AWS_SG_ID'] %> + region: <%= ENV['SAF_AWS_REGION'] %> + subnet_id: <%= ENV['SAF_AWS_SUBNET_ID'] %> instance_type: t2.large associate_public_ip: true From 9bded4ddf0ae5d9278368431f173c03550c9b387 Mon Sep 17 00:00:00 2001 From: HackerShark Date: Mon, 5 Dec 2022 16:05:19 -0500 Subject: [PATCH 028/100] fixing ec2 connection issues Signed-off-by: HackerShark --- .github/workflows/verify-ec2.yml | 8 ++++---- kitchen.ec2.yml | 8 ++++---- kitchen.yml | 10 ---------- 3 files changed, 8 insertions(+), 18 deletions(-) diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index f9c531f..5bb3a50 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -23,12 +23,12 @@ jobs: run: sudo apt-get install -y jq - name: Configure AWS credentials env: - AWS_SG_ID: ${{ secrets.AWS_SG_ID }} - AWS_SUBNET_ID: ${{ secrets.AWS_SUBNET_ID }} + AWS_SG_ID: ${{ secrets.SAF_AWS_SG_ID }} + AWS_SUBNET_ID: ${{ secrets.SAF_AWS_SUBNET_ID }} uses: aws-actions/configure-aws-credentials@v1 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY }} aws-region: us-east-1 - name: Check out repository uses: actions/checkout@v2 diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index ff301a8..610eded 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -2,9 +2,9 @@ driver: name: ec2 aws_ssh_key_id: <%= ENV['SAF_AWS_SSH_KEY_ID'] %> - user_data: ./user_data.sh + # user_data: ./user_data.sh tags: - POC: <%= ENV['POC_TAG'] %> + POC: 'SAF Github Actions' security_group_ids: <%= ENV['SAF_AWS_SG_ID'] %> region: <%= ENV['SAF_AWS_REGION'] %> subnet_id: <%= ENV['SAF_AWS_SUBNET_ID'] %> @@ -24,7 +24,7 @@ pre_converge: transport: name: ssh - username: <%= ENV['AWS_EC2_USER'] %> - ssh_key: <%= ENV['AWS_EC2_SSH_KEY'] %> + username: <%= ENV['SAF_AWS_EC2_USER'] %> + ssh_key: <%= ENV['SAF_AWS_EC2_SSH_KEY'] %> connection_timeout: 10 connection_retries: 5 diff --git a/kitchen.yml b/kitchen.yml index 609dce4..b01ee60 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -17,16 +17,6 @@ transport: name: ssh max_ssh_sessions: 2 -lifecycle: - pre_converge: - - remote: | - echo "NOTICE - Updating the vagrant user to keep sudo working" - sudo chage -d $(( $( date +%s ) / 86400 )) vagrant - echo "NOTICE - Updating root passwd" - echo 'password' | sudo passwd --stdin root - echo "NOTICE - updating vagrant sudo config" - sudo chmod 600 /etc/sudoers && sudo sed -i'' "/vagrant/d" /etc/sudoers && sudo chmod 400 /etc/sudoers - verifier: name: inspec sudo: true From 2263dac5b152f98fe296f76b9111a4d8ff4b1c76 Mon Sep 17 00:00:00 2001 From: HackerShark Date: Mon, 5 Dec 2022 16:12:40 -0500 Subject: [PATCH 029/100] fixing kitchen issues Signed-off-by: HackerShark --- .github/workflows/verify-ec2.yml | 6 +++--- .github/workflows/verify-vagrant.yml | 6 +++--- kitchen.yml | 3 ++- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index 5bb3a50..5f3c7ca 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -47,15 +47,15 @@ jobs: - name: Lint the Inspec profile run: bundle exec inspec check . - name: Run kitchen test - run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-20.04 || true + run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-2004 || true - name: Display our ${{ matrix.suite }} results summary uses: mitre/saf_action@v1 with: - command_string: 'view summary -i spec/results/ec2_ubuntu-20.04_${{ matrix.suite }}.json' + command_string: 'view summary -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json' - name: Ensure the scan meets our ${{ matrix.suite }} results threshold uses: mitre/saf_action@v1 with: - command_string: 'validate threshold -i spec/results/ec2_ubuntu-20.04_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' + command_string: 'validate threshold -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' - name: Save Test Result JSON uses: actions/upload-artifact@v2 with: diff --git a/.github/workflows/verify-vagrant.yml b/.github/workflows/verify-vagrant.yml index aa490a3..2627a82 100644 --- a/.github/workflows/verify-vagrant.yml +++ b/.github/workflows/verify-vagrant.yml @@ -38,15 +38,15 @@ jobs: - name: Lint the Inspec profile run: bundle exec inspec check . - name: Run kitchen test - run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-20.04 || true + run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-2004 || true - name: Display our ${{ matrix.suite }} results summary uses: mitre/saf_action@v1 with: - command_string: 'view summary -i spec/results/ubuntu-20.04_${{ matrix.suite }}.json' + command_string: 'view summary -i spec/results/ubuntu-2004_${{ matrix.suite }}.json' - name: Ensure the scan meets our ${{ matrix.suite }} results threshold uses: mitre/saf_action@v1 with: - command_string: 'validate threshold -i spec/results/ubuntu-20.04_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' + command_string: 'validate threshold -i spec/results/ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' - name: Save Test Result JSON uses: actions/upload-artifact@v2 with: diff --git a/kitchen.yml b/kitchen.yml index b01ee60..ba6f4d3 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -29,7 +29,8 @@ verifier: load_plugins: true platforms: - - name: ubuntu-20.04 + - name: ubuntu-2004 + platform: ubuntu-20.04 suites: - name: hardened From b20c5c0850fcc2887ceb05fe84810cb131296d8b Mon Sep 17 00:00:00 2001 From: HackerShark Date: Mon, 5 Dec 2022 16:19:09 -0500 Subject: [PATCH 030/100] updating region to the secret Signed-off-by: HackerShark --- .github/workflows/verify-ec2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index 5f3c7ca..5bf072e 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -29,7 +29,7 @@ jobs: with: aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY }} - aws-region: us-east-1 + aws-region: ${{ secrets.SAF_AWS_REGION }} - name: Check out repository uses: actions/checkout@v2 - name: Clone full repository so we can push From 0b40918f5ff225cf7787dd3cf7a50546423bfac3 Mon Sep 17 00:00:00 2001 From: HackerShark Date: Mon, 5 Dec 2022 16:28:32 -0500 Subject: [PATCH 031/100] updating reporter for ec2 Signed-off-by: HackerShark --- kitchen.ec2.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index 610eded..3099d77 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -14,6 +14,8 @@ driver: verifier: input_files: - ec2.inputs.yml + reporter: + - json:spec/results/ec2_%{platform}_%{suite}.json pre_converge: - remote: | From e321f5528437091de5f75cc3716cc37ded8b1f80 Mon Sep 17 00:00:00 2001 From: HackerShark Date: Mon, 5 Dec 2022 16:30:17 -0500 Subject: [PATCH 032/100] adding environment variable for region Signed-off-by: HackerShark --- .github/workflows/verify-ec2.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index 5bf072e..28cadbc 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -14,6 +14,7 @@ jobs: CHEF_LICENSE: accept-silent KITCHEN_LOCAL_YAML: kitchen.ec2.yml LC_ALL: "en_US.UTF-8" + AWS_REGION: 'us-east-1' strategy: matrix: suite: ['hardened'] From 9105ff9314cfef36a8440ccc83a3eae146d5ab6a Mon Sep 17 00:00:00 2001 From: Will Dower Date: Mon, 5 Dec 2022 17:30:16 -0500 Subject: [PATCH 033/100] commenting out unneeded AWS vars; specifying the platform correctly Signed-off-by: Will Dower --- kitchen.ec2.yml | 10 +++++----- kitchen.yml | 3 +-- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index 3099d77..9cf969e 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -1,13 +1,13 @@ --- driver: name: ec2 - aws_ssh_key_id: <%= ENV['SAF_AWS_SSH_KEY_ID'] %> + # aws_ssh_key_id: <%= ENV['SAF_AWS_SSH_KEY_ID'] %> # user_data: ./user_data.sh tags: POC: 'SAF Github Actions' - security_group_ids: <%= ENV['SAF_AWS_SG_ID'] %> + # security_group_ids: <%= ENV['SAF_AWS_SG_ID'] %> region: <%= ENV['SAF_AWS_REGION'] %> - subnet_id: <%= ENV['SAF_AWS_SUBNET_ID'] %> + # subnet_id: <%= ENV['SAF_AWS_SUBNET_ID'] %> instance_type: t2.large associate_public_ip: true @@ -26,7 +26,7 @@ pre_converge: transport: name: ssh - username: <%= ENV['SAF_AWS_EC2_USER'] %> - ssh_key: <%= ENV['SAF_AWS_EC2_SSH_KEY'] %> + # username: <%= ENV['SAF_AWS_EC2_USER'] %> + # ssh_key: <%= ENV['SAF_AWS_EC2_SSH_KEY'] %> connection_timeout: 10 connection_retries: 5 diff --git a/kitchen.yml b/kitchen.yml index ba6f4d3..b01ee60 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -29,8 +29,7 @@ verifier: load_plugins: true platforms: - - name: ubuntu-2004 - platform: ubuntu-20.04 + - name: ubuntu-20.04 suites: - name: hardened From 7716645982279da8d1c7834f14977199331f1987 Mon Sep 17 00:00:00 2001 From: wdower <57142072+wdower@users.noreply.github.com> Date: Mon, 5 Dec 2022 17:48:53 -0500 Subject: [PATCH 034/100] Update verify-ec2.yml adding AWS_REGION var --- .github/workflows/verify-ec2.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index 28cadbc..adc3dd5 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -26,6 +26,7 @@ jobs: env: AWS_SG_ID: ${{ secrets.SAF_AWS_SG_ID }} AWS_SUBNET_ID: ${{ secrets.SAF_AWS_SUBNET_ID }} + AWS_REGION: ${{ secrets.SAF_AWS_REGION }} uses: aws-actions/configure-aws-credentials@v1 with: aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID }} @@ -60,4 +61,4 @@ jobs: - name: Save Test Result JSON uses: actions/upload-artifact@v2 with: - path: spec/results/ \ No newline at end of file + path: spec/results/ From ab3a706f5a6ba70e596053d2c81986d4b7344a95 Mon Sep 17 00:00:00 2001 From: Will Dower Date: Mon, 5 Dec 2022 17:55:24 -0500 Subject: [PATCH 035/100] removed all reference to AWS_REGION to try and force kitchen to use the default Signed-off-by: Will Dower --- .github/workflows/verify-ec2.yml | 6 +++--- kitchen.ec2.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index adc3dd5..e54996c 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -14,7 +14,7 @@ jobs: CHEF_LICENSE: accept-silent KITCHEN_LOCAL_YAML: kitchen.ec2.yml LC_ALL: "en_US.UTF-8" - AWS_REGION: 'us-east-1' + #AWS_REGION: 'us-east-1' strategy: matrix: suite: ['hardened'] @@ -26,12 +26,12 @@ jobs: env: AWS_SG_ID: ${{ secrets.SAF_AWS_SG_ID }} AWS_SUBNET_ID: ${{ secrets.SAF_AWS_SUBNET_ID }} - AWS_REGION: ${{ secrets.SAF_AWS_REGION }} + #AWS_REGION: ${{ secrets.SAF_AWS_REGION }} uses: aws-actions/configure-aws-credentials@v1 with: aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.SAF_AWS_REGION }} + #aws-region: ${{ secrets.SAF_AWS_REGION }} - name: Check out repository uses: actions/checkout@v2 - name: Clone full repository so we can push diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index 9cf969e..5437fec 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -6,7 +6,7 @@ driver: tags: POC: 'SAF Github Actions' # security_group_ids: <%= ENV['SAF_AWS_SG_ID'] %> - region: <%= ENV['SAF_AWS_REGION'] %> + #region: <%= ENV['SAF_AWS_REGION'] %> # subnet_id: <%= ENV['SAF_AWS_SUBNET_ID'] %> instance_type: t2.large associate_public_ip: true From 919807a2707ff628be36d6c01db72a81c5436314 Mon Sep 17 00:00:00 2001 From: Will Dower Date: Mon, 5 Dec 2022 17:56:56 -0500 Subject: [PATCH 036/100] adding in a reference to aws-region for the action to work Signed-off-by: Will Dower --- .github/workflows/verify-ec2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index e54996c..79d2c3f 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -31,7 +31,7 @@ jobs: with: aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY }} - #aws-region: ${{ secrets.SAF_AWS_REGION }} + aws-region: ${{ secrets.SAF_AWS_REGION }} - name: Check out repository uses: actions/checkout@v2 - name: Clone full repository so we can push From d53cc57016c4a86a573abd3665e40d4b19ee109f Mon Sep 17 00:00:00 2001 From: HackerShark Date: Tue, 6 Dec 2022 10:47:23 -0500 Subject: [PATCH 037/100] testing vagrant image fix Signed-off-by: HackerShark --- kitchen.vagrant.yml | 3 +++ kitchen.yml | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/kitchen.vagrant.yml b/kitchen.vagrant.yml index 49a8e94..3764efb 100644 --- a/kitchen.vagrant.yml +++ b/kitchen.vagrant.yml @@ -6,6 +6,9 @@ verifier: input_files: - vagrant.inputs.yml +platforms: + image: bento/ubuntu-20.04 + lifecycle: pre_converge: - remote: | diff --git a/kitchen.yml b/kitchen.yml index b01ee60..412c06e 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -29,7 +29,7 @@ verifier: load_plugins: true platforms: - - name: ubuntu-20.04 + - name: ubuntu-2004 suites: - name: hardened From 1963511fc3051db5cc3522fed9df4c56d7b58510 Mon Sep 17 00:00:00 2001 From: HackerShark Date: Tue, 6 Dec 2022 10:54:44 -0500 Subject: [PATCH 038/100] fixing kitchen files Signed-off-by: HackerShark --- ec2.inputs.yml | 1 + kitchen.ec2.yml | 2 +- kitchen.vagrant.yml | 3 --- kitchen.yml | 4 ++-- 4 files changed, 4 insertions(+), 6 deletions(-) diff --git a/ec2.inputs.yml b/ec2.inputs.yml index e69de29..bc7a16b 100644 --- a/ec2.inputs.yml +++ b/ec2.inputs.yml @@ -0,0 +1 @@ +is_system_networked: true \ No newline at end of file diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index 5437fec..f3455a0 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -15,7 +15,7 @@ verifier: input_files: - ec2.inputs.yml reporter: - - json:spec/results/ec2_%{platform}_%{suite}.json + - json:spec/results/ec2_ubuntu-2004_%{suite}.json pre_converge: - remote: | diff --git a/kitchen.vagrant.yml b/kitchen.vagrant.yml index 3764efb..49a8e94 100644 --- a/kitchen.vagrant.yml +++ b/kitchen.vagrant.yml @@ -6,9 +6,6 @@ verifier: input_files: - vagrant.inputs.yml -platforms: - image: bento/ubuntu-20.04 - lifecycle: pre_converge: - remote: | diff --git a/kitchen.yml b/kitchen.yml index 412c06e..b3e35a1 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -22,14 +22,14 @@ verifier: sudo: true reporter: - cli - - json:spec/results/%{platform}_%{suite}.json + - json:spec/results/ubuntu-2004_%{suite}.json inspec_tests: - name: Ubuntu 20.04 LTS STIG V1R5 path: . load_plugins: true platforms: - - name: ubuntu-2004 + - name: ubuntu-20.04 suites: - name: hardened From 0c62662c7d1e99eb209bbfbb1a14ab88aedb86df Mon Sep 17 00:00:00 2001 From: Will Dower Date: Tue, 6 Dec 2022 11:31:26 -0500 Subject: [PATCH 039/100] updated preconverge in kitchen.ec2.yaml to install pip3 Signed-off-by: Will Dower --- kitchen.ec2.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index f3455a0..a2bc8a1 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -17,13 +17,14 @@ verifier: reporter: - json:spec/results/ec2_ubuntu-2004_%{suite}.json -pre_converge: - - remote: | - echo "NOTICE - Updating the ec2-user to keep sudo working" - sudo chage -d $(( $( date +%s ) / 86400 )) ec2-user - echo "NOTICE - updating ec2-user sudo config" - sudo chmod 600 /etc/sudoers && sudo sed -i'' "/ec2-user/d" /etc/sudoers && sudo chmod 400 /etc/sudoers - +lifecycle: + pre_converge: + - remote: | + whoami + echo "running apt update" + sudo apt update + echo "installing pip3" + sudo apt install python3-pip -y transport: name: ssh # username: <%= ENV['SAF_AWS_EC2_USER'] %> From 6340d55751e2bab0f4053bc7650a5587e80c630a Mon Sep 17 00:00:00 2001 From: Will Dower Date: Tue, 6 Dec 2022 11:37:23 -0500 Subject: [PATCH 040/100] stripping whoami and adding more apt prep commands Signed-off-by: Will Dower --- kitchen.ec2.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index a2bc8a1..5fa408c 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -20,9 +20,10 @@ verifier: lifecycle: pre_converge: - remote: | - whoami - echo "running apt update" + echo "prepping apt" + sudo apt -f install sudo apt update + sudo apt dist-upgrade echo "installing pip3" sudo apt install python3-pip -y transport: From d03fc19b9df58edfd127868acd77ccffb945c10c Mon Sep 17 00:00:00 2001 From: Will Dower Date: Tue, 6 Dec 2022 11:49:24 -0500 Subject: [PATCH 041/100] adding flags to apt prep commands so they won't hang in the pipeline waiting for user input Signed-off-by: Will Dower --- kitchen.ec2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index 5fa408c..79e1646 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -22,8 +22,8 @@ lifecycle: - remote: | echo "prepping apt" sudo apt -f install - sudo apt update - sudo apt dist-upgrade + sudo apt update -y + sudo apt dist-upgrade -y echo "installing pip3" sudo apt install python3-pip -y transport: From 9fb116ce0fbb5b84dc23a22d22461858557bcb21 Mon Sep 17 00:00:00 2001 From: Will Dower Date: Tue, 6 Dec 2022 12:52:30 -0500 Subject: [PATCH 042/100] adding in skeleton for dokken testing Signed-off-by: Will Dower --- container.inputs.yml | 1 + kitchen.container.yml | 15 ++++++++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 container.inputs.yml diff --git a/container.inputs.yml b/container.inputs.yml new file mode 100644 index 0000000..bc7a16b --- /dev/null +++ b/container.inputs.yml @@ -0,0 +1 @@ +is_system_networked: true \ No newline at end of file diff --git a/kitchen.container.yml b/kitchen.container.yml index 3e7bb30..7d90aad 100644 --- a/kitchen.container.yml +++ b/kitchen.container.yml @@ -1,5 +1,18 @@ driver: - name: dummy + name: dokken + +provisioner: + name: dokken + +transport: + name: dokken + +platforms: +- name: ubuntu-20.04 + driver: + image: dokken/ubuntu-20.04 + intermediate_instructions: + - RUN /usr/bin/apt-get update verifier: input_files: From f13710240459044ae1b3940cf97b47467468da29 Mon Sep 17 00:00:00 2001 From: Will Dower Date: Tue, 6 Dec 2022 12:53:58 -0500 Subject: [PATCH 043/100] fixing typo -- adding a file extension to the .github workflow file for dokken Signed-off-by: Will Dower --- .github/workflows/verify-container.yml | 53 ++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 .github/workflows/verify-container.yml diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml new file mode 100644 index 0000000..d2ba2d9 --- /dev/null +++ b/.github/workflows/verify-container.yml @@ -0,0 +1,53 @@ +name: Container Testing Matrix + +on: + push: + branches: [ main ] + pull_request: + branches: [ main ] + +jobs: + validate: + name: Validate my profile + runs-on: ubuntu-latest + env: + CHEF_LICENSE: accept-silent + KITCHEN_LOCAL_YAML: kitchen.container.yml + LC_ALL: "en_US.UTF-8" + strategy: + matrix: + suite: ['hardened'] + fail-fast: false + steps: + - name: add needed packages + run: sudo apt-get install -y jq + - name: Check out repository + uses: actions/checkout@v2 + - name: Clone full repository so we can push + run: git fetch --prune --unshallow + - name: Setup Ruby + uses: ruby/setup-ruby@v1 + with: + ruby-version: '2.7' + - name: Disable ri and rdoc + run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc' + - run: bundle install + - name: Regenerate current `profile.json` + run: | + bundle exec inspec json . | jq . > profile.json + - name: Lint the Inspec profile + run: bundle exec inspec check . + - name: Run kitchen test + run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-2004 || true + - name: Display our ${{ matrix.suite }} results summary + uses: mitre/saf_action@v1 + with: + command_string: 'view summary -i spec/results/container_ubuntu-2004_${{ matrix.suite }}.json' + - name: Ensure the scan meets our ${{ matrix.suite }} results threshold + uses: mitre/saf_action@v1 + with: + command_string: 'validate threshold -i spec/results/container_ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' + - name: Save Test Result JSON + uses: actions/upload-artifact@v2 + with: + path: spec/results/ From c9142b162bc5133f3e96c291f3c30f0cbe19a384 Mon Sep 17 00:00:00 2001 From: Will Dower Date: Tue, 6 Dec 2022 12:56:29 -0500 Subject: [PATCH 044/100] kitchen-docker ==> kitchen-dokken in Gemfile Signed-off-by: Will Dower --- Gemfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile b/Gemfile index ced8889..2bc752c 100644 --- a/Gemfile +++ b/Gemfile @@ -9,6 +9,6 @@ gem 'kitchen-inspec' gem 'kitchen-ansible' gem 'kitchen-sync' gem 'kitchen-vagrant' -gem 'kitchen-docker' +gem 'kitchen-dokken' gem 'rake' gem 'rubocop' From 236a12d6635f9dd8103785f8c4474577328c4c4d Mon Sep 17 00:00:00 2001 From: Will Dower Date: Tue, 6 Dec 2022 13:00:26 -0500 Subject: [PATCH 045/100] adding custom reporter for the container tests Signed-off-by: Will Dower --- kitchen.container.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kitchen.container.yml b/kitchen.container.yml index 7d90aad..29bbfa1 100644 --- a/kitchen.container.yml +++ b/kitchen.container.yml @@ -17,3 +17,5 @@ platforms: verifier: input_files: - container.inputs.yml + reporter: + - json:spec/results/container_ubuntu-2004_%{suite}.json From d2aa8165a8a18ff02c30ac4c0cb4e8228c0a54fa Mon Sep 17 00:00:00 2001 From: Will Dower Date: Tue, 6 Dec 2022 15:28:04 -0500 Subject: [PATCH 046/100] refactoring container test workflow to locally build the hardened image from a remote repo dockerfile (since the image itself isn't currently published anywhere), adding vanilla suite for container using the base image that the hardened version was built from Signed-off-by: Will Dower --- .github/workflows/verify-container.yml | 4 +-- Gemfile | 2 +- kitchen.container.yml | 42 ++++++++++++++++++++------ 3 files changed, 35 insertions(+), 13 deletions(-) diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index d2ba2d9..a314344 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -16,12 +16,12 @@ jobs: LC_ALL: "en_US.UTF-8" strategy: matrix: - suite: ['hardened'] + suite: ['vanilla','hardened'] fail-fast: false steps: - name: add needed packages run: sudo apt-get install -y jq - - name: Check out repository + - name: Checkout InSpec profile repository uses: actions/checkout@v2 - name: Clone full repository so we can push run: git fetch --prune --unshallow diff --git a/Gemfile b/Gemfile index 2bc752c..ced8889 100644 --- a/Gemfile +++ b/Gemfile @@ -9,6 +9,6 @@ gem 'kitchen-inspec' gem 'kitchen-ansible' gem 'kitchen-sync' gem 'kitchen-vagrant' -gem 'kitchen-dokken' +gem 'kitchen-docker' gem 'rake' gem 'rubocop' diff --git a/kitchen.container.yml b/kitchen.container.yml index 29bbfa1..6898beb 100644 --- a/kitchen.container.yml +++ b/kitchen.container.yml @@ -1,21 +1,43 @@ driver: - name: dokken + name: docker + +transport: + name: docker provisioner: - name: dokken + name: dummy -transport: - name: dokken -platforms: -- name: ubuntu-20.04 - driver: - image: dokken/ubuntu-20.04 - intermediate_instructions: - - RUN /usr/bin/apt-get update +# platforms: +# - name: ubuntu-20.04 +# driver_config: +# image: canonical/ubuntu-pro-stig-20.04 +# platform: ubuntu +lifecycle: + pre_create: | + docker build https://repo1.dso.mil/dsop/canonical/ubuntu/ubuntu-pro-cis-stig-20.04.git\#development --tag canonical/ubuntu-pro-stig-20.04:latest + # cd ./spec + # git clone https://repo1.dso.mil/dsop/canonical/ubuntu/ubuntu-pro-cis-stig-20.04.git ubuntu-pro-cis-stig-20.04 || true + # cd ./ubuntu-pro-cis-stig-20.04 + verifier: input_files: - container.inputs.yml reporter: - json:spec/results/container_ubuntu-2004_%{suite}.json + +suites: + - name: vanilla + platforms: + - name: ubuntu-20.04 + driver_config: + image: public.ecr.aws/lts/ubuntu:focal + platform: ubuntu + + - name: hardened + platforms: + - name: ubuntu-20.04 + driver_config: + image: canonical/ubuntu-pro-stig-20.04 + platform: ubuntu \ No newline at end of file From 898474c7f0e61fea177660366f0147ef155bb254 Mon Sep 17 00:00:00 2001 From: Will Dower Date: Tue, 6 Dec 2022 15:34:15 -0500 Subject: [PATCH 047/100] adding cli output for containers and ec2 inspec runs Signed-off-by: Will Dower --- kitchen.container.yml | 1 + kitchen.ec2.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/kitchen.container.yml b/kitchen.container.yml index 6898beb..11cc5c7 100644 --- a/kitchen.container.yml +++ b/kitchen.container.yml @@ -25,6 +25,7 @@ verifier: input_files: - container.inputs.yml reporter: + - cli - json:spec/results/container_ubuntu-2004_%{suite}.json suites: diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index 79e1646..6c92320 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -15,6 +15,7 @@ verifier: input_files: - ec2.inputs.yml reporter: + - cli - json:spec/results/ec2_ubuntu-2004_%{suite}.json lifecycle: From 2e03ce17e6ea21bb7ffb6248cb753f997da0a86a Mon Sep 17 00:00:00 2001 From: Will Dower Date: Tue, 6 Dec 2022 15:39:54 -0500 Subject: [PATCH 048/100] cleanup; moving the lifecycle step for docker build to inside the hardened suite to make sure we only bother building the container when it is actually needed Signed-off-by: Will Dower --- kitchen.container.yml | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/kitchen.container.yml b/kitchen.container.yml index 11cc5c7..ae67e09 100644 --- a/kitchen.container.yml +++ b/kitchen.container.yml @@ -7,20 +7,6 @@ transport: provisioner: name: dummy - -# platforms: -# - name: ubuntu-20.04 -# driver_config: -# image: canonical/ubuntu-pro-stig-20.04 -# platform: ubuntu - -lifecycle: - pre_create: | - docker build https://repo1.dso.mil/dsop/canonical/ubuntu/ubuntu-pro-cis-stig-20.04.git\#development --tag canonical/ubuntu-pro-stig-20.04:latest - # cd ./spec - # git clone https://repo1.dso.mil/dsop/canonical/ubuntu/ubuntu-pro-cis-stig-20.04.git ubuntu-pro-cis-stig-20.04 || true - # cd ./ubuntu-pro-cis-stig-20.04 - verifier: input_files: - container.inputs.yml @@ -41,4 +27,8 @@ suites: - name: ubuntu-20.04 driver_config: image: canonical/ubuntu-pro-stig-20.04 - platform: ubuntu \ No newline at end of file + platform: ubuntu + lifecycle: + pre_create: | + docker build https://repo1.dso.mil/dsop/canonical/ubuntu/ubuntu-pro-cis-stig-20.04.git\#development --tag canonical/ubuntu-pro-stig-20.04:latest + \ No newline at end of file From e585259a3486f8ff0ca04000b1789bdf25033bf6 Mon Sep 17 00:00:00 2001 From: Will Dower Date: Tue, 6 Dec 2022 15:51:32 -0500 Subject: [PATCH 049/100] putting the artifact upload step into its own job to ensure it runs even if the pipeline inspec test doesn't pass the threshold Signed-off-by: Will Dower --- .github/workflows/verify-container.yml | 12 ++++++++---- .github/workflows/verify-ec2.yml | 12 ++++++++---- .github/workflows/verify-vagrant.yml | 12 ++++++++---- 3 files changed, 24 insertions(+), 12 deletions(-) diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index a314344..9d266b1 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -47,7 +47,11 @@ jobs: uses: mitre/saf_action@v1 with: command_string: 'validate threshold -i spec/results/container_ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' - - name: Save Test Result JSON - uses: actions/upload-artifact@v2 - with: - path: spec/results/ + artifact-upload: + name: Upload artifacts + runs-on: macos-12 + steps: + - name: Save Test Result JSONs + uses: actions/upload-artifact@v2 + with: + path: spec/results/ diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index 79d2c3f..d87de29 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -58,7 +58,11 @@ jobs: uses: mitre/saf_action@v1 with: command_string: 'validate threshold -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' - - name: Save Test Result JSON - uses: actions/upload-artifact@v2 - with: - path: spec/results/ + artifact-upload: + name: Upload artifacts + runs-on: macos-12 + steps: + - name: Save Test Result JSONs + uses: actions/upload-artifact@v2 + with: + path: spec/results/ \ No newline at end of file diff --git a/.github/workflows/verify-vagrant.yml b/.github/workflows/verify-vagrant.yml index 2627a82..860aaf0 100644 --- a/.github/workflows/verify-vagrant.yml +++ b/.github/workflows/verify-vagrant.yml @@ -47,7 +47,11 @@ jobs: uses: mitre/saf_action@v1 with: command_string: 'validate threshold -i spec/results/ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' - - name: Save Test Result JSON - uses: actions/upload-artifact@v2 - with: - path: spec/results/ \ No newline at end of file + artifact-upload: + name: Upload artifacts + runs-on: macos-12 + steps: + - name: Save Test Result JSONs + uses: actions/upload-artifact@v2 + with: + path: spec/results/ \ No newline at end of file From 9ec783c6ad38324901ec40bc31c05cf968ea2ce1 Mon Sep 17 00:00:00 2001 From: Will Dower Date: Tue, 6 Dec 2022 15:56:01 -0500 Subject: [PATCH 050/100] removed unnecessary lines from .gitignore, fixed spacing mistakes in the github action workflows Signed-off-by: Will Dower --- .github/workflows/verify-container.yml | 16 +- .github/workflows/verify-ec2.yml | 18 +- .github/workflows/verify-vagrant.yml | 18 +- .gitignore | 14 +- Gemfile.lock | 683 +++++++++++++++++++++++++ 5 files changed, 710 insertions(+), 39 deletions(-) create mode 100644 Gemfile.lock diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index 9d266b1..0d60373 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -47,11 +47,11 @@ jobs: uses: mitre/saf_action@v1 with: command_string: 'validate threshold -i spec/results/container_ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' - artifact-upload: - name: Upload artifacts - runs-on: macos-12 - steps: - - name: Save Test Result JSONs - uses: actions/upload-artifact@v2 - with: - path: spec/results/ + artifact-upload: + name: Upload artifacts + runs-on: macos-12 + steps: + - name: Save Test Result JSONs + uses: actions/upload-artifact@v2 + with: + path: spec/results/ diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index d87de29..3775ae4 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -7,7 +7,7 @@ on: branches: [ main ] jobs: - my-job: + validate: name: Validate my profile runs-on: ubuntu-latest env: @@ -58,11 +58,11 @@ jobs: uses: mitre/saf_action@v1 with: command_string: 'validate threshold -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' - artifact-upload: - name: Upload artifacts - runs-on: macos-12 - steps: - - name: Save Test Result JSONs - uses: actions/upload-artifact@v2 - with: - path: spec/results/ \ No newline at end of file + artifact-upload: + name: Upload artifacts + runs-on: macos-12 + steps: + - name: Save Test Result JSONs + uses: actions/upload-artifact@v2 + with: + path: spec/results/ \ No newline at end of file diff --git a/.github/workflows/verify-vagrant.yml b/.github/workflows/verify-vagrant.yml index 860aaf0..0ab0733 100644 --- a/.github/workflows/verify-vagrant.yml +++ b/.github/workflows/verify-vagrant.yml @@ -7,7 +7,7 @@ on: branches: [ main ] jobs: - my-job: + validate: name: Validate my profile # macos-latest no longer has Vagrant. Must use the specified version per documentation. runs-on: macos-12 @@ -47,11 +47,11 @@ jobs: uses: mitre/saf_action@v1 with: command_string: 'validate threshold -i spec/results/ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' - artifact-upload: - name: Upload artifacts - runs-on: macos-12 - steps: - - name: Save Test Result JSONs - uses: actions/upload-artifact@v2 - with: - path: spec/results/ \ No newline at end of file + artifact-upload: + name: Upload artifacts + runs-on: macos-12 + steps: + - name: Save Test Result JSONs + uses: actions/upload-artifact@v2 + with: + path: spec/results/ \ No newline at end of file diff --git a/.gitignore b/.gitignore index c3fb9c5..72bebea 100644 --- a/.gitignore +++ b/.gitignore @@ -1,8 +1,4 @@ -.*.sw? -**/inspec.lock -**/Puppetfile.lock .yardoc -.beaker dist/ sec_results/ pkg/ @@ -12,21 +8,13 @@ spec/rp_env/ .rspec_system/ .vagrant/ .bundle/ -Gemfile.lock vendor/ junit/ log/ doc/ .kitchen/ .tmp/ -reports/ -.github* .gemrc .rspec* -CHANGELOG -Puppet* -*.csv _config* -inputs.nolong* -profile.json -*.pem \ No newline at end of file +*.pem diff --git a/Gemfile.lock b/Gemfile.lock new file mode 100644 index 0000000..170a0e9 --- /dev/null +++ b/Gemfile.lock @@ -0,0 +1,683 @@ +GEM + remote: https://rubygems.org/ + specs: + activesupport (7.0.4) + concurrent-ruby (~> 1.0, >= 1.0.2) + i18n (>= 1.6, < 2) + minitest (>= 5.1) + tzinfo (~> 2.0) + addressable (2.8.1) + public_suffix (>= 2.0.2, < 6.0) + ast (2.4.2) + aws-eventstream (1.2.0) + aws-partitions (1.671.0) + aws-sdk-alexaforbusiness (1.57.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-amplify (1.32.0) + aws-sdk-core (~> 3, >= 3.120.0) + aws-sigv4 (~> 1.1) + aws-sdk-apigateway (1.79.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-apigatewayv2 (1.43.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-applicationautoscaling (1.51.0) + aws-sdk-core (~> 3, >= 3.112.0) + aws-sigv4 (~> 1.1) + aws-sdk-athena (1.59.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-autoscaling (1.63.0) + aws-sdk-core (~> 3, >= 3.112.0) + aws-sigv4 (~> 1.1) + aws-sdk-batch (1.47.0) + aws-sdk-core (~> 3, >= 3.112.0) + aws-sigv4 (~> 1.1) + aws-sdk-budgets (1.51.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-cloudformation (1.73.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-cloudfront (1.70.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-cloudhsm (1.40.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-cloudhsmv2 (1.43.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-cloudtrail (1.54.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-cloudwatch (1.69.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-cloudwatchevents (1.46.0) + aws-sdk-core (~> 3, >= 3.112.0) + aws-sigv4 (~> 1.1) + aws-sdk-cloudwatchlogs (1.57.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-codecommit (1.52.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-codedeploy (1.51.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-codepipeline (1.54.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-cognitoidentity (1.31.0) + aws-sdk-core (~> 3, >= 3.112.0) + aws-sigv4 (~> 1.1) + aws-sdk-cognitoidentityprovider (1.53.0) + aws-sdk-core (~> 3, >= 3.112.0) + aws-sigv4 (~> 1.1) + aws-sdk-configservice (1.86.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-core (3.168.3) + aws-eventstream (~> 1, >= 1.0.2) + aws-partitions (~> 1, >= 1.651.0) + aws-sigv4 (~> 1.5) + jmespath (~> 1, >= 1.6.1) + aws-sdk-costandusagereportservice (1.42.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-databasemigrationservice (1.53.0) + aws-sdk-core (~> 3, >= 3.112.0) + aws-sigv4 (~> 1.1) + aws-sdk-dynamodb (1.79.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-ec2 (1.354.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-ecr (1.57.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-ecrpublic (1.13.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-ecs (1.107.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-efs (1.56.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-eks (1.80.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-elasticache (1.82.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-elasticbeanstalk (1.52.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-elasticloadbalancing (1.41.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-elasticloadbalancingv2 (1.82.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-elasticsearchservice (1.68.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-emr (1.53.0) + aws-sdk-core (~> 3, >= 3.121.2) + aws-sigv4 (~> 1.1) + aws-sdk-eventbridge (1.24.0) + aws-sdk-core (~> 3, >= 3.112.0) + aws-sigv4 (~> 1.1) + aws-sdk-firehose (1.50.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-glue (1.88.0) + aws-sdk-core (~> 3, >= 3.112.0) + aws-sigv4 (~> 1.1) + aws-sdk-guardduty (1.61.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-iam (1.73.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-kafka (1.52.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-kinesis (1.42.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-kms (1.60.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-lambda (1.88.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-mq (1.40.0) + aws-sdk-core (~> 3, >= 3.120.0) + aws-sigv4 (~> 1.1) + aws-sdk-networkfirewall (1.20.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-networkmanager (1.26.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-organizations (1.59.0) + aws-sdk-core (~> 3, >= 3.112.0) + aws-sigv4 (~> 1.1) + aws-sdk-ram (1.26.0) + aws-sdk-core (~> 3, >= 3.112.0) + aws-sigv4 (~> 1.1) + aws-sdk-rds (1.162.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-redshift (1.87.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-route53 (1.69.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-route53domains (1.41.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-route53resolver (1.38.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-s3 (1.117.2) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sdk-kms (~> 1) + aws-sigv4 (~> 1.4) + aws-sdk-s3control (1.43.0) + aws-sdk-core (~> 3, >= 3.122.0) + aws-sigv4 (~> 1.1) + aws-sdk-secretsmanager (1.46.0) + aws-sdk-core (~> 3, >= 3.112.0) + aws-sigv4 (~> 1.1) + aws-sdk-securityhub (1.73.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-servicecatalog (1.60.0) + aws-sdk-core (~> 3, >= 3.112.0) + aws-sigv4 (~> 1.1) + aws-sdk-ses (1.41.0) + aws-sdk-core (~> 3, >= 3.120.0) + aws-sigv4 (~> 1.1) + aws-sdk-shield (1.50.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-signer (1.32.0) + aws-sdk-core (~> 3, >= 3.120.0) + aws-sigv4 (~> 1.1) + aws-sdk-simpledb (1.29.0) + aws-sdk-core (~> 3, >= 3.120.0) + aws-sigv2 (~> 1.0) + aws-sdk-sms (1.41.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-sns (1.57.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-sqs (1.52.1) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-ssm (1.145.0) + aws-sdk-core (~> 3, >= 3.165.0) + aws-sigv4 (~> 1.1) + aws-sdk-states (1.39.0) + aws-sdk-core (~> 3, >= 3.112.0) + aws-sigv4 (~> 1.1) + aws-sdk-synthetics (1.19.0) + aws-sdk-core (~> 3, >= 3.121.2) + aws-sigv4 (~> 1.1) + aws-sdk-transfer (1.34.0) + aws-sdk-core (~> 3, >= 3.112.0) + aws-sigv4 (~> 1.1) + aws-sdk-waf (1.43.0) + aws-sdk-core (~> 3, >= 3.122.0) + aws-sigv4 (~> 1.1) + aws-sigv2 (1.1.0) + aws-sigv4 (1.5.2) + aws-eventstream (~> 1, >= 1.0.2) + azure_graph_rbac (0.17.2) + ms_rest_azure (~> 0.12.0) + azure_mgmt_key_vault (0.17.7) + ms_rest_azure (~> 0.12.0) + azure_mgmt_resources (0.18.2) + ms_rest_azure (~> 0.12.0) + azure_mgmt_security (0.19.0) + ms_rest_azure (~> 0.12.0) + azure_mgmt_storage (0.23.0) + ms_rest_azure (~> 0.12.0) + bcrypt_pbkdf (1.1.0) + bson (4.15.0) + builder (3.2.4) + chef-config (18.0.185) + addressable + chef-utils (= 18.0.185) + fuzzyurl + mixlib-config (>= 2.2.12, < 4.0) + mixlib-shellout (>= 2.0, < 4.0) + tomlrb (~> 1.2) + chef-telemetry (1.1.1) + chef-config + concurrent-ruby (~> 1.0) + chef-utils (18.0.185) + concurrent-ruby + coderay (1.1.3) + concurrent-ruby (1.1.10) + cookstyle (7.32.1) + rubocop (= 1.25.1) + declarative (0.0.20) + diff-lcs (1.5.0) + docker-api (2.2.0) + excon (>= 0.47.0) + multi_json + domain_name (0.5.20190701) + unf (>= 0.0.5, < 1.0.0) + ed25519 (1.3.0) + erubi (1.11.0) + excon (0.94.0) + faraday (1.4.3) + faraday-em_http (~> 1.0) + faraday-em_synchrony (~> 1.0) + faraday-excon (~> 1.1) + faraday-net_http (~> 1.0) + faraday-net_http_persistent (~> 1.1) + multipart-post (>= 1.2, < 3) + ruby2_keywords (>= 0.0.4) + faraday-cookie_jar (0.0.7) + faraday (>= 0.8.0) + http-cookie (~> 1.0.0) + faraday-em_http (1.0.0) + faraday-em_synchrony (1.0.0) + faraday-excon (1.1.0) + faraday-net_http (1.0.1) + faraday-net_http_persistent (1.2.0) + faraday_middleware (1.0.0) + faraday (~> 1.0) + ffi (1.15.5) + fuzzyurl (0.9.0) + google-api-client (0.52.0) + addressable (~> 2.5, >= 2.5.1) + googleauth (~> 0.9) + httpclient (>= 2.8.1, < 3.0) + mini_mime (~> 1.0) + representable (~> 3.0) + retriable (>= 2.0, < 4.0) + rexml + signet (~> 0.12) + googleauth (0.14.0) + faraday (>= 0.17.3, < 2.0) + jwt (>= 1.4, < 3.0) + memoist (~> 0.16) + multi_json (~> 1.11) + os (>= 0.9, < 2.0) + signet (~> 0.14) + gssapi (1.3.1) + ffi (>= 1.0.1) + gyoku (1.4.0) + builder (>= 2.1.2) + rexml (~> 3.0) + hashie (4.1.0) + highline (2.0.3) + http-cookie (1.0.5) + domain_name (~> 0.5) + httpclient (2.8.3) + i18n (1.12.0) + concurrent-ruby (~> 1.0) + inifile (3.0.0) + inspec (5.18.14) + cookstyle + faraday_middleware (>= 0.12.2, < 1.1) + inspec-core (= 5.18.14) + mongo (= 2.13.2) + progress_bar (~> 1.3.3) + rake + train (~> 3.10) + train-aws (~> 0.2) + train-habitat (~> 0.1) + train-winrm (~> 0.2) + inspec-bin (5.18.14) + inspec (= 5.18.14) + inspec-core (5.18.14) + addressable (~> 2.4) + chef-telemetry (~> 1.0, >= 1.0.8) + faraday (>= 0.9.0, < 1.5) + faraday_middleware (~> 1.0) + hashie (>= 3.4, < 5.0) + license-acceptance (>= 0.2.13, < 3.0) + method_source (>= 0.8, < 2.0) + mixlib-log (~> 3.0) + multipart-post (~> 2.0) + parallel (~> 1.9) + parslet (>= 1.5, < 2.0) + pry (~> 0.13) + rspec (>= 3.9, <= 3.11) + rspec-its (~> 1.2) + rubyzip (>= 1.2.2, < 3.0) + semverse (~> 3.0) + sslshake (~> 1.2) + thor (>= 0.20, < 2.0) + tomlrb (>= 1.2, < 2.1) + train-core (~> 3.10) + tty-prompt (~> 0.17) + tty-table (~> 0.10) + jmespath (1.6.2) + json (2.6.3) + jwt (2.5.0) + kitchen-ansible (0.56.0) + net-ssh (>= 3) + test-kitchen (>= 1.4) + kitchen-docker (2.13.0) + test-kitchen (>= 1.0.0) + kitchen-ec2 (3.14.0) + aws-sdk-ec2 (~> 1.0) + retryable (>= 2.0, < 4.0) + test-kitchen (>= 1.4.1, < 4) + kitchen-inspec (2.6.1) + hashie (>= 3.4, <= 5.0) + inspec (>= 2.2.64, < 7.0) + test-kitchen (>= 2.7, < 4) + kitchen-sync (2.2.1) + net-sftp + test-kitchen (>= 1.0.0) + kitchen-vagrant (1.12.1) + test-kitchen (>= 1.4, < 4) + license-acceptance (2.1.13) + pastel (~> 0.7) + tomlrb (>= 1.2, < 3.0) + tty-box (~> 0.6) + tty-prompt (~> 0.20) + little-plugger (1.1.4) + logging (2.3.1) + little-plugger (~> 1.1) + multi_json (~> 1.14) + memoist (0.16.2) + method_source (1.0.0) + mini_mime (1.1.2) + minitest (5.16.3) + mixlib-config (3.0.27) + tomlrb + mixlib-install (3.12.24) + mixlib-shellout + mixlib-versioning + thor + mixlib-log (3.0.9) + mixlib-shellout (3.2.7) + chef-utils + mixlib-versioning (1.2.12) + mongo (2.13.2) + bson (>= 4.8.2, < 5.0.0) + ms_rest (0.7.6) + concurrent-ruby (~> 1.0) + faraday (>= 0.9, < 2.0.0) + timeliness (~> 0.3.10) + ms_rest_azure (0.12.0) + concurrent-ruby (~> 1.0) + faraday (>= 0.9, < 2.0.0) + faraday-cookie_jar (~> 0.0.6) + ms_rest (~> 0.7.6) + multi_json (1.15.0) + multipart-post (2.2.3) + net-scp (4.0.0) + net-ssh (>= 2.6.5, < 8.0.0) + net-sftp (4.0.0) + net-ssh (>= 5.0.0, < 8.0.0) + net-ssh (7.0.1) + net-ssh-gateway (2.0.0) + net-ssh (>= 4.0.0) + nori (2.6.0) + options (2.3.2) + os (1.1.4) + parallel (1.22.1) + parser (3.1.3.0) + ast (~> 2.4.1) + parslet (1.8.2) + pastel (0.8.0) + tty-color (~> 0.5) + progress_bar (1.3.3) + highline (>= 1.6, < 3) + options (~> 2.3.0) + pry (0.14.1) + coderay (~> 1.1) + method_source (~> 1.0) + public_suffix (5.0.0) + rainbow (3.1.1) + rake (13.0.6) + regexp_parser (2.6.1) + representable (3.2.0) + declarative (< 0.1.0) + trailblazer-option (>= 0.1.1, < 0.2.0) + uber (< 0.2.0) + retriable (3.1.2) + retryable (3.0.5) + rexml (3.2.5) + rspec (3.11.0) + rspec-core (~> 3.11.0) + rspec-expectations (~> 3.11.0) + rspec-mocks (~> 3.11.0) + rspec-core (3.11.0) + rspec-support (~> 3.11.0) + rspec-expectations (3.11.1) + diff-lcs (>= 1.2.0, < 2.0) + rspec-support (~> 3.11.0) + rspec-its (1.3.0) + rspec-core (>= 3.0.0) + rspec-expectations (>= 3.0.0) + rspec-mocks (3.11.2) + diff-lcs (>= 1.2.0, < 2.0) + rspec-support (~> 3.11.0) + rspec-support (3.11.1) + rubocop (1.25.1) + parallel (~> 1.10) + parser (>= 3.1.0.0) + rainbow (>= 2.2.2, < 4.0) + regexp_parser (>= 1.8, < 3.0) + rexml + rubocop-ast (>= 1.15.1, < 2.0) + ruby-progressbar (~> 1.7) + unicode-display_width (>= 1.4.0, < 3.0) + rubocop-ast (1.24.0) + parser (>= 3.1.1.0) + ruby-progressbar (1.11.0) + ruby2_keywords (0.0.5) + rubyntlm (0.6.3) + rubyzip (2.3.2) + semverse (3.0.2) + signet (0.17.0) + addressable (~> 2.8) + faraday (>= 0.17.5, < 3.a) + jwt (>= 1.5, < 3.0) + multi_json (~> 1.10) + sslshake (1.3.1) + strings (0.2.1) + strings-ansi (~> 0.2) + unicode-display_width (>= 1.5, < 3.0) + unicode_utils (~> 1.4) + strings-ansi (0.2.0) + test-kitchen (3.4.0) + bcrypt_pbkdf (~> 1.0) + chef-utils (>= 16.4.35) + ed25519 (~> 1.2) + license-acceptance (>= 1.0.11, < 3.0) + mixlib-install (~> 3.6) + mixlib-shellout (>= 1.2, < 4.0) + net-scp (>= 1.1, < 5.0) + net-ssh (>= 2.9, < 8.0) + net-ssh-gateway (>= 1.2, < 3.0) + thor (>= 0.19, < 2.0) + winrm (~> 2.0) + winrm-elevated (~> 1.0) + winrm-fs (~> 1.1) + thor (1.2.1) + timeliness (0.3.10) + tomlrb (1.3.0) + trailblazer-option (0.1.2) + train (3.10.7) + activesupport (>= 6.0.3.1) + azure_graph_rbac (~> 0.16) + azure_mgmt_key_vault (~> 0.17) + azure_mgmt_resources (~> 0.15) + azure_mgmt_security (~> 0.18) + azure_mgmt_storage (~> 0.18) + docker-api (>= 1.26, < 3.0) + google-api-client (>= 0.23.9, <= 0.52.0) + googleauth (>= 0.6.6, <= 0.14.0) + inifile (~> 3.0) + train-core (= 3.10.7) + train-winrm (~> 0.2) + train-aws (0.2.24) + aws-sdk-alexaforbusiness (~> 1.0) + aws-sdk-amplify (~> 1.32.0) + aws-sdk-apigateway (~> 1.0) + aws-sdk-apigatewayv2 (~> 1.0) + aws-sdk-applicationautoscaling (>= 1.46, < 1.52) + aws-sdk-athena (~> 1.0) + aws-sdk-autoscaling (>= 1.22, < 1.64) + aws-sdk-batch (>= 1.36, < 1.48) + aws-sdk-budgets (~> 1.0) + aws-sdk-cloudformation (~> 1.0) + aws-sdk-cloudfront (~> 1.0) + aws-sdk-cloudhsm (~> 1.0) + aws-sdk-cloudhsmv2 (~> 1.0) + aws-sdk-cloudtrail (~> 1.8) + aws-sdk-cloudwatch (~> 1.13) + aws-sdk-cloudwatchevents (>= 1.36, < 1.47) + aws-sdk-cloudwatchlogs (~> 1.13) + aws-sdk-codecommit (~> 1.0) + aws-sdk-codedeploy (~> 1.0) + aws-sdk-codepipeline (~> 1.0) + aws-sdk-cognitoidentity (>= 1.26, < 1.32) + aws-sdk-cognitoidentityprovider (>= 1.46, < 1.54) + aws-sdk-configservice (~> 1.21) + aws-sdk-core (~> 3.0) + aws-sdk-costandusagereportservice (~> 1.6) + aws-sdk-databasemigrationservice (>= 1.42, < 1.54) + aws-sdk-dynamodb (~> 1.31) + aws-sdk-ec2 (~> 1.70) + aws-sdk-ecr (~> 1.18) + aws-sdk-ecrpublic (~> 1.3) + aws-sdk-ecs (~> 1.30) + aws-sdk-efs (~> 1.0) + aws-sdk-eks (~> 1.9) + aws-sdk-elasticache (~> 1.0) + aws-sdk-elasticbeanstalk (~> 1.0) + aws-sdk-elasticloadbalancing (~> 1.8) + aws-sdk-elasticloadbalancingv2 (~> 1.0) + aws-sdk-elasticsearchservice (~> 1.0) + aws-sdk-emr (~> 1.53.0) + aws-sdk-eventbridge (~> 1.24.0) + aws-sdk-firehose (~> 1.0) + aws-sdk-glue (>= 1.71, < 1.89) + aws-sdk-guardduty (~> 1.31) + aws-sdk-iam (~> 1.13) + aws-sdk-kafka (~> 1.0) + aws-sdk-kinesis (~> 1.0) + aws-sdk-kms (~> 1.13) + aws-sdk-lambda (~> 1.0) + aws-sdk-mq (~> 1.40.0) + aws-sdk-networkfirewall (>= 1.6.0) + aws-sdk-networkmanager (>= 1.13.0) + aws-sdk-organizations (>= 1.17, < 1.60) + aws-sdk-ram (>= 1.21, < 1.27) + aws-sdk-rds (~> 1.43) + aws-sdk-redshift (~> 1.0) + aws-sdk-route53 (~> 1.0) + aws-sdk-route53domains (~> 1.0) + aws-sdk-route53resolver (~> 1.0) + aws-sdk-s3 (~> 1.30) + aws-sdk-s3control (~> 1.43.0) + aws-sdk-secretsmanager (>= 1.42, < 1.47) + aws-sdk-securityhub (~> 1.0) + aws-sdk-servicecatalog (>= 1.48, < 1.61) + aws-sdk-ses (~> 1.41.0) + aws-sdk-shield (~> 1.30) + aws-sdk-signer (~> 1.32.0) + aws-sdk-simpledb (~> 1.29.0) + aws-sdk-sms (~> 1.0) + aws-sdk-sns (~> 1.9) + aws-sdk-sqs (~> 1.10) + aws-sdk-ssm (~> 1.0) + aws-sdk-states (>= 1.35, < 1.40) + aws-sdk-synthetics (~> 1.19.0) + aws-sdk-transfer (>= 1.26, < 1.35) + aws-sdk-waf (~> 1.43.0) + train-core (3.10.7) + addressable (~> 2.5) + ffi (!= 1.13.0) + json (>= 1.8, < 3.0) + mixlib-shellout (>= 2.0, < 4.0) + net-scp (>= 1.2, < 5.0) + net-ssh (>= 2.9, < 8.0) + train-habitat (0.2.22) + train-winrm (0.2.13) + winrm (>= 2.3.6, < 3.0) + winrm-elevated (~> 1.2.2) + winrm-fs (~> 1.0) + tty-box (0.7.0) + pastel (~> 0.8) + strings (~> 0.2.0) + tty-cursor (~> 0.7) + tty-color (0.6.0) + tty-cursor (0.7.1) + tty-prompt (0.23.1) + pastel (~> 0.8) + tty-reader (~> 0.8) + tty-reader (0.9.0) + tty-cursor (~> 0.7) + tty-screen (~> 0.8) + wisper (~> 2.0) + tty-screen (0.8.1) + tty-table (0.12.0) + pastel (~> 0.8) + strings (~> 0.2.0) + tty-screen (~> 0.8) + tzinfo (2.0.5) + concurrent-ruby (~> 1.0) + uber (0.1.0) + unf (0.1.4) + unf_ext + unf_ext (0.0.8.2) + unicode-display_width (2.3.0) + unicode_utils (1.4.0) + winrm (2.3.6) + builder (>= 2.1.2) + erubi (~> 1.8) + gssapi (~> 1.2) + gyoku (~> 1.0) + httpclient (~> 2.2, >= 2.2.0.2) + logging (>= 1.6.1, < 3.0) + nori (~> 2.0) + rubyntlm (~> 0.6.0, >= 0.6.3) + winrm-elevated (1.2.3) + erubi (~> 1.8) + winrm (~> 2.0) + winrm-fs (~> 1.0) + winrm-fs (1.3.5) + erubi (~> 1.8) + logging (>= 1.6.1, < 3.0) + rubyzip (~> 2.0) + winrm (~> 2.0) + wisper (2.0.1) + +PLATFORMS + x86_64-darwin-21 + +DEPENDENCIES + inspec + inspec-bin + kitchen-ansible + kitchen-docker + kitchen-ec2 + kitchen-inspec + kitchen-sync + kitchen-vagrant + rake + rubocop + +BUNDLED WITH + 2.3.22 From 1392aad10ee76bf1dee67df3edf2e4171d7759ae Mon Sep 17 00:00:00 2001 From: Will Dower Date: Tue, 6 Dec 2022 15:58:06 -0500 Subject: [PATCH 051/100] made the artifact upload step depend on validate Signed-off-by: Will Dower --- .github/workflows/verify-container.yml | 1 + .github/workflows/verify-ec2.yml | 1 + .github/workflows/verify-vagrant.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index 0d60373..7f46e12 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -50,6 +50,7 @@ jobs: artifact-upload: name: Upload artifacts runs-on: macos-12 + needs: validate steps: - name: Save Test Result JSONs uses: actions/upload-artifact@v2 diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index 3775ae4..c2831ac 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -61,6 +61,7 @@ jobs: artifact-upload: name: Upload artifacts runs-on: macos-12 + needs: validate steps: - name: Save Test Result JSONs uses: actions/upload-artifact@v2 diff --git a/.github/workflows/verify-vagrant.yml b/.github/workflows/verify-vagrant.yml index 0ab0733..2e9b749 100644 --- a/.github/workflows/verify-vagrant.yml +++ b/.github/workflows/verify-vagrant.yml @@ -50,6 +50,7 @@ jobs: artifact-upload: name: Upload artifacts runs-on: macos-12 + needs: validate steps: - name: Save Test Result JSONs uses: actions/upload-artifact@v2 From c53175584877d7aa6afe63b7a5ca85f82538d385 Mon Sep 17 00:00:00 2001 From: wdower Date: Tue, 6 Dec 2022 21:00:06 +0000 Subject: [PATCH 052/100] Updating profile.json in the repository --- Gemfile.lock | 1 + profile.json | 6865 ++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 6866 insertions(+) create mode 100644 profile.json diff --git a/Gemfile.lock b/Gemfile.lock index 170a0e9..e60c341 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -666,6 +666,7 @@ GEM PLATFORMS x86_64-darwin-21 + x86_64-linux DEPENDENCIES inspec diff --git a/profile.json b/profile.json new file mode 100644 index 0000000..593e0bc --- /dev/null +++ b/profile.json @@ -0,0 +1,6865 @@ +{ + "name": "Canonical_Ubuntu_20-04_LTS_STIG", + "title": "Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide", + "maintainer": "Nitin Ravindran", + "copyright": "Nitin Ravindran", + "copyright_email": "nravindran@vmware.com", + "license": "Apache-2.0", + "summary": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.", + "version": "0.1.0", + "supports": [ + { + "platform-name": "ubuntu", + "release": "20.04" + } + ], + "inputs": [ + { + "name": "temporary_accounts", + "options": { + "type": "Array", + "value": [] + } + }, + { + "name": "banner_text", + "options": { + "type": "String", + "value": "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + } + }, + { + "name": "sudo_accounts", + "options": { + "type": "Array", + "value": [ + "ubuntu" + ] + } + }, + { + "name": "tmout", + "options": { + "type": "Numeric", + "value": 600 + } + }, + { + "name": "action_mail_acct", + "options": { + "type": "String", + "value": "root" + } + }, + { + "name": "audit_tools", + "options": { + "type": "Array", + "value": [ + "/sbin/auditctl", + "/sbin/aureport", + "/sbin/ausearch", + "/sbin/autrace", + "/sbin/auditd", + "/sbin/audispd", + "/sbin/augenrules" + ] + } + }, + { + "name": "standard_audit_log_size", + "options": { + "type": "Numeric", + "value": 8894028 + } + }, + { + "name": "aide_conf_path", + "options": { + "type": "String", + "value": "/etc/aide/aide.conf" + } + }, + { + "name": "maxlogins", + "options": { + "type": "Numeric", + "value": 10 + } + }, + { + "name": "is_kdump_required", + "options": { + "type": "Boolean", + "value": false + } + }, + { + "name": "is_system_networked", + "options": { + "type": "Boolean", + "value": true + } + }, + { + "name": "sssd_conf_path", + "options": { + "type": "String", + "value": "/etc/sssd/sssd.conf" + } + }, + { + "name": "allowed_ca_fingerprints_regex", + "options": { + "type": "String", + "value": "(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)" + } + }, + { + "name": "allowed_network_interfaces", + "options": { + "type": "Array", + "value": [ + "lo", + "eth0" + ] + } + }, + { + "name": "audit_sp_remote_server", + "options": { + "type": "String", + "value": "192.0.0.1" + } + }, + { + "name": "approved_wireless_interfaces", + "options": { + "type": "Array", + "value": [] + } + }, + { + "name": "fips_config_file", + "options": { + "type": "String", + "value": "/proc/sys/crypto/fips_enabled" + } + }, + { + "name": "chrony_config_file", + "options": { + "type": "String", + "value": "/etc/chrony/chrony.conf" + } + }, + { + "name": "useradd_config_file", + "options": { + "type": "String", + "value": "/etc/default/useradd" + } + }, + { + "name": "rsyslog_config_file", + "options": { + "type": "String", + "value": "/etc/rsyslog.d/50-default.conf" + } + }, + { + "name": "auditoffload_config_file", + "options": { + "type": "String", + "value": "/etc/cron.weekly/audit-offload" + } + }, + { + "name": "audispremote_config_file", + "options": { + "type": "String", + "value": "/etc/audisp/plugins.d/au-remote.conf" + } + }, + { + "name": "gdm3_config_file", + "options": { + "type": "String", + "value": "/etc/gdm3/greeter.dconf-defaults" + } + } + ], + "controls": [ + { + "title": "The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). ", + "desc": "Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).", + "descriptions": { + "default": "Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).", + "check": "Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl is-enabled ufw\n\nIf the above command returns the status as \"disabled\", this is\na finding.\n\nVerify the Uncomplicated Firewall is active on the system by running the\nfollowing command:\n\n$ systemctl is-active ufw\n\nIf the above command returns \"inactive\" or\nany kind of error, this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the\nSystem Administrator if another application firewall is installed.\n\nIf no application\nfirewall is installed, this is a finding.", + "fix": "Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\n--now ufw.service" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000297-GPOS-00115 ", + "gid": "V-238355 ", + "rid": "SV-238355r853430_rule ", + "stig_id": "UBTU-20-010434 ", + "fix_id": "F-41524r654239_fix ", + "cci": [ + "CCI-002314" + ], + "nist": [ + "AC-17 (1)" + ] + }, + "code": "control 'SV-238355' do\n title 'The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). '\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl is-enabled ufw\n\nIf the above command returns the status as \\\"disabled\\\", this is\na finding.\n\nVerify the Uncomplicated Firewall is active on the system by running the\nfollowing command:\n\n$ systemctl is-active ufw\n\nIf the above command returns \\\"inactive\\\" or\nany kind of error, this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the\nSystem Administrator if another application firewall is installed.\n\nIf no application\nfirewall is installed, this is a finding. \"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\n--now ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238355 '\n tag rid: 'SV-238355r853430_rule '\n tag stig_id: 'UBTU-20-010434 '\n tag fix_id: 'F-41524r654239_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238355.rb", + "line": 1 + }, + "id": "SV-238355" + }, + { + "title": "The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. ", + "desc": "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.", + "descriptions": { + "default": "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.", + "check": "Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \"opensc-pcks11\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \"opensc-pcks11\" package is not installed,\nthis is a finding.", + "fix": "Configure the Ubuntu operating system to accept PIV credentials.\n\nInstall the\n\"opensc-pkcs11\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000376-GPOS-00161 ", + "gid": "V-238231 ", + "rid": "SV-238231r853411_rule ", + "stig_id": "UBTU-20-010064 ", + "fix_id": "F-41400r653867_fix ", + "cci": [ + "CCI-001953" + ], + "nist": [ + "IA-2 (12)" + ] + }, + "code": "control 'SV-238231' do\n title 'The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. '\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \\\"opensc-pcks11\\\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \\\"opensc-pcks11\\\" package is not installed,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to accept PIV credentials.\n\nInstall the\n\\\"opensc-pkcs11\\\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000376-GPOS-00161 '\n tag gid: 'V-238231 '\n tag rid: 'SV-238231r853411_rule '\n tag stig_id: 'UBTU-20-010064 '\n tag fix_id: 'F-41400r653867_fix '\n tag cci: ['CCI-001953']\n tag nist: ['IA-2 (12)']\n\n describe package('opensc-pkcs11') do\n it { should be_installed }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238231.rb", + "line": 1 + }, + "id": "SV-238231" + }, + { + "title": "The Ubuntu operating system must not have the rsh-server package installed. ", + "desc": "It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.", + "descriptions": { + "default": "It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.", + "check": "Verify the rsh-server package is installed with the following command:\n\n$ dpkg -l | grep\nrsh-server\n\nIf the rsh-server package is installed, this is a finding.", + "fix": "Configure the Ubuntu operating system to disable non-essential capabilities by removing\nthe rsh-server package from the system with the following command:\n\n$ sudo apt-get remove\nrsh-server" + }, + "impact": 0.7, + "refs": [], + "tags": { + "severity": "high ", + "gtitle": "SRG-OS-000095-GPOS-00049 ", + "gid": "V-238327 ", + "rid": "SV-238327r654156_rule ", + "stig_id": "UBTU-20-010406 ", + "fix_id": "F-41496r654155_fix ", + "cci": [ + "CCI-000381" + ], + "nist": [ + "CM-7 a" + ] + }, + "code": "control 'SV-238327' do\n title 'The Ubuntu operating system must not have the rsh-server package installed. '\n desc \"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled. \"\n desc 'check', \"Verify the rsh-server package is installed with the following command:\n\n$ dpkg -l | grep\nrsh-server\n\nIf the rsh-server package is installed, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable non-essential capabilities by removing\nthe rsh-server package from the system with the following command:\n\n$ sudo apt-get remove\nrsh-server \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000095-GPOS-00049 '\n tag gid: 'V-238327 '\n tag rid: 'SV-238327r654156_rule '\n tag stig_id: 'UBTU-20-010406 '\n tag fix_id: 'F-41496r654155_fix '\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n\n describe package('rsh-server') do\n it { should_not be_installed }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238327.rb", + "line": 1 + }, + "id": "SV-238327" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chcon\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chcon\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238281 ", + "rid": "SV-238281r654018_rule ", + "stig_id": "UBTU-20-010165 ", + "fix_id": "F-41450r654017_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238281' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chcon\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chcon\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238281 '\n tag rid: 'SV-238281r654018_rule '\n tag stig_id: 'UBTU-20-010165 '\n tag fix_id: 'F-41450r654017_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/chcon'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238281.rb", + "line": 1 + }, + "id": "SV-238281" + }, + { + "title": "The Ubuntu operating system library files must have mode 0755 or less permissive. ", + "desc": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "descriptions": { + "default": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "check": "Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\",\nand \"/usr/lib\" have mode 0755 or less permissive with the following command:\n\n$ sudo find\n/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \"%n %a\" '{}' \\;\n\n/usr/lib64/pkcs11-spy.so\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding.", + "fix": "Configure the library files to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\;" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000259-GPOS-00100 ", + "gid": "V-238347 ", + "rid": "SV-238347r654216_rule ", + "stig_id": "UBTU-20-010426 ", + "fix_id": "F-41516r654215_fix ", + "cci": [ + "CCI-001499" + ], + "nist": [ + "CM-5 (6)" + ] + }, + "code": "control 'SV-238347' do\n title 'The Ubuntu operating system library files must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" have mode 0755 or less permissive with the following command:\n\n$ sudo find\n/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\n/usr/lib64/pkcs11-spy.so\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. \"\n desc 'fix', \"Configure the library files to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238347 '\n tag rid: 'SV-238347r654216_rule '\n tag stig_id: 'UBTU-20-010426 '\n tag fix_id: 'F-41516r654215_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are less permissive than 0755' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238347.rb", + "line": 1 + }, + "id": "SV-238347" + }, + { + "title": "The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. ", + "desc": "Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \"strongest to\nweakest\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.", + "descriptions": { + "default": "Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \"strongest to\nweakest\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.", + "check": "Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \"aes256-ctr\",\n\"aes192-ctr\", or \"aes128-ctr\" are listed, the order differs from the example above, the\n\"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding.", + "fix": "Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000424-GPOS-00188 ", + "satisfies": [ + "SRG-OS-000424-GPOS-00188", + "SRG-OS-000033-GPOS-00014", + "SRG-OS-000394-GPOS-00174" + ], + "gid": "V-238217 ", + "rid": "SV-238217r860821_rule ", + "stig_id": "UBTU-20-010044 ", + "fix_id": "F-41386r653825_fix ", + "cci": [ + "CCI-000068", + "CCI-002421", + "CCI-003123" + ], + "nist": [ + "AC-17 (2)", + "SC-8 (1)", + "MA-4 (6)" + ] + }, + "code": "control 'SV-238217' do\n title \"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \\\"strongest to\nweakest\\\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \\\"aes256-ctr\\\",\n\\\"aes192-ctr\\\", or \\\"aes128-ctr\\\" are listed, the order differs from the example above, the\n\\\"Ciphers\\\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000033-GPOS-00014 SRG-OS-000394-GPOS-00174)\n tag gid: 'V-238217 '\n tag rid: 'SV-238217r860821_rule '\n tag stig_id: 'UBTU-20-010044 '\n tag fix_id: 'F-41386r653825_fix '\n tag cci: %w(CCI-000068 CCI-002421 CCI-003123)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n @ciphers_array = inspec.sshd_config.params['ciphers']\n\n @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil?\n\n describe @ciphers_array do\n it { should be_in %w( aes256-ctr aes192-ctr aes128-ctr ) }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238217.rb", + "line": 1 + }, + "id": "SV-238217" + }, + { + "title": "The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. ", + "desc": "Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.", + "descriptions": { + "default": "Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.", + "check": "Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \"hmac-sha2-512\" or\n\"hmac-sha2-256\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding.", + "fix": "Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000424-GPOS-00188 ", + "satisfies": [ + "SRG-OS-000424-GPOS-00188", + "SRG-OS-000250-GPOS-00093", + "SRG-OS-000393-GPOS-00173" + ], + "gid": "V-238216 ", + "rid": "SV-238216r860820_rule ", + "stig_id": "UBTU-20-010043 ", + "fix_id": "F-41385r653822_fix ", + "cci": [ + "CCI-001453", + "CCI-002421", + "CCI-002890" + ], + "nist": [ + "AC-17 (2)", + "SC-8 (1)", + "MA-4 (6)" + ] + }, + "code": "control 'SV-238216' do\n title \"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \\\"hmac-sha2-512\\\" or\n\\\"hmac-sha2-256\\\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173)\n tag gid: 'V-238216 '\n tag rid: 'SV-238216r860820_rule '\n tag stig_id: 'UBTU-20-010043 '\n tag fix_id: 'F-41385r653822_fix '\n tag cci: %w(CCI-001453 CCI-002421 CCI-002890)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n @macs_array = inspec.sshd_config.params['macs']\n\n @macs_array = @macs_array.first.split(',') unless @macs_array.nil?\n\n describe @macs_array do\n it { should be_in %w(hmac-sha2-256 hmac-sha2-512) }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238216.rb", + "line": 1 + }, + "id": "SV-238216" + }, + { + "title": "The Ubuntu operating system must prevent direct login into the root account. ", + "desc": "To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge.", + "descriptions": { + "default": "To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge.", + "check": "Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \"L\" in the second field to indicate the account is locked, this is a finding.", + "fix": "Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000109-GPOS-00056 ", + "gid": "V-238329 ", + "rid": "SV-238329r654162_rule ", + "stig_id": "UBTU-20-010408 ", + "fix_id": "F-41498r654161_fix ", + "cci": [ + "CCI-000770" + ], + "nist": [ + "IA-2 (5)" + ] + }, + "code": "control 'SV-238329' do\n title 'The Ubuntu operating system must prevent direct login into the root account. '\n desc \"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\\\"root\\\" user account, the Windows \\\"Administrator\\\" account, the \\\"sa\\\" account, or a \\\"helpdesk\\\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge. \"\n desc 'check', \"Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \\\"L\\\" in the second field to indicate the account is locked, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000109-GPOS-00056 '\n tag gid: 'V-238329 '\n tag rid: 'SV-238329r654162_rule '\n tag stig_id: 'UBTU-20-010408 '\n tag fix_id: 'F-41498r654161_fix '\n tag cci: ['CCI-000770']\n tag nist: ['IA-2 (5)']\n\n describe.one do\n describe shadow.where(user: 'root') do\n its('passwords.uniq.first') { should eq '!*' }\n end\n end\n describe command('passwd -S root').stdout.strip do\n it { should match /^root\\s+L\\s+.*$/ }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238329.rb", + "line": 1 + }, + "id": "SV-238329" + }, + { + "title": "The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. ", + "desc": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken.", + "descriptions": { + "default": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken.", + "check": "Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \"logout\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \"logout\" key is bound to an action, is\ncommented out, or is missing, this is a finding.", + "fix": "Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update" + }, + "impact": 0.7, + "refs": [], + "tags": { + "severity": "high ", + "gtitle": "SRG-OS-000480-GPOS-00227 ", + "gid": "V-238379 ", + "rid": "SV-238379r654312_rule ", + "stig_id": "UBTU-20-010459 ", + "fix_id": "F-41548r654311_fix ", + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b" + ] + }, + "code": "control 'SV-238379' do\n title \"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. \"\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \\\"logout\\\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \\\"logout\\\" key is bound to an action, is\ncommented out, or is missing, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238379 '\n tag rid: 'SV-238379r654312_rule '\n tag stig_id: 'UBTU-20-010459 '\n tag fix_id: 'F-41548r654311_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe command(\"grep -R logout='' /etc/dconf/db/local.d/\").stdout.strip.split(\"\\n\").entries do\n its('count') { should_not eq 0 }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238379.rb", + "line": 1 + }, + "id": "SV-238379" + }, + { + "title": "The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. ", + "desc": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.", + "descriptions": { + "default": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.", + "check": "Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \"dcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"dcredit\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \"dcredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \"/etc/security/pwquality.conf\"\nfile to contain the \"dcredit\" parameter:\n\ndcredit=-1" + }, + "impact": 0.3, + "refs": [], + "tags": { + "severity": "low ", + "gtitle": "SRG-OS-000071-GPOS-00039 ", + "gid": "V-238223 ", + "rid": "SV-238223r653844_rule ", + "stig_id": "UBTU-20-010052 ", + "fix_id": "F-41392r653843_fix ", + "cci": [ + "CCI-000194" + ], + "nist": [ + "IA-5 (1) (a)" + ] + }, + "code": "control 'SV-238223' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \\\"dcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"dcredit\\\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \\\"dcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\"\nfile to contain the \\\"dcredit\\\" parameter:\n\ndcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000071-GPOS-00039 '\n tag gid: 'V-238223 '\n tag rid: 'SV-238223r653844_rule '\n tag stig_id: 'UBTU-20-010052 '\n tag fix_id: 'F-41392r653843_fix '\n tag cci: ['CCI-000194']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238223.rb", + "line": 1 + }, + "id": "SV-238223" + }, + { + "title": "The Ubuntu operating system must prohibit password reuse for a minimum of five generations. ", + "desc": "Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.", + "descriptions": { + "default": "Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.", + "check": "Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \"remember\" parameter value is not greater\nthan or equal to \"5\", is commented out, or is not set at all, this is a finding.", + "fix": "Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \"remember\" parameter value to the following line in\n\"/etc/pam.d/common-password\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000" + }, + "impact": 0.3, + "refs": [], + "tags": { + "severity": "low ", + "gtitle": "SRG-OS-000077-GPOS-00045 ", + "satisfies": [ + "SRG-OS-000077-GPOS-00045", + "SRG-OS-000073-GPOS-00041" + ], + "gid": "V-238234 ", + "rid": "SV-238234r832945_rule ", + "stig_id": "UBTU-20-010070 ", + "fix_id": "F-41403r832944_fix ", + "cci": [ + "CCI-000196", + "CCI-000200" + ], + "nist": [ + "IA-5 (1) (c)", + "IA-5 (1) (e)" + ] + }, + "code": "control 'SV-238234' do\n title 'The Ubuntu operating system must prohibit password reuse for a minimum of five generations. '\n desc \"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \\\"remember\\\" parameter value is not greater\nthan or equal to \\\"5\\\", is commented out, or is not set at all, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \\\"remember\\\" parameter value to the following line in\n\\\"/etc/pam.d/common-password\\\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000077-GPOS-00045 '\n tag satisfies: %w(SRG-OS-000077-GPOS-00045 SRG-OS-000073-GPOS-00041)\n tag gid: 'V-238234 '\n tag rid: 'SV-238234r832945_rule '\n tag stig_id: 'UBTU-20-010070 '\n tag fix_id: 'F-41403r832944_fix '\n tag cci: %w(CCI-000196 CCI-000200)\n tag nist: ['IA-5 (1) (c)', 'IA-5 (1) (e)']\n\n describe file('/etc/pam.d/common-password') do\n it { should exist }\n end\n\n describe command(\"grep -i remember /etc/pam.d/common-password | sed 's/.*remember=\\\\([^ ]*\\\\).*/\\\\1/'\") do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should cmp >= 5 }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238234.rb", + "line": 1 + }, + "id": "SV-238234" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"chfn\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"chfn\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238253 ", + "rid": "SV-238253r653934_rule ", + "stig_id": "UBTU-20-010137 ", + "fix_id": "F-41422r653933_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238253' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"chfn\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chfn\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238253 '\n tag rid: 'SV-238253r653934_rule '\n tag stig_id: 'UBTU-20-010137 '\n tag fix_id: 'F-41422r653933_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/chfn'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238253.rb", + "line": 1 + }, + "id": "SV-238253" + }, + { + "title": "The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. ", + "desc": "Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates).", + "descriptions": { + "default": "Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates).", + "check": "Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \"crl_offline\" or \"crl_auto\" is\npart of the \"cert_policy\" definition in \"/etc/pam_pkcs11/pam_pkcs11.conf\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\"cert_policy\" is not set to include \"crl_auto\" or \"crl_offline\", this is a finding.", + "fix": "Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\"cert_policy\" option in \"/etc/pam/_pkcs11/pam_pkcs11.conf\" to include \"crl_auto\" or\n\"crl_offline\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \"/etc/pam_pkcs11/\" directory and an \"/etc/pam_pkcs11/pam_pkcs11.conf\", find\nan example to copy into place and modify accordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"." + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000384-GPOS-00167 ", + "gid": "V-238233 ", + "rid": "SV-238233r853413_rule ", + "stig_id": "UBTU-20-010066 ", + "fix_id": "F-41402r653873_fix ", + "cci": [ + "CCI-001991" + ], + "nist": [ + "IA-5 (2) (d)" + ] + }, + "code": "control 'SV-238233' do\n title \"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. \"\n desc \"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates). \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \\\"crl_offline\\\" or \\\"crl_auto\\\" is\npart of the \\\"cert_policy\\\" definition in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\\\"cert_policy\\\" is not set to include \\\"crl_auto\\\" or \\\"crl_offline\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\\\"cert_policy\\\" option in \\\"/etc/pam/_pkcs11/pam_pkcs11.conf\\\" to include \\\"crl_auto\\\" or\n\\\"crl_offline\\\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \\\"/etc/pam_pkcs11/\\\" directory and an \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find\nan example to copy into place and modify accordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000384-GPOS-00167 '\n tag gid: 'V-238233 '\n tag rid: 'SV-238233r853413_rule '\n tag stig_id: 'UBTU-20-010066 '\n tag fix_id: 'F-41402r653873_fix '\n tag cci: ['CCI-001991']\n tag nist: ['IA-5 (2) (d)']\n\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe.one do\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_auto' }\n end\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_offline' }\n end\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238233.rb", + "line": 1 + }, + "id": "SV-238233" + }, + { + "title": "The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. ", + "desc": "A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.", + "descriptions": { + "default": "A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.", + "check": "Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \"lock-enabled\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \"lock-enabled\" is\nnot set to \"true\", this is a finding.", + "fix": "Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \"lock-enabled\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000028-GPOS-00009 ", + "satisfies": [ + "SRG-OS-000028-GPOS-00009", + "SRG-OS-000029-GPOS-00010" + ], + "gid": "V-238199 ", + "rid": "SV-238199r653772_rule ", + "stig_id": "UBTU-20-010004 ", + "fix_id": "F-41368r653771_fix ", + "cci": [ + "CCI-000056", + "CCI-000057" + ], + "nist": [ + "AC-11 b", + "AC-11 a" + ] + }, + "code": "control 'SV-238199' do\n title \"The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.\n\n \"\n desc 'check', \"Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \\\"lock-enabled\\\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \\\"lock-enabled\\\" is\nnot set to \\\"true\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \\\"lock-enabled\\\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000028-GPOS-00009 '\n tag satisfies: %w(SRG-OS-000028-GPOS-00009 SRG-OS-000029-GPOS-00010)\n tag gid: 'V-238199 '\n tag rid: 'SV-238199r653772_rule '\n tag stig_id: 'UBTU-20-010004 '\n tag fix_id: 'F-41368r653771_fix '\n tag cci: %w(CCI-000056 CCI-000057)\n tag nist: ['AC-11 b', 'AC-11 a']\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe command('gsettings get org.gnome.desktop.screensaver lock-enabled') do\n its('stdout') { should cmp 'true' }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238199.rb", + "line": 1 + }, + "id": "SV-238199" + }, + { + "title": "The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. ", + "desc": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.", + "descriptions": { + "default": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.", + "check": "Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \"log_group\" parameter is other than \"root\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \"root\" group by using the following command:\n$ sudo stat -c \"%n %G\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\"root\", this is a finding.", + "fix": "Configure the audit log directory and its underlying files to be owned by \"root\" group.\n\nSet\nthe \"log_group\" parameter of the audit configuration file to the \"root\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000057-GPOS-00027 ", + "satisfies": [ + "SRG-OS-000057-GPOS-00027", + "SRG-OS-000058-GPOS-00028", + "SRG-OS-000059-GPOS-00029" + ], + "gid": "V-238247 ", + "rid": "SV-238247r832947_rule ", + "stig_id": "UBTU-20-010124 ", + "fix_id": "F-41416r832946_fix ", + "cci": [ + "CCI-000162" + ], + "nist": [ + "AU-9 a" + ] + }, + "code": "control 'SV-238247' do\n title \"The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \\\"log_group\\\" parameter is other than \\\"root\\\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \\\"root\\\" group by using the following command:\n$ sudo stat -c \\\"%n %G\\\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" group.\n\nSet\nthe \\\"log_group\\\" parameter of the audit configuration file to the \\\"root\\\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238247 '\n tag rid: 'SV-238247r832947_rule '\n tag stig_id: 'UBTU-20-010124 '\n tag fix_id: 'F-41416r832946_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('group') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238247.rb", + "line": 1 + }, + "id": "SV-238247" + }, + { + "title": "The Ubuntu operating system library directories must be owned by root. ", + "desc": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "descriptions": { + "default": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "check": "Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide library directory is returned, this is a\nfinding.", + "fix": "Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\;" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000259-GPOS-00100 ", + "gid": "V-238350 ", + "rid": "SV-238350r654225_rule ", + "stig_id": "UBTU-20-010429 ", + "fix_id": "F-41519r654224_fix ", + "cci": [ + "CCI-001499" + ], + "nist": [ + "CM-5 (6)" + ] + }, + "code": "control 'SV-238350' do\n title 'The Ubuntu operating system library directories must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library directory is returned, this is a\nfinding. \"\n desc 'fix', \"Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238350 '\n tag rid: 'SV-238350r654225_rule '\n tag stig_id: 'UBTU-20-010429 '\n tag fix_id: 'F-41519r654224_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT owned by root' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238350.rb", + "line": 1 + }, + "id": "SV-238350" + }, + { + "title": "The Ubuntu operating system must ensure only users who need access to security functions are\npart of sudo group. ", + "desc": "An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities.", + "descriptions": { + "default": "An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities.", + "check": "Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding.", + "fix": "Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo" + }, + "impact": 0.7, + "refs": [], + "tags": { + "severity": "high ", + "gtitle": "SRG-OS-000134-GPOS-00068 ", + "gid": "V-238206 ", + "rid": "SV-238206r653793_rule ", + "stig_id": "UBTU-20-010012 ", + "fix_id": "F-41375r653792_fix ", + "cci": [ + "CCI-001084" + ], + "nist": [ + "SC-3" + ] + }, + "code": "control 'SV-238206' do\n title \"The Ubuntu operating system must ensure only users who need access to security functions are\npart of sudo group. \"\n desc \"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities. \"\n desc 'check', \"Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding. \"\n desc 'fix', \"Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000134-GPOS-00068 '\n tag gid: 'V-238206 '\n tag rid: 'SV-238206r653793_rule '\n tag stig_id: 'UBTU-20-010012 '\n tag fix_id: 'F-41375r653792_fix '\n tag cci: ['CCI-001084']\n tag nist: ['SC-3']\n\n sudo_accounts = input('sudo_accounts')\n\n if sudo_accounts.count > 0\n sudo_accounts.each do |account|\n describe group('sudo') do\n its('members') { should include account }\n end\n end\n else\n describe.one do\n describe group('sudo') do\n its('members') { should be_nil }\n end\n describe group('sudo') do\n its('members') { should be_empty }\n end\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238206.rb", + "line": 1 + }, + "id": "SV-238206" + }, + { + "title": "The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. ", + "desc": "In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system.", + "descriptions": { + "default": "In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system.", + "check": "Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \"/var/log/audit/\") with the following command:\n\n$\nsudo df –h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\"/var/log/audit\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du –sh [audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding.", + "fix": "Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \"parted\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\s*=\\s*).*@\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint." + }, + "impact": 0.3, + "refs": [], + "tags": { + "severity": "low ", + "gtitle": "SRG-OS-000341-GPOS-00132 ", + "gid": "V-238305 ", + "rid": "SV-238305r853423_rule ", + "stig_id": "UBTU-20-010215 ", + "fix_id": "F-41474r654089_fix ", + "cci": [ + "CCI-001849" + ], + "nist": [ + "AU-4" + ] + }, + "code": "control 'SV-238305' do\n title \"The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. \"\n desc \"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system. \"\n desc 'check', \"Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \\\"/var/log/audit/\\\") with the following command:\n\n$\nsudo df –h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\\\"/var/log/audit\\\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du –sh [audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding. \"\n desc 'fix', \"Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \\\"parted\\\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\\\s*=\\\\s*).*@\\\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000341-GPOS-00132 '\n tag gid: 'V-238305 '\n tag rid: 'SV-238305r853423_rule '\n tag stig_id: 'UBTU-20-010215 '\n tag fix_id: 'F-41474r654089_fix '\n tag cci: ['CCI-001849']\n tag nist: ['AU-4']\n\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n log_file_dir = File.dirname(log_file)\n available_storage = filesystem(log_file_dir).free_kb\n log_file_size = file(log_file).size\n standard_audit_log_size = input('standard_audit_log_size')\n describe('Current audit log file size is less than the specified standard of ' + standard_audit_log_size.to_s) do\n subject { log_file_size.to_i }\n it { should be <= standard_audit_log_size }\n end\n describe('Available storage for audit log should be more than the defined standard of ' + standard_audit_log_size.to_s) do\n subject { available_storage.to_i }\n it { should be > standard_audit_log_size }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238305.rb", + "line": 1 + }, + "id": "SV-238305" + }, + { + "title": "The Ubuntu operating system must disable all wireless network adapters. ", + "desc": "Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required.", + "descriptions": { + "default": "Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required.", + "check": "Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding.", + "fix": "List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \"/etc/modprobe.d\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name>" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000481-GPOS-00481 ", + "gid": "V-252704 ", + "rid": "SV-252704r854182_rule ", + "stig_id": "UBTU-20-010455 ", + "fix_id": "F-56110r819056_fix ", + "cci": [ + "CCI-002418" + ], + "nist": [ + "SC-8" + ] + }, + "code": "control 'SV-252704' do\n title 'The Ubuntu operating system must disable all wireless network adapters. '\n desc \"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required. \"\n desc 'check', \"Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding. \"\n desc 'fix', \"List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \\\"/etc/modprobe.d\\\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000481-GPOS-00481 '\n tag gid: 'V-252704 '\n tag rid: 'SV-252704r854182_rule '\n tag stig_id: 'UBTU-20-010455 '\n tag fix_id: 'F-56110r819056_fix '\n tag cci: ['CCI-002418']\n tag nist: ['SC-8']\n\n describe command('ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename') do\n its('stdout') { should be_in input('approved_wireless_interfaces') }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-252704.rb", + "line": 1 + }, + "id": "SV-252704" + }, + { + "title": "The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. ", + "desc": "If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements.", + "descriptions": { + "default": "If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements.", + "check": "Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding.", + "fix": "If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\"system_account_name\" with the account to be created.\n\n$ sudo chage -E $(date -d \"+3 days\"\n+%F) system_account_name" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000002-GPOS-00002 ", + "gid": "V-238196 ", + "rid": "SV-238196r653763_rule ", + "stig_id": "UBTU-20-010000 ", + "fix_id": "F-41365r653762_fix ", + "cci": [ + "CCI-000016" + ], + "nist": [ + "AC-2 (2)" + ] + }, + "code": "control 'SV-238196' do\n title \"The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. \"\n desc \"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding. \"\n desc 'fix', \"If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\\\"system_account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\"\n+%F) system_account_name \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000002-GPOS-00002 '\n tag gid: 'V-238196 '\n tag rid: 'SV-238196r653763_rule '\n tag stig_id: 'UBTU-20-010000 '\n tag fix_id: 'F-41365r653762_fix '\n tag cci: ['CCI-000016']\n tag nist: ['AC-2 (2)']\n\n temporary_accounts = input('temporary_accounts')\n\n if temporary_accounts.empty?\n describe 'Temporary accounts' do\n subject { temporary_accounts }\n it { should be_empty }\n end\n else\n temporary_accounts.each do |acct|\n describe command(\"chage -l #{acct} | grep 'Account expires'\") do\n its('stdout.strip') { should_not match /:\\s*never/ }\n end\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238196.rb", + "line": 1 + }, + "id": "SV-238196" + }, + { + "title": "The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. ", + "desc": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.", + "descriptions": { + "default": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.", + "check": "Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \"%n %a\"\n'{}' \\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding.", + "fix": "Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\;" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000258-GPOS-00099 ", + "gid": "V-238344 ", + "rid": "SV-238344r654207_rule ", + "stig_id": "UBTU-20-010423 ", + "fix_id": "F-41513r654206_fix ", + "cci": [ + "CCI-001495" + ], + "nist": [ + "AU-9" + ] + }, + "code": "control 'SV-238344' do\n title \"The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \\\"%n %a\\\"\n'{}' \\\\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238344 '\n tag rid: 'SV-238344r654207_rule '\n tag stig_id: 'UBTU-20-010423 '\n tag fix_id: 'F-41513r654206_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or\n /usr/local/sbin, that are less permissive than 0755\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238344.rb", + "line": 1 + }, + "id": "SV-238344" + }, + { + "title": "The Ubuntu operating system library directories must have mode 0755 or less permissive. ", + "desc": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "descriptions": { + "default": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "check": "Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib have\nmode 0755 or less permissive with the following command:\n\n$ sudo find /lib /lib64 /usr/lib\n-perm /022 -type d -exec stat -c \"%n %a\" '{}' \\;\n\nIf any of the aforementioned directories are\nfound to be group-writable or world-writable, this is a finding.", + "fix": "Configure the shared library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}'\n\\;" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000259-GPOS-00100 ", + "gid": "V-238348 ", + "rid": "SV-238348r654219_rule ", + "stig_id": "UBTU-20-010427 ", + "fix_id": "F-41517r654218_fix ", + "cci": [ + "CCI-001499" + ], + "nist": [ + "CM-5 (6)" + ] + }, + "code": "control 'SV-238348' do\n title 'The Ubuntu operating system library directories must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib have\nmode 0755 or less permissive with the following command:\n\n$ sudo find /lib /lib64 /usr/lib\n-perm /022 -type d -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any of the aforementioned directories are\nfound to be group-writable or world-writable, this is a finding. \"\n desc 'fix', \"Configure the shared library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}'\n\\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238348 '\n tag rid: 'SV-238348r654219_rule '\n tag stig_id: 'UBTU-20-010427 '\n tag fix_id: 'F-41517r654218_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are less permissive than 0755' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238348.rb", + "line": 1 + }, + "id": "SV-238348" + }, + { + "title": "The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. ", + "desc": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "descriptions": { + "default": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify that the Ubuntu operating system configures the \"/var/log\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \"%n %G\" /var/log\n/var/log\nsyslog\n\nIf the \"/var/log\" directory is not group-owned by syslog, this is a finding.", + "fix": "Configure the Ubuntu operating system to have syslog group-own the \"/var/log\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000206-GPOS-00084 ", + "gid": "V-238338 ", + "rid": "SV-238338r654189_rule ", + "stig_id": "UBTU-20-010417 ", + "fix_id": "F-41507r654188_fix ", + "cci": [ + "CCI-001314" + ], + "nist": [ + "SI-11 b" + ] + }, + "code": "control 'SV-238338' do\n title \"The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log\n/var/log\nsyslog\n\nIf the \\\"/var/log\\\" directory is not group-owned by syslog, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog group-own the \\\"/var/log\\\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238338 '\n tag rid: 'SV-238338r654189_rule '\n tag stig_id: 'UBTU-20-010417 '\n tag fix_id: 'F-41507r654188_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n its('group') { should cmp 'syslog' }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238338.rb", + "line": 1 + }, + "id": "SV-238338" + }, + { + "title": "The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \"tallylog\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"tallylog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "satisfies": [ + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000470-GPOS-00214", + "SRG-OS-000473-GPOS-00218" + ], + "gid": "V-238285 ", + "rid": "SV-238285r654030_rule ", + "stig_id": "UBTU-20-010169 ", + "fix_id": "F-41454r654029_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238285' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238285 '\n tag rid: 'SV-238285r654030_rule '\n tag stig_id: 'UBTU-20-010169 '\n tag fix_id: 'F-41454r654029_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/var/log/tallylog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238285.rb", + "line": 1 + }, + "id": "SV-238285" + }, + { + "title": "The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. ", + "desc": "Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item.", + "descriptions": { + "default": "Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item.", + "check": "Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \"yes\", this is a finding.", + "fix": "Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \"SILENTREPORTS\"\nparameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist." + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000447-GPOS-00201 ", + "gid": "V-238372 ", + "rid": "SV-238372r853449_rule ", + "stig_id": "UBTU-20-010451 ", + "fix_id": "F-41541r654290_fix ", + "cci": [ + "CCI-002702" + ], + "nist": [ + "SI-6 d" + ] + }, + "code": "control 'SV-238372' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \\\"yes\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000447-GPOS-00201 '\n tag gid: 'V-238372 '\n tag rid: 'SV-238372r853449_rule '\n tag stig_id: 'UBTU-20-010451 '\n tag fix_id: 'F-41541r654290_fix '\n tag cci: ['CCI-002702']\n tag nist: ['SI-6 d']\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238372.rb", + "line": 1 + }, + "id": "SV-238372" + }, + { + "title": "The Ubuntu operating system must use a file integrity tool to verify correct operation of all\nsecurity functions. ", + "desc": "Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality.", + "descriptions": { + "default": "Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality.", + "check": "Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the\ncorrect operation of all security functions.\n\nCheck that the AIDE package is installed with\nthe following command:\n\n$ sudo dpkg -l | grep aide\nii aide 0.16.1-1build2 amd64 Advanced\nIntrusion Detection Environment - static binary\n\nIf AIDE is not installed, ask the System\nAdministrator how file integrity checks are performed on the system.\n\nIf no application is\ninstalled to perform integrity checks, this is a finding.", + "fix": "Install the AIDE package by running the following command:\n\n$ sudo apt-get install aide" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000445-GPOS-00199 ", + "gid": "V-238371 ", + "rid": "SV-238371r853448_rule ", + "stig_id": "UBTU-20-010450 ", + "fix_id": "F-41540r654287_fix ", + "cci": [ + "CCI-002696" + ], + "nist": [ + "SI-6 a" + ] + }, + "code": "control 'SV-238371' do\n title \"The Ubuntu operating system must use a file integrity tool to verify correct operation of all\nsecurity functions. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the\ncorrect operation of all security functions.\n\nCheck that the AIDE package is installed with\nthe following command:\n\n$ sudo dpkg -l | grep aide\nii aide 0.16.1-1build2 amd64 Advanced\nIntrusion Detection Environment - static binary\n\nIf AIDE is not installed, ask the System\nAdministrator how file integrity checks are performed on the system.\n\nIf no application is\ninstalled to perform integrity checks, this is a finding. \"\n desc 'fix', \"Install the AIDE package by running the following command:\n\n$ sudo apt-get install aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000445-GPOS-00199 '\n tag gid: 'V-238371 '\n tag rid: 'SV-238371r853448_rule '\n tag stig_id: 'UBTU-20-010450 '\n tag fix_id: 'F-41540r654287_fix '\n tag cci: ['CCI-002696']\n tag nist: ['SI-6 a']\n\n describe package('aide') do\n it { should be_installed }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238371.rb", + "line": 1 + }, + "id": "SV-238371" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"apparmor_parser\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"apparmor_parser\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238282 ", + "rid": "SV-238282r654021_rule ", + "stig_id": "UBTU-20-010166 ", + "fix_id": "F-41451r654020_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238282' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"apparmor_parser\\\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"apparmor_parser\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238282 '\n tag rid: 'SV-238282r654021_rule '\n tag stig_id: 'UBTU-20-010166 '\n tag fix_id: 'F-41451r654020_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/sbin/apparmor_parser'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238282.rb", + "line": 1 + }, + "id": "SV-238282" + }, + { + "title": "The Ubuntu operating system must have system commands owned by root or a system account. ", + "desc": "If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "descriptions": { + "default": "If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "check": "Verify the system commands contained in the following directories are owned by root, or a\nrequired system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nUse the following command for the check:\n\n$ sudo find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \"%n %U\"\n'{}' \\;\n\nIf any system commands are returned and are not owned by a required system account,\nthis is a finding.", + "fix": "Configure the system commands and their respective parent directories to be protected from\nunauthorized access. Run the following command, replacing \"[FILE]\" with any system command\nfile not owned by \"root\" or a required system account:\n\n$ sudo chown root [FILE]" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000259-GPOS-00100 ", + "gid": "V-238377 ", + "rid": "SV-238377r832968_rule ", + "stig_id": "UBTU-20-010457 ", + "fix_id": "F-41546r832967_fix ", + "cci": [ + "CCI-001499" + ], + "nist": [ + "CM-5 (6)" + ] + }, + "code": "control 'SV-238377' do\n title 'The Ubuntu operating system must have system commands owned by root or a system account. '\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories are owned by root, or a\nrequired system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nUse the following command for the check:\n\n$ sudo find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \\\"%n %U\\\"\n'{}' \\\\;\n\nIf any system commands are returned and are not owned by a required system account,\nthis is a finding. \"\n desc 'fix', \"Configure the system commands and their respective parent directories to be protected from\nunauthorized access. Run the following command, replacing \\\"[FILE]\\\" with any system command\nfile not owned by \\\"root\\\" or a required system account:\n\n$ sudo chown root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238377 '\n tag rid: 'SV-238377r832968_rule '\n tag stig_id: 'UBTU-20-010457 '\n tag fix_id: 'F-41546r832967_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238377.rb", + "line": 1 + }, + "id": "SV-238377" + }, + { + "title": "The Ubuntu operating system must have an application firewall installed in order to control\nremote access methods. ", + "desc": "Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).", + "descriptions": { + "default": "Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).", + "check": "Verify that the Uncomplicated Firewall is installed with the following command:\n\n$ dpkg -l |\ngrep ufw\n\nii ufw 0.36-6\n\nIf the \"ufw\" package is not installed, ask the System Administrator\nif another application firewall is installed.\n\nIf no application firewall is installed,\nthis is a finding.", + "fix": "Install the Uncomplicated Firewall by using the following command:\n\n$ sudo apt-get install\nufw" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000297-GPOS-00115 ", + "gid": "V-238354 ", + "rid": "SV-238354r853429_rule ", + "stig_id": "UBTU-20-010433 ", + "fix_id": "F-41523r654236_fix ", + "cci": [ + "CCI-002314" + ], + "nist": [ + "AC-17 (1)" + ] + }, + "code": "control 'SV-238354' do\n title \"The Ubuntu operating system must have an application firewall installed in order to control\nremote access methods. \"\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify that the Uncomplicated Firewall is installed with the following command:\n\n$ dpkg -l |\ngrep ufw\n\nii ufw 0.36-6\n\nIf the \\\"ufw\\\" package is not installed, ask the System Administrator\nif another application firewall is installed.\n\nIf no application firewall is installed,\nthis is a finding. \"\n desc 'fix', \"Install the Uncomplicated Firewall by using the following command:\n\n$ sudo apt-get install\nufw \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238354 '\n tag rid: 'SV-238354r853429_rule '\n tag stig_id: 'UBTU-20-010433 '\n tag fix_id: 'F-41523r654236_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n\n describe package('ufw') do\n it { should be_installed }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238354.rb", + "line": 1 + }, + "id": "SV-238354" + }, + { + "title": "The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. ", + "desc": "Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account.", + "descriptions": { + "default": "Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account.", + "check": "Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \"/etc/pam.d/common-auth\" and set\nthe parameter \"pam_faildelay\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000" + }, + "impact": 0.3, + "refs": [], + "tags": { + "severity": "low ", + "gtitle": "SRG-OS-000480-GPOS-00226 ", + "gid": "V-238237 ", + "rid": "SV-238237r653886_rule ", + "stig_id": "UBTU-20-010075 ", + "fix_id": "F-41406r653885_fix ", + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b" + ] + }, + "code": "control 'SV-238237' do\n title \"The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. \"\n desc \"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \\\"/etc/pam.d/common-auth\\\" and set\nthe parameter \\\"pam_faildelay\\\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00226 '\n tag gid: 'V-238237 '\n tag rid: 'SV-238237r653886_rule '\n tag stig_id: 'UBTU-20-010075 '\n tag fix_id: 'F-41406r653885_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_faildelay /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=([4-9][\\d]{6,}|[1-9][\\d]{7,}).*$/ }\n end\n\n file('/etc/pam.d/common-auth').content.to_s.scan(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=(\\d+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 4_000_000 }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238237.rb", + "line": 1 + }, + "id": "SV-238237" + }, + { + "title": "The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic at the end of the session or after 10 minutes of inactivity. ", + "desc": "Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session.", + "descriptions": { + "default": "Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session.", + "check": "Verify that all network connections associated with SSH traffic are automatically\nterminated at the end of the session or after 10 minutes of inactivity.\n\nVerify the\n\"ClientAliveInterval\" variable is set to a value of \"600\" or less by performing the following\ncommand:\n\n$ sudo grep -ir clientalive /etc/ssh/sshd_config*\n\nClientAliveInterval\n600\n\nIf \"ClientAliveInterval\" does not exist, is not set to a value of \"600\" or less in\n\"/etc/ssh/sshd_config\", or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding.", + "fix": "Configure the Ubuntu operating system to automatically terminate all network connections\nassociated with SSH traffic at the end of a session or after a 10-minute period of inactivity.\n\n\nModify or append the following line in the \"/etc/ssh/sshd_config\" file replacing\n\"[Interval]\" with a value of \"600\" or less:\n\nClientAliveInterval 600\n\nRestart the SSH\ndaemon for the changes to take effect:\n\n$ sudo systemctl restart sshd.service" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000163-GPOS-00072 ", + "gid": "V-238213 ", + "rid": "SV-238213r858523_rule ", + "stig_id": "UBTU-20-010037 ", + "fix_id": "F-41382r653813_fix ", + "cci": [ + "CCI-001133" + ], + "nist": [ + "SC-10" + ] + }, + "code": "control 'SV-238213' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic at the end of the session or after 10 minutes of inactivity. \"\n desc \"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session. \"\n desc 'check', \"Verify that all network connections associated with SSH traffic are automatically\nterminated at the end of the session or after 10 minutes of inactivity.\n\nVerify the\n\\\"ClientAliveInterval\\\" variable is set to a value of \\\"600\\\" or less by performing the following\ncommand:\n\n$ sudo grep -ir clientalive /etc/ssh/sshd_config*\n\nClientAliveInterval\n600\n\nIf \\\"ClientAliveInterval\\\" does not exist, is not set to a value of \\\"600\\\" or less in\n\\\"/etc/ssh/sshd_config\\\", or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate all network connections\nassociated with SSH traffic at the end of a session or after a 10-minute period of inactivity.\n\n\nModify or append the following line in the \\\"/etc/ssh/sshd_config\\\" file replacing\n\\\"[Interval]\\\" with a value of \\\"600\\\" or less:\n\nClientAliveInterval 600\n\nRestart the SSH\ndaemon for the changes to take effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000163-GPOS-00072 '\n tag gid: 'V-238213 '\n tag rid: 'SV-238213r858523_rule '\n tag stig_id: 'UBTU-20-010037 '\n tag fix_id: 'F-41382r653813_fix '\n tag cci: ['CCI-001133']\n tag nist: ['SC-10']\n\n describe sshd_config do\n its('ClientAliveInterval') { should cmp 600 }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238213.rb", + "line": 1 + }, + "id": "SV-238213" + }, + { + "title": "The Ubuntu operating system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. ", + "desc": "Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.", + "descriptions": { + "default": "Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.", + "check": "Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \"auditd\" package is not installed, this is a finding.\n\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \"disabled\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \"inactive\",\nthis is a finding.", + "fix": "Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000122-GPOS-00063 ", + "satisfies": [ + "SRG-OS-000122-GPOS-00063", + "SRG-OS-000037-GPOS-00015", + "SRG-OS-000038-GPOS-00016", + "SRG-OS-000039-GPOS-00017", + "SRG-OS-000040-GPOS-00018", + "SRG-OS-000041-GPOS-00019", + "SRG-OS-000042-GPOS-00020", + "SRG-OS-000042-GPOS-00021", + "SRG-OS-000051-GPOS-00024", + "SRG-OS-000054-GPOS-00025", + "SRG-OS-000062-GPOS-00031", + "SRG-OS-000337-GPOS-00129", + "SRG-OS-000348-GPOS-00136", + "SRG-OS-000349-GPOS-00137", + "SRG-OS-000350-GPOS-00138", + "SRG-OS-000351-GPOS-00139", + "SRG-OS-000352-GPOS-00140", + "SRG-OS-000353-GPOS-00141", + "SRG-OS-000354-GPOS-00142", + "SRG-OS-000475-GPOS-00220" + ], + "gid": "V-238298 ", + "rid": "SV-238298r853421_rule ", + "stig_id": "UBTU-20-010182 ", + "fix_id": "F-41467r654068_fix ", + "cci": [ + "CCI-000130", + "CCI-000131", + "CCI-000132", + "CCI-000133", + "CCI-000134", + "CCI-000135", + "CCI-000154", + "CCI-000158", + "CCI-000169", + "CCI-000172", + "CCI-001875", + "CCI-001876", + "CCI-001877", + "CCI-001878", + "CCI-001879", + "CCI-001880", + "CCI-001881", + "CCI-001882", + "CCI-001914" + ], + "nist": [ + "AU-3 a", + "AU-3 b", + "AU-3 c", + "AU-3 d", + "AU-3 e", + "AU-3 (1)", + "AU-6 (4)", + "AU-7 (1)", + "AU-12 a", + "AU-12 c", + "AU-7 a", + "AU-7 b", + "AU-12 (3)" + ] + }, + "code": "control 'SV-238298' do\n title \"The Ubuntu operating system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. \"\n desc \"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.\n\n \"\n desc 'check', \"Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \\\"auditd\\\" package is not installed, this is a finding.\n\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \\\"disabled\\\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \\\"inactive\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000122-GPOS-00063 '\n tag satisfies: %w(SRG-OS-000122-GPOS-00063 SRG-OS-000037-GPOS-00015 SRG-OS-000038-GPOS-00016 SRG-OS-000039-GPOS-00017 SRG-OS-000040-GPOS-00018 SRG-OS-000041-GPOS-00019 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000051-GPOS-00024 SRG-OS-000054-GPOS-00025 SRG-OS-000062-GPOS-00031 SRG-OS-000337-GPOS-00129 SRG-OS-000348-GPOS-00136 SRG-OS-000349-GPOS-00137 SRG-OS-000350-GPOS-00138 SRG-OS-000351-GPOS-00139 SRG-OS-000352-GPOS-00140 SRG-OS-000353-GPOS-00141 SRG-OS-000354-GPOS-00142 SRG-OS-000475-GPOS-00220)\n tag gid: 'V-238298 '\n tag rid: 'SV-238298r853421_rule '\n tag stig_id: 'UBTU-20-010182 '\n tag fix_id: 'F-41467r654068_fix '\n tag cci: %w(CCI-000130 CCI-000131 CCI-000132 CCI-000133 CCI-000134 CCI-000135 CCI-000154 CCI-000158 CCI-000169 CCI-000172 CCI-001875 CCI-001876 CCI-001877 CCI-001878 CCI-001879 CCI-001880 CCI-001881 CCI-001882 CCI-001914)\n tag nist: ['AU-3 a', 'AU-3 b', 'AU-3 c', 'AU-3 d', 'AU-3 e', 'AU-3 (1)', 'AU-6 (4)', 'AU-7 (1)', 'AU-12 a', 'AU-12 c', 'AU-7 a', 'AU-7 b', 'AU-12 (3)']\n\n describe package('auditd') do\n it { should be_installed }\n end\n describe service('auditd') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238298.rb", + "line": 1 + }, + "id": "SV-238298" + }, + { + "title": "The Ubuntu operating system must uniquely identify interactive users. ", + "desc": "To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.", + "descriptions": { + "default": "To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.", + "check": "Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive\nusers with the following command:\n\n$ awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf\noutput is produced and the accounts listed are interactive user accounts, this is a finding.", + "fix": "Edit the file \"/etc/passwd\" and provide each interactive user account that has a duplicate\nUID with a unique UID." + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000104-GPOS-00051 ", + "satisfies": [ + "SRG-OS-000104-GPOS-00051", + "SRG-OS-000121-GPOS-00062" + ], + "gid": "V-238205 ", + "rid": "SV-238205r653790_rule ", + "stig_id": "UBTU-20-010010 ", + "fix_id": "F-41374r653789_fix ", + "cci": [ + "CCI-000764", + "CCI-000804" + ], + "nist": [ + "IA-2", + "IA-8" + ] + }, + "code": "control 'SV-238205' do\n title 'The Ubuntu operating system must uniquely identify interactive users. '\n desc \"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive\nusers with the following command:\n\n$ awk -F \\\":\\\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf\noutput is produced and the accounts listed are interactive user accounts, this is a finding. \"\n desc 'fix', \"Edit the file \\\"/etc/passwd\\\" and provide each interactive user account that has a duplicate\nUID with a unique UID. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000104-GPOS-00051 '\n tag satisfies: %w(SRG-OS-000104-GPOS-00051 SRG-OS-000121-GPOS-00062)\n tag gid: 'V-238205 '\n tag rid: 'SV-238205r653790_rule '\n tag stig_id: 'UBTU-20-010010 '\n tag fix_id: 'F-41374r653789_fix '\n tag cci: %w(CCI-000764 CCI-000804)\n tag nist: %w(IA-2 IA-8)\n\n user_list = command(\"awk -F \\\":\\\" 'list[$3]++{print $1}' /etc/passwd\").stdout.split(\"\\n\")\n findings = Set[]\n\n user_list.each do |user_name|\n findings = findings << user_name\n end\n describe 'Duplicate User IDs (UIDs) must not exist for interactive users' do\n subject { findings.to_a }\n it { should be_empty }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238205.rb", + "line": 1 + }, + "id": "SV-238205" + }, + { + "title": "The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. ", + "desc": "Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles.", + "descriptions": { + "default": "Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles.", + "check": "Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\/sbin\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding.", + "fix": "Add or update the following selection lines for \"/etc/aide/aide.conf\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000278-GPOS-00108 ", + "gid": "V-238303 ", + "rid": "SV-238303r654084_rule ", + "stig_id": "UBTU-20-010205 ", + "fix_id": "F-41472r654083_fix ", + "cci": [ + "CCI-001496" + ], + "nist": [ + "AU-9 (3)" + ] + }, + "code": "control 'SV-238303' do\n title \"The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. \"\n desc \"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\\\/sbin\\\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding. \"\n desc 'fix', \"Add or update the following selection lines for \\\"/etc/aide/aide.conf\\\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000278-GPOS-00108 '\n tag gid: 'V-238303 '\n tag rid: 'SV-238303r654084_rule '\n tag stig_id: 'UBTU-20-010205 '\n tag fix_id: 'F-41472r654083_fix '\n tag cci: ['CCI-001496']\n tag nist: ['AU-9 (3)']\n\n aide_conf = aide_conf input('aide_conf_path')\n\n aide_conf_exists = aide_conf.exist?\n\n if aide_conf_exists\n describe aide_conf.where { selection_line == '/sbin/auditctl' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/auditd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/ausearch' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/aureport' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/autrace' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/audispd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/augenrules' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n else\n describe 'aide.conf file exists' do\n subject { aide_conf_exists }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238303.rb", + "line": 1 + }, + "id": "SV-238303" + }, + { + "title": "The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). ", + "desc": "It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server.", + "descriptions": { + "default": "It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server.", + "check": "Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\"disk_full_action\" option is not \"SYSLOG\", \"SINGLE\", or \"HALT\", or the line is commented\nout, this is a finding.", + "fix": "Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \"disk_full_action\" can be set to \"SYSLOG\", \"HALT\" or \"SINGLE\") in\n\"/etc/audit/auditd.conf\" file:\n\ndisk_full_action = HALT\n\nRestart the \"auditd\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000047-GPOS-00023 ", + "gid": "V-238244 ", + "rid": "SV-238244r653907_rule ", + "stig_id": "UBTU-20-010118 ", + "fix_id": "F-41413r653906_fix ", + "cci": [ + "CCI-000140" + ], + "nist": [ + "AU-5 b" + ] + }, + "code": "control 'SV-238244' do\n title \"The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). \"\n desc \"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server. \"\n desc 'check', \"Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\\\"disk_full_action\\\" option is not \\\"SYSLOG\\\", \\\"SINGLE\\\", or \\\"HALT\\\", or the line is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \\\"disk_full_action\\\" can be set to \\\"SYSLOG\\\", \\\"HALT\\\" or \\\"SINGLE\\\") in\n\\\"/etc/audit/auditd.conf\\\" file:\n\ndisk_full_action = HALT\n\nRestart the \\\"auditd\\\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000047-GPOS-00023 '\n tag gid: 'V-238244 '\n tag rid: 'SV-238244r653907_rule '\n tag stig_id: 'UBTU-20-010118 '\n tag fix_id: 'F-41413r653906_fix '\n tag cci: ['CCI-000140']\n tag nist: ['AU-5 b']\n\n describe auditd_conf do\n its('disk_full_action') { should_not be_empty }\n its('disk_full_action') { should cmp /(?:SYSLOG|SINGLE|HALT)/i }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238244.rb", + "line": 1 + }, + "id": "SV-238244" + }, + { + "title": "The Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. ", + "desc": "Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.", + "descriptions": { + "default": "Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.", + "check": "Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and\n\"/etc/audit/auditd.conf\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nis owned by a user other than \"root\", this is a finding.", + "fix": "Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and\n\"/etc/audit/auditd.conf\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000063-GPOS-00032 ", + "gid": "V-238250 ", + "rid": "SV-238250r653925_rule ", + "stig_id": "UBTU-20-010134 ", + "fix_id": "F-41419r653924_fix ", + "cci": [ + "CCI-000171" + ], + "nist": [ + "AU-12 b" + ] + }, + "code": "control 'SV-238250' do\n title \"The Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238250 '\n tag rid: 'SV-238250r653925_rule '\n tag stig_id: 'UBTU-20-010134 '\n tag fix_id: 'F-41419r653924_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('owner') { should cmp 'root' }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238250.rb", + "line": 1 + }, + "id": "SV-238250" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the unix_update command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify that an audit event is generated for any successful/unsuccessful use of the\n\"unix_update\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"unix_update\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238289 ", + "rid": "SV-238289r654042_rule ", + "stig_id": "UBTU-20-010173 ", + "fix_id": "F-41458r654041_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238289' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the unix_update command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"unix_update\\\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"unix_update\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238289 '\n tag rid: 'SV-238289r654042_rule '\n tag stig_id: 'UBTU-20-010173 '\n tag fix_id: 'F-41458r654041_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/sbin/unix_update'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238289.rb", + "line": 1 + }, + "id": "SV-238289" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify that an audit event is generated for any successful/unsuccessful use of the \"usermod\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"usermod\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238292 ", + "rid": "SV-238292r654051_rule ", + "stig_id": "UBTU-20-010176 ", + "fix_id": "F-41461r654050_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238292' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"usermod\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"usermod\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238292 '\n tag rid: 'SV-238292r654051_rule '\n tag stig_id: 'UBTU-20-010176 '\n tag fix_id: 'F-41461r654050_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/sbin/usermod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238292.rb", + "line": 1 + }, + "id": "SV-238292" + }, + { + "title": "The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention\n(ENSLTP). ", + "desc": "Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement.", + "descriptions": { + "default": "Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement.", + "check": "The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.\nHowever, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and\nrunning.\n\nCheck that the \"mcafeetp\" package has been installed:\n\n# dpkg -l | grep mcafeetp\n\n\nIf the \"mcafeetp\" package is not installed, this finding will remain as a CAT II.\n\nCheck that\nthe daemon is running:\n\n# /opt/McAfee/ens/tp/init/mfetpd-control.sh status\n\nIf the\ndaemon is not running, this finding will remain as a CAT II.", + "fix": "The Ubuntu operating system is not compliant with this requirement; however, the severity\nlevel can be mitigated to a CAT III if the ENSLTP module is installed and running.\n\nConfigure\nthe Ubuntu operating system to use ENSLTP.\n\nInstall the \"mcafeetp\" package via the ePO\nserver." + }, + "impact": 0.3, + "refs": [], + "tags": { + "severity": "low ", + "gtitle": "SRG-OS-000191-GPOS-00080 ", + "gid": "V-238336 ", + "rid": "SV-238336r858538_rule ", + "stig_id": "UBTU-20-010415 ", + "fix_id": "F-41505r858537_fix ", + "cci": [ + "CCI-001233" + ], + "nist": [ + "SI-2 (2)" + ] + }, + "code": "control 'SV-238336' do\n title \"The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention\n(ENSLTP). \"\n desc \"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement. \"\n desc 'check', \"The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.\nHowever, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and\nrunning.\n\nCheck that the \\\"mcafeetp\\\" package has been installed:\n\n# dpkg -l | grep mcafeetp\n\n\nIf the \\\"mcafeetp\\\" package is not installed, this finding will remain as a CAT II.\n\nCheck that\nthe daemon is running:\n\n# /opt/McAfee/ens/tp/init/mfetpd-control.sh status\n\nIf the\ndaemon is not running, this finding will remain as a CAT II. \"\n desc 'fix', \"The Ubuntu operating system is not compliant with this requirement; however, the severity\nlevel can be mitigated to a CAT III if the ENSLTP module is installed and running.\n\nConfigure\nthe Ubuntu operating system to use ENSLTP.\n\nInstall the \\\"mcafeetp\\\" package via the ePO\nserver. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000191-GPOS-00080 '\n tag gid: 'V-238336 '\n tag rid: 'SV-238336r858538_rule '\n tag stig_id: 'UBTU-20-010415 '\n tag fix_id: 'F-41505r858537_fix '\n tag cci: ['CCI-001233']\n tag nist: ['SI-2 (2)']\n\n describe package('mfetp') do\n it { should be_installed }\n end\n\n describe command('/opt/McAfee/ens/tp/init/mfetpd-control.sh status') do\n its('exit_status') { should cmp 0 }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238336.rb", + "line": 1 + }, + "id": "SV-238336" + }, + { + "title": "The Ubuntu operating system must be configured to use TCP syncookies. ", + "desc": "DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning.", + "descriptions": { + "default": "DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning.", + "check": "Verify the Ubuntu operating system is configured to use TCP syncookies.\n\nCheck the value of\nTCP syncookies with the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \"1\", this is a finding.\n\nCheck the saved\nvalue of TCP syncookies with the following command:\n\n$ sudo grep -i\nnet.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#'\n\nIf no output is\nreturned, this is a finding.", + "fix": "Configure the Ubuntu operating system to use TCP syncookies by running the following\ncommand:\n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \"1\" is not the system's default\nvalue, add or update the following line in \"/etc/sysctl.conf\":\n\nnet.ipv4.tcp_syncookies\n= 1" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000142-GPOS-00071 ", + "gid": "V-238333 ", + "rid": "SV-238333r654174_rule ", + "stig_id": "UBTU-20-010412 ", + "fix_id": "F-41502r654173_fix ", + "cci": [ + "CCI-001095" + ], + "nist": [ + "SC-5 (2)" + ] + }, + "code": "control 'SV-238333' do\n title 'The Ubuntu operating system must be configured to use TCP syncookies. '\n desc \"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use TCP syncookies.\n\nCheck the value of\nTCP syncookies with the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \\\"1\\\", this is a finding.\n\nCheck the saved\nvalue of TCP syncookies with the following command:\n\n$ sudo grep -i\nnet.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#'\n\nIf no output is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use TCP syncookies by running the following\ncommand:\n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \\\"1\\\" is not the system's default\nvalue, add or update the following line in \\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.tcp_syncookies\n= 1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000142-GPOS-00071 '\n tag gid: 'V-238333 '\n tag rid: 'SV-238333r654174_rule '\n tag stig_id: 'UBTU-20-010412 '\n tag fix_id: 'F-41502r654173_fix '\n tag cci: ['CCI-001095']\n tag nist: ['SC-5 (2)']\n\n describe kernel_parameter('net.ipv4.tcp_syncookies') do\n its('value') { should cmp 1 }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238333.rb", + "line": 1 + }, + "id": "SV-238333" + }, + { + "title": "The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \"fdisk\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above.", + "fix": "Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \"fdisk\".\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000477-GPOS-00222 ", + "gid": "V-238320 ", + "rid": "SV-238320r832956_rule ", + "stig_id": "UBTU-20-010298 ", + "fix_id": "F-41489r832955_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238320' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \\\"fdisk\\\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \\\"fdisk\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238320 '\n tag rid: 'SV-238320r832956_rule '\n tag stig_id: 'UBTU-20-010298 '\n tag fix_id: 'F-41489r832955_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/sbin/fdisk'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238320.rb", + "line": 1 + }, + "id": "SV-238320" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chsh\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chsh\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238279 ", + "rid": "SV-238279r654012_rule ", + "stig_id": "UBTU-20-010163 ", + "fix_id": "F-41448r654011_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238279' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chsh\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chsh\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238279 '\n tag rid: 'SV-238279r654012_rule '\n tag stig_id: 'UBTU-20-010163 '\n tag fix_id: 'F-41448r654011_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/chsh'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238279.rb", + "line": 1 + }, + "id": "SV-238279" + }, + { + "title": "The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. ", + "desc": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", + "descriptions": { + "default": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", + "check": "Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above.", + "fix": "Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000004-GPOS-00004 ", + "satisfies": [ + "SRG-OS-000004-GPOS-00004", + "SRG-OS-000239-GPOS-00089", + "SRG-OS-000240-GPOS-00090", + "SRG-OS-000241-GPOS-00091", + "SRG-OS-000303-GPOS-00120", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000476-GPOS-00221" + ], + "gid": "V-238241 ", + "rid": "SV-238241r853419_rule ", + "stig_id": "UBTU-20-010103 ", + "fix_id": "F-41410r653897_fix ", + "cci": [ + "CCI-000172", + "CCI-001403", + "CCI-001404", + "CCI-001405", + "CCI-002130" + ], + "nist": [ + "AU-12 c", + "AC-2 (4)" + ] + }, + "code": "control 'SV-238241' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238241 '\n tag rid: 'SV-238241r853419_rule '\n tag stig_id: 'UBTU-20-010103 '\n tag fix_id: 'F-41410r653897_fix '\n tag cci: %w(CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AU-12 c', 'AC-2 (4)']\n\n @audit_file = '/etc/gshadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238241.rb", + "line": 1 + }, + "id": "SV-238241" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", + "check": "Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\|truncate\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \"-k\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove.", + "fix": "Configure the audit system to generate an audit event for any unsuccessful use of the\"creat\",\n\"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" system calls.\n\nAdd\nor update the following rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "satisfies": [ + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000474-GPOS-00219" + ], + "gid": "V-238271 ", + "rid": "SV-238271r808483_rule ", + "stig_id": "UBTU-20-010155 ", + "fix_id": "F-41440r808482_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238271' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\\\|truncate\\\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any unsuccessful use of the\\\"creat\\\",\n\\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" system calls.\n\nAdd\nor update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000474-GPOS-00219)\n tag gid: 'V-238271 '\n tag rid: 'SV-238271r808483_rule '\n tag stig_id: 'UBTU-20-010155 '\n tag fix_id: 'F-41440r808482_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n # FIX\n\n if os.arch == 'x86_64'\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238271.rb", + "line": 1 + }, + "id": "SV-238271" + }, + { + "title": "The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic after a period of inactivity. ", + "desc": "Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance.", + "descriptions": { + "default": "Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance.", + "check": "Verify that all network connections associated with SSH traffic automatically terminate\nafter a period of inactivity.\n\nVerify the \"ClientAliveCountMax\" variable is set in the\n\"/etc/ssh/sshd_config\" file by performing the following command:\n\n$ sudo grep -ir\nclientalivecountmax /etc/ssh/sshd_config*\n\nClientAliveCountMax 1\n\nIf\n\"ClientAliveCountMax\" is not set, is not set to \"1\", or is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding.", + "fix": "Configure the Ubuntu operating system to automatically terminate inactive SSH sessions\nafter a period of inactivity.\n\nModify or append the following line in the\n\"/etc/ssh/sshd_config\" file, replacing \"[Count]\" with a value of 1:\n\n\nClientAliveCountMax 1\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000126-GPOS-00066 ", + "gid": "V-238212 ", + "rid": "SV-238212r858521_rule ", + "stig_id": "UBTU-20-010036 ", + "fix_id": "F-41381r653810_fix ", + "cci": [ + "CCI-000879" + ], + "nist": [ + "MA-4 e" + ] + }, + "code": "control 'SV-238212' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic after a period of inactivity. \"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance. \"\n desc 'check', \"Verify that all network connections associated with SSH traffic automatically terminate\nafter a period of inactivity.\n\nVerify the \\\"ClientAliveCountMax\\\" variable is set in the\n\\\"/etc/ssh/sshd_config\\\" file by performing the following command:\n\n$ sudo grep -ir\nclientalivecountmax /etc/ssh/sshd_config*\n\nClientAliveCountMax 1\n\nIf\n\\\"ClientAliveCountMax\\\" is not set, is not set to \\\"1\\\", or is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate inactive SSH sessions\nafter a period of inactivity.\n\nModify or append the following line in the\n\\\"/etc/ssh/sshd_config\\\" file, replacing \\\"[Count]\\\" with a value of 1:\n\n\nClientAliveCountMax 1\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000126-GPOS-00066 '\n tag gid: 'V-238212 '\n tag rid: 'SV-238212r858521_rule '\n tag stig_id: 'UBTU-20-010036 '\n tag fix_id: 'F-41381r653810_fix '\n tag cci: ['CCI-000879']\n tag nist: ['MA-4 e']\n\n describe sshd_config do\n its('ClientAliveCountMax') { should cmp 1 }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238212.rb", + "line": 1 + }, + "id": "SV-238212" + }, + { + "title": "The Ubuntu operating system must not have the telnet package installed. ", + "desc": "Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.", + "descriptions": { + "default": "Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.", + "check": "Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding.", + "fix": "Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd" + }, + "impact": 0.7, + "refs": [], + "tags": { + "severity": "high ", + "gtitle": "SRG-OS-000074-GPOS-00042 ", + "gid": "V-238326 ", + "rid": "SV-238326r654153_rule ", + "stig_id": "UBTU-20-010405 ", + "fix_id": "F-41495r654152_fix ", + "cci": [ + "CCI-000197" + ], + "nist": [ + "IA-5 (1) (c)" + ] + }, + "code": "control 'SV-238326' do\n title 'The Ubuntu operating system must not have the telnet package installed. '\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding. \"\n desc 'fix', \"Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000074-GPOS-00042 '\n tag gid: 'V-238326 '\n tag rid: 'SV-238326r654153_rule '\n tag stig_id: 'UBTU-20-010405 '\n tag fix_id: 'F-41495r654152_fix '\n tag cci: ['CCI-000197']\n tag nist: ['IA-5 (1) (c)']\n\n describe package('telnetd') do\n it { should_not be_installed }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238326.rb", + "line": 1 + }, + "id": "SV-238326" + }, + { + "title": "The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local access to the system via a graphical user logon. ", + "desc": "Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"", + "descriptions": { + "default": "Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"", + "check": "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the operating system via a graphical user logon.\n\nNote: If\nthe system does not have a graphical user interface installed, this requirement is Not\nApplicable.\n\nVerify the operating system displays the exact approved Standard Mandatory\nDoD Notice and Consent Banner text with the command:\n\n$ grep ^banner-message-text\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-text=\"You are accessing a U.S.\nGovernment \\(USG\\) Information System \\(IS\\) that is provided for USG-authorized use\nonly.\\s+By using this IS \\(which includes any device attached to this IS\\), you consent to the\nfollowing conditions:\\s+-The USG routinely intercepts and monitors communications on\nthis IS for purposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct \\(PM\\), law enforcement \\(LE\\), and\ncounterintelligence \\(CI\\) investigations.\\s+-At any time, the USG may inspect and seize\ndata stored on this IS.\\s+-Communications using, or data stored on, this IS are not private,\nare subject to routine monitoring, interception, and search, and may be disclosed or used for\nany USG-authorized purpose.\\s+-This IS includes security measures \\(e.g.,\nauthentication and access controls\\) to protect USG interests--not for your personal\nbenefit or privacy.\\s+-Notwithstanding the above, using this IS does not constitute\nconsent to PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nIf the\nbanner-message-text is missing, commented out, or does not match the Standard Mandatory DoD\nNotice and Consent Banner exactly, this is a finding.", + "fix": "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.\n\nSet the \"banner-message-text\" line\nto contain the appropriate banner message text as shown below:\n\nbanner-message-text='You\nare accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this\nIS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and\nmonitors communications on this IS for purposes including, but not limited to, penetration\ntesting, COMSEC monitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the\nUSG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored\non, this IS are not private, are subject to routine monitoring, interception, and search, and\nmay be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security\nmeasures (e.g., authentication and access controls) to protect USG interests--not for your\npersonal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not\nconstitute consent to PM, LE or CI investigative searching or monitoring of the content of\nprivileged communications, or work product, related to personal representation or\nservices by attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User Agreement for\ndetails.'\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf update\n$ sudo\nsystemctl restart gdm3" + }, + "impact": 0, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000023-GPOS-00006 ", + "gid": "V-238198 ", + "rid": "SV-238198r653769_rule ", + "stig_id": "UBTU-20-010003 ", + "fix_id": "F-41367r653768_fix ", + "cci": [ + "CCI-000048" + ], + "nist": [ + "AC-8 a" + ] + }, + "code": "control 'SV-238198' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local access to the system via a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the operating system via a graphical user logon.\n\nNote: If\nthe system does not have a graphical user interface installed, this requirement is Not\nApplicable.\n\nVerify the operating system displays the exact approved Standard Mandatory\nDoD Notice and Consent Banner text with the command:\n\n$ grep ^banner-message-text\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-text=\\\"You are accessing a U.S.\nGovernment \\\\(USG\\\\) Information System \\\\(IS\\\\) that is provided for USG-authorized use\nonly.\\\\s+By using this IS \\\\(which includes any device attached to this IS\\\\), you consent to the\nfollowing conditions:\\\\s+-The USG routinely intercepts and monitors communications on\nthis IS for purposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct \\\\(PM\\\\), law enforcement \\\\(LE\\\\), and\ncounterintelligence \\\\(CI\\\\) investigations.\\\\s+-At any time, the USG may inspect and seize\ndata stored on this IS.\\\\s+-Communications using, or data stored on, this IS are not private,\nare subject to routine monitoring, interception, and search, and may be disclosed or used for\nany USG-authorized purpose.\\\\s+-This IS includes security measures \\\\(e.g.,\nauthentication and access controls\\\\) to protect USG interests--not for your personal\nbenefit or privacy.\\\\s+-Notwithstanding the above, using this IS does not constitute\nconsent to PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nIf the\nbanner-message-text is missing, commented out, or does not match the Standard Mandatory DoD\nNotice and Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nSet the \\\"banner-message-text\\\" line\nto contain the appropriate banner message text as shown below:\n\nbanner-message-text='You\nare accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\\\\n\\\\nBy using this IS (which includes any device attached to this\nIS), you consent to the following conditions:\\\\n\\\\n-The USG routinely intercepts and\nmonitors communications on this IS for purposes including, but not limited to, penetration\ntesting, COMSEC monitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations.\\\\n\\\\n-At any time, the\nUSG may inspect and seize data stored on this IS.\\\\n\\\\n-Communications using, or data stored\non, this IS are not private, are subject to routine monitoring, interception, and search, and\nmay be disclosed or used for any USG-authorized purpose.\\\\n\\\\n-This IS includes security\nmeasures (e.g., authentication and access controls) to protect USG interests--not for your\npersonal benefit or privacy.\\\\n\\\\n-Notwithstanding the above, using this IS does not\nconstitute consent to PM, LE or CI investigative searching or monitoring of the content of\nprivileged communications, or work product, related to personal representation or\nservices by attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User Agreement for\ndetails.'\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf update\n$ sudo\nsystemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238198 '\n tag rid: 'SV-238198r653769_rule '\n tag stig_id: 'UBTU-20-010003 '\n tag fix_id: 'F-41367r653768_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n\n banner_text = input('banner_text')\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n gdm3_defaults_file = input('gdm3_config_file')\n\n if package('gdm3').installed?\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n subject { file(gdm3_defaults_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n else\n impact 0.0\n describe 'Package gdm3 not installed' do\n skip 'Package gdm3 not installed, this control Not Applicable'\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238198.rb", + "line": 1 + }, + "id": "SV-238198" + }, + { + "title": "The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. ", + "desc": "Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity.", + "descriptions": { + "default": "Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity.", + "check": "Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\"/etc/cron.weekly\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding.", + "fix": "Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \"/etc/cron.weekly\" directory." + }, + "impact": 0.3, + "refs": [], + "tags": { + "severity": "low ", + "gtitle": "SRG-OS-000479-GPOS-00224 ", + "gid": "V-238321 ", + "rid": "SV-238321r853428_rule ", + "stig_id": "UBTU-20-010300 ", + "fix_id": "F-41490r654137_fix ", + "cci": [ + "CCI-001851" + ], + "nist": [ + "AU-4 (1)" + ] + }, + "code": "control 'SV-238321' do\n title \"The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity. \"\n desc 'check', \"Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\\\"/etc/cron.weekly\\\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding. \"\n desc 'fix', \"Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \\\"/etc/cron.weekly\\\" directory. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000479-GPOS-00224 '\n tag gid: 'V-238321 '\n tag rid: 'SV-238321r853428_rule '\n tag stig_id: 'UBTU-20-010300 '\n tag fix_id: 'F-41490r654137_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n\n cron_file = input('auditoffload_config_file')\n cron_file_exists = file(cron_file).exist?\n\n if cron_file_exists\n describe file(cron_file) do\n its('content') { should_not be_empty }\n end\n else\n describe cron_file + ' exists' do\n subject { cron_file_exists }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238321.rb", + "line": 1 + }, + "id": "SV-238321" + }, + { + "title": "The Ubuntu operating system must be configured to preserve log records from failure events. ", + "desc": "Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes.", + "descriptions": { + "default": "Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes.", + "check": "Verify the log service is configured to collect system failure events.\n\nCheck that the log\nservice is installed properly with the following command:\n\n$ dpkg -l | grep rsyslog\n\nii\nrsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon\n\nIf the \"rsyslog\"\npackage is not installed, this is a finding.\n\nCheck that the log service is enabled with the\nfollowing command:\n\n$ systemctl is-enabled rsyslog\n\nenabled\n\nIf the command above\nreturns \"disabled\", this is a finding.\n\nCheck that the log service is properly running and\nactive on the system with the following command:\n\n$ systemctl is-active rsyslog\n\nactive\n\n\nIf the command above returns \"inactive\", this is a finding.", + "fix": "Configure the log service to collect failure events.\n\nInstall the log service (if the log\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nrsyslog\n\nEnable the log service with the following command:\n\n$ sudo systemctl enable --now\nrsyslog" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000269-GPOS-00103 ", + "gid": "V-238353 ", + "rid": "SV-238353r654234_rule ", + "stig_id": "UBTU-20-010432 ", + "fix_id": "F-41522r654233_fix ", + "cci": [ + "CCI-001665" + ], + "nist": [ + "SC-24" + ] + }, + "code": "control 'SV-238353' do\n title 'The Ubuntu operating system must be configured to preserve log records from failure events. '\n desc \"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes. \"\n desc 'check', \"Verify the log service is configured to collect system failure events.\n\nCheck that the log\nservice is installed properly with the following command:\n\n$ dpkg -l | grep rsyslog\n\nii\nrsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon\n\nIf the \\\"rsyslog\\\"\npackage is not installed, this is a finding.\n\nCheck that the log service is enabled with the\nfollowing command:\n\n$ systemctl is-enabled rsyslog\n\nenabled\n\nIf the command above\nreturns \\\"disabled\\\", this is a finding.\n\nCheck that the log service is properly running and\nactive on the system with the following command:\n\n$ systemctl is-active rsyslog\n\nactive\n\n\nIf the command above returns \\\"inactive\\\", this is a finding. \"\n desc 'fix', \"Configure the log service to collect failure events.\n\nInstall the log service (if the log\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nrsyslog\n\nEnable the log service with the following command:\n\n$ sudo systemctl enable --now\nrsyslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000269-GPOS-00103 '\n tag gid: 'V-238353 '\n tag rid: 'SV-238353r654234_rule '\n tag stig_id: 'UBTU-20-010432 '\n tag fix_id: 'F-41522r654233_fix '\n tag cci: ['CCI-001665']\n tag nist: ['SC-24']\n\n describe service('rsyslog') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238353.rb", + "line": 1 + }, + "id": "SV-238353" + }, + { + "title": "The Ubuntu operating system library files must be group-owned by root or a system account. ", + "desc": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "descriptions": { + "default": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "check": "Verify the system-wide library files contained in the directories \"/lib\", \"/lib64\", and\n\"/usr/lib\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \"%n %G\" '{}' \\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding.", + "fix": "Configure the system library files to be protected from unauthorized access. Run the\nfollowing command, replacing \"[FILE]\" with any system command file not group-owned by\n\"root\" or a required system account:\n\n$ sudo chgrp root [FILE]" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000259-GPOS-00100 ", + "gid": "V-238351 ", + "rid": "SV-238351r832962_rule ", + "stig_id": "UBTU-20-010430 ", + "fix_id": "F-41520r832961_fix ", + "cci": [ + "CCI-001499" + ], + "nist": [ + "CM-5 (6)" + ] + }, + "code": "control 'SV-238351' do\n title 'The Ubuntu operating system library files must be group-owned by root or a system account. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\", and\n\\\"/usr/lib\\\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command, replacing \\\"[FILE]\\\" with any system command file not group-owned by\n\\\"root\\\" or a required system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238351 '\n tag rid: 'SV-238351r832962_rule '\n tag stig_id: 'UBTU-20-010430 '\n tag fix_id: 'F-41520r832961_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT group-owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238351.rb", + "line": 1 + }, + "id": "SV-238351" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"setfacl\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"setfacl\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238283 ", + "rid": "SV-238283r654024_rule ", + "stig_id": "UBTU-20-010167 ", + "fix_id": "F-41452r654023_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238283' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setfacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setfacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238283 '\n tag rid: 'SV-238283r654024_rule '\n tag stig_id: 'UBTU-20-010167 '\n tag fix_id: 'F-41452r654023_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/setfacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238283.rb", + "line": 1 + }, + "id": "SV-238283" + }, + { + "title": "The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. ", + "desc": "Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management).", + "descriptions": { + "default": "Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management).", + "check": "Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\"libpam-pkcs11\" package is not installed, this is a finding.", + "fix": "Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \"libpam-pkcs11\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000375-GPOS-00160 ", + "gid": "V-238230 ", + "rid": "SV-238230r853410_rule ", + "stig_id": "UBTU-20-010063 ", + "fix_id": "F-41399r653864_fix ", + "cci": [ + "CCI-001948" + ], + "nist": [ + "IA-2 (11)" + ] + }, + "code": "control 'SV-238230' do\n title \"The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. \"\n desc \"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management). \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \\\"libpam-pkcs11\\\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000375-GPOS-00160 '\n tag gid: 'V-238230 '\n tag rid: 'SV-238230r853410_rule '\n tag stig_id: 'UBTU-20-010063 '\n tag fix_id: 'F-41399r653864_fix '\n tag cci: ['CCI-001948']\n tag nist: ['IA-2 (11)']\n\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238230.rb", + "line": 1 + }, + "id": "SV-238230" + }, + { + "title": "The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. ", + "desc": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", + "descriptions": { + "default": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", + "check": "Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above.", + "fix": "Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000004-GPOS-00004 ", + "satisfies": [ + "SRG-OS-000004-GPOS-00004", + "SRG-OS-000239-GPOS-00089", + "SRG-OS-000240-GPOS-00090", + "SRG-OS-000241-GPOS-00091", + "SRG-OS-000303-GPOS-00120", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000476-GPOS-00221" + ], + "gid": "V-238239 ", + "rid": "SV-238239r853417_rule ", + "stig_id": "UBTU-20-010101 ", + "fix_id": "F-41408r653891_fix ", + "cci": [ + "CCI-000018", + "CCI-000172", + "CCI-001403", + "CCI-001404", + "CCI-001405", + "CCI-002130" + ], + "nist": [ + "AC-2 (4)", + "AU-12 c" + ] + }, + "code": "control 'SV-238239' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238239 '\n tag rid: 'SV-238239r853417_rule '\n tag stig_id: 'UBTU-20-010101 '\n tag fix_id: 'F-41408r653891_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n @audit_file = '/etc/group'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238239.rb", + "line": 1 + }, + "id": "SV-238239" + }, + { + "title": "The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. ", + "desc": "Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.", + "descriptions": { + "default": "Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.", + "check": "Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \"ENCRYPT_METHOD\" does not equal SHA512 or\ngreater, this is a finding.", + "fix": "Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \"/etc/login.defs\" file and set \"ENCRYPT_METHOD\" to SHA512:\n\n\nENCRYPT_METHOD SHA512" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000120-GPOS-00061 ", + "gid": "V-238325 ", + "rid": "SV-238325r654150_rule ", + "stig_id": "UBTU-20-010404 ", + "fix_id": "F-41494r654149_fix ", + "cci": [ + "CCI-000803" + ], + "nist": [ + "IA-7" + ] + }, + "code": "control 'SV-238325' do\n title \"The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. \"\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \\\"ENCRYPT_METHOD\\\" does not equal SHA512 or\ngreater, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \\\"/etc/login.defs\\\" file and set \\\"ENCRYPT_METHOD\\\" to SHA512:\n\n\nENCRYPT_METHOD SHA512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000120-GPOS-00061 '\n tag gid: 'V-238325 '\n tag rid: 'SV-238325r654150_rule '\n tag stig_id: 'UBTU-20-010404 '\n tag fix_id: 'F-41494r654149_fix '\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n\n describe login_defs do\n its('ENCRYPT_METHOD') { should eq 'SHA512' }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238325.rb", + "line": 1 + }, + "id": "SV-238325" + }, + { + "title": "The Ubuntu operating system must have an application firewall enabled. ", + "desc": "Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network.", + "descriptions": { + "default": "Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network.", + "check": "Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl status ufw.service | grep -i \"active:\"\n\nActive: active (exited) since Mon\n2016-10-17 12:30:29 CDT; 1s ago\n\nIf the above command returns the status as \"inactive\", this\nis a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator\nif another application firewall is installed. If no application firewall is installed, this\nis a finding.", + "fix": "Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\nufw.service\n\nIf the Uncomplicated Firewall is not currently running on the system, start it\nwith the following command:\n\n$ sudo systemctl start ufw.service" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000480-GPOS-00232 ", + "gid": "V-238374 ", + "rid": "SV-238374r654297_rule ", + "stig_id": "UBTU-20-010454 ", + "fix_id": "F-41543r654296_fix ", + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b" + ] + }, + "code": "control 'SV-238374' do\n title 'The Ubuntu operating system must have an application firewall enabled. '\n desc \"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network. \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl status ufw.service | grep -i \\\"active:\\\"\n\nActive: active (exited) since Mon\n2016-10-17 12:30:29 CDT; 1s ago\n\nIf the above command returns the status as \\\"inactive\\\", this\nis a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator\nif another application firewall is installed. If no application firewall is installed, this\nis a finding. \"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\nufw.service\n\nIf the Uncomplicated Firewall is not currently running on the system, start it\nwith the following command:\n\n$ sudo systemctl start ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00232 '\n tag gid: 'V-238374 '\n tag rid: 'SV-238374r654297_rule '\n tag stig_id: 'UBTU-20-010454 '\n tag fix_id: 'F-41543r654296_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238374.rb", + "line": 1 + }, + "id": "SV-238374" + }, + { + "title": "The Ubuntu operating system must, for networked systems, compare internal information\nsystem clocks at least every 24 hours with a server which is synchronized to one of the\nredundant United States Naval Observatory (USNO) time servers, or a time server designated\nfor the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System\n(GPS). ", + "desc": "Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints).", + "descriptions": { + "default": "Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints).", + "check": "If the system is not networked, this requirement is Not Applicable.\n\nThe system clock must be\nconfigured to compare the system clock at least every 24 hours to the authoritative time\nsource.\n\nCheck the value of \"maxpoll\" in the \"/etc/chrony/chrony.conf\" file with the\nfollowing command:\n\n$ sudo grep maxpoll /etc/chrony/chrony.conf\nserver\ntick.usno.navy.mil iburst maxpoll 16\n\nIf the \"maxpoll\" option is set to a number greater\nthan 16 or the line is commented out, this is a finding.\n\nVerify that the \"chrony.conf\" file is\nconfigured to an authoritative DoD time source by running the following command:\n\n$ grep -i\nserver /etc/chrony/chrony.conf\nserver tick.usno.navy.mil iburst maxpoll 16\nserver\ntock.usno.navy.mil iburst maxpoll 16\nserver ntp2.usno.navy.mil iburst maxpoll 16\n\nIf\nthe parameter \"server\" is not set, is not set to an authoritative DoD time source, or is\ncommented out, this is a finding.", + "fix": "If the system is not networked, this requirement is Not Applicable.\n\nTo configure the system\nclock to compare the system clock at least every 24 hours to the authoritative time source,\nedit the \"/etc/chrony/chrony.conf\" file. Add or correct the following lines, by replacing\n\"[source]\" in the following line with an authoritative DoD time source:\n\nserver [source]\niburst maxpoll = 16\n\nIf the \"chrony\" service was running and the value of \"maxpoll\" or\n\"server\" was updated, the service must be restarted using the following command:\n\n$ sudo\nsystemctl restart chrony.service" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000355-GPOS-00143 ", + "gid": "V-238356 ", + "rid": "SV-238356r853431_rule ", + "stig_id": "UBTU-20-010435 ", + "fix_id": "F-41525r808491_fix ", + "cci": [ + "CCI-001891" + ], + "nist": [ + "AU-8 (1) (a)" + ] + }, + "code": "control 'SV-238356' do\n title \"The Ubuntu operating system must, for networked systems, compare internal information\nsystem clocks at least every 24 hours with a server which is synchronized to one of the\nredundant United States Naval Observatory (USNO) time servers, or a time server designated\nfor the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System\n(GPS). \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints). \"\n desc 'check', \"If the system is not networked, this requirement is Not Applicable.\n\nThe system clock must be\nconfigured to compare the system clock at least every 24 hours to the authoritative time\nsource.\n\nCheck the value of \\\"maxpoll\\\" in the \\\"/etc/chrony/chrony.conf\\\" file with the\nfollowing command:\n\n$ sudo grep maxpoll /etc/chrony/chrony.conf\nserver\ntick.usno.navy.mil iburst maxpoll 16\n\nIf the \\\"maxpoll\\\" option is set to a number greater\nthan 16 or the line is commented out, this is a finding.\n\nVerify that the \\\"chrony.conf\\\" file is\nconfigured to an authoritative DoD time source by running the following command:\n\n$ grep -i\nserver /etc/chrony/chrony.conf\nserver tick.usno.navy.mil iburst maxpoll 16\nserver\ntock.usno.navy.mil iburst maxpoll 16\nserver ntp2.usno.navy.mil iburst maxpoll 16\n\nIf\nthe parameter \\\"server\\\" is not set, is not set to an authoritative DoD time source, or is\ncommented out, this is a finding. \"\n desc 'fix', \"If the system is not networked, this requirement is Not Applicable.\n\nTo configure the system\nclock to compare the system clock at least every 24 hours to the authoritative time source,\nedit the \\\"/etc/chrony/chrony.conf\\\" file. Add or correct the following lines, by replacing\n\\\"[source]\\\" in the following line with an authoritative DoD time source:\n\nserver [source]\niburst maxpoll = 16\n\nIf the \\\"chrony\\\" service was running and the value of \\\"maxpoll\\\" or\n\\\"server\\\" was updated, the service must be restarted using the following command:\n\n$ sudo\nsystemctl restart chrony.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000355-GPOS-00143 '\n tag gid: 'V-238356 '\n tag rid: 'SV-238356r853431_rule '\n tag stig_id: 'UBTU-20-010435 '\n tag fix_id: 'F-41525r808491_fix '\n tag cci: ['CCI-001891']\n tag nist: ['AU-8 (1) (a)']\n\n is_system_networked = input('is_system_networked')\n\n if is_system_networked\n\n chrony_conf = input('chrony_config_file')\n chrony_conf_exists = file(chrony_conf).exist?\n\n if chrony_conf_exists\n describe 'time sources' do\n server_entries = command('grep \"^server\" /etc/chrony/chrony.conf').stdout.strip.split(\"\\n\").entries\n\n server_entries.each do |entry|\n describe entry do\n it { should match \"^server\\s+.*\\s+iburst\\s+maxpoll\\s+=\\s+17$\" }\n end\n end\n end\n else\n describe chrony_conf + ' exists' do\n subject { chrony_conf_exists }\n it { should be true }\n end\n end\n else\n describe 'System is not networked' do\n skip 'This control is Not Applicable as the system is not networked'\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238356.rb", + "line": 1 + }, + "id": "SV-238356" + }, + { + "title": "The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by\nadm. ", + "desc": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "descriptions": { + "default": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be\ngroup-owned by adm with the following command:\n\n$ sudo stat -c \"%n %G\" /var/log/syslog\n\n/var/log/syslog adm\n\nIf the \"/var/log/syslog\" file is not group-owned by adm, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to have adm group-own the \"/var/log/syslog\" file by\nrunning the following command:\n\n$ sudo chgrp adm /var/log/syslog" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000206-GPOS-00084 ", + "gid": "V-238341 ", + "rid": "SV-238341r654198_rule ", + "stig_id": "UBTU-20-010420 ", + "fix_id": "F-41510r654197_fix ", + "cci": [ + "CCI-001314" + ], + "nist": [ + "SI-11 b" + ] + }, + "code": "control 'SV-238341' do\n title \"The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by\nadm. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be\ngroup-owned by adm with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log/syslog\n\n/var/log/syslog adm\n\nIf the \\\"/var/log/syslog\\\" file is not group-owned by adm, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have adm group-own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chgrp adm /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238341 '\n tag rid: 'SV-238341r654198_rule '\n tag stig_id: 'UBTU-20-010420 '\n tag fix_id: 'F-41510r654197_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n its('group') { should cmp 'adm' }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238341.rb", + "line": 1 + }, + "id": "SV-238341" + }, + { + "title": "The Ubuntu operating system must generate audit records for the /var/log/btmp file. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/log/btmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above.", + "fix": "Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/log/btmp file\".\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000472-GPOS-00217 ", + "gid": "V-238317 ", + "rid": "SV-238317r654126_rule ", + "stig_id": "UBTU-20-010279 ", + "fix_id": "F-41486r654125_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238317' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/btmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/btmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/btmp file\\\".\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238317 '\n tag rid: 'SV-238317r654126_rule '\n tag stig_id: 'UBTU-20-010279 '\n tag fix_id: 'F-41486r654125_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/var/log/btmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238317.rb", + "line": 1 + }, + "id": "SV-238317" + }, + { + "title": "The Ubuntu operating system must enforce a minimum 15-character password length. ", + "desc": "The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password.", + "descriptions": { + "default": "The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password.", + "check": "Verify the pwquality configuration file enforces a minimum 15-character password length by\nrunning the following command:\n\n$ grep -i minlen\n/etc/security/pwquality.conf\nminlen=15\n\nIf \"minlen\" parameter value is not \"15\" or\nhigher or is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to enforce a minimum 15-character password length.\n\n\nAdd or modify the \"minlen\" parameter value to the \"/etc/security/pwquality.conf\" file:\n\n\nminlen=15" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000078-GPOS-00046 ", + "gid": "V-238225 ", + "rid": "SV-238225r832942_rule ", + "stig_id": "UBTU-20-010054 ", + "fix_id": "F-41394r653849_fix ", + "cci": [ + "CCI-000205" + ], + "nist": [ + "IA-5 (1) (a)" + ] + }, + "code": "control 'SV-238225' do\n title 'The Ubuntu operating system must enforce a minimum 15-character password length. '\n desc \"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password. \"\n desc 'check', \"Verify the pwquality configuration file enforces a minimum 15-character password length by\nrunning the following command:\n\n$ grep -i minlen\n/etc/security/pwquality.conf\nminlen=15\n\nIf \\\"minlen\\\" parameter value is not \\\"15\\\" or\nhigher or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a minimum 15-character password length.\n\n\nAdd or modify the \\\"minlen\\\" parameter value to the \\\"/etc/security/pwquality.conf\\\" file:\n\n\nminlen=15 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000078-GPOS-00046 '\n tag gid: 'V-238225 '\n tag rid: 'SV-238225r832942_rule '\n tag stig_id: 'UBTU-20-010054 '\n tag fix_id: 'F-41394r653849_fix '\n tag cci: ['CCI-000205']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('minlen') { should cmp >= '15' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238225.rb", + "line": 1 + }, + "id": "SV-238225" + }, + { + "title": "The Ubuntu operating system must enforce password complexity by requiring that at least one\nlower-case character be used. ", + "desc": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.", + "descriptions": { + "default": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.", + "check": "Verify the Ubuntu operating system enforces password complexity by requiring that at least\none lower-case character be used.\n\nDetermine if the field \"lcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"lcredit\"\n/etc/security/pwquality.conf\nlcredit=-1\n\nIf the \"lcredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding.", + "fix": "Add or update the \"/etc/security/pwquality.conf\" file to contain the \"lcredit\" parameter:\n\n\nlcredit=-1" + }, + "impact": 0.3, + "refs": [], + "tags": { + "severity": "low ", + "gtitle": "SRG-OS-000070-GPOS-00038 ", + "gid": "V-238222 ", + "rid": "SV-238222r653841_rule ", + "stig_id": "UBTU-20-010051 ", + "fix_id": "F-41391r653840_fix ", + "cci": [ + "CCI-000193" + ], + "nist": [ + "IA-5 (1) (a)" + ] + }, + "code": "control 'SV-238222' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nlower-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none lower-case character be used.\n\nDetermine if the field \\\"lcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"lcredit\\\"\n/etc/security/pwquality.conf\nlcredit=-1\n\nIf the \\\"lcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"lcredit\\\" parameter:\n\n\nlcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000070-GPOS-00038 '\n tag gid: 'V-238222 '\n tag rid: 'SV-238222r653841_rule '\n tag stig_id: 'UBTU-20-010051 '\n tag fix_id: 'F-41391r653840_fix '\n tag cci: ['CCI-000193']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('lcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238222.rb", + "line": 1 + }, + "id": "SV-238222" + }, + { + "title": "The Ubuntu operating system must not have accounts configured with blank or null passwords. ", + "desc": "If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.", + "descriptions": { + "default": "If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.", + "check": "Check the \"/etc/shadow\" file for blank passwords with the following command:\n\n$ sudo awk -F:\n'!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding.", + "fix": "Configure all accounts on the system to have a password or lock the account with the following\ncommands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo\npasswd -l [username]" + }, + "impact": 0.7, + "refs": [], + "tags": { + "severity": "high ", + "gtitle": "SRG-OS-000480-GPOS-00227 ", + "gid": "V-251503 ", + "rid": "SV-251503r808506_rule ", + "stig_id": "UBTU-20-010462 ", + "fix_id": "F-54892r808505_fix ", + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b" + ] + }, + "code": "control 'SV-251503' do\n title 'The Ubuntu operating system must not have accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"Check the \\\"/etc/shadow\\\" file for blank passwords with the following command:\n\n$ sudo awk -F:\n'!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding. \"\n desc 'fix', \"Configure all accounts on the system to have a password or lock the account with the following\ncommands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo\npasswd -l [username] \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251503 '\n tag rid: 'SV-251503r808506_rule '\n tag stig_id: 'UBTU-20-010462 '\n tag fix_id: 'F-54892r808505_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe command(\"sudo awk -F: '!$2 {print $1}' /etc/shadow\") do\n its('stdout') { should be_empty }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-251503.rb", + "line": 1 + }, + "id": "SV-251503" + }, + { + "title": "The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. ", + "desc": "Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"", + "descriptions": { + "default": "Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"", + "check": "Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \"false\", this is a finding.", + "fix": "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.\n\nLook for the\n\"banner-message-enable\" parameter under the \"[org/gnome/login-screen]\" section and\nuncomment it (remove the leading \"#\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000023-GPOS-00006 ", + "gid": "V-238197 ", + "rid": "SV-238197r653766_rule ", + "stig_id": "UBTU-20-010002 ", + "fix_id": "F-41366r653765_fix ", + "cci": [ + "CCI-000048" + ], + "nist": [ + "AC-8 a" + ] + }, + "code": "control 'SV-238197' do\n title \"The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \\\"false\\\", this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nLook for the\n\\\"banner-message-enable\\\" parameter under the \\\"[org/gnome/login-screen]\\\" section and\nuncomment it (remove the leading \\\"#\\\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238197 '\n tag rid: 'SV-238197r653766_rule '\n tag stig_id: 'UBTU-20-010002 '\n tag fix_id: 'F-41366r653765_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe 'banner-message-enable must be set to true' do\n subject { command('grep banner-message-enable /etc/dconf/db/local.d/*') }\n its('stdout') { should match /(banner-message-enable).+=.+(true)/ }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238197.rb", + "line": 1 + }, + "id": "SV-238197" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify that an audit event is generated for any successful/unsuccessful use of the \"sudo\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"sudo\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238277 ", + "rid": "SV-238277r654006_rule ", + "stig_id": "UBTU-20-010161 ", + "fix_id": "F-41446r654005_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238277' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"sudo\\\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudo\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238277 '\n tag rid: 'SV-238277r654006_rule '\n tag stig_id: 'UBTU-20-010161 '\n tag fix_id: 'F-41446r654005_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/sudo'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238277.rb", + "line": 1 + }, + "id": "SV-238277" + }, + { + "title": "The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \"modprobe\" by running the following command:\n\n$ sudo auditctl -l | grep\n\"/sbin/modprobe\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above.", + "fix": "Configure the Ubuntu operating system to audit the execution of the module management\nprogram \"modprobe\".\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000477-GPOS-00222 ", + "gid": "V-238318 ", + "rid": "SV-238318r654129_rule ", + "stig_id": "UBTU-20-010296 ", + "fix_id": "F-41487r654128_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238318' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"modprobe\\\" by running the following command:\n\n$ sudo auditctl -l | grep\n\\\"/sbin/modprobe\\\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"modprobe\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238318 '\n tag rid: 'SV-238318r654129_rule '\n tag stig_id: 'UBTU-20-010296 '\n tag fix_id: 'F-41487r654128_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/sbin/modprobe'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238318.rb", + "line": 1 + }, + "id": "SV-238318" + }, + { + "title": "The Ubuntu operating system library files must be owned by root. ", + "desc": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "descriptions": { + "default": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "check": "Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\",\nand \"/usr/lib\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! -user root -type f -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide library file is\nreturned, this is a finding.", + "fix": "Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\;" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000259-GPOS-00100 ", + "gid": "V-238349 ", + "rid": "SV-238349r654222_rule ", + "stig_id": "UBTU-20-010428 ", + "fix_id": "F-41518r654221_fix ", + "cci": [ + "CCI-001499" + ], + "nist": [ + "CM-5 (6)" + ] + }, + "code": "control 'SV-238349' do\n title 'The Ubuntu operating system library files must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! -user root -type f -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library file is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238349 '\n tag rid: 'SV-238349r654222_rule '\n tag stig_id: 'UBTU-20-010428 '\n tag fix_id: 'F-41518r654221_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238349.rb", + "line": 1 + }, + "id": "SV-238349" + }, + { + "title": "The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy\ndisplay. ", + "desc": "When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display.", + "descriptions": { + "default": "When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display.", + "check": "Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the\nSSH X11UseLocalhost setting with the following command:\n\n$ sudo grep -ir x11uselocalhost\n/etc/ssh/sshd_config*\nX11UseLocalhost yes\n\nIf the \"X11UseLocalhost\" keyword is set to\n\"no\", is missing, or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding.", + "fix": "Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit\nthe \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11UseLocalhost\"\nkeyword and set its value to \"yes\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\n\nX11UseLocalhost yes\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000480-GPOS-00227 ", + "gid": "V-238220 ", + "rid": "SV-238220r858535_rule ", + "stig_id": "UBTU-20-010049 ", + "fix_id": "F-41389r653834_fix ", + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b" + ] + }, + "code": "control 'SV-238220' do\n title \"The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy\ndisplay. \"\n desc \"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display. \"\n desc 'check', \"Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the\nSSH X11UseLocalhost setting with the following command:\n\n$ sudo grep -ir x11uselocalhost\n/etc/ssh/sshd_config*\nX11UseLocalhost yes\n\nIf the \\\"X11UseLocalhost\\\" keyword is set to\n\\\"no\\\", is missing, or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit\nthe \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11UseLocalhost\\\"\nkeyword and set its value to \\\"yes\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\n\nX11UseLocalhost yes\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238220 '\n tag rid: 'SV-238220r858535_rule '\n tag stig_id: 'UBTU-20-010049 '\n tag fix_id: 'F-41389r653834_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('X11UseLocalhost') { should cmp 'yes' }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238220.rb", + "line": 1 + }, + "id": "SV-238220" + }, + { + "title": "The Ubuntu operating system must only allow the use of DoD PKI-established certificate\nauthorities for verification of the establishment of protected sessions. ", + "desc": "Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates.", + "descriptions": { + "default": "Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates.", + "check": "Verify the directory containing the root certificates for the Ubuntu operating system\n(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate\nauthorities.\n\nDetermine if \"/etc/ssl/certs\" only contains certificate files whose\nsha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities\nwith the following command:\n\n$ for f in $(realpath /etc/ssl/certs/*); do openssl x509\n-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)';\ndone\n\nIf any entry is found, this is a finding.", + "fix": "Configure the Ubuntu operating system to only allow the use of DoD PKI-established\ncertificate authorities for verification of the establishment of protected sessions.\n\n\nEdit the \"/etc/ca-certificates.conf\" file, adding the character \"!\" to the beginning of\nall uncommented lines that do not start with the \"!\" character with the following command:\n\n$\nsudo sed -i -E 's/^([^!#]+)/!\\1/' /etc/ca-certificates.conf\n\nAdd at least one DoD\ncertificate authority to the \"/usr/local/share/ca-certificates\" directory in the PEM\nformat.\n\nUpdate the \"/etc/ssl/certs\" directory with the following command:\n\n$ sudo\nupdate-ca-certificates" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000403-GPOS-00182 ", + "gid": "V-238364 ", + "rid": "SV-238364r860824_rule ", + "stig_id": "UBTU-20-010443 ", + "fix_id": "F-41533r860823_fix ", + "cci": [ + "CCI-002470" + ], + "nist": [ + "SC-23 (5)" + ] + }, + "code": "control 'SV-238364' do\n title \"The Ubuntu operating system must only allow the use of DoD PKI-established certificate\nauthorities for verification of the establishment of protected sessions. \"\n desc \"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates. \"\n desc 'check', \"Verify the directory containing the root certificates for the Ubuntu operating system\n(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate\nauthorities.\n\nDetermine if \\\"/etc/ssl/certs\\\" only contains certificate files whose\nsha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities\nwith the following command:\n\n$ for f in $(realpath /etc/ssl/certs/*); do openssl x509\n-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)';\ndone\n\nIf any entry is found, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to only allow the use of DoD PKI-established\ncertificate authorities for verification of the establishment of protected sessions.\n\n\nEdit the \\\"/etc/ca-certificates.conf\\\" file, adding the character \\\"!\\\" to the beginning of\nall uncommented lines that do not start with the \\\"!\\\" character with the following command:\n\n$\nsudo sed -i -E 's/^([^!#]+)/!\\\\1/' /etc/ca-certificates.conf\n\nAdd at least one DoD\ncertificate authority to the \\\"/usr/local/share/ca-certificates\\\" directory in the PEM\nformat.\n\nUpdate the \\\"/etc/ssl/certs\\\" directory with the following command:\n\n$ sudo\nupdate-ca-certificates \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000403-GPOS-00182 '\n tag gid: 'V-238364 '\n tag rid: 'SV-238364r860824_rule '\n tag stig_id: 'UBTU-20-010443 '\n tag fix_id: 'F-41533r860823_fix '\n tag cci: ['CCI-002470']\n tag nist: ['SC-23 (5)']\n\n allowed_ca_fingerprints_regex = input('allowed_ca_fingerprints_regex')\n find_command = ''\"\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '#{allowed_ca_fingerprints_regex}'\n done\n \"''\n describe command(find_command) do\n its('stdout') { should cmp '' }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238364.rb", + "line": 1 + }, + "id": "SV-238364" + }, + { + "title": "The Ubuntu operating system must have system commands group-owned by root or a system\naccount. ", + "desc": "If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "descriptions": { + "default": "If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "check": "Verify the system commands contained in the following directories are group-owned by root or\na required system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nRun the check with the following command:\n\n$ sudo find -L /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec\nstat -c \"%n %G\" '{}' \\;\n\nIf any system commands are returned that are not Set Group ID upon\nexecution (SGID) files and group-owned by a required system account, this is a finding.", + "fix": "Configure the system commands to be protected from unauthorized access. Run the following\ncommand, replacing \"[FILE]\" with any system command file not group-owned by \"root\" or a\nrequired system account:\n\n$ sudo chgrp root [FILE]" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000259-GPOS-00100 ", + "gid": "V-238378 ", + "rid": "SV-238378r832971_rule ", + "stig_id": "UBTU-20-010458 ", + "fix_id": "F-41547r832970_fix ", + "cci": [ + "CCI-001499" + ], + "nist": [ + "CM-5 (6)" + ] + }, + "code": "control 'SV-238378' do\n title \"The Ubuntu operating system must have system commands group-owned by root or a system\naccount. \"\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories are group-owned by root or\na required system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nRun the check with the following command:\n\n$ sudo find -L /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec\nstat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands are returned that are not Set Group ID upon\nexecution (SGID) files and group-owned by a required system account, this is a finding. \"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. Run the following\ncommand, replacing \\\"[FILE]\\\" with any system command file not group-owned by \\\"root\\\" or a\nrequired system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238378 '\n tag rid: 'SV-238378r832971_rule '\n tag stig_id: 'UBTU-20-010458 '\n tag fix_id: 'F-41547r832970_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -perm /2000 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are not Set Group ID up on execution (SGID) files and owned by a privileged account' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238378.rb", + "line": 1 + }, + "id": "SV-238378" + }, + { + "title": "The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. ", + "desc": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.", + "descriptions": { + "default": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.", + "check": "Verify the audit log files are owned by \"root\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \"root\" user by using the following\ncommand:\n\n$ sudo stat -c \"%n %U\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \"root\", this is a finding.", + "fix": "Configure the audit log directory and its underlying files to be owned by \"root\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \"root\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/*" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000057-GPOS-00027 ", + "satisfies": [ + "SRG-OS-000057-GPOS-00027", + "SRG-OS-000058-GPOS-00028", + "SRG-OS-000059-GPOS-00029" + ], + "gid": "V-238246 ", + "rid": "SV-238246r653913_rule ", + "stig_id": "UBTU-20-010123 ", + "fix_id": "F-41415r653912_fix ", + "cci": [ + "CCI-000162" + ], + "nist": [ + "AU-9 a" + ] + }, + "code": "control 'SV-238246' do\n title \"The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the audit log files are owned by \\\"root\\\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \\\"root\\\" user by using the following\ncommand:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \\\"root\\\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238246 '\n tag rid: 'SV-238246r653913_rule '\n tag stig_id: 'UBTU-20-010123 '\n tag fix_id: 'F-41415r653912_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('owner') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238246.rb", + "line": 1 + }, + "id": "SV-238246" + }, + { + "title": "The Ubuntu operating system must not allow unattended or automatic login via SSH. ", + "desc": "Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security.", + "descriptions": { + "default": "Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security.", + "check": "Verify that unattended or automatic login via SSH is disabled with the following command:\n\n$\negrep -r '(Permit(.*?)(Passwords|Environment))'\n/etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf\n\"PermitEmptyPasswords\" or \"PermitUserEnvironment\" keywords are not set to \"no\", are\nmissing completely, or are commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding.", + "fix": "Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or\nautomatic login to the system.\n\nAdd or edit the following lines in the\n\"/etc/ssh/sshd_config\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service" + }, + "impact": 0.7, + "refs": [], + "tags": { + "severity": "high ", + "gtitle": "SRG-OS-000480-GPOS-00229 ", + "gid": "V-238218 ", + "rid": "SV-238218r858531_rule ", + "stig_id": "UBTU-20-010047 ", + "fix_id": "F-41387r653828_fix ", + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b" + ] + }, + "code": "control 'SV-238218' do\n title 'The Ubuntu operating system must not allow unattended or automatic login via SSH. '\n desc \"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security. \"\n desc 'check', \"Verify that unattended or automatic login via SSH is disabled with the following command:\n\n$\negrep -r '(Permit(.*?)(Passwords|Environment))'\n/etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf\n\\\"PermitEmptyPasswords\\\" or \\\"PermitUserEnvironment\\\" keywords are not set to \\\"no\\\", are\nmissing completely, or are commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or\nautomatic login to the system.\n\nAdd or edit the following lines in the\n\\\"/etc/ssh/sshd_config\\\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00229 '\n tag gid: 'V-238218 '\n tag rid: 'SV-238218r858531_rule '\n tag stig_id: 'UBTU-20-010047 '\n tag fix_id: 'F-41387r653828_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('PermitEmptyPasswords') { should cmp 'no' }\n its('PermitUserEnvironment') { should cmp 'no' }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238218.rb", + "line": 1 + }, + "id": "SV-238218" + }, + { + "title": "The Ubuntu operating system must be configured so that the script which runs each 30 days or\nless to check file integrity is the default one. ", + "desc": "Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.", + "descriptions": { + "default": "Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.", + "check": "Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to\ncheck file integrity each 30 days or less is unchanged.\n\nDownload the original aide-common\npackage in the /tmp directory:\n\n$ cd /tmp; apt download aide-common\n\nFetch the SHA1 of the\noriginal script file:\n\n$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO\n./usr/share/aide/config/cron.daily/aide | sha1sum\n\n32958374f18871e3f7dda27a58d721f471843e26 -\n\nCompare with the SHA1 of the file in the\ndaily or monthly cron directory:\n\n$ sha1sum /etc/cron.{daily,monthly}/aide\n2>/dev/null\n32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide\n\nIf\nthere is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the\ndaily or monthly cron directory does not match the SHA1 of the original, this is a finding.", + "fix": "The cron file for AIDE is fairly complex as it creates the report. This file is installed with\nthe \"aide-common\" package, and the default can be restored by copying it from the package:\n\n\nDownload the original package to the /tmp dir:\n\n$ cd /tmp; apt download aide-common\n\n\nExtract the aide script to its original place:\n\n$ dpkg-deb --fsys-tarfile\n/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C /\n\n\nCopy it to the cron.daily directory:\n\n$ sudo cp -f\n/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000446-GPOS-00200 ", + "gid": "V-238236 ", + "rid": "SV-238236r853415_rule ", + "stig_id": "UBTU-20-010074 ", + "fix_id": "F-41405r653882_fix ", + "cci": [ + "CCI-002699" + ], + "nist": [ + "SI-6 b" + ] + }, + "code": "control 'SV-238236' do\n title \"The Ubuntu operating system must be configured so that the script which runs each 30 days or\nless to check file integrity is the default one. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality. \"\n desc 'check', \"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to\ncheck file integrity each 30 days or less is unchanged.\n\nDownload the original aide-common\npackage in the /tmp directory:\n\n$ cd /tmp; apt download aide-common\n\nFetch the SHA1 of the\noriginal script file:\n\n$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO\n./usr/share/aide/config/cron.daily/aide | sha1sum\n\n32958374f18871e3f7dda27a58d721f471843e26 -\n\nCompare with the SHA1 of the file in the\ndaily or monthly cron directory:\n\n$ sha1sum /etc/cron.{daily,monthly}/aide\n2>/dev/null\n32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide\n\nIf\nthere is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the\ndaily or monthly cron directory does not match the SHA1 of the original, this is a finding. \"\n desc 'fix', \"The cron file for AIDE is fairly complex as it creates the report. This file is installed with\nthe \\\"aide-common\\\" package, and the default can be restored by copying it from the package:\n\n\nDownload the original package to the /tmp dir:\n\n$ cd /tmp; apt download aide-common\n\n\nExtract the aide script to its original place:\n\n$ dpkg-deb --fsys-tarfile\n/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C /\n\n\nCopy it to the cron.daily directory:\n\n$ sudo cp -f\n/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000446-GPOS-00200 '\n tag gid: 'V-238236 '\n tag rid: 'SV-238236r853415_rule '\n tag stig_id: 'UBTU-20-010074 '\n tag fix_id: 'F-41405r653882_fix '\n tag cci: ['CCI-002699']\n tag nist: ['SI-6 b']\n\n describe('Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.') do\n skip('manual test')\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238236.rb", + "line": 1 + }, + "id": "SV-238236" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \"chmod\", \"fchmod\" and\n\"fchmodat\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nAdd or update the following rules in\nthe \"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "satisfies": [ + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000462-GPOS-00206" + ], + "gid": "V-238268 ", + "rid": "SV-238268r808480_rule ", + "stig_id": "UBTU-20-010152 ", + "fix_id": "F-41437r808479_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238268' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \\\"chmod\\\", \\\"fchmod\\\" and\n\\\"fchmodat\\\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nAdd or update the following rules in\nthe \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238268 '\n tag rid: 'SV-238268r808480_rule '\n tag stig_id: 'UBTU-20-010152 '\n tag fix_id: 'F-41437r808479_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n # FIX\n\n if os.arch == 'x86_64'\n describe auditd.syscall('chmod').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chmod').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238268.rb", + "line": 1 + }, + "id": "SV-238268" + }, + { + "title": "The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. ", + "desc": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.", + "descriptions": { + "default": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.", + "check": "Verify that the audit log files have a mode of \"0600\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \"0600\" or\nless by using the following command:\n\n$ sudo stat -c \"%n %a\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\"0600\", this is a finding.", + "fix": "Configure the audit log files to have a mode of \"0600\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \"0600\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/*" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000057-GPOS-00027 ", + "satisfies": [ + "SRG-OS-000057-GPOS-00027", + "SRG-OS-000058-GPOS-00028" + ], + "gid": "V-238245 ", + "rid": "SV-238245r653910_rule ", + "stig_id": "UBTU-20-010122 ", + "fix_id": "F-41414r653909_fix ", + "cci": [ + "CCI-000162", + "CCI-000163" + ], + "nist": [ + "AU-9 a" + ] + }, + "code": "control 'SV-238245' do\n title \"The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify that the audit log files have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \\\"0600\\\" or\nless by using the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\\\"0600\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log files to have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \\\"0600\\\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028)\n tag gid: 'V-238245 '\n tag rid: 'SV-238245r653910_rule '\n tag stig_id: 'UBTU-20-010122 '\n tag fix_id: 'F-41414r653909_fix '\n tag cci: %w(CCI-000162 CCI-000163)\n tag nist: ['AU-9 a']\n\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n it { should_not be_more_permissive_than('0600') }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238245.rb", + "line": 1 + }, + "id": "SV-238245" + }, + { + "title": "The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. ", + "desc": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem.", + "descriptions": { + "default": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem.", + "check": "Verify the Ubuntu operating system has the \"libpam-pwquality\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \"libpam-pwquality\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \"pwquality\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \"enforcing\" is not \"1\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \"pwquality\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\",\nthis is a finding.", + "fix": "Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n\n\nInstall the \"pam_pwquality\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \"/etc/security/pwquality.conf\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\"/etc/pam.d/common-password\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \"retry\" should be between \"1\" and\n\"3\"." + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000480-GPOS-00225 ", + "gid": "V-238228 ", + "rid": "SV-238228r653859_rule ", + "stig_id": "UBTU-20-010057 ", + "fix_id": "F-41397r653858_fix ", + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b" + ] + }, + "code": "control 'SV-238228' do\n title \"The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \\\"pwquality\\\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem. \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"libpam-pwquality\\\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \\\"libpam-pwquality\\\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \\\"pwquality\\\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \\\"enforcing\\\" is not \\\"1\\\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \\\"pwquality\\\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \\\"retry\\\" is set to \\\"0\\\" or greater than \\\"3\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the operating system to use \\\"pwquality\\\" to enforce password complexity rules.\n\n\nInstall the \\\"pam_pwquality\\\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \\\"/etc/security/pwquality.conf\\\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\\\"/etc/pam.d/common-password\\\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \\\"retry\\\" should be between \\\"1\\\" and\n\\\"3\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238228 '\n tag rid: 'SV-238228r653859_rule '\n tag stig_id: 'UBTU-20-010057 '\n tag fix_id: 'F-41397r653858_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe package('libpam-pwquality') do\n it { should be_installed }\n end\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('enforcing') { should cmp 1 }\n end\n\n describe file('/etc/pam.d/common-password') do\n its('content') { should match '^password\\s+requisite\\s+pam_pwquality.so\\s+retry=3\\s+enforce_for_root$' }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238228.rb", + "line": 1 + }, + "id": "SV-238228" + }, + { + "title": "The Ubuntu operating system must use SSH to protect the confidentiality and integrity of\ntransmitted information. ", + "desc": "Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.", + "descriptions": { + "default": "Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.", + "check": "Verify the SSH package is installed with the following command:\n\n$ sudo dpkg -l | grep openssh\n\nii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access\nto remote machines\nii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server,\nfor secure access from remote machines\nii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64\nsecure shell (SSH) sftp server module, for SFTP access from remote machines\n\nIf the\n\"openssh\" server package is not installed, this is a finding.\n\nVerify the \"sshd.service\" is\nloaded and active with the following command:\n\n$ sudo systemctl status sshd.service | egrep\n-i \"(active|loaded)\"\n Loaded: loaded (/lib/systemd/system/ssh.service; enabled;\nvendor preset: enabled)\n Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1\nweeks 3 days ago\n\nIf \"sshd.service\" is not active or loaded, this is a finding.", + "fix": "Install the \"ssh\" meta-package on the system with the following command:\n\n$ sudo apt install\nssh\n\nEnable the \"ssh\" service to start automatically on reboot with the following command:\n\n\n$ sudo systemctl enable sshd.service\n\nensure the \"ssh\" service is running\n\n$ sudo\nsystemctl start sshd.service" + }, + "impact": 0.7, + "refs": [], + "tags": { + "severity": "high ", + "gtitle": "SRG-OS-000423-GPOS-00187 ", + "satisfies": [ + "SRG-OS-000423-GPOS-00187", + "SRG-OS-000425-GPOS-00189", + "SRG-OS-000426-GPOS-00190" + ], + "gid": "V-238215 ", + "rid": "SV-238215r853406_rule ", + "stig_id": "UBTU-20-010042 ", + "fix_id": "F-41384r653819_fix ", + "cci": [ + "CCI-002418", + "CCI-002420", + "CCI-002422" + ], + "nist": [ + "SC-8", + "SC-8 (2)" + ] + }, + "code": "control 'SV-238215' do\n title \"The Ubuntu operating system must use SSH to protect the confidentiality and integrity of\ntransmitted information. \"\n desc \"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.\n\n \"\n desc 'check', \"Verify the SSH package is installed with the following command:\n\n$ sudo dpkg -l | grep openssh\n\nii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access\nto remote machines\nii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server,\nfor secure access from remote machines\nii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64\nsecure shell (SSH) sftp server module, for SFTP access from remote machines\n\nIf the\n\\\"openssh\\\" server package is not installed, this is a finding.\n\nVerify the \\\"sshd.service\\\" is\nloaded and active with the following command:\n\n$ sudo systemctl status sshd.service | egrep\n-i \\\"(active|loaded)\\\"\n Loaded: loaded (/lib/systemd/system/ssh.service; enabled;\nvendor preset: enabled)\n Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1\nweeks 3 days ago\n\nIf \\\"sshd.service\\\" is not active or loaded, this is a finding. \"\n desc 'fix', \"Install the \\\"ssh\\\" meta-package on the system with the following command:\n\n$ sudo apt install\nssh\n\nEnable the \\\"ssh\\\" service to start automatically on reboot with the following command:\n\n\n$ sudo systemctl enable sshd.service\n\nensure the \\\"ssh\\\" service is running\n\n$ sudo\nsystemctl start sshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000423-GPOS-00187 '\n tag satisfies: %w(SRG-OS-000423-GPOS-00187 SRG-OS-000425-GPOS-00189 SRG-OS-000426-GPOS-00190)\n tag gid: 'V-238215 '\n tag rid: 'SV-238215r853406_rule '\n tag stig_id: 'UBTU-20-010042 '\n tag fix_id: 'F-41384r653819_fix '\n tag cci: %w(CCI-002418 CCI-002420 CCI-002422)\n tag nist: ['SC-8', 'SC-8 (2)']\n\n describe package('openssh-client') do\n it { should be_installed }\n end\n\n describe package('openssh-server') do\n it { should be_installed }\n end\n\n describe package('openssh-sftp-server') do\n it { should be_installed }\n end\n\n describe service('sshd') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238215.rb", + "line": 1 + }, + "id": "SV-238215" + }, + { + "title": "The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \"lastlog\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"lastlog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "satisfies": [ + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000470-GPOS-00214", + "SRG-OS-000473-GPOS-00218" + ], + "gid": "V-238287 ", + "rid": "SV-238287r654036_rule ", + "stig_id": "UBTU-20-010171 ", + "fix_id": "F-41456r654035_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238287' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238287 '\n tag rid: 'SV-238287r654036_rule '\n tag stig_id: 'UBTU-20-010171 '\n tag fix_id: 'F-41456r654035_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/var/log/lastlog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238287.rb", + "line": 1 + }, + "id": "SV-238287" + }, + { + "title": "The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. ", + "desc": "Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference.", + "descriptions": { + "default": "Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference.", + "check": "Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \"makestep\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \"1 -1\", this is a finding.", + "fix": "Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\"/etc/chrony/chrony.conf\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service" + }, + "impact": 0.3, + "refs": [], + "tags": { + "severity": "low ", + "gtitle": "SRG-OS-000356-GPOS-00144 ", + "gid": "V-238357 ", + "rid": "SV-238357r853432_rule ", + "stig_id": "UBTU-20-010436 ", + "fix_id": "F-41526r654245_fix ", + "cci": [ + "CCI-002046" + ], + "nist": [ + "AU-8 (1) (b)" + ] + }, + "code": "control 'SV-238357' do\n title \"The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference. \"\n desc 'check', \"Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \\\"makestep\\\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \\\"1 -1\\\", this is a finding. \"\n desc 'fix', \"Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\\\"/etc/chrony/chrony.conf\\\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000356-GPOS-00144 '\n tag gid: 'V-238357 '\n tag rid: 'SV-238357r853432_rule '\n tag stig_id: 'UBTU-20-010436 '\n tag fix_id: 'F-41526r654245_fix '\n tag cci: ['CCI-002046']\n tag nist: ['AU-8 (1) (b)']\n\n chrony_file_path = input('chrony_config_file')\n chrony_file = file(chrony_file_path)\n\n if chrony_file.exist?\n describe chrony_file do\n subject { chrony_file }\n its('content') { should match /^makestep 1 -1/ }\n end\n else\n describe(chrony_file_path + ' exists') do\n subject { chrony_file.exist? }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238357.rb", + "line": 1 + }, + "id": "SV-238357" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify that an audit event is generated for any successful/unsuccessful use of the \"chage\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"chage\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238291 ", + "rid": "SV-238291r654048_rule ", + "stig_id": "UBTU-20-010175 ", + "fix_id": "F-41460r654047_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238291' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"chage\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chage\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238291 '\n tag rid: 'SV-238291r654048_rule '\n tag stig_id: 'UBTU-20-010175 '\n tag fix_id: 'F-41460r654047_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/chage'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238291.rb", + "line": 1 + }, + "id": "SV-238291" + }, + { + "title": "The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. ", + "desc": "Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access.", + "descriptions": { + "default": "Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access.", + "check": "Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \"umask\" /etc/login.defs\n\nUMASK 077\n\nIf the \"UMASK\"\nvariable is set to \"000\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\"UMASK\" is not set to \"077\", is commented out, or is missing completely, this is a finding.", + "fix": "Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \"UMASK\" parameter in the\n\"/etc/login.defs\" file to match the example below:\n\nUMASK 077" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000480-GPOS-00228 ", + "gid": "V-238209 ", + "rid": "SV-238209r653802_rule ", + "stig_id": "UBTU-20-010016 ", + "fix_id": "F-41378r653801_fix ", + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b" + ] + }, + "code": "control 'SV-238209' do\n title \"The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. \"\n desc \"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access. \"\n desc 'check', \"Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \\\"umask\\\" /etc/login.defs\n\nUMASK 077\n\nIf the \\\"UMASK\\\"\nvariable is set to \\\"000\\\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\\\"UMASK\\\" is not set to \\\"077\\\", is commented out, or is missing completely, this is a finding. \"\n desc 'fix', \"Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \\\"UMASK\\\" parameter in the\n\\\"/etc/login.defs\\\" file to match the example below:\n\nUMASK 077 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00228 '\n tag gid: 'V-238209 '\n tag rid: 'SV-238209r653802_rule '\n tag stig_id: 'UBTU-20-010016 '\n tag fix_id: 'F-41378r653801_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe login_defs do\n its('UMASK') { should eq '077' }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238209.rb", + "line": 1 + }, + "id": "SV-238209" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \"umount\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"umount\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238255 ", + "rid": "SV-238255r653940_rule ", + "stig_id": "UBTU-20-010139 ", + "fix_id": "F-41424r653939_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238255' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \\\"umount\\\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"umount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238255 '\n tag rid: 'SV-238255r653940_rule '\n tag stig_id: 'UBTU-20-010139 '\n tag fix_id: 'F-41424r653939_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/umount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238255.rb", + "line": 1 + }, + "id": "SV-238255" + }, + { + "title": "The Ubuntu operating system must automatically terminate a user session after inactivity\ntimeouts have expired. ", + "desc": "Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance.", + "descriptions": { + "default": "Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance.", + "check": "Verify the operating system automatically terminates a user session after inactivity\ntimeouts have expired.\n\nCheck that \"TMOUT\" environment variable is set in the\n\"/etc/bash.bashrc\" file or in any file inside the \"/etc/profile.d/\" directory by\nperforming the following command:\n\n$ grep -E \"\\bTMOUT=[0-9]+\" /etc/bash.bashrc\n/etc/profile.d/*\n\nTMOUT=600\n\nIf \"TMOUT\" is not set, or if the value is \"0\" or is commented\nout, this is a finding.", + "fix": "Configure the operating system to automatically terminate a user session after inactivity\ntimeouts have expired or at shutdown.\n\nCreate the file\n\"/etc/profile.d/99-terminal_tmout.sh\" file if it does not exist.\n\nModify or append the\nfollowing line in the \"/etc/profile.d/99-terminal_tmout.sh \" file:\n\nTMOUT=600\n\nThis\nwill set a timeout value of 10 minutes for all future sessions.\n\nTo set the timeout for the\ncurrent sessions, execute the following command over the terminal session:\n\n$ export\nTMOUT=600" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000279-GPOS-00109 ", + "gid": "V-238207 ", + "rid": "SV-238207r853404_rule ", + "stig_id": "UBTU-20-010013 ", + "fix_id": "F-41376r653795_fix ", + "cci": [ + "CCI-002361" + ], + "nist": [ + "AC-12" + ] + }, + "code": "control 'SV-238207' do\n title \"The Ubuntu operating system must automatically terminate a user session after inactivity\ntimeouts have expired. \"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance. \"\n desc 'check', \"Verify the operating system automatically terminates a user session after inactivity\ntimeouts have expired.\n\nCheck that \\\"TMOUT\\\" environment variable is set in the\n\\\"/etc/bash.bashrc\\\" file or in any file inside the \\\"/etc/profile.d/\\\" directory by\nperforming the following command:\n\n$ grep -E \\\"\\\\bTMOUT=[0-9]+\\\" /etc/bash.bashrc\n/etc/profile.d/*\n\nTMOUT=600\n\nIf \\\"TMOUT\\\" is not set, or if the value is \\\"0\\\" or is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the operating system to automatically terminate a user session after inactivity\ntimeouts have expired or at shutdown.\n\nCreate the file\n\\\"/etc/profile.d/99-terminal_tmout.sh\\\" file if it does not exist.\n\nModify or append the\nfollowing line in the \\\"/etc/profile.d/99-terminal_tmout.sh \\\" file:\n\nTMOUT=600\n\nThis\nwill set a timeout value of 10 minutes for all future sessions.\n\nTo set the timeout for the\ncurrent sessions, execute the following command over the terminal session:\n\n$ export\nTMOUT=600 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000279-GPOS-00109 '\n tag gid: 'V-238207 '\n tag rid: 'SV-238207r853404_rule '\n tag stig_id: 'UBTU-20-010013 '\n tag fix_id: 'F-41376r653795_fix '\n tag cci: ['CCI-002361']\n tag nist: ['AC-12']\n\n profile_files = command('find /etc/profile.d/ /etc/bash.bashrc -type f').stdout.strip.split(\"\\n\").entries\n timeout = input('tmout').to_s\n\n describe.one do\n profile_files.each do |pf|\n describe file(pf.strip) do\n its('content') { should match \"^TMOUT=#{timeout}$\" }\n end\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238207.rb", + "line": 1 + }, + "id": "SV-238207" + }, + { + "title": "The Ubuntu operating system must automatically remove or disable emergency accounts after\n72 hours. ", + "desc": "Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts.", + "descriptions": { + "default": "Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts.", + "check": "Verify the Ubuntu operating system expires emergency accounts within 72 hours or less.\n\nFor\nevery emergency account, run the following command to obtain its account expiration\ninformation:\n\n$ sudo chage -l account_name | grep expires\n\nPassword expires : Aug 07, 2019\n\nAccount expires : Aug 07, 2019\n\nVerify each of these accounts has an expiration date set\nwithin 72 hours of account creation.\n\nIf any of these accounts do not expire within 72 hours of\nthat account's creation, this is a finding.", + "fix": "If an emergency account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it. Substitute\n\"account_name\" with the account to be created.\n\n$ sudo chage -E $(date -d \"+3 days\" +%F)\naccount_name" + }, + "impact": 0.3, + "refs": [], + "tags": { + "severity": "low ", + "gtitle": "SRG-OS-000123-GPOS-00064 ", + "gid": "V-238331 ", + "rid": "SV-238331r654168_rule ", + "stig_id": "UBTU-20-010410 ", + "fix_id": "F-41500r654167_fix ", + "cci": [ + "CCI-001682" + ], + "nist": [ + "AC-2 (2)" + ] + }, + "code": "control 'SV-238331' do\n title \"The Ubuntu operating system must automatically remove or disable emergency accounts after\n72 hours. \"\n desc \"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts. \"\n desc 'check', \"Verify the Ubuntu operating system expires emergency accounts within 72 hours or less.\n\nFor\nevery emergency account, run the following command to obtain its account expiration\ninformation:\n\n$ sudo chage -l account_name | grep expires\n\nPassword expires : Aug 07, 2019\n\nAccount expires : Aug 07, 2019\n\nVerify each of these accounts has an expiration date set\nwithin 72 hours of account creation.\n\nIf any of these accounts do not expire within 72 hours of\nthat account's creation, this is a finding. \"\n desc 'fix', \"If an emergency account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it. Substitute\n\\\"account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\" +%F)\naccount_name \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000123-GPOS-00064 '\n tag gid: 'V-238331 '\n tag rid: 'SV-238331r654168_rule '\n tag stig_id: 'UBTU-20-010410 '\n tag fix_id: 'F-41500r654167_fix '\n tag cci: ['CCI-001682']\n tag nist: ['AC-2 (2)']\n\n describe 'Manual verification required' do\n skip 'Manually verify if emergency account must be created\n the system must terminate the account after a 72 hour time period.'\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238331.rb", + "line": 1 + }, + "id": "SV-238331" + }, + { + "title": "The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less\npermissive. ", + "desc": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "descriptions": { + "default": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify that the Ubuntu operating system configures the \"/var/log\" directory with a mode of\n750 or less permissive with the following command:\n\n$ stat -c \"%n %a\" /var/log\n\n/var/log 750\n\n\nIf a value of \"750\" or less permissive is not returned, this is a finding.", + "fix": "Configure the Ubuntu operating system to have permissions of 0750 for the \"/var/log\"\ndirectory by running the following command:\n\n$ sudo chmod 0750 /var/log" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000206-GPOS-00084 ", + "gid": "V-238340 ", + "rid": "SV-238340r654195_rule ", + "stig_id": "UBTU-20-010419 ", + "fix_id": "F-41509r654194_fix ", + "cci": [ + "CCI-001314" + ], + "nist": [ + "SI-11 b" + ] + }, + "code": "control 'SV-238340' do\n title \"The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory with a mode of\n750 or less permissive with the following command:\n\n$ stat -c \\\"%n %a\\\" /var/log\n\n/var/log 750\n\n\nIf a value of \\\"750\\\" or less permissive is not returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0750 for the \\\"/var/log\\\"\ndirectory by running the following command:\n\n$ sudo chmod 0750 /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238340 '\n tag rid: 'SV-238340r654195_rule '\n tag stig_id: 'UBTU-20-010419 '\n tag fix_id: 'F-41509r654194_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n it { should_not be_more_permissive_than('0750') }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238340.rb", + "line": 1 + }, + "id": "SV-238340" + }, + { + "title": "The Ubuntu operating system must configure the audit tools to be group-owned by root. ", + "desc": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.", + "descriptions": { + "default": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.", + "check": "Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \"%n %G\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding.", + "fix": "Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not group-owned by root." + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000256-GPOS-00097 ", + "satisfies": [ + "SRG-OS-000256-GPOS-00097", + "SRG-OS-000257-GPOS-00098" + ], + "gid": "V-238302 ", + "rid": "SV-238302r654081_rule ", + "stig_id": "UBTU-20-010201 ", + "fix_id": "F-41471r654080_fix ", + "cci": [ + "CCI-001493", + "CCI-001494" + ], + "nist": [ + "AU-9 a", + "AU-9" + ] + }, + "code": "control 'SV-238302' do\n title 'The Ubuntu operating system must configure the audit tools to be group-owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \\\"%n %G\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not group-owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238302 '\n tag rid: 'SV-238302r654081_rule '\n tag stig_id: 'UBTU-20-010201 '\n tag fix_id: 'F-41471r654080_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('group') { should cmp 'root' }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238302.rb", + "line": 1 + }, + "id": "SV-238302" + }, + { + "title": "The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \"kmod\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above.", + "fix": "Configure the Ubuntu operating system to audit the execution of the module management\nprogram \"kmod\".\n\nAdd or update the following rule in the \"/etc/audit/rules.d/stig.rules\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000477-GPOS-00222 ", + "gid": "V-238319 ", + "rid": "SV-238319r654132_rule ", + "stig_id": "UBTU-20-010297 ", + "fix_id": "F-41488r654131_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238319' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"kmod\\\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"kmod\\\".\n\nAdd or update the following rule in the \\\"/etc/audit/rules.d/stig.rules\\\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238319 '\n tag rid: 'SV-238319r654132_rule '\n tag stig_id: 'UBTU-20-010297 '\n tag fix_id: 'F-41488r654131_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/bin/kmod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238319.rb", + "line": 1 + }, + "id": "SV-238319" + }, + { + "title": "The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. ", + "desc": "Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis.", + "descriptions": { + "default": "Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis.", + "check": "Verify that \"use_mappers\" is set to \"pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\"use_mappers\" is not found or the list does not contain \"pwent\" this is a finding.", + "fix": "Set \"use_mappers=pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \"/etc/pam_pkcs11/\" directory and an\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify\naccordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"." + }, + "impact": 0.7, + "refs": [], + "tags": { + "severity": "high ", + "gtitle": "SRG-OS-000068-GPOS-00036 ", + "gid": "V-238201 ", + "rid": "SV-238201r832933_rule ", + "stig_id": "UBTU-20-010006 ", + "fix_id": "F-41370r653777_fix ", + "cci": [ + "CCI-000187" + ], + "nist": [ + "IA-5 (2) (a) (2)" + ] + }, + "code": "control 'SV-238201' do\n title \"The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. \"\n desc \"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis. \"\n desc 'check', \"Verify that \\\"use_mappers\\\" is set to \\\"pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\\\"use_mappers\\\" is not found or the list does not contain \\\"pwent\\\" this is a finding. \"\n desc 'fix', \"Set \\\"use_mappers=pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000068-GPOS-00036 '\n tag gid: 'V-238201 '\n tag rid: 'SV-238201r832933_rule '\n tag stig_id: 'UBTU-20-010006 '\n tag fix_id: 'F-41370r653777_fix '\n tag cci: ['CCI-000187']\n tag nist: ['IA-5 (2) (a) (2)']\n\n config_file = '/etc/pam_pkcs11/pam_pkcs11.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('use_mappers') { should cmp 'pwent' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238201.rb", + "line": 1 + }, + "id": "SV-238201" + }, + { + "title": "The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. ", + "desc": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", + "descriptions": { + "default": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", + "check": "Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above.", + "fix": "Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000004-GPOS-00004 ", + "satisfies": [ + "SRG-OS-000004-GPOS-00004", + "SRG-OS-000239-GPOS-00089", + "SRG-OS-000240-GPOS-00090", + "SRG-OS-000241-GPOS-00091", + "SRG-OS-000303-GPOS-00120", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000463-GPOS-00207", + "SRG-OS-000476-GPOS-00221" + ], + "gid": "V-238238 ", + "rid": "SV-238238r853416_rule ", + "stig_id": "UBTU-20-010100 ", + "fix_id": "F-41407r653888_fix ", + "cci": [ + "CCI-000018", + "CCI-000172", + "CCI-001403", + "CCI-001404", + "CCI-001405", + "CCI-002130" + ], + "nist": [ + "AC-2 (4)", + "AU-12 c" + ] + }, + "code": "control 'SV-238238' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000463-GPOS-00207 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238238 '\n tag rid: 'SV-238238r853416_rule '\n tag stig_id: 'UBTU-20-010100 '\n tag fix_id: 'F-41407r653888_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n @audit_file = '/etc/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238238.rb", + "line": 1 + }, + "id": "SV-238238" + }, + { + "title": "Ubuntu operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. ", + "desc": "Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation.", + "descriptions": { + "default": "Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation.", + "check": "If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding.", + "fix": "To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed." + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000185-GPOS-00079 ", + "gid": "V-238335 ", + "rid": "SV-238335r654180_rule ", + "stig_id": "UBTU-20-010414 ", + "fix_id": "F-41504r654179_fix ", + "cci": [ + "CCI-001199" + ], + "nist": [ + "SC-28" + ] + }, + "code": "control 'SV-238335' do\n title \"Ubuntu operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. \"\n desc \"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation. \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000185-GPOS-00079 '\n tag gid: 'V-238335 '\n tag rid: 'SV-238335r654180_rule '\n tag stig_id: 'UBTU-20-010414 '\n tag fix_id: 'F-41504r654179_fix '\n tag cci: ['CCI-001199']\n tag nist: ['SC-28']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238335.rb", + "line": 1 + }, + "id": "SV-238335" + }, + { + "title": "The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. ", + "desc": "Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.", + "descriptions": { + "default": "Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.", + "check": "Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \"1\" is not returned, this is a finding.", + "fix": "Configure the system to run in FIPS mode. Add \"fips=1\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \"Ubuntu\nAdvantage\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS." + }, + "impact": 0.7, + "refs": [], + "tags": { + "severity": "high ", + "gtitle": "SRG-OS-000396-GPOS-00176 ", + "satisfies": [ + "SRG-OS-000396-GPOS-00176", + "SRG-OS-000478-GPOS-00223" + ], + "gid": "V-238363 ", + "rid": "SV-238363r853438_rule ", + "stig_id": "UBTU-20-010442 ", + "fix_id": "F-41532r654263_fix ", + "cci": [ + "CCI-002450" + ], + "nist": [ + "SC-13 b" + ] + }, + "code": "control 'SV-238363' do\n title \"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. \"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.\n\n \"\n desc 'check', \"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \\\"1\\\" is not returned, this is a finding. \"\n desc 'fix', \"Configure the system to run in FIPS mode. Add \\\"fips=1\\\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \\\"Ubuntu\nAdvantage\\\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000396-GPOS-00176 '\n tag satisfies: %w(SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223)\n tag gid: 'V-238363 '\n tag rid: 'SV-238363r853438_rule '\n tag stig_id: 'UBTU-20-010442 '\n tag fix_id: 'F-41532r654263_fix '\n tag cci: ['CCI-002450']\n tag nist: ['SC-13 b']\n\n config_file = input('fips_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe file(config_file) do\n its('content') { should match /\\A1\\Z/ }\n end\n else\n describe('FIPS is enabled') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238363.rb", + "line": 1 + }, + "id": "SV-238363" + }, + { + "title": "The Ubuntu operating system must require the change of at least 8 characters when passwords\nare changed. ", + "desc": "If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters.", + "descriptions": { + "default": "If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters.", + "check": "Verify the Ubuntu operating system requires the change of at least eight characters when\npasswords are changed.\n\nDetermine if the field \"difok\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"difok\"\n/etc/security/pwquality.conf\ndifok=8\n\nIf the \"difok\" parameter is less than \"8\" or is\ncommented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to require the change of at least eight characters when\npasswords are changed.\n\nAdd or update the \"/etc/security/pwquality.conf\" file to include\nthe \"difok=8\" parameter:\n\ndifok=8" + }, + "impact": 0.3, + "refs": [], + "tags": { + "severity": "low ", + "gtitle": "SRG-OS-000072-GPOS-00040 ", + "gid": "V-238224 ", + "rid": "SV-238224r653847_rule ", + "stig_id": "UBTU-20-010053 ", + "fix_id": "F-41393r653846_fix ", + "cci": [ + "CCI-000195" + ], + "nist": [ + "IA-5 (1) (b)" + ] + }, + "code": "control 'SV-238224' do\n title \"The Ubuntu operating system must require the change of at least 8 characters when passwords\nare changed. \"\n desc \"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters. \"\n desc 'check', \"Verify the Ubuntu operating system requires the change of at least eight characters when\npasswords are changed.\n\nDetermine if the field \\\"difok\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"difok\\\"\n/etc/security/pwquality.conf\ndifok=8\n\nIf the \\\"difok\\\" parameter is less than \\\"8\\\" or is\ncommented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to require the change of at least eight characters when\npasswords are changed.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\" file to include\nthe \\\"difok=8\\\" parameter:\n\ndifok=8 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000072-GPOS-00040 '\n tag gid: 'V-238224 '\n tag rid: 'SV-238224r653847_rule '\n tag stig_id: 'UBTU-20-010053 '\n tag fix_id: 'F-41393r653846_fix '\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('difok') { should cmp >= '8' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238224.rb", + "line": 1 + }, + "id": "SV-238224" + }, + { + "title": "The Ubuntu operating system must enforce password complexity by requiring that at least one\nspecial character be used. ", + "desc": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *.", + "descriptions": { + "default": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *.", + "check": "Determine if the field \"ocredit\" is set in the \"/etc/security/pwquality.conf\" file with the\nfollowing command:\n\n$ grep -i \"ocredit\" /etc/security/pwquality.conf\nocredit=-1\n\nIf\nthe \"ocredit\" parameter is greater than \"-1\" or is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one special character be used.\n\nAdd or update the following line in the\n\"/etc/security/pwquality.conf\" file to include the \"ocredit=-1\" parameter:\n\n\nocredit=-1" + }, + "impact": 0.3, + "refs": [], + "tags": { + "severity": "low ", + "gtitle": "SRG-OS-000266-GPOS-00101 ", + "gid": "V-238226 ", + "rid": "SV-238226r653853_rule ", + "stig_id": "UBTU-20-010055 ", + "fix_id": "F-41395r653852_fix ", + "cci": [ + "CCI-001619" + ], + "nist": [ + "IA-5 (1) (a)" + ] + }, + "code": "control 'SV-238226' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nspecial character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *. \"\n desc 'check', \"Determine if the field \\\"ocredit\\\" is set in the \\\"/etc/security/pwquality.conf\\\" file with the\nfollowing command:\n\n$ grep -i \\\"ocredit\\\" /etc/security/pwquality.conf\nocredit=-1\n\nIf\nthe \\\"ocredit\\\" parameter is greater than \\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one special character be used.\n\nAdd or update the following line in the\n\\\"/etc/security/pwquality.conf\\\" file to include the \\\"ocredit=-1\\\" parameter:\n\n\nocredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000266-GPOS-00101 '\n tag gid: 'V-238226 '\n tag rid: 'SV-238226r653853_rule '\n tag stig_id: 'UBTU-20-010055 '\n tag fix_id: 'F-41395r653852_fix '\n tag cci: ['CCI-001619']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ocredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238226.rb", + "line": 1 + }, + "id": "SV-238226" + }, + { + "title": "The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. ", + "desc": "Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"", + "descriptions": { + "default": "Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"", + "check": "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding.", + "fix": "Set the parameter Banner in \"/etc/ssh/sshd_config\" to point to the \"/etc/issue.net\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000228-GPOS-00088 ", + "satisfies": [ + "SRG-OS-000228-GPOS-00088", + "SRG-OS-000023-GPOS-00006" + ], + "gid": "V-238214 ", + "rid": "SV-238214r858525_rule ", + "stig_id": "UBTU-20-010038 ", + "fix_id": "F-41383r653816_fix ", + "cci": [ + "CCI-000048", + "CCI-001384", + "CCI-001385", + "CCI-001386", + "CCI-001387", + "CCI-001388" + ], + "nist": [ + "AC-8 a", + "AC-8 c 1", + "AC-8 c 2", + "AC-8 c 3" + ] + }, + "code": "control 'SV-238214' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. \"\n desc \"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\"\n\n \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\\\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Set the parameter Banner in \\\"/etc/ssh/sshd_config\\\" to point to the \\\"/etc/issue.net\\\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000228-GPOS-00088 '\n tag satisfies: %w(SRG-OS-000228-GPOS-00088 SRG-OS-000023-GPOS-00006)\n tag gid: 'V-238214 '\n tag rid: 'SV-238214r858525_rule '\n tag stig_id: 'UBTU-20-010038 '\n tag fix_id: 'F-41383r653816_fix '\n tag cci: %w(CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388)\n tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3']\n\n banner_text = input('banner_text')\n banner_files = [sshd_config.banner].flatten\n\n banner_files.each do |banner_file|\n if banner_file.nil?\n describe 'The SSHD Banner is not set' do\n subject { banner_file.nil? }\n it { should be false }\n end\n end\n if !banner_file.nil? && !banner_file.match(/none/i).nil?\n describe 'The SSHD Banner is disabled' do\n subject { banner_file.match(/none/i).nil? }\n it { should be true }\n end\n end\n if !banner_file.nil? && banner_file.match(/none/i).nil? && !file(banner_file).exist?\n describe 'The SSHD Banner is set, but, the file does not exist' do\n subject { file(banner_file).exist? }\n it { should be true }\n end\n end\n next unless !banner_file.nil? && banner_file.match(/none/i).nil? && file(banner_file).exist?\n\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n subject { file(banner_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238214.rb", + "line": 1 + }, + "id": "SV-238214" + }, + { + "title": "The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. ", + "desc": "Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.", + "descriptions": { + "default": "Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.", + "check": "Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files have a mode of \"0640\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\"/etc/audit/audit.rule\",\"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nhave a mode more permissive than \"0640\", this is a finding.", + "fix": "Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files to have a mode of \"0640\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000063-GPOS-00032 ", + "gid": "V-238249 ", + "rid": "SV-238249r653922_rule ", + "stig_id": "UBTU-20-010133 ", + "fix_id": "F-41418r653921_fix ", + "cci": [ + "CCI-000171" + ], + "nist": [ + "AU-12 b" + ] + }, + "code": "control 'SV-238249' do\n title \"The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files have a mode of \\\"0640\\\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\\\"/etc/audit/audit.rule\\\",\\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nhave a mode more permissive than \\\"0640\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to have a mode of \\\"0640\\\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238249 '\n tag rid: 'SV-238249r653922_rule '\n tag stig_id: 'UBTU-20-010133 '\n tag fix_id: 'F-41418r653921_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n it { should_not be_more_permissive_than('0640') }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238249.rb", + "line": 1 + }, + "id": "SV-238249" + }, + { + "title": "The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. ", + "desc": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", + "descriptions": { + "default": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", + "check": "Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above.", + "fix": "Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000004-GPOS-00004 ", + "satisfies": [ + "SRG-OS-000004-GPOS-00004", + "SRG-OS-000239-GPOS-00089", + "SRG-OS-000240-GPOS-00090", + "SRG-OS-000241-GPOS-00091", + "SRG-OS-000303-GPOS-00120", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000476-GPOS-00221" + ], + "gid": "V-238240 ", + "rid": "SV-238240r853418_rule ", + "stig_id": "UBTU-20-010102 ", + "fix_id": "F-41409r653894_fix ", + "cci": [ + "CCI-000018", + "CCI-000172", + "CCI-001403", + "CCI-001404", + "CCI-001405", + "CCI-002130" + ], + "nist": [ + "AC-2 (4)", + "AU-12 c" + ] + }, + "code": "control 'SV-238240' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238240 '\n tag rid: 'SV-238240r853418_rule '\n tag stig_id: 'UBTU-20-010102 '\n tag fix_id: 'F-41409r653894_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n @audit_file = '/etc/shadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238240.rb", + "line": 1 + }, + "id": "SV-238240" + }, + { + "title": "The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. ", + "desc": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", + "descriptions": { + "default": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.", + "check": "Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/security/opasswd\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above.", + "fix": "Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/security/opasswd\".\n\n\nAdd or update the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000004-GPOS-00004 ", + "satisfies": [ + "SRG-OS-000004-GPOS-00004", + "SRG-OS-000239-GPOS-00089", + "SRG-OS-000240-GPOS-00090", + "SRG-OS-000241-GPOS-00091", + "SRG-OS-000303-GPOS-00120", + "SRG-OS-000458-GPOS-00203", + "SRG-OS-000476-GPOS-00221" + ], + "gid": "V-238242 ", + "rid": "SV-238242r853420_rule ", + "stig_id": "UBTU-20-010104 ", + "fix_id": "F-41411r653900_fix ", + "cci": [ + "CCI-000018", + "CCI-000172", + "CCI-001403", + "CCI-001404", + "CCI-001405", + "CCI-002130" + ], + "nist": [ + "AC-2 (4)", + "AU-12 c" + ] + }, + "code": "control 'SV-238242' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nAdd or update the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238242 '\n tag rid: 'SV-238242r853420_rule '\n tag stig_id: 'UBTU-20-010104 '\n tag fix_id: 'F-41411r653900_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n @audit_file = '/etc/security/opasswd'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238242.rb", + "line": 1 + }, + "id": "SV-238242" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify that an audit event is generated for any successful/unsuccessful use of the\n\"pam_timestamp_check\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"pam_timestamp_check\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238294 ", + "rid": "SV-238294r654057_rule ", + "stig_id": "UBTU-20-010178 ", + "fix_id": "F-41463r654056_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238294' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"pam_timestamp_check\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"pam_timestamp_check\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238294 '\n tag rid: 'SV-238294r654057_rule '\n tag stig_id: 'UBTU-20-010178 '\n tag fix_id: 'F-41463r654056_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/sbin/pam_timestamp_check'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238294.rb", + "line": 1 + }, + "id": "SV-238294" + }, + { + "title": "The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. ", + "desc": "In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.", + "descriptions": { + "default": "In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.", + "check": "Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \"execve\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above.", + "fix": "Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000326-GPOS-00126 ", + "satisfies": [ + "SRG-OS-000326-GPOS-00126", + "SRG-OS-000327-GPOS-00127" + ], + "gid": "V-238304 ", + "rid": "SV-238304r853422_rule ", + "stig_id": "UBTU-20-010211 ", + "fix_id": "F-41473r654086_fix ", + "cci": [ + "CCI-002233", + "CCI-002234" + ], + "nist": [ + "AC-6 (8)", + "AC-6 (9)" + ] + }, + "code": "control 'SV-238304' do\n title \"The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. \"\n desc \"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \\\"execve\\\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000326-GPOS-00126 '\n tag satisfies: %w(SRG-OS-000326-GPOS-00126 SRG-OS-000327-GPOS-00127)\n tag gid: 'V-238304 '\n tag rid: 'SV-238304r853422_rule '\n tag stig_id: 'UBTU-20-010211 '\n tag fix_id: 'F-41473r654086_fix '\n tag cci: %w(CCI-002233 CCI-002234)\n tag nist: ['AC-6 (8)', 'AC-6 (9)']\n\n if os.arch == 'x86_64'\n describe auditd.syscall('execve').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('execve').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238304.rb", + "line": 1 + }, + "id": "SV-238304" + }, + { + "title": "The Ubuntu operating system must allow the use of a temporary password for system logons with\nan immediate change to a permanent password. ", + "desc": "Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated.", + "descriptions": { + "default": "Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated.", + "check": "Verify a policy exists that ensures when a user account is created, it is created using a method\nthat forces a user to change their password upon their next login.\n\nIf a policy does not exist,\nthis is a finding.", + "fix": "Create a policy that ensures when a user is created, it is created using a method that forces a\nuser to change their password upon their next login.\n\nBelow are two examples of how to create a\nuser account that requires the user to change their password upon their next login.\n\n$ sudo\nchage -d 0 [UserName]\n\nor\n\n$ sudo passwd -e [UserName]" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000380-GPOS-00165 ", + "gid": "V-238361 ", + "rid": "SV-238361r853436_rule ", + "stig_id": "UBTU-20-010440 ", + "fix_id": "F-41530r654257_fix ", + "cci": [ + "CCI-002041" + ], + "nist": [ + "IA-5 (1) (f)" + ] + }, + "code": "control 'SV-238361' do\n title \"The Ubuntu operating system must allow the use of a temporary password for system logons with\nan immediate change to a permanent password. \"\n desc \"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated. \"\n desc 'check', \"Verify a policy exists that ensures when a user account is created, it is created using a method\nthat forces a user to change their password upon their next login.\n\nIf a policy does not exist,\nthis is a finding. \"\n desc 'fix', \"Create a policy that ensures when a user is created, it is created using a method that forces a\nuser to change their password upon their next login.\n\nBelow are two examples of how to create a\nuser account that requires the user to change their password upon their next login.\n\n$ sudo\nchage -d 0 [UserName]\n\nor\n\n$ sudo passwd -e [UserName] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000380-GPOS-00165 '\n tag gid: 'V-238361 '\n tag rid: 'SV-238361r853436_rule '\n tag stig_id: 'UBTU-20-010440 '\n tag fix_id: 'F-41530r654257_fix '\n tag cci: ['CCI-002041']\n tag nist: ['IA-5 (1) (f)']\n\n describe 'Manual verification required' do\n skip 'Manually verify if a policy exists to ensure that a method exists to force temporary\n users to change their password upon next login'\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238361.rb", + "line": 1 + }, + "id": "SV-238361" + }, + { + "title": "The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. ", + "desc": "Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system.", + "descriptions": { + "default": "Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system.", + "check": "Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";\n\nIf the\n\"::Remove-Unused-Dependencies\" and \"::Remove-Unused-Kernel-Packages\" parameters are\nnot set to \"true\" or are missing or commented out, this is a finding.", + "fix": "Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\"/etc/apt/apt.conf.d/50unattended-upgrades\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000437-GPOS-00194 ", + "gid": "V-238370 ", + "rid": "SV-238370r853447_rule ", + "stig_id": "UBTU-20-010449 ", + "fix_id": "F-41539r654284_fix ", + "cci": [ + "CCI-002617" + ], + "nist": [ + "SI-2 (6)" + ] + }, + "code": "control 'SV-238370' do\n title \"The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. \"\n desc \"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system. \"\n desc 'check', \"Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\";\n\nIf the\n\\\"::Remove-Unused-Dependencies\\\" and \\\"::Remove-Unused-Kernel-Packages\\\" parameters are\nnot set to \\\"true\\\" or are missing or commented out, this is a finding. \"\n desc 'fix', \"Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\\\"/etc/apt/apt.conf.d/50unattended-upgrades\\\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000437-GPOS-00194 '\n tag gid: 'V-238370 '\n tag rid: 'SV-238370r853447_rule '\n tag stig_id: 'UBTU-20-010449 '\n tag fix_id: 'F-41539r654284_fix '\n tag cci: ['CCI-002617']\n tag nist: ['SI-2 (6)']\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n describe command('grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades').stdout.strip do\n it { should match /^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/ }\n it { should match /^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/ }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238370.rb", + "line": 1 + }, + "id": "SV-238370" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \"chown\",\n\"fchown\", \"fchownat\", and \"lchown\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nAdd or update the following\nrules in the \"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "satisfies": [ + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000462-GPOS-00206" + ], + "gid": "V-238264 ", + "rid": "SV-238264r808477_rule ", + "stig_id": "UBTU-20-010148 ", + "fix_id": "F-41433r808476_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238264' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \\\"chown\\\",\n\\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nAdd or update the following\nrules in the \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238264 '\n tag rid: 'SV-238264r808477_rule '\n tag stig_id: 'UBTU-20-010148 '\n tag fix_id: 'F-41433r808476_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n # FIX\n\n if os.arch == 'x86_64'\n describe auditd.syscall('chown').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chown').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238264.rb", + "line": 1 + }, + "id": "SV-238264" + }, + { + "title": "The Ubuntu operating system must require users to reauthenticate for privilege escalation\nor when changing roles. ", + "desc": "Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.", + "descriptions": { + "default": "Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.", + "check": "Verify the \"/etc/sudoers\" file has no occurrences of \"NOPASSWD\" or \"!authenticate\" by\nrunning the following command:\n\n$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers\n/etc/sudoers.d/*\n\nIf any occurrences of \"NOPASSWD\" or \"!authenticate\" return from the\ncommand, this is a finding.", + "fix": "Remove any occurrence of \"NOPASSWD\" or \"!authenticate\" found in \"/etc/sudoers\" file or\nfiles in the \"/etc/sudoers.d\" directory." + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000373-GPOS-00156 ", + "satisfies": [ + "SRG-OS-000373-GPOS-00156", + "SRG-OS-000373-GPOS-00157" + ], + "gid": "V-238208 ", + "rid": "SV-238208r853405_rule ", + "stig_id": "UBTU-20-010014 ", + "fix_id": "F-41377r653798_fix ", + "cci": [ + "CCI-002038" + ], + "nist": [ + "IA-11" + ] + }, + "code": "control 'SV-238208' do\n title \"The Ubuntu operating system must require users to reauthenticate for privilege escalation\nor when changing roles. \"\n desc \"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.\n\n \"\n desc 'check', \"Verify the \\\"/etc/sudoers\\\" file has no occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" by\nrunning the following command:\n\n$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers\n/etc/sudoers.d/*\n\nIf any occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" return from the\ncommand, this is a finding. \"\n desc 'fix', \"Remove any occurrence of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" found in \\\"/etc/sudoers\\\" file or\nfiles in the \\\"/etc/sudoers.d\\\" directory. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000373-GPOS-00156 '\n tag satisfies: %w(SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157)\n tag gid: 'V-238208 '\n tag rid: 'SV-238208r853405_rule '\n tag stig_id: 'UBTU-20-010014 '\n tag fix_id: 'F-41377r653798_fix '\n tag cci: ['CCI-002038']\n tag nist: ['IA-11']\n\n describe command(\"egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238208.rb", + "line": 1 + }, + "id": "SV-238208" + }, + { + "title": "The Ubuntu operating system audit event multiplexor must be configured to off-load audit\nlogs onto a different system or storage media from the system being audited. ", + "desc": "Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity.", + "descriptions": { + "default": "Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity.", + "check": "Verify the audit event multiplexor is configured to offload audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that audisp-remote plugin is\ninstalled:\n\n$ sudo dpkg -s audispd-plugins\n\nIf status is \"not installed\", this is a\nfinding.\n\nCheck that the records are being offloaded to a remote server with the following\ncommand:\n\n$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf\n\"active\" is not set to \"yes\", or the line is commented out, this is a finding.\n\nCheck that\naudisp-remote plugin is configured to send audit logs to a different system:\n\n$ sudo grep -i\n^remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 192.168.122.126\n\nIf\nthe \"remote_server\" parameter is not set, is set with a local address, or is set with an invalid\naddress, this is a finding.", + "fix": "Configure the audit event multiplexor to offload audit records to a different system or\nstorage media from the system being audited.\n\nInstall the audisp-remote plugin:\n\n$ sudo\napt-get install audispd-plugins -y\n\nSet the audisp-remote plugin as active by editing the\n\"/etc/audisp/plugins.d/au-remote.conf\" file:\n\n$ sudo sed -i -E\n's/active\\s*=\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf\n\nSet the\naddress of the remote machine by editing the \"/etc/audisp/audisp-remote.conf\" file:\n\n$\nsudo sed -i -E 's/(remote_server\\s*=).*/\\1 <remote addr>/'\n/etc/audisp/audisp-remote.conf\n\nwhere <remote addr> must be substituted by the\naddress of the remote server receiving the audit log.\n\nMake the audit service reload its\nconfiguration files:\n\n$ sudo systemctl restart auditd.service" + }, + "impact": 0.3, + "refs": [], + "tags": { + "severity": "low ", + "gtitle": "SRG-OS-000342-GPOS-00133 ", + "satisfies": [ + "SRG-OS-000342-GPOS-00133", + "SRG-OS-000479-GPOS-00224" + ], + "gid": "V-238306 ", + "rid": "SV-238306r853424_rule ", + "stig_id": "UBTU-20-010216 ", + "fix_id": "F-41475r654092_fix ", + "cci": [ + "CCI-001851" + ], + "nist": [ + "AU-4 (1)" + ] + }, + "code": "control 'SV-238306' do\n title \"The Ubuntu operating system audit event multiplexor must be configured to off-load audit\nlogs onto a different system or storage media from the system being audited. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity.\n\n \"\n desc 'check', \"Verify the audit event multiplexor is configured to offload audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that audisp-remote plugin is\ninstalled:\n\n$ sudo dpkg -s audispd-plugins\n\nIf status is \\\"not installed\\\", this is a\nfinding.\n\nCheck that the records are being offloaded to a remote server with the following\ncommand:\n\n$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf\n\\\"active\\\" is not set to \\\"yes\\\", or the line is commented out, this is a finding.\n\nCheck that\naudisp-remote plugin is configured to send audit logs to a different system:\n\n$ sudo grep -i\n^remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 192.168.122.126\n\nIf\nthe \\\"remote_server\\\" parameter is not set, is set with a local address, or is set with an invalid\naddress, this is a finding. \"\n desc 'fix', \"Configure the audit event multiplexor to offload audit records to a different system or\nstorage media from the system being audited.\n\nInstall the audisp-remote plugin:\n\n$ sudo\napt-get install audispd-plugins -y\n\nSet the audisp-remote plugin as active by editing the\n\\\"/etc/audisp/plugins.d/au-remote.conf\\\" file:\n\n$ sudo sed -i -E\n's/active\\\\s*=\\\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf\n\nSet the\naddress of the remote machine by editing the \\\"/etc/audisp/audisp-remote.conf\\\" file:\n\n$\nsudo sed -i -E 's/(remote_server\\\\s*=).*/\\\\1 <remote addr>/'\n/etc/audisp/audisp-remote.conf\n\nwhere <remote addr> must be substituted by the\naddress of the remote server receiving the audit log.\n\nMake the audit service reload its\nconfiguration files:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000342-GPOS-00133 '\n tag satisfies: %w(SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224)\n tag gid: 'V-238306 '\n tag rid: 'SV-238306r853424_rule '\n tag stig_id: 'UBTU-20-010216 '\n tag fix_id: 'F-41475r654092_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n\n config_file = input('audispremote_config_file')\n config_file_exists = file(config_file).exist?\n audit_sp_remote_server = input('audit_sp_remote_server')\n\n describe package('audispd-plugins') do\n it { should be_installed }\n end\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('active') { should cmp 'yes' }\n its('remote_server') { should cmp audit_sp_remote_server }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238306.rb", + "line": 1 + }, + "id": "SV-238306" + }, + { + "title": "The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. ", + "desc": "If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable.", + "descriptions": { + "default": "If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable.", + "check": "If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\"offline_credentials_expiration\" is not set to a value of \"1\" in \"/etc/sssd/sssd.conf\" or\nin a file with a name ending in .conf in the \"/etc/sssd/conf.d/\" directory, this is a finding.", + "fix": "Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \"/etc/sssd/sssd.conf\" just below the line \"[pam]\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \".conf\" and does not begin with a \".\" in the \"/etc/sssd/conf.d/\"\ndirectory instead of the \"/etc/sssd/sssd.conf\" file." + }, + "impact": 0.3, + "refs": [], + "tags": { + "severity": "low ", + "gtitle": "SRG-OS-000383-GPOS-00166 ", + "gid": "V-238362 ", + "rid": "SV-238362r853437_rule ", + "stig_id": "UBTU-20-010441 ", + "fix_id": "F-41531r654260_fix ", + "cci": [ + "CCI-002007" + ], + "nist": [ + "IA-5 (13)" + ] + }, + "code": "control 'SV-238362' do\n title \"The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. \"\n desc \"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable. \"\n desc 'check', \"If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\\\"offline_credentials_expiration\\\" is not set to a value of \\\"1\\\" in \\\"/etc/sssd/sssd.conf\\\" or\nin a file with a name ending in .conf in the \\\"/etc/sssd/conf.d/\\\" directory, this is a finding. \"\n desc 'fix', \"Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \\\"/etc/sssd/sssd.conf\\\" just below the line \\\"[pam]\\\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \\\".conf\\\" and does not begin with a \\\".\\\" in the \\\"/etc/sssd/conf.d/\\\"\ndirectory instead of the \\\"/etc/sssd/sssd.conf\\\" file. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000383-GPOS-00166 '\n tag gid: 'V-238362 '\n tag rid: 'SV-238362r853437_rule '\n tag stig_id: 'UBTU-20-010441 '\n tag fix_id: 'F-41531r654260_fix '\n tag cci: ['CCI-002007']\n tag nist: ['IA-5 (13)']\n\n config_file = input('sssd_conf_path')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('offline_credentials_expiration') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238362.rb", + "line": 1 + }, + "id": "SV-238362" + }, + { + "title": "The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. ", + "desc": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth.", + "descriptions": { + "default": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth.", + "check": "Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \"action_mail_acct\" keyword is not set to an accounts for security personnel, the\n\"action_mail_acct\" keyword is missing, or the returned line is commented out, this is a\nfinding.", + "fix": "Configure \"auditd\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \"/etc/audit/auditd.conf\" to ensure administrators\nare notified via email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \"administrator_account\" to an account for\nsecurity personnel.\n\nRestart the \"auditd\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000046-GPOS-00022 ", + "gid": "V-238243 ", + "rid": "SV-238243r653904_rule ", + "stig_id": "UBTU-20-010117 ", + "fix_id": "F-41412r653903_fix ", + "cci": [ + "CCI-000139" + ], + "nist": [ + "AU-5 a" + ] + }, + "code": "control 'SV-238243' do\n title \"The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. \"\n desc \"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth. \"\n desc 'check', \"Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \\\"action_mail_acct\\\" keyword is not set to an accounts for security personnel, the\n\\\"action_mail_acct\\\" keyword is missing, or the returned line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure \\\"auditd\\\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \\\"/etc/audit/auditd.conf\\\" to ensure administrators\nare notified via email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \\\"administrator_account\\\" to an account for\nsecurity personnel.\n\nRestart the \\\"auditd\\\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000046-GPOS-00022 '\n tag gid: 'V-238243 '\n tag rid: 'SV-238243r653904_rule '\n tag stig_id: 'UBTU-20-010117 '\n tag fix_id: 'F-41412r653903_fix '\n tag cci: ['CCI-000139']\n tag nist: ['AU-5 a']\n\n action_mail_acct = auditd_conf.action_mail_acct\n security_accounts = input('action_mail_acct')\n\n describe 'System Administrator (SA) and Information System Security Officer (ISSO) are notified in the event of an audit processing failure' do\n subject { security_accounts }\n it { should cmp action_mail_acct }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238243.rb", + "line": 1 + }, + "id": "SV-238243" + }, + { + "title": "The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. ", + "desc": "Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.", + "descriptions": { + "default": "Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.", + "check": "Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nis owned by a group other than \"root\", this is a finding.", + "fix": "Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000063-GPOS-00032 ", + "gid": "V-238251 ", + "rid": "SV-238251r653928_rule ", + "stig_id": "UBTU-20-010135 ", + "fix_id": "F-41420r653927_fix ", + "cci": [ + "CCI-000171" + ], + "nist": [ + "AU-12 b" + ] + }, + "code": "control 'SV-238251' do\n title \"The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a group other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238251 '\n tag rid: 'SV-238251r653928_rule '\n tag stig_id: 'UBTU-20-010135 '\n tag fix_id: 'F-41420r653927_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('group') { should cmp 'root' }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238251.rb", + "line": 1 + }, + "id": "SV-238251" + }, + { + "title": "The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. ", + "desc": "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.", + "descriptions": { + "default": "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.", + "check": "Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to\n\"ocsp_on\", or the line is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \"cert_policy\" lines in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\"." + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000377-GPOS-00162 ", + "gid": "V-238232 ", + "rid": "SV-238232r853412_rule ", + "stig_id": "UBTU-20-010065 ", + "fix_id": "F-41401r653870_fix ", + "cci": [ + "CCI-001954" + ], + "nist": [ + "IA-2 (12)" + ] + }, + "code": "control 'SV-238232' do\n title \"The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. \"\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to\n\\\"ocsp_on\\\", or the line is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \\\"cert_policy\\\" lines in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" to include \\\"ocsp_on\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000377-GPOS-00162 '\n tag gid: 'V-238232 '\n tag rid: 'SV-238232r853412_rule '\n tag stig_id: 'UBTU-20-010065 '\n tag fix_id: 'F-41401r653870_fix '\n tag cci: ['CCI-001954']\n tag nist: ['IA-2 (12)']\n\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'ocsp_on' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238232.rb", + "line": 1 + }, + "id": "SV-238232" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \"delete_module\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"delete_module\" syscall.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "satisfies": [ + "SRG-OS-000477-GPOS-00222" + ], + "gid": "V-238297 ", + "rid": "SV-238297r802387_rule ", + "stig_id": "UBTU-20-010181 ", + "fix_id": "F-41466r654065_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238297' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"delete_module\\\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"delete_module\\\" syscall.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: ['SRG-OS-000477-GPOS-00222']\n tag gid: 'V-238297 '\n tag rid: 'SV-238297r802387_rule '\n tag stig_id: 'UBTU-20-010181 '\n tag fix_id: 'F-41466r654065_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if os.arch == 'x86_64'\n describe auditd.syscall('delete_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('delete_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238297.rb", + "line": 1 + }, + "id": "SV-238297" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", + "check": "Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \"init_module\" and \"finit_module\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"init_module\" and \"finit_module\" syscalls.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "satisfies": [ + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000471-GPOS-00216" + ], + "gid": "V-238295 ", + "rid": "SV-238295r808486_rule ", + "stig_id": "UBTU-20-010179 ", + "fix_id": "F-41464r808485_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238295' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \\\"init_module\\\" and \\\"finit_module\\\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000471-GPOS-00216)\n tag gid: 'V-238295 '\n tag rid: 'SV-238295r808486_rule '\n tag stig_id: 'UBTU-20-010179 '\n tag fix_id: 'F-41464r808485_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if os.arch == 'x86_64'\n describe auditd.syscall('init_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('init_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238295.rb", + "line": 1 + }, + "id": "SV-238295" + }, + { + "title": "The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. ", + "desc": "Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks.", + "descriptions": { + "default": "Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks.", + "check": "Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \"execute disable\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\"dmesg\" does not show \"NX (Execute Disable) protection: active\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \"flags\" does not contain the \"nx\" flag, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to enable NX.\n\nIf \"nx\" is not showing up in\n\"/proc/cpuinfo\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \"enable\"." + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000433-GPOS-00192 ", + "gid": "V-238368 ", + "rid": "SV-238368r853445_rule ", + "stig_id": "UBTU-20-010447 ", + "fix_id": "F-41537r654278_fix ", + "cci": [ + "CCI-002824" + ], + "nist": [ + "SI-16" + ] + }, + "code": "control 'SV-238368' do\n title \"The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \\\"execute disable\\\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\\\"dmesg\\\" does not show \\\"NX (Execute Disable) protection: active\\\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \\\"flags\\\" does not contain the \\\"nx\\\" flag, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enable NX.\n\nIf \\\"nx\\\" is not showing up in\n\\\"/proc/cpuinfo\\\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \\\"enable\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00192 '\n tag gid: 'V-238368 '\n tag rid: 'SV-238368r853445_rule '\n tag stig_id: 'UBTU-20-010447 '\n tag fix_id: 'F-41537r654278_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/,\n }\n describe.one do\n describe command('dmesg | grep NX').stdout.strip do\n it { should match /.+(NX \\(Execute Disable\\) protection: active)/ }\n end\n describe parse_config_file('/proc/cpuinfo', options).flags.split(' ') do\n it { should include 'nx' }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238368.rb", + "line": 1 + }, + "id": "SV-238368" + }, + { + "title": "The Ubuntu operating system must configure the uncomplicated firewall to rate-limit\nimpacted network interfaces. ", + "desc": "Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks.", + "descriptions": { + "default": "Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks.", + "check": "Verify an application firewall is configured to rate limit any connection to the system.\n\n\nCheck all the services listening to the ports with the following command:\n\n$ sudo ss -l46ut\n\n\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128\n[::]:ssh [::]:*\n\nFor each entry, verify that the Uncomplicated Firewall is configured to\nrate limit the service ports with the following command:\n\n$ sudo ufw status\n\nStatus: active\n\n\nTo Action From\n-- ------ ----\n22/tcp LIMIT Anywhere\n22/tcp (v6) LIMIT Anywhere (v6)\n\nIf\nany port with a state of \"LISTEN\" is not marked with the \"LIMIT\" action, this is a finding.", + "fix": "Configure the application firewall to protect against or limit the effects of DoS attacks by\nensuring the Ubuntu operating system is implementing rate-limiting measures on impacted\nnetwork interfaces.\n\nCheck all the services listening to the ports with the following\ncommand:\n\n$ sudo ss -l46ut\n\nNetid State Recv-Q Send-Q Local Address:Port Peer\nAddress:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*\n\nFor each service with a port\nlistening to connections, run the following command, replacing \"[service]\" with the\nservice that needs to be rate limited.\n\n$ sudo ufw limit [service]\n\nRate-limiting can also\nbe done on an interface. An example of adding a rate-limit on the eth0 interface follows:\n\n$\nsudo ufw limit in on eth0" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000420-GPOS-00186 ", + "gid": "V-238367 ", + "rid": "SV-238367r853444_rule ", + "stig_id": "UBTU-20-010446 ", + "fix_id": "F-41536r654275_fix ", + "cci": [ + "CCI-002385" + ], + "nist": [ + "SC-5 a" + ] + }, + "code": "control 'SV-238367' do\n title \"The Ubuntu operating system must configure the uncomplicated firewall to rate-limit\nimpacted network interfaces. \"\n desc \"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks. \"\n desc 'check', \"Verify an application firewall is configured to rate limit any connection to the system.\n\n\nCheck all the services listening to the ports with the following command:\n\n$ sudo ss -l46ut\n\n\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128\n[::]:ssh [::]:*\n\nFor each entry, verify that the Uncomplicated Firewall is configured to\nrate limit the service ports with the following command:\n\n$ sudo ufw status\n\nStatus: active\n\n\nTo Action From\n-- ------ ----\n22/tcp LIMIT Anywhere\n22/tcp (v6) LIMIT Anywhere (v6)\n\nIf\nany port with a state of \\\"LISTEN\\\" is not marked with the \\\"LIMIT\\\" action, this is a finding. \"\n desc 'fix', \"Configure the application firewall to protect against or limit the effects of DoS attacks by\nensuring the Ubuntu operating system is implementing rate-limiting measures on impacted\nnetwork interfaces.\n\nCheck all the services listening to the ports with the following\ncommand:\n\n$ sudo ss -l46ut\n\nNetid State Recv-Q Send-Q Local Address:Port Peer\nAddress:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*\n\nFor each service with a port\nlistening to connections, run the following command, replacing \\\"[service]\\\" with the\nservice that needs to be rate limited.\n\n$ sudo ufw limit [service]\n\nRate-limiting can also\nbe done on an interface. An example of adding a rate-limit on the eth0 interface follows:\n\n$\nsudo ufw limit in on eth0 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000420-GPOS-00186 '\n tag gid: 'V-238367 '\n tag rid: 'SV-238367r853444_rule '\n tag stig_id: 'UBTU-20-010446 '\n tag fix_id: 'F-41536r654275_fix '\n tag cci: ['CCI-002385']\n tag nist: ['SC-5 a']\n\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238367.rb", + "line": 1 + }, + "id": "SV-238367" + }, + { + "title": "The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. ", + "desc": "Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric.", + "descriptions": { + "default": "Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric.", + "check": "Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \"UsePAM\"\nis set to \"yes\" in \"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \"UsePAM\" is not set to \"yes\", this is a finding.\nIf\nconflicting results are returned, this is a finding.", + "fix": "Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000125-GPOS-00065 ", + "gid": "V-238211 ", + "rid": "SV-238211r858519_rule ", + "stig_id": "UBTU-20-010035 ", + "fix_id": "F-41380r653807_fix ", + "cci": [ + "CCI-000877" + ], + "nist": [ + "MA-4 c" + ] + }, + "code": "control 'SV-238211' do\n title \"The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. \"\n desc \"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \\\"UsePAM\\\"\nis set to \\\"yes\\\" in \\\"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \\\"UsePAM\\\" is not set to \\\"yes\\\", this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000125-GPOS-00065 '\n tag gid: 'V-238211 '\n tag rid: 'SV-238211r858519_rule '\n tag stig_id: 'UBTU-20-010035 '\n tag fix_id: 'F-41380r653807_fix '\n tag cci: ['CCI-000877']\n tag nist: ['MA-4 c']\n\n describe sshd_config do\n its('UsePAM') { should cmp 'yes' }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238211.rb", + "line": 1 + }, + "id": "SV-238211" + }, + { + "title": "The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. ", + "desc": "Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement.", + "descriptions": { + "default": "Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement.", + "check": "Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \"use_pkcs11_module\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\"\nand then ensure \"ca\" is enabled in \"cert_policy\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to \"ca\" or the line is commented out,\nthis is a finding.", + "fix": "Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \"use_pkcs11_module\" in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" and ensure \"ca\" is enabled in \"cert_policy\".\n\nAdd or\nupdate the \"cert_policy\" to ensure \"ca\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \"/etc/pam_pkcs11/\" directory and an\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify\naccordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"." + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000066-GPOS-00034 ", + "gid": "V-238229 ", + "rid": "SV-238229r653862_rule ", + "stig_id": "UBTU-20-010060 ", + "fix_id": "F-41398r653861_fix ", + "cci": [ + "CCI-000185" + ], + "nist": [ + "IA-5 (2) (b) (1)" + ] + }, + "code": "control 'SV-238229' do\n title \"The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. \"\n desc \"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement. \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \\\"use_pkcs11_module\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\"\nand then ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to \\\"ca\\\" or the line is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \\\"use_pkcs11_module\\\" in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" and ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\".\n\nAdd or\nupdate the \\\"cert_policy\\\" to ensure \\\"ca\\\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000066-GPOS-00034 '\n tag gid: 'V-238229 '\n tag rid: 'SV-238229r653862_rule '\n tag stig_id: 'UBTU-20-010060 '\n tag fix_id: 'F-41398r653861_fix '\n tag cci: ['CCI-000185']\n tag nist: ['IA-5 (2) (b) (1)']\n\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('use_pkcs11_module') { should_not be_nil }\n its('cert_policy') { should include 'ca' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238229.rb", + "line": 1 + }, + "id": "SV-238229" + }, + { + "title": "The Ubuntu operating system must configure audit tools to be owned by root. ", + "desc": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.", + "descriptions": { + "default": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.", + "check": "Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\"%n %U\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding.", + "fix": "Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not owned by root." + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000256-GPOS-00097 ", + "satisfies": [ + "SRG-OS-000256-GPOS-00097", + "SRG-OS-000257-GPOS-00098" + ], + "gid": "V-238301 ", + "rid": "SV-238301r654078_rule ", + "stig_id": "UBTU-20-010200 ", + "fix_id": "F-41470r654077_fix ", + "cci": [ + "CCI-001493", + "CCI-001494" + ], + "nist": [ + "AU-9 a", + "AU-9" + ] + }, + "code": "control 'SV-238301' do\n title 'The Ubuntu operating system must configure audit tools to be owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\\\"%n %U\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238301 '\n tag rid: 'SV-238301r654078_rule '\n tag stig_id: 'UBTU-20-010200 '\n tag fix_id: 'F-41470r654077_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('owner') { should cmp 'root' }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238301.rb", + "line": 1 + }, + "id": "SV-238301" + }, + { + "title": "The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\",\n\"fremovexattr\", and \"lremovexattr\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \"setxattr\", \"fsetxattr\",\n\"lsetxattr\", \"removexattr\", \"fremovexattr\" and \"lremovexattr\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and\n\"lremovexattr\" system calls.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "satisfies": [ + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000462-GPOS-00206" + ], + "gid": "V-238258 ", + "rid": "SV-238258r808474_rule ", + "stig_id": "UBTU-20-010142 ", + "fix_id": "F-41427r808473_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238258' do\n title \"The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\",\n\\\"fremovexattr\\\", and \\\"lremovexattr\\\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \\\"setxattr\\\", \\\"fsetxattr\\\",\n\\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\" and \\\"lremovexattr\\\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\", and\n\\\"lremovexattr\\\" system calls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238258 '\n tag rid: 'SV-238258r808474_rule '\n tag stig_id: 'UBTU-20-010142 '\n tag fix_id: 'F-41427r808473_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if os.arch == 'x86_64'\n describe auditd.syscall('setxattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('setxattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238258.rb", + "line": 1 + }, + "id": "SV-238258" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chacl\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chacl\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238284 ", + "rid": "SV-238284r654027_rule ", + "stig_id": "UBTU-20-010168 ", + "fix_id": "F-41453r654026_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238284' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238284 '\n tag rid: 'SV-238284r654027_rule '\n tag stig_id: 'UBTU-20-010168 '\n tag fix_id: 'F-41453r654026_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/chacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238284.rb", + "line": 1 + }, + "id": "SV-238284" + }, + { + "title": "The Ubuntu operating system must generate error messages that provide information\nnecessary for corrective actions without revealing information that could be exploited by\nadversaries. ", + "desc": "Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers.", + "descriptions": { + "default": "Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers.", + "check": "Verify the Ubuntu operating system has all system log files under the \"/var/log\" directory\nwith a permission set to 640 or less permissive by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;\n\nIf the command displays any output,\nthis is a finding.", + "fix": "Configure the Ubuntu operating system to set permissions of all log files under the\n\"/var/log\" directory to 640 or more restricted by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec chmod 640 '{}' \\;" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000205-GPOS-00083 ", + "gid": "V-238337 ", + "rid": "SV-238337r654186_rule ", + "stig_id": "UBTU-20-010416 ", + "fix_id": "F-41506r654185_fix ", + "cci": [ + "CCI-001312" + ], + "nist": [ + "SI-11 a" + ] + }, + "code": "control 'SV-238337' do\n title \"The Ubuntu operating system must generate error messages that provide information\nnecessary for corrective actions without revealing information that could be exploited by\nadversaries. \"\n desc \"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers. \"\n desc 'check', \"Verify the Ubuntu operating system has all system log files under the \\\"/var/log\\\" directory\nwith a permission set to 640 or less permissive by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec stat -c \\\"%n %a\\\" {} \\\\;\n\nIf the command displays any output,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to set permissions of all log files under the\n\\\"/var/log\\\" directory to 640 or more restricted by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec chmod 640 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000205-GPOS-00083 '\n tag gid: 'V-238337 '\n tag rid: 'SV-238337r654186_rule '\n tag stig_id: 'UBTU-20-010416 '\n tag fix_id: 'F-41506r654185_fix '\n tag cci: ['CCI-001312']\n tag nist: ['SI-11 a']\n\n log_files = command('find /var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;').stdout.strip.split(\"\\n\").entries\n\n describe 'Number of log files found with a permission NOT set to 640' do\n subject { log_files }\n its('count') { should eq 0 }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238337.rb", + "line": 1 + }, + "id": "SV-238337" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify that an audit event is generated for any successful/unsuccessful use of the \"passwd\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"key\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"passwd\" command.\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238288 ", + "rid": "SV-238288r833012_rule ", + "stig_id": "UBTU-20-010172 ", + "fix_id": "F-41457r832949_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238288' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"passwd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"key\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"passwd\\\" command.\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238288 '\n tag rid: 'SV-238288r833012_rule '\n tag stig_id: 'UBTU-20-010172 '\n tag fix_id: 'F-41457r832949_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238288.rb", + "line": 1 + }, + "id": "SV-238288" + }, + { + "title": "The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction.\nPasswords for new users must have a 60-day maximum password lifetime restriction. ", + "desc": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised.", + "descriptions": { + "default": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised.", + "check": "Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n$ grep -i ^pass_max_days /etc/login.defs\n\nPASS_MAX_DAYS 60\n\nIf the \"PASS_MAX_DAYS\" parameter value is less than \"60\" or is commented\nout, this is a finding.", + "fix": "Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.\n\nAdd\nor modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MAX_DAYS 60" + }, + "impact": 0.3, + "refs": [], + "tags": { + "severity": "low ", + "gtitle": "SRG-OS-000076-GPOS-00044 ", + "gid": "V-238203 ", + "rid": "SV-238203r653784_rule ", + "stig_id": "UBTU-20-010008 ", + "fix_id": "F-41372r653783_fix ", + "cci": [ + "CCI-000199" + ], + "nist": [ + "IA-5 (1) (d)" + ] + }, + "code": "control 'SV-238203' do\n title \"The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction.\nPasswords for new users must have a 60-day maximum password lifetime restriction. \"\n desc \"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n$ grep -i ^pass_max_days /etc/login.defs\n\nPASS_MAX_DAYS 60\n\nIf the \\\"PASS_MAX_DAYS\\\" parameter value is less than \\\"60\\\" or is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.\n\nAdd\nor modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MAX_DAYS 60 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000076-GPOS-00044 '\n tag gid: 'V-238203 '\n tag rid: 'SV-238203r653784_rule '\n tag stig_id: 'UBTU-20-010008 '\n tag fix_id: 'F-41372r653783_fix '\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)']\n\n describe login_defs do\n its('PASS_MAX_DAYS') { should cmp <= 60 }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238203.rb", + "line": 1 + }, + "id": "SV-238203" + }, + { + "title": "The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, diagnostic sessions and other system-level access. ", + "desc": "If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.", + "descriptions": { + "default": "If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.", + "check": "Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above.", + "fix": "Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000392-GPOS-00172 ", + "satisfies": [ + "SRG-OS-000392-GPOS-00172", + "SRG-OS-000471-GPOS-00215" + ], + "gid": "V-238309 ", + "rid": "SV-238309r853427_rule ", + "stig_id": "UBTU-20-010244 ", + "fix_id": "F-41478r654101_fix ", + "cci": [ + "CCI-000172", + "CCI-002884" + ], + "nist": [ + "AU-12 c", + "MA-4 (1) (a)" + ] + }, + "code": "control 'SV-238309' do\n title \"The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, diagnostic sessions and other system-level access. \"\n desc \"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\\\"ping,\\\" \\\"ls,\\\" \\\"ipconfig,\\\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000392-GPOS-00172 '\n tag satisfies: %w(SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215)\n tag gid: 'V-238309 '\n tag rid: 'SV-238309r853427_rule '\n tag stig_id: 'UBTU-20-010244 '\n tag fix_id: 'F-41478r654101_fix '\n tag cci: %w(CCI-000172 CCI-002884)\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n\n @audit_file = '/var/log/sudo.log'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238309.rb", + "line": 1 + }, + "id": "SV-238309" + }, + { + "title": "The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. ", + "desc": "If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion.", + "descriptions": { + "default": "If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion.", + "check": "Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \"space_left\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \"space_left_action\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \"space_left_action\" is set to \"syslog\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\"space_left_action\" is set to \"exec\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \"space_left_action\" is set\nto \"email\", check the value of the \"action_mail_acct\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \"action_mail_acct\" parameter, if missing, defaults to \"root\". If the\n\"action_mail_acct parameter\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available.", + "fix": "Edit \"/etc/audit/auditd.conf\" and set the \"space_left_action\" parameter to \"exec\" or\n\"email\".\n\nIf the \"space_left_action\" parameter is set to \"email\", set the\n\"action_mail_acct\" parameter to an email address for the SA and ISSO.\n\nIf the\n\"space_left_action\" parameter is set to \"exec\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \"/etc/audit/auditd.conf\" and set the \"space_left\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity." + }, + "impact": 0.3, + "refs": [], + "tags": { + "severity": "low ", + "gtitle": "SRG-OS-000343-GPOS-00134 ", + "gid": "V-238307 ", + "rid": "SV-238307r853425_rule ", + "stig_id": "UBTU-20-010217 ", + "fix_id": "F-41476r654095_fix ", + "cci": [ + "CCI-001855" + ], + "nist": [ + "AU-5 (1)" + ] + }, + "code": "control 'SV-238307' do\n title \"The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. \"\n desc \"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion. \"\n desc 'check', \"Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \\\"space_left\\\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \\\"space_left_action\\\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \\\"space_left_action\\\" is set to \\\"syslog\\\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\\\"space_left_action\\\" is set to \\\"exec\\\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \\\"space_left_action\\\" is set\nto \\\"email\\\", check the value of the \\\"action_mail_acct\\\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \\\"action_mail_acct\\\" parameter, if missing, defaults to \\\"root\\\". If the\n\\\"action_mail_acct parameter\\\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available. \"\n desc 'fix', \"Edit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left_action\\\" parameter to \\\"exec\\\" or\n\\\"email\\\".\n\nIf the \\\"space_left_action\\\" parameter is set to \\\"email\\\", set the\n\\\"action_mail_acct\\\" parameter to an email address for the SA and ISSO.\n\nIf the\n\\\"space_left_action\\\" parameter is set to \\\"exec\\\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left\\\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000343-GPOS-00134 '\n tag gid: 'V-238307 '\n tag rid: 'SV-238307r853425_rule '\n tag stig_id: 'UBTU-20-010217 '\n tag fix_id: 'F-41476r654095_fix '\n tag cci: ['CCI-001855']\n tag nist: ['AU-5 (1)']\n\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n email_to_notify = input('action_mail_acct')\n\n partition_threshold_mb = (filesystem(log_file).size_kb / 1024 * 0.25).to_i\n system_alert_configuration_mb = auditd_conf.space_left.to_i\n\n describe 'The space_left configuration' do\n subject { system_alert_configuration_mb }\n it { should >= partition_threshold_mb }\n end\n describe 'The space_left_action configuration' do\n subject { auditd_conf.space_left_action }\n it { should eq 'email' }\n end\n\n describe 'The action_mail_acct configuration' do\n subject { auditd_conf.action_mail_acct }\n it { should eq email_to_notify }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238307.rb", + "line": 1 + }, + "id": "SV-238307" + }, + { + "title": "The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. ", + "desc": "Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity.", + "descriptions": { + "default": "Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity.", + "check": "Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \"INACTIVE\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding.", + "fix": "Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \"0\" will disable the account immediately after the\npassword expires." + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000118-GPOS-00060 ", + "gid": "V-238330 ", + "rid": "SV-238330r654165_rule ", + "stig_id": "UBTU-20-010409 ", + "fix_id": "F-41499r654164_fix ", + "cci": [ + "CCI-000795" + ], + "nist": [ + "IA-4 e" + ] + }, + "code": "control 'SV-238330' do\n title \"The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. \"\n desc \"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity. \"\n desc 'check', \"Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \\\"INACTIVE\\\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \\\"0\\\" will disable the account immediately after the\npassword expires. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000118-GPOS-00060 '\n tag gid: 'V-238330 '\n tag rid: 'SV-238330r654165_rule '\n tag stig_id: 'UBTU-20-010409 '\n tag fix_id: 'F-41499r654164_fix '\n tag cci: ['CCI-000795']\n tag nist: ['IA-4 e']\n\n config_file = input('useradd_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('INACTIVE') { should cmp > '0' }\n its('INACTIVE') { should cmp <= 35 }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238330.rb", + "line": 1 + }, + "id": "SV-238330" + }, + { + "title": "The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. ", + "desc": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot.", + "descriptions": { + "default": "A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot.", + "check": "Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\nCheck that the \"ctrl-alt-del.target\" (otherwise also known\nas reboot.target) is not active with the following command:\n\n$ sudo systemctl status\nctrl-alt-del.target\nctrl-alt-del.target\nLoaded: masked (Reason: Unit\nctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \"ctrl-alt-del.target\"\nis not masked, this is a finding.", + "fix": "Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the\nfollowing commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl\nmask ctrl-alt-del.target\n\nReload the daemon to take effect:\n\n$ sudo systemctl\ndaemon-reload" + }, + "impact": 0.7, + "refs": [], + "tags": { + "severity": "high ", + "gtitle": "SRG-OS-000480-GPOS-00227 ", + "gid": "V-238380 ", + "rid": "SV-238380r832974_rule ", + "stig_id": "UBTU-20-010460 ", + "fix_id": "F-41549r832973_fix ", + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b" + ] + }, + "code": "control 'SV-238380' do\n title 'The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. '\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\nCheck that the \\\"ctrl-alt-del.target\\\" (otherwise also known\nas reboot.target) is not active with the following command:\n\n$ sudo systemctl status\nctrl-alt-del.target\nctrl-alt-del.target\nLoaded: masked (Reason: Unit\nctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \\\"ctrl-alt-del.target\\\"\nis not masked, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the\nfollowing commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl\nmask ctrl-alt-del.target\n\nReload the daemon to take effect:\n\n$ sudo systemctl\ndaemon-reload \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238380 '\n tag rid: 'SV-238380r832974_rule '\n tag stig_id: 'UBTU-20-010460 '\n tag fix_id: 'F-41549r832973_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe service('ctrl-alt-del.target') do\n it { should_not be_running }\n it { should_not be_enabled }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238380.rb", + "line": 1 + }, + "id": "SV-238380" + }, + { + "title": "The Ubuntu operating system must be configured to use AppArmor. ", + "desc": "Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).", + "descriptions": { + "default": "Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).", + "check": "Verify the operating system prevents program execution in accordance with local policies.\n\n\nCheck that AppArmor is installed and active by running the following command,\n\n$ dpkg -l |\ngrep apparmor\n\nIf the \"apparmor\" package is not installed, this is a finding.\n\n$ systemctl\nis-active apparmor.service\n\nactive\n\nIf \"active\" is not returned, this is a finding.\n\n$\nsystemctl is-enabled apparmor.service\n\nenabled\n\nIf \"enabled\" is not returned, this is a\nfinding.", + "fix": "Install \"AppArmor\" (if it is not installed) with the following command:\n\n$ sudo apt-get\ninstall apparmor\n\n$ sudo systemctl enable apparmor.service\n\nStart \"apparmor\" with the\nfollowing command:\n\n$ sudo systemctl start apparmor.service\n\nNote: AppArmor must have\nproperly configured profiles for applications and home directories. All configurations\nwill be based on the actual system setup and organization and normally are on a per role basis.\nSee the AppArmor documentation for more information on configuring profiles." + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000368-GPOS-00154 ", + "satisfies": [ + "SRG-OS-000368-GPOS-00154", + "SRG-OS-000312-GPOS-00122", + "SRG-OS-000312-GPOS-00123", + "SRG-OS-000312-GPOS-00124", + "SRG-OS-000324-GPOS-00125", + "SRG-OS-000370-GPOS-00155" + ], + "gid": "V-238360 ", + "rid": "SV-238360r853435_rule ", + "stig_id": "UBTU-20-010439 ", + "fix_id": "F-41529r654254_fix ", + "cci": [ + "CCI-001764", + "CCI-001774", + "CCI-002165", + "CCI-002235" + ], + "nist": [ + "CM-7 (2)", + "CM-7 (5) (b)", + "AC-3 (4)", + "AC-6 (10)" + ] + }, + "code": "control 'SV-238360' do\n title 'The Ubuntu operating system must be configured to use AppArmor. '\n desc \"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).\n\n \"\n desc 'check', \"Verify the operating system prevents program execution in accordance with local policies.\n\n\nCheck that AppArmor is installed and active by running the following command,\n\n$ dpkg -l |\ngrep apparmor\n\nIf the \\\"apparmor\\\" package is not installed, this is a finding.\n\n$ systemctl\nis-active apparmor.service\n\nactive\n\nIf \\\"active\\\" is not returned, this is a finding.\n\n$\nsystemctl is-enabled apparmor.service\n\nenabled\n\nIf \\\"enabled\\\" is not returned, this is a\nfinding. \"\n desc 'fix', \"Install \\\"AppArmor\\\" (if it is not installed) with the following command:\n\n$ sudo apt-get\ninstall apparmor\n\n$ sudo systemctl enable apparmor.service\n\nStart \\\"apparmor\\\" with the\nfollowing command:\n\n$ sudo systemctl start apparmor.service\n\nNote: AppArmor must have\nproperly configured profiles for applications and home directories. All configurations\nwill be based on the actual system setup and organization and normally are on a per role basis.\nSee the AppArmor documentation for more information on configuring profiles. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000368-GPOS-00154 '\n tag satisfies: %w(SRG-OS-000368-GPOS-00154 SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123 SRG-OS-000312-GPOS-00124 SRG-OS-000324-GPOS-00125 SRG-OS-000370-GPOS-00155)\n tag gid: 'V-238360 '\n tag rid: 'SV-238360r853435_rule '\n tag stig_id: 'UBTU-20-010439 '\n tag fix_id: 'F-41529r654254_fix '\n tag cci: %w(CCI-001764 CCI-001774 CCI-002165 CCI-002235)\n tag nist: ['CM-7 (2)', 'CM-7 (5) (b)', 'AC-3 (4)', 'AC-6 (10)']\n\n describe service('apparmor') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238360.rb", + "line": 1 + }, + "id": "SV-238360" + }, + { + "title": "The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. ", + "desc": "By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.", + "descriptions": { + "default": "By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.", + "check": "Verify that the Ubuntu operating system utilizes the \"pam_faillock\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \"/etc/pam.d/common-auth\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \"silent\" keyword is missing or commented out, this is a finding.\nIf the \"audit\"\nkeyword is missing or commented out, this is a finding.\nIf the \"deny\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \"fail_interval\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\"unlock_time\" keyword is missing, commented out, or not set to 0, this is a finding.", + "fix": "Configure the Ubuntu operating system to utilize the \"pam_faillock\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \"auth\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \"pam_faillock\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0" + }, + "impact": 0.3, + "refs": [], + "tags": { + "severity": "low ", + "gtitle": "SRG-OS-000329-GPOS-00128 ", + "satisfies": [ + "SRG-OS-000329-GPOS-00128", + "SRG-OS-000021-GPOS-00005" + ], + "gid": "V-238235 ", + "rid": "SV-238235r853414_rule ", + "stig_id": "UBTU-20-010072 ", + "fix_id": "F-41404r802382_fix ", + "cci": [ + "CCI-000044", + "CCI-002238" + ], + "nist": [ + "AC-7 a", + "AC-7 b" + ] + }, + "code": "control 'SV-238235' do\n title \"The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. \"\n desc \"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.\n\n \"\n desc 'check', \"Verify that the Ubuntu operating system utilizes the \\\"pam_faillock\\\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \\\"/etc/pam.d/common-auth\\\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \\\"silent\\\" keyword is missing or commented out, this is a finding.\nIf the \\\"audit\\\"\nkeyword is missing or commented out, this is a finding.\nIf the \\\"deny\\\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \\\"fail_interval\\\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\\\"unlock_time\\\" keyword is missing, commented out, or not set to 0, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to utilize the \\\"pam_faillock\\\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \\\"auth\\\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \\\"pam_faillock\\\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000329-GPOS-00128 '\n tag satisfies: %w(SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005)\n tag gid: 'V-238235 '\n tag rid: 'SV-238235r853414_rule '\n tag stig_id: 'UBTU-20-010072 '\n tag fix_id: 'F-41404r802382_fix '\n tag cci: %w(CCI-000044 CCI-002238)\n tag nist: ['AC-7 a', 'AC-7 b']\n\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_tally /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3($|\\s+.*$)/ }\n its('stdout.strip') { should_not match /^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3\\s+.*unlock_time.*$/ }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238235.rb", + "line": 1 + }, + "id": "SV-238235" + }, + { + "title": "The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB)\nmass storage driver. ", + "desc": "Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers.", + "descriptions": { + "default": "Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers.", + "check": "Verify that Ubuntu operating system disables ability to load the USB storage kernel\nmodule.\n\n# grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\"\n\ninstall usb-storage\n/bin/true\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding.\n\nVerify the operating system disables the ability to use USB mass storage\ndevice.\n\n# grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"\n\nblacklist\nusb-storage\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to disable using the USB storage kernel module.\n\n\nCreate a file under \"/etc/modprobe.d\" to contain the following:\n\n# sudo su -c \"echo\ninstall usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\"\n\nConfigure the\noperating system to disable the ability to use USB mass storage devices.\n\n# sudo su -c \"echo\nblacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\"" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000378-GPOS-00163 ", + "gid": "V-251505 ", + "rid": "SV-251505r853450_rule ", + "stig_id": "UBTU-20-010461 ", + "fix_id": "F-54894r808511_fix ", + "cci": [ + "CCI-001958" + ], + "nist": [ + "IA-3" + ] + }, + "code": "control 'SV-251505' do\n title \"The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB)\nmass storage driver. \"\n desc \"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers. \"\n desc 'check', \"Verify that Ubuntu operating system disables ability to load the USB storage kernel\nmodule.\n\n# grep usb-storage /etc/modprobe.d/* | grep \\\"/bin/true\\\"\n\ninstall usb-storage\n/bin/true\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding.\n\nVerify the operating system disables the ability to use USB mass storage\ndevice.\n\n# grep usb-storage /etc/modprobe.d/* | grep -i \\\"blacklist\\\"\n\nblacklist\nusb-storage\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable using the USB storage kernel module.\n\n\nCreate a file under \\\"/etc/modprobe.d\\\" to contain the following:\n\n# sudo su -c \\\"echo\ninstall usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\\\"\n\nConfigure the\noperating system to disable the ability to use USB mass storage devices.\n\n# sudo su -c \\\"echo\nblacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\\\" \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000378-GPOS-00163 '\n tag gid: 'V-251505 '\n tag rid: 'SV-251505r853450_rule '\n tag stig_id: 'UBTU-20-010461 '\n tag fix_id: 'F-54894r808511_fix '\n tag cci: ['CCI-001958']\n tag nist: ['IA-3']\n\n describe command('grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\"') do\n its('stdout') { should_not be_empty }\n end\n\n describe command('grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"') do\n its('stdout') { should_not be_empty }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-251505.rb", + "line": 1 + }, + "id": "SV-251505" + }, + { + "title": "The Ubuntu operating system must initiate session audits at system start-up. ", + "desc": "If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created.", + "descriptions": { + "default": "If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created.", + "check": "Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \"^\\s*linux\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \"audit=1\", this is a finding.", + "fix": "Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\"/etc/default/grub\" file and add \"audit=1\" to the \"GRUB_CMDLINE_LINUX\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000254-GPOS-00095 ", + "gid": "V-238299 ", + "rid": "SV-238299r654072_rule ", + "stig_id": "UBTU-20-010198 ", + "fix_id": "F-41468r654071_fix ", + "cci": [ + "CCI-001464" + ], + "nist": [ + "AU-14 (1)" + ] + }, + "code": "control 'SV-238299' do\n title 'The Ubuntu operating system must initiate session audits at system start-up. '\n desc \"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created. \"\n desc 'check', \"Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \\\"^\\\\s*linux\\\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \\\"audit=1\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\\\"/etc/default/grub\\\" file and add \\\"audit=1\\\" to the \\\"GRUB_CMDLINE_LINUX\\\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000254-GPOS-00095 '\n tag gid: 'V-238299 '\n tag rid: 'SV-238299r654072_rule '\n tag stig_id: 'UBTU-20-010198 '\n tag fix_id: 'F-41468r654071_fix '\n tag cci: ['CCI-001464']\n tag nist: ['AU-14 (1)']\n\n grub_entries = command('grep \"^\\s*linux\" /boot/grub/grub.cfg').stdout.strip.split(\"\\n\").entries\n\n grub_entries.each do |entry|\n describe entry do\n it { should include 'audit=1' }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238299.rb", + "line": 1 + }, + "id": "SV-238299" + }, + { + "title": "The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state\nif system initialization fails, shutdown fails or aborts fail. ", + "desc": "Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition.", + "descriptions": { + "default": "Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition.", + "check": "Verify that kernel core dumps are disabled unless needed.\n\nCheck if \"kdump\" service is\nactive with the following command:\n\n$ systemctl is-active kdump.service\ninactive\n\nIf\nthe \"kdump\" service is active, ask the SA if the use of the service is required and documented\nwith the ISSO.\n\nIf the service is active and is not documented, this is a finding.", + "fix": "If kernel core dumps are not required, disable the \"kdump\" service with the following\ncommand:\n\n$ sudo systemctl disable kdump.service\n\nIf kernel core dumps are required,\ndocument the need with the ISSO." + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000184-GPOS-00078 ", + "gid": "V-238334 ", + "rid": "SV-238334r654177_rule ", + "stig_id": "UBTU-20-010413 ", + "fix_id": "F-41503r654176_fix ", + "cci": [ + "CCI-001190" + ], + "nist": [ + "SC-24" + ] + }, + "code": "control 'SV-238334' do\n title \"The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state\nif system initialization fails, shutdown fails or aborts fail. \"\n desc \"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition. \"\n desc 'check', \"Verify that kernel core dumps are disabled unless needed.\n\nCheck if \\\"kdump\\\" service is\nactive with the following command:\n\n$ systemctl is-active kdump.service\ninactive\n\nIf\nthe \\\"kdump\\\" service is active, ask the SA if the use of the service is required and documented\nwith the ISSO.\n\nIf the service is active and is not documented, this is a finding. \"\n desc 'fix', \"If kernel core dumps are not required, disable the \\\"kdump\\\" service with the following\ncommand:\n\n$ sudo systemctl disable kdump.service\n\nIf kernel core dumps are required,\ndocument the need with the ISSO. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000184-GPOS-00078 '\n tag gid: 'V-238334 '\n tag rid: 'SV-238334r654177_rule '\n tag stig_id: 'UBTU-20-010413 '\n tag fix_id: 'F-41503r654176_fix '\n tag cci: ['CCI-001190']\n tag nist: ['SC-24']\n\n is_kdump_required = input('is_kdump_required')\n if is_kdump_required\n describe service('kdump') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\n else\n describe service('kdump') do\n it { should_not be_enabled }\n it { should_not be_installed }\n it { should_not be_running }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238334.rb", + "line": 1 + }, + "id": "SV-238334" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"mount\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"mount\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238254 ", + "rid": "SV-238254r653937_rule ", + "stig_id": "UBTU-20-010138 ", + "fix_id": "F-41423r653936_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238254' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"mount\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"mount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238254 '\n tag rid: 'SV-238254r653937_rule '\n tag stig_id: 'UBTU-20-010138 '\n tag fix_id: 'F-41423r653936_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/mount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238254.rb", + "line": 1 + }, + "id": "SV-238254" + }, + { + "title": "The Ubuntu operating system must not allow accounts configured with blank or null passwords. ", + "desc": "If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.", + "descriptions": { + "default": "If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.", + "check": "To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding.", + "fix": "If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \"nullok\" option in \"/etc/pam.d/common-password\" to prevent logons with\nempty passwords." + }, + "impact": 0.7, + "refs": [], + "tags": { + "severity": "high ", + "gtitle": "SRG-OS-000480-GPOS-00227 ", + "gid": "V-251504 ", + "rid": "SV-251504r832977_rule ", + "stig_id": "UBTU-20-010463 ", + "fix_id": "F-54893r832976_fix ", + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b" + ] + }, + "code": "control 'SV-251504' do\n title 'The Ubuntu operating system must not allow accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding. \"\n desc 'fix', \"If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \\\"nullok\\\" option in \\\"/etc/pam.d/common-password\\\" to prevent logons with\nempty passwords. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251504 '\n tag rid: 'SV-251504r832977_rule '\n tag stig_id: 'UBTU-20-010463 '\n tag fix_id: 'F-54893r832976_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe command('grep nullok /etc/pam.d/common-password') do\n its('stdout') { should be_empty }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-251504.rb", + "line": 1 + }, + "id": "SV-251504" + }, + { + "title": "The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day minimum password lifetime restriction. ", + "desc": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse.", + "descriptions": { + "default": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse.", + "check": "Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \"PASS_MIN_DAYS\" parameter value is less than\n\"1\" or is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MIN_DAYS 1" + }, + "impact": 0.3, + "refs": [], + "tags": { + "severity": "low ", + "gtitle": "SRG-OS-000075-GPOS-00043 ", + "gid": "V-238202 ", + "rid": "SV-238202r653781_rule ", + "stig_id": "UBTU-20-010007 ", + "fix_id": "F-41371r653780_fix ", + "cci": [ + "CCI-000198" + ], + "nist": [ + "IA-5 (1) (d)" + ] + }, + "code": "control 'SV-238202' do\n title \"The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day minimum password lifetime restriction. \"\n desc \"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \\\"PASS_MIN_DAYS\\\" parameter value is less than\n\\\"1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MIN_DAYS 1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000075-GPOS-00043 '\n tag gid: 'V-238202 '\n tag rid: 'SV-238202r653781_rule '\n tag stig_id: 'UBTU-20-010007 '\n tag fix_id: 'F-41371r653780_fix '\n tag cci: ['CCI-000198']\n tag nist: ['IA-5 (1) (d)']\n\n describe login_defs do\n its('PASS_MIN_DAYS') { should >= '1' }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238202.rb", + "line": 1 + }, + "id": "SV-238202" + }, + { + "title": "The Ubuntu operating system library directories must be group-owned by root. ", + "desc": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "descriptions": { + "default": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "check": "Verify the system-wide library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are\ngroup-owned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group\nroot -type d -exec stat -c \"%n %G\" '{}' \\;\n\nIf any system-wide shared library directory is\nreturned, this is a finding.", + "fix": "Configure the system library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root\n'{}' \\;" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000259-GPOS-00100 ", + "gid": "V-238352 ", + "rid": "SV-238352r654231_rule ", + "stig_id": "UBTU-20-010431 ", + "fix_id": "F-41521r654230_fix ", + "cci": [ + "CCI-001499" + ], + "nist": [ + "CM-5 (6)" + ] + }, + "code": "control 'SV-238352' do\n title 'The Ubuntu operating system library directories must be group-owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\ngroup-owned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group\nroot -type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system-wide shared library directory is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238352 '\n tag rid: 'SV-238352r654231_rule '\n tag stig_id: 'UBTU-20-010431 '\n tag fix_id: 'F-41521r654230_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_directories = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_directories.count > 0\n library_directories.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT group-owned by root' do\n subject { library_directories }\n its('count') { should eq 0 }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238352.rb", + "line": 1 + }, + "id": "SV-238352" + }, + { + "title": "The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \"faillog\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"faillog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "satisfies": [ + "SRG-OS-000064-GPOS-00033", + "SRG-OS-000470-GPOS-00214", + "SRG-OS-000473-GPOS-00218" + ], + "gid": "V-238286 ", + "rid": "SV-238286r654033_rule ", + "stig_id": "UBTU-20-010170 ", + "fix_id": "F-41455r654032_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238286' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238286 '\n tag rid: 'SV-238286r654033_rule '\n tag stig_id: 'UBTU-20-010170 '\n tag fix_id: 'F-41455r654032_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/var/log/faillog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238286.rb", + "line": 1 + }, + "id": "SV-238286" + }, + { + "title": "The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. ", + "desc": "Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.", + "descriptions": { + "default": "Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.", + "check": "Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\"libpam-pkcs11\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \"no\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding.", + "fix": "Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \"pam_pkcs11.so\" in \"/etc/pam.d/common-auth\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\"PubkeyAuthentication yes\" in the \"/etc/ssh/sshd_config\" file." + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000105-GPOS-00052 ", + "satisfies": [ + "SRG-OS-000105-GPOS-00052", + "SRG-OS-000106-GPOS-00053", + "SRG-OS-000107-GPOS-00054", + "SRG-OS-000108-GPOS-00055" + ], + "gid": "V-238210 ", + "rid": "SV-238210r858517_rule ", + "stig_id": "UBTU-20-010033 ", + "fix_id": "F-41379r653804_fix ", + "cci": [ + "CCI-000765", + "CCI-000766", + "CCI-000767", + "CCI-000768" + ], + "nist": [ + "IA-2 (1)", + "IA-2 (2)", + "IA-2 (3)", + "IA-2 (4)" + ] + }, + "code": "control 'SV-238210' do\n title \"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. \"\n desc \"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \\\"no\\\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \\\"pam_pkcs11.so\\\" in \\\"/etc/pam.d/common-auth\\\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\\\"PubkeyAuthentication yes\\\" in the \\\"/etc/ssh/sshd_config\\\" file. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000105-GPOS-00052 '\n tag satisfies: %w(SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055)\n tag gid: 'V-238210 '\n tag rid: 'SV-238210r858517_rule '\n tag stig_id: 'UBTU-20-010033 '\n tag fix_id: 'F-41379r653804_fix '\n tag cci: %w(CCI-000765 CCI-000766 CCI-000767 CCI-000768)\n tag nist: ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)']\n\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n\n describe sshd_config do\n its('PubkeyAuthentication') { should cmp 'yes' }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238210.rb", + "line": 1 + }, + "id": "SV-238210" + }, + { + "title": "The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. ", + "desc": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "descriptions": { + "default": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \"%n %U\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \"/var/log/syslog\" file is not owned by syslog, this is a\nfinding.", + "fix": "Configure the Ubuntu operating system to have syslog own the \"/var/log/syslog\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000206-GPOS-00084 ", + "gid": "V-238342 ", + "rid": "SV-238342r654201_rule ", + "stig_id": "UBTU-20-010421 ", + "fix_id": "F-41511r654200_fix ", + "cci": [ + "CCI-001314" + ], + "nist": [ + "SI-11 b" + ] + }, + "code": "control 'SV-238342' do\n title 'The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \\\"/var/log/syslog\\\" file is not owned by syslog, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238342 '\n tag rid: 'SV-238342r654201_rule '\n tag stig_id: 'UBTU-20-010421 '\n tag fix_id: 'F-41511r654200_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n its('owner') { should cmp 'syslog' }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238342.rb", + "line": 1 + }, + "id": "SV-238342" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"newgrp\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"newgrp\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238280 ", + "rid": "SV-238280r654015_rule ", + "stig_id": "UBTU-20-010164 ", + "fix_id": "F-41449r654014_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238280' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"newgrp\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"newgrp\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238280 '\n tag rid: 'SV-238280r654015_rule '\n tag stig_id: 'UBTU-20-010164 '\n tag fix_id: 'F-41449r654014_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/newgrp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238280.rb", + "line": 1 + }, + "id": "SV-238280" + }, + { + "title": "The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.", + "check": "Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\|rename\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \"unlink\",\n\"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \"key\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above.", + "fix": "Configure the audit system to generate audit events for any successful/unsuccessful use of\n\"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" system calls.\n\nAdd or update the\nfollowing rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000468-GPOS-00212 ", + "gid": "V-238310 ", + "rid": "SV-238310r832953_rule ", + "stig_id": "UBTU-20-010267 ", + "fix_id": "F-41479r832952_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238310' do\n title \"The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible. \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\\\|rename\\\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \\\"unlink\\\",\n\\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \\\"key\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events for any successful/unsuccessful use of\n\\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" system calls.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000468-GPOS-00212 '\n tag gid: 'V-238310 '\n tag rid: 'SV-238310r832953_rule '\n tag stig_id: 'UBTU-20-010267 '\n tag fix_id: 'F-41479r832952_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if os.arch == 'x86_64'\n describe auditd.syscall('unlink').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('unlink').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238310.rb", + "line": 1 + }, + "id": "SV-238310" + }, + { + "title": "Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. ", + "desc": "To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system.", + "descriptions": { + "default": "To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system.", + "check": "Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \"password_pbkdf2\", this is a finding.", + "fix": "Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \"/etc/grub.d/40_custom\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\"root\\\"\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \"grub.conf\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub" + }, + "impact": 0.7, + "refs": [], + "tags": { + "severity": "high ", + "gtitle": "SRG-OS-000080-GPOS-00048 ", + "gid": "V-238204 ", + "rid": "SV-238204r832936_rule ", + "stig_id": "UBTU-20-010009 ", + "fix_id": "F-41373r832935_fix ", + "cci": [ + "CCI-000213" + ], + "nist": [ + "AC-3" + ] + }, + "code": "control 'SV-238204' do\n title \"Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. \"\n desc \"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system. \"\n desc 'check', \"Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \\\"password_pbkdf2\\\", this is a finding. \"\n desc 'fix', \"Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \\\"/etc/grub.d/40_custom\\\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\\\\\"root\\\\\\\"\\\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \\\"grub.conf\\\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000080-GPOS-00048 '\n tag gid: 'V-238204 '\n tag rid: 'SV-238204r832936_rule '\n tag stig_id: 'UBTU-20-010009 '\n tag fix_id: 'F-41373r832935_fix '\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n describe grub_conf('/boot/grub/grub.cfg') do\n its('password') { should match '^password_pbkdf2' }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238204.rb", + "line": 1 + }, + "id": "SV-238204" + }, + { + "title": "The Ubuntu operating system must be configured so that remote X connections are disabled,\nunless to fulfill documented and validated mission requirements. ", + "desc": "The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs.", + "descriptions": { + "default": "The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs.", + "check": "Verify that X11Forwarding is disabled with the following command:\n\n$ grep -ir\nx11forwarding /etc/ssh/sshd_config* | grep -v \"^#\"\n\nX11Forwarding no\n\nIf the\n\"X11Forwarding\" keyword is set to \"yes\" and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement or is missing, this is a finding.\nIf\nconflicting results are returned, this is a finding.", + "fix": "Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\"\nkeyword and set its value to \"no\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding\nno\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service" + }, + "impact": 0.7, + "refs": [], + "tags": { + "severity": "high ", + "gtitle": "SRG-OS-000480-GPOS-00227 ", + "gid": "V-238219 ", + "rid": "SV-238219r858533_rule ", + "stig_id": "UBTU-20-010048 ", + "fix_id": "F-41388r653831_fix ", + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b" + ] + }, + "code": "control 'SV-238219' do\n title \"The Ubuntu operating system must be configured so that remote X connections are disabled,\nunless to fulfill documented and validated mission requirements. \"\n desc \"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs. \"\n desc 'check', \"Verify that X11Forwarding is disabled with the following command:\n\n$ grep -ir\nx11forwarding /etc/ssh/sshd_config* | grep -v \\\"^#\\\"\n\nX11Forwarding no\n\nIf the\n\\\"X11Forwarding\\\" keyword is set to \\\"yes\\\" and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement or is missing, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11Forwarding\\\"\nkeyword and set its value to \\\"no\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding\nno\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238219 '\n tag rid: 'SV-238219r858533_rule '\n tag stig_id: 'UBTU-20-010048 '\n tag fix_id: 'F-41388r653831_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('X11Forwarding') { should cmp 'no' }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238219.rb", + "line": 1 + }, + "id": "SV-238219" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"ssh-keysign\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"ssh-keysign\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238257 ", + "rid": "SV-238257r653946_rule ", + "stig_id": "UBTU-20-010141 ", + "fix_id": "F-41426r653945_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238257' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-keysign\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-keysign\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238257 '\n tag rid: 'SV-238257r653946_rule '\n tag stig_id: 'UBTU-20-010141 '\n tag fix_id: 'F-41426r653945_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/lib/openssh/ssh-keysign'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238257.rb", + "line": 1 + }, + "id": "SV-238257" + }, + { + "title": "The Ubuntu operating system must have directories that contain system commands owned by\nroot. ", + "desc": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.", + "descriptions": { + "default": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.", + "check": "Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system commands directories are returned, this is\na finding.", + "fix": "Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -user root -type d -exec chown root '{}' \\;" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000258-GPOS-00099 ", + "gid": "V-238345 ", + "rid": "SV-238345r654210_rule ", + "stig_id": "UBTU-20-010424 ", + "fix_id": "F-41514r654209_fix ", + "cci": [ + "CCI-001495" + ], + "nist": [ + "AU-9" + ] + }, + "code": "control 'SV-238345' do\n title \"The Ubuntu operating system must have directories that contain system commands owned by\nroot. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system commands directories are returned, this is\na finding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -user root -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238345 '\n tag rid: 'SV-238345r654210_rule '\n tag stig_id: 'UBTU-20-010424 '\n tag fix_id: 'F-41514r654209_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238345.rb", + "line": 1 + }, + "id": "SV-238345" + }, + { + "title": "The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. ", + "desc": "If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "descriptions": { + "default": "If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.", + "check": "Verify the system commands contained in the following directories have mode 0755 or less\npermissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\n\nCheck that the system command files have mode 0755 or less permissive with the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec stat -c \"%n %a\" '{}' \\;\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding.", + "fix": "Configure the system commands to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec chmod 755 '{}' \\;" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000259-GPOS-00100 ", + "gid": "V-238376 ", + "rid": "SV-238376r654303_rule ", + "stig_id": "UBTU-20-010456 ", + "fix_id": "F-41545r654302_fix ", + "cci": [ + "CCI-001499" + ], + "nist": [ + "CM-5 (6)" + ] + }, + "code": "control 'SV-238376' do\n title 'The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. '\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories have mode 0755 or less\npermissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\n\nCheck that the system command files have mode 0755 or less permissive with the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. \"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238376 '\n tag rid: 'SV-238376r654303_rule '\n tag stig_id: 'UBTU-20-010456 '\n tag fix_id: 'F-41545r654302_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238376.rb", + "line": 1 + }, + "id": "SV-238376" + }, + { + "title": "The Ubuntu operating system must monitor remote access methods. ", + "desc": "Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets).", + "descriptions": { + "default": "Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets).", + "check": "Verify that the Ubuntu operating system monitors all remote access methods.\n\nCheck that\nremote access methods are being logged by running the following command:\n\n$ grep -E -r\n'^(auth,authpriv\\.\\*|daemon\\.\\*)' /etc/rsyslog.*\n\n/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log\n\n/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages\n\nIf \"auth.*\",\n\"authpriv.*\", or \"daemon.*\" are not configured to be logged in at least one of the config\nfiles, this is a finding.", + "fix": "Configure the Ubuntu operating system to monitor all remote access methods by adding the\nfollowing lines to the \"/etc/rsyslog.d/50-default.conf\" file:\n\nauth.*,authpriv.*\n/var/log/secure\ndaemon.* /var/log/messages\n\nFor the changes to take effect, restart the\n\"rsyslog\" service with the following command:\n\n$ sudo systemctl restart rsyslog.service" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000032-GPOS-00013 ", + "gid": "V-238324 ", + "rid": "SV-238324r832959_rule ", + "stig_id": "UBTU-20-010403 ", + "fix_id": "F-41493r832958_fix ", + "cci": [ + "CCI-000067" + ], + "nist": [ + "AC-17 (1)" + ] + }, + "code": "control 'SV-238324' do\n title 'The Ubuntu operating system must monitor remote access methods. '\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify that the Ubuntu operating system monitors all remote access methods.\n\nCheck that\nremote access methods are being logged by running the following command:\n\n$ grep -E -r\n'^(auth,authpriv\\\\.\\\\*|daemon\\\\.\\\\*)' /etc/rsyslog.*\n\n/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log\n\n/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages\n\nIf \\\"auth.*\\\",\n\\\"authpriv.*\\\", or \\\"daemon.*\\\" are not configured to be logged in at least one of the config\nfiles, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to monitor all remote access methods by adding the\nfollowing lines to the \\\"/etc/rsyslog.d/50-default.conf\\\" file:\n\nauth.*,authpriv.*\n/var/log/secure\ndaemon.* /var/log/messages\n\nFor the changes to take effect, restart the\n\\\"rsyslog\\\" service with the following command:\n\n$ sudo systemctl restart rsyslog.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000032-GPOS-00013 '\n tag gid: 'V-238324 '\n tag rid: 'SV-238324r832959_rule '\n tag stig_id: 'UBTU-20-010403 '\n tag fix_id: 'F-41493r832958_fix '\n tag cci: ['CCI-000067']\n tag nist: ['AC-17 (1)']\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*\\t\\s*(.*?)\\s*$/,\n }\n config_file = input('rsyslog_config_file')\n auth_setting = parse_config_file(config_file, options).params['auth,authpriv.*']\n daemon_setting = parse_config_file(config_file, options).params['daemon.notice']\n describe auth_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\n describe daemon_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238324.rb", + "line": 1 + }, + "id": "SV-238324" + }, + { + "title": "The Ubuntu operating system must record time stamps for audit records that can be mapped to\nCoordinated Universal Time (UTC) or Greenwich Mean Time (GMT). ", + "desc": "If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.", + "descriptions": { + "default": "If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.", + "check": "To verify the time zone is configured to use UTC or GMT, run the following command.\n\n$\ntimedatectl status | grep -i \"time zone\"\nTimezone: UTC (UTC, +0000)\n\nIf \"Timezone\" is not\nset to UTC or GMT, this is a finding.", + "fix": "To configure the system time zone to use UTC or GMT, run the following command, replacing\n[ZONE] with UTC or GMT:\n\n$ sudo timedatectl set-timezone [ZONE]" + }, + "impact": 0.3, + "refs": [], + "tags": { + "severity": "low ", + "gtitle": "SRG-OS-000359-GPOS-00146 ", + "gid": "V-238308 ", + "rid": "SV-238308r853426_rule ", + "stig_id": "UBTU-20-010230 ", + "fix_id": "F-41477r654098_fix ", + "cci": [ + "CCI-001890" + ], + "nist": [ + "AU-8 b" + ] + }, + "code": "control 'SV-238308' do\n title \"The Ubuntu operating system must record time stamps for audit records that can be mapped to\nCoordinated Universal Time (UTC) or Greenwich Mean Time (GMT). \"\n desc \"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. \"\n desc 'check', \"To verify the time zone is configured to use UTC or GMT, run the following command.\n\n$\ntimedatectl status | grep -i \\\"time zone\\\"\nTimezone: UTC (UTC, +0000)\n\nIf \\\"Timezone\\\" is not\nset to UTC or GMT, this is a finding. \"\n desc 'fix', \"To configure the system time zone to use UTC or GMT, run the following command, replacing\n[ZONE] with UTC or GMT:\n\n$ sudo timedatectl set-timezone [ZONE] \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000359-GPOS-00146 '\n tag gid: 'V-238308 '\n tag rid: 'SV-238308r853426_rule '\n tag stig_id: 'UBTU-20-010230 '\n tag fix_id: 'F-41477r654098_fix '\n tag cci: ['CCI-001890']\n tag nist: ['AU-8 b']\n\n time_zone = command('timedatectl status | grep -i \"time zone\"').stdout.strip\n\n describe time_zone do\n it { should match 'UTC' }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238308.rb", + "line": 1 + }, + "id": "SV-238308" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify that an audit event is generated for any successful/unsuccessful use of the \"gpasswd\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"gpasswd\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238290 ", + "rid": "SV-238290r654045_rule ", + "stig_id": "UBTU-20-010174 ", + "fix_id": "F-41459r654044_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238290' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"gpasswd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"gpasswd\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238290 '\n tag rid: 'SV-238290r654045_rule '\n tag stig_id: 'UBTU-20-010174 '\n tag fix_id: 'F-41459r654044_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/gpasswd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238290.rb", + "line": 1 + }, + "id": "SV-238290" + }, + { + "title": "The Ubuntu operating system must generate audit records for the /var/run/wtmp file. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/run/wtmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above.", + "fix": "Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/run/wtmp\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000472-GPOS-00217 ", + "gid": "V-238316 ", + "rid": "SV-238316r654123_rule ", + "stig_id": "UBTU-20-010278 ", + "fix_id": "F-41485r654122_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238316' do\n title 'The Ubuntu operating system must generate audit records for the /var/run/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/run/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/run/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238316 '\n tag rid: 'SV-238316r654123_rule '\n tag stig_id: 'UBTU-20-010278 '\n tag fix_id: 'F-41485r654122_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/var/run/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238316.rb", + "line": 1 + }, + "id": "SV-238316" + }, + { + "title": "The Ubuntu operating system must have directories that contain system commands group-owned\nby root. ", + "desc": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.", + "descriptions": { + "default": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.", + "check": "Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \"%n %G\" '{}' \\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding.", + "fix": "Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\;" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000258-GPOS-00099 ", + "gid": "V-238346 ", + "rid": "SV-238346r654213_rule ", + "stig_id": "UBTU-20-010425 ", + "fix_id": "F-41515r654212_fix ", + "cci": [ + "CCI-001495" + ], + "nist": [ + "AU-9" + ] + }, + "code": "control 'SV-238346' do\n title \"The Ubuntu operating system must have directories that contain system commands group-owned\nby root. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238346 '\n tag rid: 'SV-238346r654213_rule '\n tag stig_id: 'UBTU-20-010425 '\n tag fix_id: 'F-41515r654212_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n # CHECK\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238346.rb", + "line": 1 + }, + "id": "SV-238346" + }, + { + "title": "The Ubuntu operating system must allow users to directly initiate a session lock for all\nconnection types. ", + "desc": "A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.", + "descriptions": { + "default": "A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.", + "check": "Verify the Ubuntu operating system has the \"vlock\" package installed by running the\nfollowing command:\n\n$ dpkg -l | grep vlock\n\nIf \"vlock\" is not installed, this is a finding.", + "fix": "Install the \"vlock\" package (if it is not already installed) by running the following\ncommand:\n\n$ sudo apt-get install vlock" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000030-GPOS-00011 ", + "satisfies": [ + "SRG-OS-000030-GPOS-00011", + "SRG-OS-000031-GPOS-00012" + ], + "gid": "V-238200 ", + "rid": "SV-238200r653775_rule ", + "stig_id": "UBTU-20-010005 ", + "fix_id": "F-41369r653774_fix ", + "cci": [ + "CCI-000058", + "CCI-000060" + ], + "nist": [ + "AC-11 a", + "AC-11 (1)" + ] + }, + "code": "control 'SV-238200' do\n title \"The Ubuntu operating system must allow users to directly initiate a session lock for all\nconnection types. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"vlock\\\" package installed by running the\nfollowing command:\n\n$ dpkg -l | grep vlock\n\nIf \\\"vlock\\\" is not installed, this is a finding. \"\n desc 'fix', \"Install the \\\"vlock\\\" package (if it is not already installed) by running the following\ncommand:\n\n$ sudo apt-get install vlock \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000030-GPOS-00011 '\n tag satisfies: %w(SRG-OS-000030-GPOS-00011 SRG-OS-000031-GPOS-00012)\n tag gid: 'V-238200 '\n tag rid: 'SV-238200r653775_rule '\n tag stig_id: 'UBTU-20-010005 '\n tag fix_id: 'F-41369r653774_fix '\n tag cci: %w(CCI-000058 CCI-000060)\n tag nist: ['AC-11 a', 'AC-11 (1)']\n\n describe package('vlock') do\n it { should be_installed }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238200.rb", + "line": 1 + }, + "id": "SV-238200" + }, + { + "title": "The Ubuntu operating system must prevent the use of dictionary words for passwords. ", + "desc": "If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks.", + "descriptions": { + "default": "If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks.", + "check": "Verify the Ubuntu operating system uses the \"cracklib\" library to prevent the use of\ndictionary words with the following command:\n\n$ grep dictcheck\n/etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \"dictcheck\" parameter is not set to\n\"1\" or is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.\n\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file to include the\n\"dictcheck=1\" parameter:\n\ndictcheck=1" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000480-GPOS-00225 ", + "gid": "V-238227 ", + "rid": "SV-238227r653856_rule ", + "stig_id": "UBTU-20-010056 ", + "fix_id": "F-41396r653855_fix ", + "cci": [ + "CCI-000366" + ], + "nist": [ + "CM-6 b" + ] + }, + "code": "control 'SV-238227' do\n title 'The Ubuntu operating system must prevent the use of dictionary words for passwords. '\n desc \"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks. \"\n desc 'check', \"Verify the Ubuntu operating system uses the \\\"cracklib\\\" library to prevent the use of\ndictionary words with the following command:\n\n$ grep dictcheck\n/etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \\\"dictcheck\\\" parameter is not set to\n\\\"1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.\n\n\nAdd or update the following line in the \\\"/etc/security/pwquality.conf\\\" file to include the\n\\\"dictcheck=1\\\" parameter:\n\ndictcheck=1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238227 '\n tag rid: 'SV-238227r653856_rule '\n tag stig_id: 'UBTU-20-010056 '\n tag fix_id: 'F-41396r653855_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dictcheck') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238227.rb", + "line": 1 + }, + "id": "SV-238227" + }, + { + "title": "The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. ", + "desc": "Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components.", + "descriptions": { + "default": "Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components.", + "check": "Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding.", + "fix": "Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \"[Public Directory]\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory]" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000138-GPOS-00069 ", + "gid": "V-238332 ", + "rid": "SV-238332r654171_rule ", + "stig_id": "UBTU-20-010411 ", + "fix_id": "F-41501r654170_fix ", + "cci": [ + "CCI-001090" + ], + "nist": [ + "SC-4" + ] + }, + "code": "control 'SV-238332' do\n title \"The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. \"\n desc \"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components. \"\n desc 'check', \"Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding. \"\n desc 'fix', \"Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \\\"[Public Directory]\\\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000138-GPOS-00069 '\n tag gid: 'V-238332 '\n tag rid: 'SV-238332r654171_rule '\n tag stig_id: 'UBTU-20-010411 '\n tag fix_id: 'F-41501r654170_fix '\n tag cci: ['CCI-001090']\n tag nist: ['SC-4']\n\n lines = command('find / -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null').stdout.strip.split(\"\\n\").entries\n if lines.count > 0\n lines.each do |line|\n dir = line.strip\n describe directory(dir) do\n it { should be_sticky }\n end\n end\n else\n describe 'Sticky bit has been set on all world writable directories' do\n subject { lines }\n its('count') { should eq 0 }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238332.rb", + "line": 1 + }, + "id": "SV-238332" + }, + { + "title": "The Ubuntu operating system must configure the /var/log directory to be owned by root. ", + "desc": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "descriptions": { + "default": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify the Ubuntu operating system configures the \"/var/log\" directory to be owned by root\nwith the following command:\n\n$ sudo stat -c \"%n %U\" /var/log\n/var/log root\n\nIf the\n\"/var/log\" directory is not owned by root, this is a finding.", + "fix": "Configure the Ubuntu operating system to have root own the \"/var/log\" directory by running\nthe following command:\n\n$ sudo chown root /var/log" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000206-GPOS-00084 ", + "gid": "V-238339 ", + "rid": "SV-238339r654192_rule ", + "stig_id": "UBTU-20-010418 ", + "fix_id": "F-41508r654191_fix ", + "cci": [ + "CCI-001314" + ], + "nist": [ + "SI-11 b" + ] + }, + "code": "control 'SV-238339' do\n title 'The Ubuntu operating system must configure the /var/log directory to be owned by root. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify the Ubuntu operating system configures the \\\"/var/log\\\" directory to be owned by root\nwith the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log\n/var/log root\n\nIf the\n\\\"/var/log\\\" directory is not owned by root, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have root own the \\\"/var/log\\\" directory by running\nthe following command:\n\n$ sudo chown root /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238339 '\n tag rid: 'SV-238339r654192_rule '\n tag stig_id: 'UBTU-20-010418 '\n tag fix_id: 'F-41508r654191_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n its('owner') { should cmp 'root' }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238339.rb", + "line": 1 + }, + "id": "SV-238339" + }, + { + "title": "Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\nmodification of all information at rest. ", + "desc": "Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).", + "descriptions": { + "default": "Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).", + "check": "If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n$\nsudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding.", + "fix": "To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed." + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000404-GPOS-00183 ", + "gid": "V-238365 ", + "rid": "SV-238365r853442_rule ", + "stig_id": "UBTU-20-010444 ", + "fix_id": "F-41534r654269_fix ", + "cci": [ + "CCI-002475" + ], + "nist": [ + "SC-28 (1)" + ] + }, + "code": "control 'SV-238365' do\n title \"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\nmodification of all information at rest. \"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n$\nsudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000404-GPOS-00183 '\n tag gid: 'V-238365 '\n tag rid: 'SV-238365r853442_rule '\n tag stig_id: 'UBTU-20-010444 '\n tag fix_id: 'F-41534r654269_fix '\n tag cci: ['CCI-002475']\n tag nist: ['SC-28 (1)']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238365.rb", + "line": 1 + }, + "id": "SV-238365" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-agent command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"ssh-agent\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep '/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"ssh-agent\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238256 ", + "rid": "SV-238256r653943_rule ", + "stig_id": "UBTU-20-010140 ", + "fix_id": "F-41425r653942_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238256' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-agent command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-agent\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep '/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-agent\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238256 '\n tag rid: 'SV-238256r653943_rule '\n tag stig_id: 'UBTU-20-010140 '\n tag fix_id: 'F-41425r653942_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/ssh-agent'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238256.rb", + "line": 1 + }, + "id": "SV-238256" + }, + { + "title": "The Ubuntu operating system must limit the number of concurrent sessions to ten for all\naccounts and/or account types. ", + "desc": "The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system.", + "descriptions": { + "default": "The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system.", + "check": "Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all\naccounts and/or account types by running the following command:\n\n$ grep maxlogins\n/etc/security/limits.conf | grep -v '^* hard maxlogins'\n\nThe result must contain the\nfollowing line:\n\n* hard maxlogins 10\n\nIf the \"maxlogins\" item is missing or the value is not\nset to 10 or less or is commented out, this is a finding.", + "fix": "Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all\naccounts and/or account types.\n\nAdd the following line to the top of the\n\"/etc/security/limits.conf\" file:\n\n* hard maxlogins 10" + }, + "impact": 0.3, + "refs": [], + "tags": { + "severity": "low ", + "gtitle": "SRG-OS-000027-GPOS-00008 ", + "gid": "V-238323 ", + "rid": "SV-238323r654144_rule ", + "stig_id": "UBTU-20-010400 ", + "fix_id": "F-41492r654143_fix ", + "cci": [ + "CCI-000054" + ], + "nist": [ + "AC-10" + ] + }, + "code": "control 'SV-238323' do\n title \"The Ubuntu operating system must limit the number of concurrent sessions to ten for all\naccounts and/or account types. \"\n desc \"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system. \"\n desc 'check', \"Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all\naccounts and/or account types by running the following command:\n\n$ grep maxlogins\n/etc/security/limits.conf | grep -v '^* hard maxlogins'\n\nThe result must contain the\nfollowing line:\n\n* hard maxlogins 10\n\nIf the \\\"maxlogins\\\" item is missing or the value is not\nset to 10 or less or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all\naccounts and/or account types.\n\nAdd the following line to the top of the\n\\\"/etc/security/limits.conf\\\" file:\n\n* hard maxlogins 10 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000027-GPOS-00008 '\n tag gid: 'V-238323 '\n tag rid: 'SV-238323r654144_rule '\n tag stig_id: 'UBTU-20-010400 '\n tag fix_id: 'F-41492r654143_fix '\n tag cci: ['CCI-000054']\n tag nist: ['AC-10']\n\n describe limits_conf do\n its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238323.rb", + "line": 1 + }, + "id": "SV-238323" + }, + { + "title": "The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. ", + "desc": "In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues.", + "descriptions": { + "default": "In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues.", + "check": "Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding.", + "fix": "Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \"in\" or \"out\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service>" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000096-GPOS-00050 ", + "gid": "V-238328 ", + "rid": "SV-238328r654159_rule ", + "stig_id": "UBTU-20-010407 ", + "fix_id": "F-41497r654158_fix ", + "cci": [ + "CCI-000382" + ], + "nist": [ + "CM-7 b" + ] + }, + "code": "control 'SV-238328' do\n title \"The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. \"\n desc \"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding. \"\n desc 'fix', \"Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \\\"in\\\" or \\\"out\\\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000096-GPOS-00050 '\n tag gid: 'V-238328 '\n tag rid: 'SV-238328r654159_rule '\n tag stig_id: 'UBTU-20-010407 '\n tag fix_id: 'F-41497r654158_fix '\n tag cci: ['CCI-000382']\n tag nist: ['CM-7 b']\n\n ufw_status = command('ufw status').stdout.strip.lines.first\n value = ufw_status.split(':')[1].strip\n\n describe 'UFW status' do\n subject { value }\n it { should cmp 'active' }\n end\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238328.rb", + "line": 1 + }, + "id": "SV-238328" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"sudoedit\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"sudoedit\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238278 ", + "rid": "SV-238278r654009_rule ", + "stig_id": "UBTU-20-010162 ", + "fix_id": "F-41447r654008_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238278' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"sudoedit\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudoedit\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238278 '\n tag rid: 'SV-238278r654009_rule '\n tag stig_id: 'UBTU-20-010162 '\n tag fix_id: 'F-41447r654008_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/sudoedit'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238278.rb", + "line": 1 + }, + "id": "SV-238278" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"su\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x -F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above.", + "fix": "Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"su\" command occur.\n\nAdd or update the\nfollowing rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238252 ", + "rid": "SV-238252r653931_rule ", + "stig_id": "UBTU-20-010136 ", + "fix_id": "F-41421r653930_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238252' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"su\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x -F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \\\"su\\\" command occur.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238252 '\n tag rid: 'SV-238252r653931_rule '\n tag stig_id: 'UBTU-20-010136 '\n tag fix_id: 'F-41421r653930_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/bin/su'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238252.rb", + "line": 1 + }, + "id": "SV-238252" + }, + { + "title": "The Ubuntu operating system must implement address space layout randomization to protect\nits memory from unauthorized code execution. ", + "desc": "Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks.", + "descriptions": { + "default": "Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks.", + "check": "Verify the Ubuntu operating system implements address space layout randomization (ASLR)\nwith the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\n\nkernel.randomize_va_space = 2\n\nIf nothing is returned, verify the kernel parameter\n\"randomize_va_space\" is set to \"2\" with the following command:\n\n$ cat\n/proc/sys/kernel/randomize_va_space\n\n2\n\nIf \"kernel.randomize_va_space\" is not set to\n\"2\", this is a finding.\n\nVerify that a saved value of the \"kernel.randomize_va_space\"\nvariable is not defined.\n\n$ sudo egrep -R \"^kernel.randomize_va_space=[^2]\"\n/etc/sysctl.conf /etc/sysctl.d\n\nIf this returns a result, this is a finding.", + "fix": "Remove the \"kernel.randomize_va_space\" entry found in the \"/etc/sysctl.conf\" file or any\nfile located in the \"/etc/sysctl.d/\" directory.\n\nAfter the line has been removed, the\nkernel settings from all system configuration files must be reloaded before any of the\nchanges will take effect. Run the following command to reload all of the kernel system\nconfiguration files:\n\n$ sudo sysctl --system" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000433-GPOS-00193 ", + "gid": "V-238369 ", + "rid": "SV-238369r853446_rule ", + "stig_id": "UBTU-20-010448 ", + "fix_id": "F-41538r654281_fix ", + "cci": [ + "CCI-002824" + ], + "nist": [ + "SI-16" + ] + }, + "code": "control 'SV-238369' do\n title \"The Ubuntu operating system must implement address space layout randomization to protect\nits memory from unauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the Ubuntu operating system implements address space layout randomization (ASLR)\nwith the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\n\nkernel.randomize_va_space = 2\n\nIf nothing is returned, verify the kernel parameter\n\\\"randomize_va_space\\\" is set to \\\"2\\\" with the following command:\n\n$ cat\n/proc/sys/kernel/randomize_va_space\n\n2\n\nIf \\\"kernel.randomize_va_space\\\" is not set to\n\\\"2\\\", this is a finding.\n\nVerify that a saved value of the \\\"kernel.randomize_va_space\\\"\nvariable is not defined.\n\n$ sudo egrep -R \\\"^kernel.randomize_va_space=[^2]\\\"\n/etc/sysctl.conf /etc/sysctl.d\n\nIf this returns a result, this is a finding. \"\n desc 'fix', \"Remove the \\\"kernel.randomize_va_space\\\" entry found in the \\\"/etc/sysctl.conf\\\" file or any\nfile located in the \\\"/etc/sysctl.d/\\\" directory.\n\nAfter the line has been removed, the\nkernel settings from all system configuration files must be reloaded before any of the\nchanges will take effect. Run the following command to reload all of the kernel system\nconfiguration files:\n\n$ sudo sysctl --system \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00193 '\n tag gid: 'V-238369 '\n tag rid: 'SV-238369r853446_rule '\n tag stig_id: 'UBTU-20-010448 '\n tag fix_id: 'F-41538r654281_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n\n describe kernel_parameter('kernel.randomize_va_space') do\n its('value') { should cmp 2 }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238369.rb", + "line": 1 + }, + "id": "SV-238369" + }, + { + "title": "The Ubuntu operating system must generate audit records for the /var/log/wtmp file. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/log/wtmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above.", + "fix": "Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/log/wtmp\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000472-GPOS-00217 ", + "gid": "V-238315 ", + "rid": "SV-238315r654120_rule ", + "stig_id": "UBTU-20-010277 ", + "fix_id": "F-41484r654119_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238315' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238315 '\n tag rid: 'SV-238315r654120_rule '\n tag stig_id: 'UBTU-20-010277 '\n tag fix_id: 'F-41484r654119_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/var/log/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238315.rb", + "line": 1 + }, + "id": "SV-238315" + }, + { + "title": "The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a certificate that is\nrecognized and approved by the organization. ", + "desc": "Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA.", + "descriptions": { + "default": "Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA.", + "check": "Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \"AllowUnauthenticated\" variable is not set at all or is set to \"false\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \"false\";\n\n\nIf any of the files returned from the command with \"AllowUnauthenticated\" are set to \"true\",\nthis is a finding.", + "fix": "Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \"AllowUnauthenticated\" to \"false\",\nor remove \"AllowUnauthenticated\" entirely from each file. Below is an example of setting the\n\"AllowUnauthenticated\" variable to \"false\":\n\nAPT::Get::AllowUnauthenticated\n\"false\";" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000366-GPOS-00153 ", + "gid": "V-238359 ", + "rid": "SV-238359r853434_rule ", + "stig_id": "UBTU-20-010438 ", + "fix_id": "F-41528r654251_fix ", + "cci": [ + "CCI-001749" + ], + "nist": [ + "CM-5 (3)" + ] + }, + "code": "control 'SV-238359' do\n title \"The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a certificate that is\nrecognized and approved by the organization. \"\n desc \"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA. \"\n desc 'check', \"Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \\\"AllowUnauthenticated\\\" variable is not set at all or is set to \\\"false\\\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \\\"false\\\";\n\n\nIf any of the files returned from the command with \\\"AllowUnauthenticated\\\" are set to \\\"true\\\",\nthis is a finding. \"\n desc 'fix', \"Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \\\"AllowUnauthenticated\\\" to \\\"false\\\",\nor remove \\\"AllowUnauthenticated\\\" entirely from each file. Below is an example of setting the\n\\\"AllowUnauthenticated\\\" variable to \\\"false\\\":\n\nAPT::Get::AllowUnauthenticated\n\\\"false\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000366-GPOS-00153 '\n tag gid: 'V-238359 '\n tag rid: 'SV-238359r853434_rule '\n tag stig_id: 'UBTU-20-010438 '\n tag fix_id: 'F-41528r654251_fix '\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n apt_allowunauth = command('grep -i allowunauth /etc/apt/apt.conf.d/*').stdout.strip.split(\"\\n\")\n if apt_allowunauth.empty?\n describe 'apt conf files do not contain AllowUnauthenticated' do\n subject { apt_allowunauth.empty? }\n it { should be true }\n end\n else\n apt_allowunauth.each do |line|\n describe \"#{line} contains AllowUnauthenctication\" do\n subject { line }\n it { should_not match /.*false.*/ }\n end\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238359.rb", + "line": 1 + }, + "id": "SV-238359" + }, + { + "title": "The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the oper ", + "desc": "Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item.", + "descriptions": { + "default": "Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item.", + "check": "Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ grep SILENTREPORTS /etc/default/aide\n\nSILENTREPORTS=no\n\n\nIf SILENTREPORTS is commented out, this is a finding.\n\nIf SILENTREPORTS is set to \"yes\",\nthis is a finding.\n\nIf SILENTREPORTS is not set to \"no\", this is a finding.", + "fix": "Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \"SILENTREPORTS\"\nparameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist." + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000363-GPOS-00150 ", + "gid": "V-238358 ", + "rid": "SV-238358r853433_rule ", + "stig_id": "UBTU-20-010437 ", + "fix_id": "F-41527r654248_fix ", + "cci": [ + "CCI-001744" + ], + "nist": [ + "CM-3 (5)" + ] + }, + "code": "control 'SV-238358' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the oper \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ grep SILENTREPORTS /etc/default/aide\n\nSILENTREPORTS=no\n\n\nIf SILENTREPORTS is commented out, this is a finding.\n\nIf SILENTREPORTS is set to \\\"yes\\\",\nthis is a finding.\n\nIf SILENTREPORTS is not set to \\\"no\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000363-GPOS-00150 '\n tag gid: 'V-238358 '\n tag rid: 'SV-238358r853433_rule '\n tag stig_id: 'UBTU-20-010437 '\n tag fix_id: 'F-41527r654248_fix '\n tag cci: ['CCI-001744']\n tag nist: ['CM-3 (5)']\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238358.rb", + "line": 1 + }, + "id": "SV-238358" + }, + { + "title": "The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less\npermissive. ", + "desc": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "descriptions": { + "default": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.", + "check": "Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file with mode\n0640 or less permissive by running the following command:\n\n$ sudo stat -c \"%n %a\"\n/var/log/syslog\n\n/var/log/syslog 640\n\nIf a value of \"640\" or less permissive is not\nreturned, this is a finding.", + "fix": "Configure the Ubuntu operating system to have permissions of 0640 for the \"/var/log/syslog\"\nfile by running the following command:\n\n$ sudo chmod 0640 /var/log/syslog" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000206-GPOS-00084 ", + "gid": "V-238343 ", + "rid": "SV-238343r654204_rule ", + "stig_id": "UBTU-20-010422 ", + "fix_id": "F-41512r654203_fix ", + "cci": [ + "CCI-001314" + ], + "nist": [ + "SI-11 b" + ] + }, + "code": "control 'SV-238343' do\n title \"The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file with mode\n0640 or less permissive by running the following command:\n\n$ sudo stat -c \\\"%n %a\\\"\n/var/log/syslog\n\n/var/log/syslog 640\n\nIf a value of \\\"640\\\" or less permissive is not\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0640 for the \\\"/var/log/syslog\\\"\nfile by running the following command:\n\n$ sudo chmod 0640 /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238343 '\n tag rid: 'SV-238343r654204_rule '\n tag stig_id: 'UBTU-20-010422 '\n tag fix_id: 'F-41512r654203_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n it { should_not be_more_permissive_than('0640') }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238343.rb", + "line": 1 + }, + "id": "SV-238343" + }, + { + "title": "The Ubuntu operating system must enforce password complexity by requiring that at least one\nupper-case character be used. ", + "desc": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.", + "descriptions": { + "default": "Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.", + "check": "Verify the Ubuntu operating system enforces password complexity by requiring that at least\none upper-case character be used.\n\nDetermine if the field \"ucredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"ucredit\"\n/etc/security/pwquality.conf\nucredit=-1\n\nIf the \"ucredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding.", + "fix": "Add or update the \"/etc/security/pwquality.conf\" file to contain the \"ucredit\" parameter:\n\n\nucredit=-1" + }, + "impact": 0.3, + "refs": [], + "tags": { + "severity": "low ", + "gtitle": "SRG-OS-000069-GPOS-00037 ", + "gid": "V-238221 ", + "rid": "SV-238221r653838_rule ", + "stig_id": "UBTU-20-010050 ", + "fix_id": "F-41390r653837_fix ", + "cci": [ + "CCI-000192" + ], + "nist": [ + "IA-5 (1) (a)" + ] + }, + "code": "control 'SV-238221' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nupper-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none upper-case character be used.\n\nDetermine if the field \\\"ucredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"ucredit\\\"\n/etc/security/pwquality.conf\nucredit=-1\n\nIf the \\\"ucredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"ucredit\\\" parameter:\n\n\nucredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000069-GPOS-00037 '\n tag gid: 'V-238221 '\n tag rid: 'SV-238221r653838_rule '\n tag stig_id: 'UBTU-20-010050 '\n tag fix_id: 'F-41390r653837_fix '\n tag cci: ['CCI-000192']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ucredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238221.rb", + "line": 1 + }, + "id": "SV-238221" + }, + { + "title": "The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. ", + "desc": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.", + "descriptions": { + "default": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.", + "check": "Verify the Ubuntu operating system configures the audit tools to have a file permission of\n0755 or less to prevent unauthorized access by running the following command:\n\n$ stat -c \"%n\n%a\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl 755\n/sbin/aureport 755\n\n/sbin/ausearch 755\n/sbin/autrace 755\n/sbin/auditd 755\n/sbin/audispd 755\n\n/sbin/augenrules 755\n\nIf any of the audit tools have a mode more permissive than 0755, this\nis a finding.", + "fix": "Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n$ sudo chmod\n0755 [audit_tool]\n\nReplace \"[audit_tool]\" with the audit tool that does not have the\ncorrect permissions." + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000256-GPOS-00097 ", + "satisfies": [ + "SRG-OS-000256-GPOS-00097", + "SRG-OS-000257-GPOS-00098" + ], + "gid": "V-238300 ", + "rid": "SV-238300r654075_rule ", + "stig_id": "UBTU-20-010199 ", + "fix_id": "F-41469r654074_fix ", + "cci": [ + "CCI-001493", + "CCI-001494" + ], + "nist": [ + "AU-9 a", + "AU-9" + ] + }, + "code": "control 'SV-238300' do\n title 'The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to have a file permission of\n0755 or less to prevent unauthorized access by running the following command:\n\n$ stat -c \\\"%n\n%a\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl 755\n/sbin/aureport 755\n\n/sbin/ausearch 755\n/sbin/autrace 755\n/sbin/auditd 755\n/sbin/audispd 755\n\n/sbin/augenrules 755\n\nIf any of the audit tools have a mode more permissive than 0755, this\nis a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n$ sudo chmod\n0755 [audit_tool]\n\nReplace \\\"[audit_tool]\\\" with the audit tool that does not have the\ncorrect permissions. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238300 '\n tag rid: 'SV-238300r654075_rule '\n tag stig_id: 'UBTU-20-010199 '\n tag fix_id: 'F-41469r654074_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238300.rb", + "line": 1 + }, + "id": "SV-238300" + }, + { + "title": "Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\ndisclosure of all information at rest. ", + "desc": "Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).", + "descriptions": { + "default": "Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).", + "check": "If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n$sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding.", + "fix": "To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed." + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000405-GPOS-00184 ", + "gid": "V-238366 ", + "rid": "SV-238366r853443_rule ", + "stig_id": "UBTU-20-010445 ", + "fix_id": "F-41535r654272_fix ", + "cci": [ + "CCI-002476" + ], + "nist": [ + "SC-28 (1)" + ] + }, + "code": "control 'SV-238366' do\n title \"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\ndisclosure of all information at rest. \"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n$sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000405-GPOS-00184 '\n tag gid: 'V-238366 '\n tag rid: 'SV-238366r853443_rule '\n tag stig_id: 'UBTU-20-010445 '\n tag fix_id: 'F-41535r654272_fix '\n tag cci: ['CCI-002476']\n tag nist: ['SC-28 (1)']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238366.rb", + "line": 1 + }, + "id": "SV-238366" + }, + { + "title": "The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. ", + "desc": "Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections.", + "descriptions": { + "default": "Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections.", + "check": "Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\"pam_lastlog\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \"pam_lastlog\" is\nmissing from \"/etc/pam.d/login\" file, is not \"required\", or the \"silent\" option is present,\nthis is a finding.", + "fix": "Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\"/etc/pam.d/login\".\n\nAdd the following line to the top of \"/etc/pam.d/login\":\n\nsession\nrequired pam_lastlog.so showfailed" + }, + "impact": 0.3, + "refs": [], + "tags": { + "severity": "low ", + "gtitle": "SRG-OS-000480-GPOS-00227 ", + "gid": "V-238373 ", + "rid": "SV-238373r858539_rule ", + "stig_id": "UBTU-20-010453 ", + "fix_id": "F-41542r654293_fix ", + "cci": [ + "CCI-000052" + ], + "nist": [ + "AC-9" + ] + }, + "code": "control 'SV-238373' do\n title \"The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. \"\n desc \"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections. \"\n desc 'check', \"Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\\\"pam_lastlog\\\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \\\"pam_lastlog\\\" is\nmissing from \\\"/etc/pam.d/login\\\" file, is not \\\"required\\\", or the \\\"silent\\\" option is present,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\\\"/etc/pam.d/login\\\".\n\nAdd the following line to the top of \\\"/etc/pam.d/login\\\":\n\nsession\nrequired pam_lastlog.so showfailed \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238373 '\n tag rid: 'SV-238373r858539_rule '\n tag stig_id: 'UBTU-20-010453 '\n tag fix_id: 'F-41542r654293_fix '\n tag cci: ['CCI-000052']\n tag nist: ['AC-9']\n\n describe command('grep pam_lastlog /etc/pam.d/login') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*session\\s+required\\s+pam_lastlog.so/ }\n its('stdout.strip') { should_not match /^\\s*session\\s+required\\s+pam_lastlog.so[\\s\\w\\d\\=]+.*silent/ }\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238373.rb", + "line": 1 + }, + "id": "SV-238373" + }, + { + "title": "The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. ", + "desc": "If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity.", + "descriptions": { + "default": "If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity.", + "check": "Verify that the audit log directory has a mode of \"0750\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \"0750\" or less by\nusing the following command:\n\n$ sudo stat -c \"%n %a\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \"0750\", this is a finding.", + "fix": "Configure the audit log directory to have a mode of \"0750\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\"0750\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000059-GPOS-00029 ", + "gid": "V-238248 ", + "rid": "SV-238248r653919_rule ", + "stig_id": "UBTU-20-010128 ", + "fix_id": "F-41417r653918_fix ", + "cci": [ + "CCI-000164" + ], + "nist": [ + "AU-9 a" + ] + }, + "code": "control 'SV-238248' do\n title \"The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. \"\n desc \"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity. \"\n desc 'check', \"Verify that the audit log directory has a mode of \\\"0750\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \\\"0750\\\" or less by\nusing the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \\\"0750\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory to have a mode of \\\"0750\\\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\\\"0750\\\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000059-GPOS-00029 '\n tag gid: 'V-238248 '\n tag rid: 'SV-238248r653919_rule '\n tag stig_id: 'UBTU-20-010128 '\n tag fix_id: 'F-41417r653918_fix '\n tag cci: ['CCI-000164']\n tag nist: ['AU-9 a']\n\n log_file = auditd_conf.log_file\n\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n if log_dir_exists\n describe directory(File.dirname(log_file)) do\n it { should_not be_more_permissive_than('0750') }\n end\n else\n describe('Audit directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238248.rb", + "line": 1 + }, + "id": "SV-238248" + }, + { + "title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. ", + "desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "descriptions": { + "default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).", + "check": "Verify that an audit event is generated for any successful/unsuccessful use of the \"crontab\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above.", + "fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"crontab\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load" + }, + "impact": 0.5, + "refs": [], + "tags": { + "severity": "medium ", + "gtitle": "SRG-OS-000064-GPOS-00033 ", + "gid": "V-238293 ", + "rid": "SV-238293r654054_rule ", + "stig_id": "UBTU-20-010177 ", + "fix_id": "F-41462r654053_fix ", + "cci": [ + "CCI-000172" + ], + "nist": [ + "AU-12 c" + ] + }, + "code": "control 'SV-238293' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"crontab\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"crontab\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238293 '\n tag rid: 'SV-238293r654054_rule '\n tag stig_id: 'UBTU-20-010177 '\n tag fix_id: 'F-41462r654053_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/crontab'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "source_location": { + "ref": "./controls/SV-238293.rb", + "line": 1 + }, + "id": "SV-238293" + } + ], + "groups": [ + { + "title": null, + "controls": [ + "SV-238355" + ], + "id": "controls/SV-238355.rb" + }, + { + "title": null, + "controls": [ + "SV-238231" + ], + "id": "controls/SV-238231.rb" + }, + { + "title": null, + "controls": [ + "SV-238327" + ], + "id": "controls/SV-238327.rb" + }, + { + "title": null, + "controls": [ + "SV-238281" + ], + "id": "controls/SV-238281.rb" + }, + { + "title": null, + "controls": [ + "SV-238347" + ], + "id": "controls/SV-238347.rb" + }, + { + "title": null, + "controls": [ + "SV-238217" + ], + "id": "controls/SV-238217.rb" + }, + { + "title": null, + "controls": [ + "SV-238216" + ], + "id": "controls/SV-238216.rb" + }, + { + "title": null, + "controls": [ + "SV-238329" + ], + "id": "controls/SV-238329.rb" + }, + { + "title": null, + "controls": [ + "SV-238379" + ], + "id": "controls/SV-238379.rb" + }, + { + "title": null, + "controls": [ + "SV-238223" + ], + "id": "controls/SV-238223.rb" + }, + { + "title": null, + "controls": [ + "SV-238234" + ], + "id": "controls/SV-238234.rb" + }, + { + "title": null, + "controls": [ + "SV-238253" + ], + "id": "controls/SV-238253.rb" + }, + { + "title": null, + "controls": [ + "SV-238233" + ], + "id": "controls/SV-238233.rb" + }, + { + "title": null, + "controls": [ + "SV-238199" + ], + "id": "controls/SV-238199.rb" + }, + { + "title": null, + "controls": [ + "SV-238247" + ], + "id": "controls/SV-238247.rb" + }, + { + "title": null, + "controls": [ + "SV-238350" + ], + "id": "controls/SV-238350.rb" + }, + { + "title": null, + "controls": [ + "SV-238206" + ], + "id": "controls/SV-238206.rb" + }, + { + "title": null, + "controls": [ + "SV-238305" + ], + "id": "controls/SV-238305.rb" + }, + { + "title": null, + "controls": [ + "SV-252704" + ], + "id": "controls/SV-252704.rb" + }, + { + "title": null, + "controls": [ + "SV-238196" + ], + "id": "controls/SV-238196.rb" + }, + { + "title": null, + "controls": [ + "SV-238344" + ], + "id": "controls/SV-238344.rb" + }, + { + "title": null, + "controls": [ + "SV-238348" + ], + "id": "controls/SV-238348.rb" + }, + { + "title": null, + "controls": [ + "SV-238338" + ], + "id": "controls/SV-238338.rb" + }, + { + "title": null, + "controls": [ + "SV-238285" + ], + "id": "controls/SV-238285.rb" + }, + { + "title": null, + "controls": [ + "SV-238372" + ], + "id": "controls/SV-238372.rb" + }, + { + "title": null, + "controls": [ + "SV-238371" + ], + "id": "controls/SV-238371.rb" + }, + { + "title": null, + "controls": [ + "SV-238282" + ], + "id": "controls/SV-238282.rb" + }, + { + "title": null, + "controls": [ + "SV-238377" + ], + "id": "controls/SV-238377.rb" + }, + { + "title": null, + "controls": [ + "SV-238354" + ], + "id": "controls/SV-238354.rb" + }, + { + "title": null, + "controls": [ + "SV-238237" + ], + "id": "controls/SV-238237.rb" + }, + { + "title": null, + "controls": [ + "SV-238213" + ], + "id": "controls/SV-238213.rb" + }, + { + "title": null, + "controls": [ + "SV-238298" + ], + "id": "controls/SV-238298.rb" + }, + { + "title": null, + "controls": [ + "SV-238205" + ], + "id": "controls/SV-238205.rb" + }, + { + "title": null, + "controls": [ + "SV-238303" + ], + "id": "controls/SV-238303.rb" + }, + { + "title": null, + "controls": [ + "SV-238244" + ], + "id": "controls/SV-238244.rb" + }, + { + "title": null, + "controls": [ + "SV-238250" + ], + "id": "controls/SV-238250.rb" + }, + { + "title": null, + "controls": [ + "SV-238289" + ], + "id": "controls/SV-238289.rb" + }, + { + "title": null, + "controls": [ + "SV-238292" + ], + "id": "controls/SV-238292.rb" + }, + { + "title": null, + "controls": [ + "SV-238336" + ], + "id": "controls/SV-238336.rb" + }, + { + "title": null, + "controls": [ + "SV-238333" + ], + "id": "controls/SV-238333.rb" + }, + { + "title": null, + "controls": [ + "SV-238320" + ], + "id": "controls/SV-238320.rb" + }, + { + "title": null, + "controls": [ + "SV-238279" + ], + "id": "controls/SV-238279.rb" + }, + { + "title": null, + "controls": [ + "SV-238241" + ], + "id": "controls/SV-238241.rb" + }, + { + "title": null, + "controls": [ + "SV-238271" + ], + "id": "controls/SV-238271.rb" + }, + { + "title": null, + "controls": [ + "SV-238212" + ], + "id": "controls/SV-238212.rb" + }, + { + "title": null, + "controls": [ + "SV-238326" + ], + "id": "controls/SV-238326.rb" + }, + { + "title": null, + "controls": [ + "SV-238198" + ], + "id": "controls/SV-238198.rb" + }, + { + "title": null, + "controls": [ + "SV-238321" + ], + "id": "controls/SV-238321.rb" + }, + { + "title": null, + "controls": [ + "SV-238353" + ], + "id": "controls/SV-238353.rb" + }, + { + "title": null, + "controls": [ + "SV-238351" + ], + "id": "controls/SV-238351.rb" + }, + { + "title": null, + "controls": [ + "SV-238283" + ], + "id": "controls/SV-238283.rb" + }, + { + "title": null, + "controls": [ + "SV-238230" + ], + "id": "controls/SV-238230.rb" + }, + { + "title": null, + "controls": [ + "SV-238239" + ], + "id": "controls/SV-238239.rb" + }, + { + "title": null, + "controls": [ + "SV-238325" + ], + "id": "controls/SV-238325.rb" + }, + { + "title": null, + "controls": [ + "SV-238374" + ], + "id": "controls/SV-238374.rb" + }, + { + "title": null, + "controls": [ + "SV-238356" + ], + "id": "controls/SV-238356.rb" + }, + { + "title": null, + "controls": [ + "SV-238341" + ], + "id": "controls/SV-238341.rb" + }, + { + "title": null, + "controls": [ + "SV-238317" + ], + "id": "controls/SV-238317.rb" + }, + { + "title": null, + "controls": [ + "SV-238225" + ], + "id": "controls/SV-238225.rb" + }, + { + "title": null, + "controls": [ + "SV-238222" + ], + "id": "controls/SV-238222.rb" + }, + { + "title": null, + "controls": [ + "SV-251503" + ], + "id": "controls/SV-251503.rb" + }, + { + "title": null, + "controls": [ + "SV-238197" + ], + "id": "controls/SV-238197.rb" + }, + { + "title": null, + "controls": [ + "SV-238277" + ], + "id": "controls/SV-238277.rb" + }, + { + "title": null, + "controls": [ + "SV-238318" + ], + "id": "controls/SV-238318.rb" + }, + { + "title": null, + "controls": [ + "SV-238349" + ], + "id": "controls/SV-238349.rb" + }, + { + "title": null, + "controls": [ + "SV-238220" + ], + "id": "controls/SV-238220.rb" + }, + { + "title": null, + "controls": [ + "SV-238364" + ], + "id": "controls/SV-238364.rb" + }, + { + "title": null, + "controls": [ + "SV-238378" + ], + "id": "controls/SV-238378.rb" + }, + { + "title": null, + "controls": [ + "SV-238246" + ], + "id": "controls/SV-238246.rb" + }, + { + "title": null, + "controls": [ + "SV-238218" + ], + "id": "controls/SV-238218.rb" + }, + { + "title": null, + "controls": [ + "SV-238236" + ], + "id": "controls/SV-238236.rb" + }, + { + "title": null, + "controls": [ + "SV-238268" + ], + "id": "controls/SV-238268.rb" + }, + { + "title": null, + "controls": [ + "SV-238245" + ], + "id": "controls/SV-238245.rb" + }, + { + "title": null, + "controls": [ + "SV-238228" + ], + "id": "controls/SV-238228.rb" + }, + { + "title": null, + "controls": [ + "SV-238215" + ], + "id": "controls/SV-238215.rb" + }, + { + "title": null, + "controls": [ + "SV-238287" + ], + "id": "controls/SV-238287.rb" + }, + { + "title": null, + "controls": [ + "SV-238357" + ], + "id": "controls/SV-238357.rb" + }, + { + "title": null, + "controls": [ + "SV-238291" + ], + "id": "controls/SV-238291.rb" + }, + { + "title": null, + "controls": [ + "SV-238209" + ], + "id": "controls/SV-238209.rb" + }, + { + "title": null, + "controls": [ + "SV-238255" + ], + "id": "controls/SV-238255.rb" + }, + { + "title": null, + "controls": [ + "SV-238207" + ], + "id": "controls/SV-238207.rb" + }, + { + "title": null, + "controls": [ + "SV-238331" + ], + "id": "controls/SV-238331.rb" + }, + { + "title": null, + "controls": [ + "SV-238340" + ], + "id": "controls/SV-238340.rb" + }, + { + "title": null, + "controls": [ + "SV-238302" + ], + "id": "controls/SV-238302.rb" + }, + { + "title": null, + "controls": [ + "SV-238319" + ], + "id": "controls/SV-238319.rb" + }, + { + "title": null, + "controls": [ + "SV-238201" + ], + "id": "controls/SV-238201.rb" + }, + { + "title": null, + "controls": [ + "SV-238238" + ], + "id": "controls/SV-238238.rb" + }, + { + "title": null, + "controls": [ + "SV-238335" + ], + "id": "controls/SV-238335.rb" + }, + { + "title": null, + "controls": [ + "SV-238363" + ], + "id": "controls/SV-238363.rb" + }, + { + "title": null, + "controls": [ + "SV-238224" + ], + "id": "controls/SV-238224.rb" + }, + { + "title": null, + "controls": [ + "SV-238226" + ], + "id": "controls/SV-238226.rb" + }, + { + "title": null, + "controls": [ + "SV-238214" + ], + "id": "controls/SV-238214.rb" + }, + { + "title": null, + "controls": [ + "SV-238249" + ], + "id": "controls/SV-238249.rb" + }, + { + "title": null, + "controls": [ + "SV-238240" + ], + "id": "controls/SV-238240.rb" + }, + { + "title": null, + "controls": [ + "SV-238242" + ], + "id": "controls/SV-238242.rb" + }, + { + "title": null, + "controls": [ + "SV-238294" + ], + "id": "controls/SV-238294.rb" + }, + { + "title": null, + "controls": [ + "SV-238304" + ], + "id": "controls/SV-238304.rb" + }, + { + "title": null, + "controls": [ + "SV-238361" + ], + "id": "controls/SV-238361.rb" + }, + { + "title": null, + "controls": [ + "SV-238370" + ], + "id": "controls/SV-238370.rb" + }, + { + "title": null, + "controls": [ + "SV-238264" + ], + "id": "controls/SV-238264.rb" + }, + { + "title": null, + "controls": [ + "SV-238208" + ], + "id": "controls/SV-238208.rb" + }, + { + "title": null, + "controls": [ + "SV-238306" + ], + "id": "controls/SV-238306.rb" + }, + { + "title": null, + "controls": [ + "SV-238362" + ], + "id": "controls/SV-238362.rb" + }, + { + "title": null, + "controls": [ + "SV-238243" + ], + "id": "controls/SV-238243.rb" + }, + { + "title": null, + "controls": [ + "SV-238251" + ], + "id": "controls/SV-238251.rb" + }, + { + "title": null, + "controls": [ + "SV-238232" + ], + "id": "controls/SV-238232.rb" + }, + { + "title": null, + "controls": [ + "SV-238297" + ], + "id": "controls/SV-238297.rb" + }, + { + "title": null, + "controls": [ + "SV-238295" + ], + "id": "controls/SV-238295.rb" + }, + { + "title": null, + "controls": [ + "SV-238368" + ], + "id": "controls/SV-238368.rb" + }, + { + "title": null, + "controls": [ + "SV-238367" + ], + "id": "controls/SV-238367.rb" + }, + { + "title": null, + "controls": [ + "SV-238211" + ], + "id": "controls/SV-238211.rb" + }, + { + "title": null, + "controls": [ + "SV-238229" + ], + "id": "controls/SV-238229.rb" + }, + { + "title": null, + "controls": [ + "SV-238301" + ], + "id": "controls/SV-238301.rb" + }, + { + "title": null, + "controls": [ + "SV-238258" + ], + "id": "controls/SV-238258.rb" + }, + { + "title": null, + "controls": [ + "SV-238284" + ], + "id": "controls/SV-238284.rb" + }, + { + "title": null, + "controls": [ + "SV-238337" + ], + "id": "controls/SV-238337.rb" + }, + { + "title": null, + "controls": [ + "SV-238288" + ], + "id": "controls/SV-238288.rb" + }, + { + "title": null, + "controls": [ + "SV-238203" + ], + "id": "controls/SV-238203.rb" + }, + { + "title": null, + "controls": [ + "SV-238309" + ], + "id": "controls/SV-238309.rb" + }, + { + "title": null, + "controls": [ + "SV-238307" + ], + "id": "controls/SV-238307.rb" + }, + { + "title": null, + "controls": [ + "SV-238330" + ], + "id": "controls/SV-238330.rb" + }, + { + "title": null, + "controls": [ + "SV-238380" + ], + "id": "controls/SV-238380.rb" + }, + { + "title": null, + "controls": [ + "SV-238360" + ], + "id": "controls/SV-238360.rb" + }, + { + "title": null, + "controls": [ + "SV-238235" + ], + "id": "controls/SV-238235.rb" + }, + { + "title": null, + "controls": [ + "SV-251505" + ], + "id": "controls/SV-251505.rb" + }, + { + "title": null, + "controls": [ + "SV-238299" + ], + "id": "controls/SV-238299.rb" + }, + { + "title": null, + "controls": [ + "SV-238334" + ], + "id": "controls/SV-238334.rb" + }, + { + "title": null, + "controls": [ + "SV-238254" + ], + "id": "controls/SV-238254.rb" + }, + { + "title": null, + "controls": [ + "SV-251504" + ], + "id": "controls/SV-251504.rb" + }, + { + "title": null, + "controls": [ + "SV-238202" + ], + "id": "controls/SV-238202.rb" + }, + { + "title": null, + "controls": [ + "SV-238352" + ], + "id": "controls/SV-238352.rb" + }, + { + "title": null, + "controls": [ + "SV-238286" + ], + "id": "controls/SV-238286.rb" + }, + { + "title": null, + "controls": [ + "SV-238210" + ], + "id": "controls/SV-238210.rb" + }, + { + "title": null, + "controls": [ + "SV-238342" + ], + "id": "controls/SV-238342.rb" + }, + { + "title": null, + "controls": [ + "SV-238280" + ], + "id": "controls/SV-238280.rb" + }, + { + "title": null, + "controls": [ + "SV-238310" + ], + "id": "controls/SV-238310.rb" + }, + { + "title": null, + "controls": [ + "SV-238204" + ], + "id": "controls/SV-238204.rb" + }, + { + "title": null, + "controls": [ + "SV-238219" + ], + "id": "controls/SV-238219.rb" + }, + { + "title": null, + "controls": [ + "SV-238257" + ], + "id": "controls/SV-238257.rb" + }, + { + "title": null, + "controls": [ + "SV-238345" + ], + "id": "controls/SV-238345.rb" + }, + { + "title": null, + "controls": [ + "SV-238376" + ], + "id": "controls/SV-238376.rb" + }, + { + "title": null, + "controls": [ + "SV-238324" + ], + "id": "controls/SV-238324.rb" + }, + { + "title": null, + "controls": [ + "SV-238308" + ], + "id": "controls/SV-238308.rb" + }, + { + "title": null, + "controls": [ + "SV-238290" + ], + "id": "controls/SV-238290.rb" + }, + { + "title": null, + "controls": [ + "SV-238316" + ], + "id": "controls/SV-238316.rb" + }, + { + "title": null, + "controls": [ + "SV-238346" + ], + "id": "controls/SV-238346.rb" + }, + { + "title": null, + "controls": [ + "SV-238200" + ], + "id": "controls/SV-238200.rb" + }, + { + "title": null, + "controls": [ + "SV-238227" + ], + "id": "controls/SV-238227.rb" + }, + { + "title": null, + "controls": [ + "SV-238332" + ], + "id": "controls/SV-238332.rb" + }, + { + "title": null, + "controls": [ + "SV-238339" + ], + "id": "controls/SV-238339.rb" + }, + { + "title": null, + "controls": [ + "SV-238365" + ], + "id": "controls/SV-238365.rb" + }, + { + "title": null, + "controls": [ + "SV-238256" + ], + "id": "controls/SV-238256.rb" + }, + { + "title": null, + "controls": [ + "SV-238323" + ], + "id": "controls/SV-238323.rb" + }, + { + "title": null, + "controls": [ + "SV-238328" + ], + "id": "controls/SV-238328.rb" + }, + { + "title": null, + "controls": [ + "SV-238278" + ], + "id": "controls/SV-238278.rb" + }, + { + "title": null, + "controls": [ + "SV-238252" + ], + "id": "controls/SV-238252.rb" + }, + { + "title": null, + "controls": [ + "SV-238369" + ], + "id": "controls/SV-238369.rb" + }, + { + "title": null, + "controls": [ + "SV-238315" + ], + "id": "controls/SV-238315.rb" + }, + { + "title": null, + "controls": [ + "SV-238359" + ], + "id": "controls/SV-238359.rb" + }, + { + "title": null, + "controls": [ + "SV-238358" + ], + "id": "controls/SV-238358.rb" + }, + { + "title": null, + "controls": [ + "SV-238343" + ], + "id": "controls/SV-238343.rb" + }, + { + "title": null, + "controls": [ + "SV-238221" + ], + "id": "controls/SV-238221.rb" + }, + { + "title": null, + "controls": [ + "SV-238300" + ], + "id": "controls/SV-238300.rb" + }, + { + "title": null, + "controls": [ + "SV-238366" + ], + "id": "controls/SV-238366.rb" + }, + { + "title": null, + "controls": [ + "SV-238373" + ], + "id": "controls/SV-238373.rb" + }, + { + "title": null, + "controls": [ + "SV-238248" + ], + "id": "controls/SV-238248.rb" + }, + { + "title": null, + "controls": [ + "SV-238293" + ], + "id": "controls/SV-238293.rb" + } + ], + "sha256": "3631ba284e9ea47d57f1f464fbd5391e0f86bba40c482ad14962d4cd93075f9e", + "status_message": "", + "status": "loaded", + "generator": { + "name": "inspec", + "version": "5.18.14" + } +} From 1a533976a0662b8d112ef023be8219e96751f1d6 Mon Sep 17 00:00:00 2001 From: Will Dower Date: Tue, 6 Dec 2022 16:19:43 -0500 Subject: [PATCH 053/100] added clause to ensure that artifact upload job ALWAYS fires after the validate job finishes Signed-off-by: Will Dower --- .github/workflows/verify-container.yml | 1 + .github/workflows/verify-ec2.yml | 1 + .github/workflows/verify-vagrant.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index 7f46e12..9a48491 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -50,6 +50,7 @@ jobs: artifact-upload: name: Upload artifacts runs-on: macos-12 + if: ${{ always() }} needs: validate steps: - name: Save Test Result JSONs diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index c2831ac..ba997ce 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -61,6 +61,7 @@ jobs: artifact-upload: name: Upload artifacts runs-on: macos-12 + if: ${{ always() }} needs: validate steps: - name: Save Test Result JSONs diff --git a/.github/workflows/verify-vagrant.yml b/.github/workflows/verify-vagrant.yml index 2e9b749..f75ebc0 100644 --- a/.github/workflows/verify-vagrant.yml +++ b/.github/workflows/verify-vagrant.yml @@ -50,6 +50,7 @@ jobs: artifact-upload: name: Upload artifacts runs-on: macos-12 + if: ${{ always() }} needs: validate steps: - name: Save Test Result JSONs From a447190a26048e633b24413880f32e2cd36390c5 Mon Sep 17 00:00:00 2001 From: Will Dower Date: Tue, 6 Dec 2022 16:28:55 -0500 Subject: [PATCH 054/100] linting fixes and captured some inputs as local vars to make them usable for boolean checks without annoying inspec check Signed-off-by: Will Dower --- controls/SV-238201.rb | 4 ++-- controls/SV-238210.rb | 4 ++-- controls/SV-238211.rb | 4 ++-- controls/SV-238216.rb | 4 +++- controls/SV-238217.rb | 12 +++++++----- controls/SV-238228.rb | 4 ++-- controls/SV-238229.rb | 4 ++-- controls/SV-238230.rb | 4 ++-- controls/SV-238232.rb | 4 ++-- controls/SV-238233.rb | 4 ++-- controls/SV-238234.rb | 4 ++-- controls/SV-238235.rb | 4 ++-- controls/SV-238237.rb | 4 ++-- controls/SV-238238.rb | 6 +++--- controls/SV-238239.rb | 6 +++--- controls/SV-238240.rb | 4 ++-- controls/SV-238241.rb | 4 ++-- controls/SV-238242.rb | 4 ++-- controls/SV-238243.rb | 4 ++-- controls/SV-238244.rb | 4 ++-- controls/SV-238245.rb | 4 ++-- controls/SV-238246.rb | 4 ++-- controls/SV-238247.rb | 4 ++-- controls/SV-238248.rb | 4 ++-- controls/SV-238249.rb | 4 ++-- controls/SV-238250.rb | 4 ++-- controls/SV-238251.rb | 4 ++-- controls/SV-238252.rb | 4 ++-- controls/SV-238253.rb | 4 ++-- controls/SV-238254.rb | 4 ++-- controls/SV-238255.rb | 4 ++-- controls/SV-238256.rb | 4 ++-- controls/SV-238257.rb | 4 ++-- controls/SV-238258.rb | 4 ++-- controls/SV-238264.rb | 4 ++-- controls/SV-238268.rb | 4 ++-- controls/SV-238271.rb | 4 ++-- controls/SV-238277.rb | 4 ++-- controls/SV-238278.rb | 4 ++-- controls/SV-238279.rb | 4 ++-- controls/SV-238280.rb | 4 ++-- controls/SV-238281.rb | 4 ++-- controls/SV-238282.rb | 4 ++-- controls/SV-238283.rb | 4 ++-- controls/SV-238284.rb | 4 ++-- controls/SV-238285.rb | 4 ++-- controls/SV-238286.rb | 4 ++-- controls/SV-238287.rb | 4 ++-- controls/SV-238288.rb | 4 ++-- controls/SV-238289.rb | 4 ++-- controls/SV-238290.rb | 4 ++-- controls/SV-238291.rb | 4 ++-- controls/SV-238292.rb | 4 ++-- controls/SV-238293.rb | 4 ++-- controls/SV-238294.rb | 4 ++-- controls/SV-238295.rb | 4 ++-- controls/SV-238297.rb | 4 ++-- controls/SV-238298.rb | 4 ++-- controls/SV-238300.rb | 4 ++-- controls/SV-238301.rb | 4 ++-- controls/SV-238302.rb | 4 ++-- controls/SV-238303.rb | 4 ++-- controls/SV-238304.rb | 4 ++-- controls/SV-238305.rb | 4 ++-- controls/SV-238306.rb | 4 ++-- controls/SV-238307.rb | 4 ++-- controls/SV-238309.rb | 4 ++-- controls/SV-238310.rb | 4 ++-- controls/SV-238315.rb | 4 ++-- controls/SV-238316.rb | 4 ++-- controls/SV-238317.rb | 4 ++-- controls/SV-238318.rb | 4 ++-- controls/SV-238319.rb | 4 ++-- controls/SV-238320.rb | 4 ++-- controls/SV-238325.rb | 12 +++++++----- controls/SV-238362.rb | 4 ++-- controls/SV-238363.rb | 4 +++- controls/SV-238373.rb | 4 ++-- controls/SV-251504.rb | 4 ++-- controls/SV-251505.rb | 4 ++-- 80 files changed, 174 insertions(+), 166 deletions(-) diff --git a/controls/SV-238201.rb b/controls/SV-238201.rb index 17faae7..3f2a6a8 100644 --- a/controls/SV-238201.rb +++ b/controls/SV-238201.rb @@ -32,8 +32,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else config_file = '/etc/pam_pkcs11/pam_pkcs11.conf' diff --git a/controls/SV-238210.rb b/controls/SV-238210.rb index c15df89..0fff82e 100644 --- a/controls/SV-238210.rb +++ b/controls/SV-238210.rb @@ -71,8 +71,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else describe package('libpam-pkcs11') do diff --git a/controls/SV-238211.rb b/controls/SV-238211.rb index 9b541fc..5d17588 100644 --- a/controls/SV-238211.rb +++ b/controls/SV-238211.rb @@ -43,8 +43,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else describe sshd_config do diff --git a/controls/SV-238216.rb b/controls/SV-238216.rb index f0a54f2..85b4878 100644 --- a/controls/SV-238216.rb +++ b/controls/SV-238216.rb @@ -62,7 +62,9 @@ tag cci: %w(CCI-001453 CCI-002421 CCI-002890) tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)'] - if input('disable_fips')? + disable_fips = input('disable_fips') + + if disable_fips? impact 0.0 describe "Control not applicable" do skip "Control not applicable" diff --git a/controls/SV-238217.rb b/controls/SV-238217.rb index e709266..a3442f9 100644 --- a/controls/SV-238217.rb +++ b/controls/SV-238217.rb @@ -68,14 +68,16 @@ tag cci: %w(CCI-000068 CCI-002421 CCI-003123) tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)'] - if input('disable_fips')? + disable_fips = input('disable_fips') + + if disable_fips? impact 0.0 - describe "Control not applicable" do - skip "Control not applicable" + describe 'Control not applicable' do + skip 'Control not applicable' end elsif virtualization.system.eql?('docker') - describe "Manual test" do - skip "This control must be reviewed manually" + describe 'Manual test' do + skip 'This control must be reviewed manually' end else @ciphers_array = inspec.sshd_config.params['ciphers'] diff --git a/controls/SV-238228.rb b/controls/SV-238228.rb index eb5378c..796ec6a 100644 --- a/controls/SV-238228.rb +++ b/controls/SV-238228.rb @@ -77,8 +77,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else describe package('libpam-pwquality') do diff --git a/controls/SV-238229.rb b/controls/SV-238229.rb index 2f783d2..5eca649 100644 --- a/controls/SV-238229.rb +++ b/controls/SV-238229.rb @@ -67,8 +67,8 @@ module is being used via the \"use_pkcs11_module\" in \"/etc/pam_pkcs11/pam_pkcs if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist? diff --git a/controls/SV-238230.rb b/controls/SV-238230.rb index 07cc779..45ba034 100644 --- a/controls/SV-238230.rb +++ b/controls/SV-238230.rb @@ -53,8 +53,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else describe package('libpam-pkcs11') do diff --git a/controls/SV-238232.rb b/controls/SV-238232.rb index c241103..c8bbe1b 100644 --- a/controls/SV-238232.rb +++ b/controls/SV-238232.rb @@ -39,8 +39,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist? diff --git a/controls/SV-238233.rb b/controls/SV-238233.rb index 5ef61a0..fc0f1ad 100644 --- a/controls/SV-238233.rb +++ b/controls/SV-238233.rb @@ -42,8 +42,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist? diff --git a/controls/SV-238234.rb b/controls/SV-238234.rb index 667f6cc..d2376bc 100644 --- a/controls/SV-238234.rb +++ b/controls/SV-238234.rb @@ -39,8 +39,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else describe file('/etc/pam.d/common-password') do diff --git a/controls/SV-238235.rb b/controls/SV-238235.rb index c06b39a..c16a5ea 100644 --- a/controls/SV-238235.rb +++ b/controls/SV-238235.rb @@ -73,8 +73,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else describe file('/etc/pam.d/common-auth') do diff --git a/controls/SV-238237.rb b/controls/SV-238237.rb index ad5b29d..a984c61 100644 --- a/controls/SV-238237.rb +++ b/controls/SV-238237.rb @@ -33,8 +33,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else describe file('/etc/pam.d/common-auth') do diff --git a/controls/SV-238238.rb b/controls/SV-238238.rb index 64818f1..451ff09 100644 --- a/controls/SV-238238.rb +++ b/controls/SV-238238.rb @@ -54,10 +54,10 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end - else + else @audit_file = '/etc/passwd' audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? diff --git a/controls/SV-238239.rb b/controls/SV-238239.rb index a2435ff..612346b 100644 --- a/controls/SV-238239.rb +++ b/controls/SV-238239.rb @@ -54,10 +54,10 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end - else + else @audit_file = '/etc/group' audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil? if audit_lines_exist diff --git a/controls/SV-238240.rb b/controls/SV-238240.rb index ca6a745..f6ac3f6 100644 --- a/controls/SV-238240.rb +++ b/controls/SV-238240.rb @@ -54,8 +54,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/etc/shadow' diff --git a/controls/SV-238241.rb b/controls/SV-238241.rb index d9f2803..4bae091 100644 --- a/controls/SV-238241.rb +++ b/controls/SV-238241.rb @@ -54,8 +54,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/etc/gshadow' diff --git a/controls/SV-238242.rb b/controls/SV-238242.rb index 5aaa8ea..38ac48d 100644 --- a/controls/SV-238242.rb +++ b/controls/SV-238242.rb @@ -54,8 +54,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/etc/security/opasswd' diff --git a/controls/SV-238243.rb b/controls/SV-238243.rb index 3744b19..b98bf33 100644 --- a/controls/SV-238243.rb +++ b/controls/SV-238243.rb @@ -54,8 +54,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else action_mail_acct = auditd_conf.action_mail_acct diff --git a/controls/SV-238244.rb b/controls/SV-238244.rb index 2bb0d4a..19d73f6 100644 --- a/controls/SV-238244.rb +++ b/controls/SV-238244.rb @@ -57,8 +57,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else describe auditd_conf do diff --git a/controls/SV-238245.rb b/controls/SV-238245.rb index 6e880e8..64af0cb 100644 --- a/controls/SV-238245.rb +++ b/controls/SV-238245.rb @@ -55,8 +55,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else log_file = auditd_conf.log_file diff --git a/controls/SV-238246.rb b/controls/SV-238246.rb index 51e1ca5..9ff46d6 100644 --- a/controls/SV-238246.rb +++ b/controls/SV-238246.rb @@ -54,8 +54,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else log_file = auditd_conf.log_file diff --git a/controls/SV-238247.rb b/controls/SV-238247.rb index 6771489..00c64c7 100644 --- a/controls/SV-238247.rb +++ b/controls/SV-238247.rb @@ -58,8 +58,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else log_file = auditd_conf.log_file diff --git a/controls/SV-238248.rb b/controls/SV-238248.rb index 75d14b8..dc1e233 100644 --- a/controls/SV-238248.rb +++ b/controls/SV-238248.rb @@ -60,8 +60,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else log_file = auditd_conf.log_file diff --git a/controls/SV-238249.rb b/controls/SV-238249.rb index fec86f7..a746223 100644 --- a/controls/SV-238249.rb +++ b/controls/SV-238249.rb @@ -54,8 +54,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else files1 = command('find /etc/audit/ -type f \( -iname \*.rules -o -iname \*.conf \)').stdout.strip.split("\n").entries diff --git a/controls/SV-238250.rb b/controls/SV-238250.rb index acba538..9883148 100644 --- a/controls/SV-238250.rb +++ b/controls/SV-238250.rb @@ -64,8 +64,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else files1 = command('find /etc/audit/ -type f \( -iname \*.rules -o -iname \*.conf \)').stdout.strip.split("\n").entries diff --git a/controls/SV-238251.rb b/controls/SV-238251.rb index 1d8f284..969232d 100644 --- a/controls/SV-238251.rb +++ b/controls/SV-238251.rb @@ -54,8 +54,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else files1 = command('find /etc/audit/ -type f \( -iname \*.rules -o -iname \*.conf \)').stdout.strip.split("\n").entries diff --git a/controls/SV-238252.rb b/controls/SV-238252.rb index da8f462..493d240 100644 --- a/controls/SV-238252.rb +++ b/controls/SV-238252.rb @@ -50,8 +50,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/bin/su' diff --git a/controls/SV-238253.rb b/controls/SV-238253.rb index 560de86..33e7552 100644 --- a/controls/SV-238253.rb +++ b/controls/SV-238253.rb @@ -50,8 +50,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/usr/bin/chfn' diff --git a/controls/SV-238254.rb b/controls/SV-238254.rb index 6784e07..72b67f3 100644 --- a/controls/SV-238254.rb +++ b/controls/SV-238254.rb @@ -50,8 +50,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/usr/bin/mount' diff --git a/controls/SV-238255.rb b/controls/SV-238255.rb index 3223301..0b0055a 100644 --- a/controls/SV-238255.rb +++ b/controls/SV-238255.rb @@ -50,8 +50,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/usr/bin/umount' diff --git a/controls/SV-238256.rb b/controls/SV-238256.rb index 60b62f4..a64333e 100644 --- a/controls/SV-238256.rb +++ b/controls/SV-238256.rb @@ -50,8 +50,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/usr/bin/ssh-agent' diff --git a/controls/SV-238257.rb b/controls/SV-238257.rb index 57eacdb..dbbacbf 100644 --- a/controls/SV-238257.rb +++ b/controls/SV-238257.rb @@ -51,8 +51,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/usr/lib/openssh/ssh-keysign' diff --git a/controls/SV-238258.rb b/controls/SV-238258.rb index 5941011..b3e6cee 100644 --- a/controls/SV-238258.rb +++ b/controls/SV-238258.rb @@ -86,8 +86,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else if os.arch == 'x86_64' diff --git a/controls/SV-238264.rb b/controls/SV-238264.rb index 1279a6b..cfd4e98 100644 --- a/controls/SV-238264.rb +++ b/controls/SV-238264.rb @@ -71,8 +71,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else if os.arch == 'x86_64' diff --git a/controls/SV-238268.rb b/controls/SV-238268.rb index f81177f..23368a2 100644 --- a/controls/SV-238268.rb +++ b/controls/SV-238268.rb @@ -70,8 +70,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else if os.arch == 'x86_64' diff --git a/controls/SV-238271.rb b/controls/SV-238271.rb index 9307789..c0331c0 100644 --- a/controls/SV-238271.rb +++ b/controls/SV-238271.rb @@ -87,8 +87,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else if os.arch == 'x86_64' diff --git a/controls/SV-238277.rb b/controls/SV-238277.rb index 1adc42f..6599043 100644 --- a/controls/SV-238277.rb +++ b/controls/SV-238277.rb @@ -49,8 +49,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/usr/bin/sudo' diff --git a/controls/SV-238278.rb b/controls/SV-238278.rb index 417f5d5..01ac7d7 100644 --- a/controls/SV-238278.rb +++ b/controls/SV-238278.rb @@ -50,8 +50,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/usr/bin/sudoedit' diff --git a/controls/SV-238279.rb b/controls/SV-238279.rb index 0136958..d68940f 100644 --- a/controls/SV-238279.rb +++ b/controls/SV-238279.rb @@ -50,8 +50,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/usr/bin/chsh' diff --git a/controls/SV-238280.rb b/controls/SV-238280.rb index aa8600a..5ba159b 100644 --- a/controls/SV-238280.rb +++ b/controls/SV-238280.rb @@ -50,8 +50,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/usr/bin/newgrp' diff --git a/controls/SV-238281.rb b/controls/SV-238281.rb index 2294afb..bfe8d62 100644 --- a/controls/SV-238281.rb +++ b/controls/SV-238281.rb @@ -50,8 +50,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/usr/bin/chcon' diff --git a/controls/SV-238282.rb b/controls/SV-238282.rb index 173fba3..1d8e3ac 100644 --- a/controls/SV-238282.rb +++ b/controls/SV-238282.rb @@ -50,8 +50,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/sbin/apparmor_parser' diff --git a/controls/SV-238283.rb b/controls/SV-238283.rb index debe151..dcd5d7e 100644 --- a/controls/SV-238283.rb +++ b/controls/SV-238283.rb @@ -50,8 +50,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/usr/bin/setfacl' diff --git a/controls/SV-238284.rb b/controls/SV-238284.rb index 68e7291..1836a81 100644 --- a/controls/SV-238284.rb +++ b/controls/SV-238284.rb @@ -50,8 +50,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/usr/bin/chacl' diff --git a/controls/SV-238285.rb b/controls/SV-238285.rb index 155fa64..0014c24 100644 --- a/controls/SV-238285.rb +++ b/controls/SV-238285.rb @@ -51,8 +51,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/var/log/tallylog' diff --git a/controls/SV-238286.rb b/controls/SV-238286.rb index 9d21206..5866336 100644 --- a/controls/SV-238286.rb +++ b/controls/SV-238286.rb @@ -51,8 +51,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/var/log/faillog' diff --git a/controls/SV-238287.rb b/controls/SV-238287.rb index aa85aa2..56b4a91 100644 --- a/controls/SV-238287.rb +++ b/controls/SV-238287.rb @@ -51,8 +51,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/var/log/lastlog' diff --git a/controls/SV-238288.rb b/controls/SV-238288.rb index 82b30ab..0e28457 100644 --- a/controls/SV-238288.rb +++ b/controls/SV-238288.rb @@ -50,8 +50,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/usr/bin/passwd' diff --git a/controls/SV-238289.rb b/controls/SV-238289.rb index c22c8ed..84f46e6 100644 --- a/controls/SV-238289.rb +++ b/controls/SV-238289.rb @@ -50,8 +50,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/sbin/unix_update' diff --git a/controls/SV-238290.rb b/controls/SV-238290.rb index fb385af..4c63696 100644 --- a/controls/SV-238290.rb +++ b/controls/SV-238290.rb @@ -50,8 +50,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/usr/bin/gpasswd' diff --git a/controls/SV-238291.rb b/controls/SV-238291.rb index 7db18bb..4534922 100644 --- a/controls/SV-238291.rb +++ b/controls/SV-238291.rb @@ -50,8 +50,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/usr/bin/chage' diff --git a/controls/SV-238292.rb b/controls/SV-238292.rb index 70ddc7e..2f0e3ae 100644 --- a/controls/SV-238292.rb +++ b/controls/SV-238292.rb @@ -50,8 +50,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/usr/sbin/usermod' diff --git a/controls/SV-238293.rb b/controls/SV-238293.rb index 84c8860..e513179 100644 --- a/controls/SV-238293.rb +++ b/controls/SV-238293.rb @@ -50,8 +50,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/usr/bin/crontab' diff --git a/controls/SV-238294.rb b/controls/SV-238294.rb index 24fada9..999a3f5 100644 --- a/controls/SV-238294.rb +++ b/controls/SV-238294.rb @@ -52,8 +52,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/usr/sbin/pam_timestamp_check' diff --git a/controls/SV-238295.rb b/controls/SV-238295.rb index 42ca8b3..df01799 100644 --- a/controls/SV-238295.rb +++ b/controls/SV-238295.rb @@ -71,8 +71,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else if os.arch == 'x86_64' diff --git a/controls/SV-238297.rb b/controls/SV-238297.rb index 891d079..9e7f432 100644 --- a/controls/SV-238297.rb +++ b/controls/SV-238297.rb @@ -63,8 +63,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else if os.arch == 'x86_64' diff --git a/controls/SV-238298.rb b/controls/SV-238298.rb index 54ac7f2..46a76c3 100644 --- a/controls/SV-238298.rb +++ b/controls/SV-238298.rb @@ -85,8 +85,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else describe package('auditd') do diff --git a/controls/SV-238300.rb b/controls/SV-238300.rb index c73601e..96d8386 100644 --- a/controls/SV-238300.rb +++ b/controls/SV-238300.rb @@ -55,8 +55,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else audit_tools = input('audit_tools') diff --git a/controls/SV-238301.rb b/controls/SV-238301.rb index 28877d6..dc1d65f 100644 --- a/controls/SV-238301.rb +++ b/controls/SV-238301.rb @@ -55,8 +55,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else audit_tools = input('audit_tools') diff --git a/controls/SV-238302.rb b/controls/SV-238302.rb index b2bc16e..cc1c576 100644 --- a/controls/SV-238302.rb +++ b/controls/SV-238302.rb @@ -56,8 +56,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else audit_tools = input('audit_tools') diff --git a/controls/SV-238303.rb b/controls/SV-238303.rb index 7dd085b..a725db7 100644 --- a/controls/SV-238303.rb +++ b/controls/SV-238303.rb @@ -71,8 +71,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else aide_conf = aide_conf input('aide_conf_path') diff --git a/controls/SV-238304.rb b/controls/SV-238304.rb index 0e263ed..08a577e 100644 --- a/controls/SV-238304.rb +++ b/controls/SV-238304.rb @@ -72,8 +72,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else if os.arch == 'x86_64' diff --git a/controls/SV-238305.rb b/controls/SV-238305.rb index f4f826b..5dbc9a2 100644 --- a/controls/SV-238305.rb +++ b/controls/SV-238305.rb @@ -74,8 +74,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else log_file = auditd_conf.log_file diff --git a/controls/SV-238306.rb b/controls/SV-238306.rb index 4265848..a050971 100644 --- a/controls/SV-238306.rb +++ b/controls/SV-238306.rb @@ -81,8 +81,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else config_file = input('audispremote_config_file') diff --git a/controls/SV-238307.rb b/controls/SV-238307.rb index 2ad8b1b..3338bd6 100644 --- a/controls/SV-238307.rb +++ b/controls/SV-238307.rb @@ -72,8 +72,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else log_file = auditd_conf.log_file diff --git a/controls/SV-238309.rb b/controls/SV-238309.rb index 3e14fd9..6aab4ef 100644 --- a/controls/SV-238309.rb +++ b/controls/SV-238309.rb @@ -64,8 +64,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/var/log/sudo.log' diff --git a/controls/SV-238310.rb b/controls/SV-238310.rb index 30595f5..5511378 100644 --- a/controls/SV-238310.rb +++ b/controls/SV-238310.rb @@ -69,8 +69,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else if os.arch == 'x86_64' diff --git a/controls/SV-238315.rb b/controls/SV-238315.rb index 87ae2d3..a0f055a 100644 --- a/controls/SV-238315.rb +++ b/controls/SV-238315.rb @@ -47,8 +47,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/var/log/wtmp' diff --git a/controls/SV-238316.rb b/controls/SV-238316.rb index 20fbe0a..fac5c0d 100644 --- a/controls/SV-238316.rb +++ b/controls/SV-238316.rb @@ -47,8 +47,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/var/run/wtmp' diff --git a/controls/SV-238317.rb b/controls/SV-238317.rb index 544325c..eb4daa4 100644 --- a/controls/SV-238317.rb +++ b/controls/SV-238317.rb @@ -47,8 +47,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/var/log/btmp' diff --git a/controls/SV-238318.rb b/controls/SV-238318.rb index 11f2b41..d5d05e3 100644 --- a/controls/SV-238318.rb +++ b/controls/SV-238318.rb @@ -45,8 +45,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/sbin/modprobe' diff --git a/controls/SV-238319.rb b/controls/SV-238319.rb index f27dd6a..db22086 100644 --- a/controls/SV-238319.rb +++ b/controls/SV-238319.rb @@ -48,8 +48,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/bin/kmod' diff --git a/controls/SV-238320.rb b/controls/SV-238320.rb index e9fde79..9bd58d5 100644 --- a/controls/SV-238320.rb +++ b/controls/SV-238320.rb @@ -48,8 +48,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else @audit_file = '/sbin/fdisk' diff --git a/controls/SV-238325.rb b/controls/SV-238325.rb index ca9ada7..44422c6 100644 --- a/controls/SV-238325.rb +++ b/controls/SV-238325.rb @@ -34,14 +34,16 @@ tag cci: ['CCI-000803'] tag nist: ['IA-7'] - if input('disable_fips')? + disable_fips = input('disable_fips') + + if disable_fips? impact 0.0 - describe "Control not applicable" do - skip "Control not applicable" + describe 'Control not applicable' do + skip 'Control not applicable' end elsif virtualization.system.eql?('docker') - describe "Manual test" do - skip "This control must be reviewed manually" + describe 'Manual test' do + skip 'This control must be reviewed manually' end else describe login_defs do diff --git a/controls/SV-238362.rb b/controls/SV-238362.rb index 2627e52..697f169 100644 --- a/controls/SV-238362.rb +++ b/controls/SV-238362.rb @@ -38,8 +38,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else config_file = input('sssd_conf_path') diff --git a/controls/SV-238363.rb b/controls/SV-238363.rb index ac2e860..c55e93e 100644 --- a/controls/SV-238363.rb +++ b/controls/SV-238363.rb @@ -38,7 +38,9 @@ tag cci: ['CCI-002450'] tag nist: ['SC-13 b'] - if input('disable_fips')? + disable_fips = input('disable_fips') + + if disable_fips? impact 0.0 describe "Control not applicable" do skip "Control not applicable" diff --git a/controls/SV-238373.rb b/controls/SV-238373.rb index 1830579..82cb0ff 100644 --- a/controls/SV-238373.rb +++ b/controls/SV-238373.rb @@ -41,8 +41,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else describe command('grep pam_lastlog /etc/pam.d/login') do diff --git a/controls/SV-251504.rb b/controls/SV-251504.rb index dea7a80..55b243a 100644 --- a/controls/SV-251504.rb +++ b/controls/SV-251504.rb @@ -30,8 +30,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else describe command('grep nullok /etc/pam.d/common-password') do diff --git a/controls/SV-251505.rb b/controls/SV-251505.rb index b1f671f..95c9539 100644 --- a/controls/SV-251505.rb +++ b/controls/SV-251505.rb @@ -52,8 +52,8 @@ if virtualization.system.eql?('docker') impact 0.0 - describe "Control not applicable to a container" do - skip "Control not applicable to a container" + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end else describe command('grep usb-storage /etc/modprobe.d/* | grep "/bin/true"') do From 0aa32dbb685194720b1fd99a1a1bac60a475ded4 Mon Sep 17 00:00:00 2001 From: Will Dower Date: Tue, 6 Dec 2022 16:36:41 -0500 Subject: [PATCH 055/100] adding debug statement to start of workflow for containers Signed-off-by: Will Dower --- .github/workflows/verify-container.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index 9a48491..bffe98f 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -19,6 +19,8 @@ jobs: suite: ['vanilla','hardened'] fail-fast: false steps: + - name: debug + run: pwd && ls -lah - name: add needed packages run: sudo apt-get install -y jq - name: Checkout InSpec profile repository From e4c21e71dd161116d6a76d435992e83e306ec456 Mon Sep 17 00:00:00 2001 From: wdower Date: Tue, 6 Dec 2022 21:37:48 +0000 Subject: [PATCH 056/100] Updating profile.json in the repository --- profile.json | 169 +++++++++++++++++++++++++++------------------------ 1 file changed, 88 insertions(+), 81 deletions(-) diff --git a/profile.json b/profile.json index 593e0bc..48cafc5 100644 --- a/profile.json +++ b/profile.json @@ -187,6 +187,13 @@ "type": "String", "value": "/etc/gdm3/greeter.dconf-defaults" } + }, + { + "name": "disable_fips", + "options": { + "type": "Boolean", + "value": false + } } ], "controls": [ @@ -307,7 +314,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238281' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chcon\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chcon\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238281 '\n tag rid: 'SV-238281r654018_rule '\n tag stig_id: 'UBTU-20-010165 '\n tag fix_id: 'F-41450r654017_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/chcon'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238281' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chcon\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chcon\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238281 '\n tag rid: 'SV-238281r654018_rule '\n tag stig_id: 'UBTU-20-010165 '\n tag fix_id: 'F-41450r654017_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chcon'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238281.rb", "line": 1 @@ -378,7 +385,7 @@ "MA-4 (6)" ] }, - "code": "control 'SV-238217' do\n title \"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \\\"strongest to\nweakest\\\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \\\"aes256-ctr\\\",\n\\\"aes192-ctr\\\", or \\\"aes128-ctr\\\" are listed, the order differs from the example above, the\n\\\"Ciphers\\\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000033-GPOS-00014 SRG-OS-000394-GPOS-00174)\n tag gid: 'V-238217 '\n tag rid: 'SV-238217r860821_rule '\n tag stig_id: 'UBTU-20-010044 '\n tag fix_id: 'F-41386r653825_fix '\n tag cci: %w(CCI-000068 CCI-002421 CCI-003123)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n @ciphers_array = inspec.sshd_config.params['ciphers']\n\n @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil?\n\n describe @ciphers_array do\n it { should be_in %w( aes256-ctr aes192-ctr aes128-ctr ) }\n end\nend\n", + "code": "control 'SV-238217' do\n title \"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \\\"strongest to\nweakest\\\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \\\"aes256-ctr\\\",\n\\\"aes192-ctr\\\", or \\\"aes128-ctr\\\" are listed, the order differs from the example above, the\n\\\"Ciphers\\\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000033-GPOS-00014 SRG-OS-000394-GPOS-00174)\n tag gid: 'V-238217 '\n tag rid: 'SV-238217r860821_rule '\n tag stig_id: 'UBTU-20-010044 '\n tag fix_id: 'F-41386r653825_fix '\n tag cci: %w(CCI-000068 CCI-002421 CCI-003123)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n disable_fips = input('disable_fips')\n\n if disable_fips?\n impact 0.0\n describe 'Control not applicable' do\n skip 'Control not applicable'\n end\n elsif virtualization.system.eql?('docker')\n describe 'Manual test' do\n skip 'This control must be reviewed manually'\n end\n else\n @ciphers_array = inspec.sshd_config.params['ciphers']\n\n @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil?\n\n describe @ciphers_array do\n it { should be_in %w( aes256-ctr aes192-ctr aes128-ctr ) }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238217.rb", "line": 1 @@ -418,7 +425,7 @@ "MA-4 (6)" ] }, - "code": "control 'SV-238216' do\n title \"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \\\"hmac-sha2-512\\\" or\n\\\"hmac-sha2-256\\\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173)\n tag gid: 'V-238216 '\n tag rid: 'SV-238216r860820_rule '\n tag stig_id: 'UBTU-20-010043 '\n tag fix_id: 'F-41385r653822_fix '\n tag cci: %w(CCI-001453 CCI-002421 CCI-002890)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n @macs_array = inspec.sshd_config.params['macs']\n\n @macs_array = @macs_array.first.split(',') unless @macs_array.nil?\n\n describe @macs_array do\n it { should be_in %w(hmac-sha2-256 hmac-sha2-512) }\n end\nend\n", + "code": "control 'SV-238216' do\n title \"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \\\"hmac-sha2-512\\\" or\n\\\"hmac-sha2-256\\\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173)\n tag gid: 'V-238216 '\n tag rid: 'SV-238216r860820_rule '\n tag stig_id: 'UBTU-20-010043 '\n tag fix_id: 'F-41385r653822_fix '\n tag cci: %w(CCI-001453 CCI-002421 CCI-002890)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n disable_fips = input('disable_fips')\n\n if disable_fips?\n impact 0.0\n describe \"Control not applicable\" do\n skip \"Control not applicable\"\n end\n elsif virtualization.system.eql?('docker')\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\n else\n @macs_array = inspec.sshd_config.params['macs']\n\n @macs_array = @macs_array.first.split(',') unless @macs_array.nil?\n\n describe @macs_array do\n it { should be_in %w(hmac-sha2-256 hmac-sha2-512) }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238216.rb", "line": 1 @@ -548,7 +555,7 @@ "IA-5 (1) (e)" ] }, - "code": "control 'SV-238234' do\n title 'The Ubuntu operating system must prohibit password reuse for a minimum of five generations. '\n desc \"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \\\"remember\\\" parameter value is not greater\nthan or equal to \\\"5\\\", is commented out, or is not set at all, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \\\"remember\\\" parameter value to the following line in\n\\\"/etc/pam.d/common-password\\\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000077-GPOS-00045 '\n tag satisfies: %w(SRG-OS-000077-GPOS-00045 SRG-OS-000073-GPOS-00041)\n tag gid: 'V-238234 '\n tag rid: 'SV-238234r832945_rule '\n tag stig_id: 'UBTU-20-010070 '\n tag fix_id: 'F-41403r832944_fix '\n tag cci: %w(CCI-000196 CCI-000200)\n tag nist: ['IA-5 (1) (c)', 'IA-5 (1) (e)']\n\n describe file('/etc/pam.d/common-password') do\n it { should exist }\n end\n\n describe command(\"grep -i remember /etc/pam.d/common-password | sed 's/.*remember=\\\\([^ ]*\\\\).*/\\\\1/'\") do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should cmp >= 5 }\n end\nend\n", + "code": "control 'SV-238234' do\n title 'The Ubuntu operating system must prohibit password reuse for a minimum of five generations. '\n desc \"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \\\"remember\\\" parameter value is not greater\nthan or equal to \\\"5\\\", is commented out, or is not set at all, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \\\"remember\\\" parameter value to the following line in\n\\\"/etc/pam.d/common-password\\\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000077-GPOS-00045 '\n tag satisfies: %w(SRG-OS-000077-GPOS-00045 SRG-OS-000073-GPOS-00041)\n tag gid: 'V-238234 '\n tag rid: 'SV-238234r832945_rule '\n tag stig_id: 'UBTU-20-010070 '\n tag fix_id: 'F-41403r832944_fix '\n tag cci: %w(CCI-000196 CCI-000200)\n tag nist: ['IA-5 (1) (c)', 'IA-5 (1) (e)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-password') do\n it { should exist }\n end\n\n describe command(\"grep -i remember /etc/pam.d/common-password | sed 's/.*remember=\\\\([^ ]*\\\\).*/\\\\1/'\") do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should cmp >= 5 }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238234.rb", "line": 1 @@ -579,7 +586,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238253' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"chfn\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chfn\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238253 '\n tag rid: 'SV-238253r653934_rule '\n tag stig_id: 'UBTU-20-010137 '\n tag fix_id: 'F-41422r653933_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/chfn'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238253' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"chfn\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chfn\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238253 '\n tag rid: 'SV-238253r653934_rule '\n tag stig_id: 'UBTU-20-010137 '\n tag fix_id: 'F-41422r653933_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chfn'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238253.rb", "line": 1 @@ -610,7 +617,7 @@ "IA-5 (2) (d)" ] }, - "code": "control 'SV-238233' do\n title \"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. \"\n desc \"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates). \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \\\"crl_offline\\\" or \\\"crl_auto\\\" is\npart of the \\\"cert_policy\\\" definition in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\\\"cert_policy\\\" is not set to include \\\"crl_auto\\\" or \\\"crl_offline\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\\\"cert_policy\\\" option in \\\"/etc/pam/_pkcs11/pam_pkcs11.conf\\\" to include \\\"crl_auto\\\" or\n\\\"crl_offline\\\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \\\"/etc/pam_pkcs11/\\\" directory and an \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find\nan example to copy into place and modify accordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000384-GPOS-00167 '\n tag gid: 'V-238233 '\n tag rid: 'SV-238233r853413_rule '\n tag stig_id: 'UBTU-20-010066 '\n tag fix_id: 'F-41402r653873_fix '\n tag cci: ['CCI-001991']\n tag nist: ['IA-5 (2) (d)']\n\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe.one do\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_auto' }\n end\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_offline' }\n end\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238233' do\n title \"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. \"\n desc \"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates). \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \\\"crl_offline\\\" or \\\"crl_auto\\\" is\npart of the \\\"cert_policy\\\" definition in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\\\"cert_policy\\\" is not set to include \\\"crl_auto\\\" or \\\"crl_offline\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\\\"cert_policy\\\" option in \\\"/etc/pam/_pkcs11/pam_pkcs11.conf\\\" to include \\\"crl_auto\\\" or\n\\\"crl_offline\\\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \\\"/etc/pam_pkcs11/\\\" directory and an \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find\nan example to copy into place and modify accordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000384-GPOS-00167 '\n tag gid: 'V-238233 '\n tag rid: 'SV-238233r853413_rule '\n tag stig_id: 'UBTU-20-010066 '\n tag fix_id: 'F-41402r653873_fix '\n tag cci: ['CCI-001991']\n tag nist: ['IA-5 (2) (d)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe.one do\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_auto' }\n end\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_offline' }\n end\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238233.rb", "line": 1 @@ -683,7 +690,7 @@ "AU-9 a" ] }, - "code": "control 'SV-238247' do\n title \"The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \\\"log_group\\\" parameter is other than \\\"root\\\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \\\"root\\\" group by using the following command:\n$ sudo stat -c \\\"%n %G\\\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" group.\n\nSet\nthe \\\"log_group\\\" parameter of the audit configuration file to the \\\"root\\\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238247 '\n tag rid: 'SV-238247r832947_rule '\n tag stig_id: 'UBTU-20-010124 '\n tag fix_id: 'F-41416r832946_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('group') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238247' do\n title \"The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \\\"log_group\\\" parameter is other than \\\"root\\\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \\\"root\\\" group by using the following command:\n$ sudo stat -c \\\"%n %G\\\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" group.\n\nSet\nthe \\\"log_group\\\" parameter of the audit configuration file to the \\\"root\\\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238247 '\n tag rid: 'SV-238247r832947_rule '\n tag stig_id: 'UBTU-20-010124 '\n tag fix_id: 'F-41416r832946_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('group') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238247.rb", "line": 1 @@ -776,7 +783,7 @@ "AU-4" ] }, - "code": "control 'SV-238305' do\n title \"The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. \"\n desc \"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system. \"\n desc 'check', \"Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \\\"/var/log/audit/\\\") with the following command:\n\n$\nsudo df –h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\\\"/var/log/audit\\\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du –sh [audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding. \"\n desc 'fix', \"Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \\\"parted\\\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\\\s*=\\\\s*).*@\\\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000341-GPOS-00132 '\n tag gid: 'V-238305 '\n tag rid: 'SV-238305r853423_rule '\n tag stig_id: 'UBTU-20-010215 '\n tag fix_id: 'F-41474r654089_fix '\n tag cci: ['CCI-001849']\n tag nist: ['AU-4']\n\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n log_file_dir = File.dirname(log_file)\n available_storage = filesystem(log_file_dir).free_kb\n log_file_size = file(log_file).size\n standard_audit_log_size = input('standard_audit_log_size')\n describe('Current audit log file size is less than the specified standard of ' + standard_audit_log_size.to_s) do\n subject { log_file_size.to_i }\n it { should be <= standard_audit_log_size }\n end\n describe('Available storage for audit log should be more than the defined standard of ' + standard_audit_log_size.to_s) do\n subject { available_storage.to_i }\n it { should be > standard_audit_log_size }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238305' do\n title \"The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. \"\n desc \"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system. \"\n desc 'check', \"Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \\\"/var/log/audit/\\\") with the following command:\n\n$\nsudo df –h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\\\"/var/log/audit\\\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du –sh [audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding. \"\n desc 'fix', \"Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \\\"parted\\\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\\\s*=\\\\s*).*@\\\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000341-GPOS-00132 '\n tag gid: 'V-238305 '\n tag rid: 'SV-238305r853423_rule '\n tag stig_id: 'UBTU-20-010215 '\n tag fix_id: 'F-41474r654089_fix '\n tag cci: ['CCI-001849']\n tag nist: ['AU-4']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n log_file_dir = File.dirname(log_file)\n available_storage = filesystem(log_file_dir).free_kb\n log_file_size = file(log_file).size\n standard_audit_log_size = input('standard_audit_log_size')\n describe('Current audit log file size is less than the specified standard of ' + standard_audit_log_size.to_s) do\n subject { log_file_size.to_i }\n it { should be <= standard_audit_log_size }\n end\n describe('Available storage for audit log should be more than the defined standard of ' + standard_audit_log_size.to_s) do\n subject { available_storage.to_i }\n it { should be > standard_audit_log_size }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238305.rb", "line": 1 @@ -967,7 +974,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238285' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238285 '\n tag rid: 'SV-238285r654030_rule '\n tag stig_id: 'UBTU-20-010169 '\n tag fix_id: 'F-41454r654029_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/var/log/tallylog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238285' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238285 '\n tag rid: 'SV-238285r654030_rule '\n tag stig_id: 'UBTU-20-010169 '\n tag fix_id: 'F-41454r654029_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/tallylog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238285.rb", "line": 1 @@ -1060,7 +1067,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238282' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"apparmor_parser\\\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"apparmor_parser\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238282 '\n tag rid: 'SV-238282r654021_rule '\n tag stig_id: 'UBTU-20-010166 '\n tag fix_id: 'F-41451r654020_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/sbin/apparmor_parser'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238282' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"apparmor_parser\\\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"apparmor_parser\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238282 '\n tag rid: 'SV-238282r654021_rule '\n tag stig_id: 'UBTU-20-010166 '\n tag fix_id: 'F-41451r654020_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/apparmor_parser'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238282.rb", "line": 1 @@ -1153,7 +1160,7 @@ "CM-6 b" ] }, - "code": "control 'SV-238237' do\n title \"The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. \"\n desc \"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \\\"/etc/pam.d/common-auth\\\" and set\nthe parameter \\\"pam_faildelay\\\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00226 '\n tag gid: 'V-238237 '\n tag rid: 'SV-238237r653886_rule '\n tag stig_id: 'UBTU-20-010075 '\n tag fix_id: 'F-41406r653885_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_faildelay /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=([4-9][\\d]{6,}|[1-9][\\d]{7,}).*$/ }\n end\n\n file('/etc/pam.d/common-auth').content.to_s.scan(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=(\\d+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 4_000_000 }\n end\n end\nend\n", + "code": "control 'SV-238237' do\n title \"The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. \"\n desc \"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \\\"/etc/pam.d/common-auth\\\" and set\nthe parameter \\\"pam_faildelay\\\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00226 '\n tag gid: 'V-238237 '\n tag rid: 'SV-238237r653886_rule '\n tag stig_id: 'UBTU-20-010075 '\n tag fix_id: 'F-41406r653885_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_faildelay /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=([4-9][\\d]{6,}|[1-9][\\d]{7,}).*$/ }\n end\n\n file('/etc/pam.d/common-auth').content.to_s.scan(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=(\\d+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 4_000_000 }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238237.rb", "line": 1 @@ -1267,7 +1274,7 @@ "AU-12 (3)" ] }, - "code": "control 'SV-238298' do\n title \"The Ubuntu operating system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. \"\n desc \"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.\n\n \"\n desc 'check', \"Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \\\"auditd\\\" package is not installed, this is a finding.\n\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \\\"disabled\\\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \\\"inactive\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000122-GPOS-00063 '\n tag satisfies: %w(SRG-OS-000122-GPOS-00063 SRG-OS-000037-GPOS-00015 SRG-OS-000038-GPOS-00016 SRG-OS-000039-GPOS-00017 SRG-OS-000040-GPOS-00018 SRG-OS-000041-GPOS-00019 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000051-GPOS-00024 SRG-OS-000054-GPOS-00025 SRG-OS-000062-GPOS-00031 SRG-OS-000337-GPOS-00129 SRG-OS-000348-GPOS-00136 SRG-OS-000349-GPOS-00137 SRG-OS-000350-GPOS-00138 SRG-OS-000351-GPOS-00139 SRG-OS-000352-GPOS-00140 SRG-OS-000353-GPOS-00141 SRG-OS-000354-GPOS-00142 SRG-OS-000475-GPOS-00220)\n tag gid: 'V-238298 '\n tag rid: 'SV-238298r853421_rule '\n tag stig_id: 'UBTU-20-010182 '\n tag fix_id: 'F-41467r654068_fix '\n tag cci: %w(CCI-000130 CCI-000131 CCI-000132 CCI-000133 CCI-000134 CCI-000135 CCI-000154 CCI-000158 CCI-000169 CCI-000172 CCI-001875 CCI-001876 CCI-001877 CCI-001878 CCI-001879 CCI-001880 CCI-001881 CCI-001882 CCI-001914)\n tag nist: ['AU-3 a', 'AU-3 b', 'AU-3 c', 'AU-3 d', 'AU-3 e', 'AU-3 (1)', 'AU-6 (4)', 'AU-7 (1)', 'AU-12 a', 'AU-12 c', 'AU-7 a', 'AU-7 b', 'AU-12 (3)']\n\n describe package('auditd') do\n it { should be_installed }\n end\n describe service('auditd') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "code": "control 'SV-238298' do\n title \"The Ubuntu operating system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. \"\n desc \"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.\n\n \"\n desc 'check', \"Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \\\"auditd\\\" package is not installed, this is a finding.\n\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \\\"disabled\\\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \\\"inactive\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000122-GPOS-00063 '\n tag satisfies: %w(SRG-OS-000122-GPOS-00063 SRG-OS-000037-GPOS-00015 SRG-OS-000038-GPOS-00016 SRG-OS-000039-GPOS-00017 SRG-OS-000040-GPOS-00018 SRG-OS-000041-GPOS-00019 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000051-GPOS-00024 SRG-OS-000054-GPOS-00025 SRG-OS-000062-GPOS-00031 SRG-OS-000337-GPOS-00129 SRG-OS-000348-GPOS-00136 SRG-OS-000349-GPOS-00137 SRG-OS-000350-GPOS-00138 SRG-OS-000351-GPOS-00139 SRG-OS-000352-GPOS-00140 SRG-OS-000353-GPOS-00141 SRG-OS-000354-GPOS-00142 SRG-OS-000475-GPOS-00220)\n tag gid: 'V-238298 '\n tag rid: 'SV-238298r853421_rule '\n tag stig_id: 'UBTU-20-010182 '\n tag fix_id: 'F-41467r654068_fix '\n tag cci: %w(CCI-000130 CCI-000131 CCI-000132 CCI-000133 CCI-000134 CCI-000135 CCI-000154 CCI-000158 CCI-000169 CCI-000172 CCI-001875 CCI-001876 CCI-001877 CCI-001878 CCI-001879 CCI-001880 CCI-001881 CCI-001882 CCI-001914)\n tag nist: ['AU-3 a', 'AU-3 b', 'AU-3 c', 'AU-3 d', 'AU-3 e', 'AU-3 (1)', 'AU-6 (4)', 'AU-7 (1)', 'AU-12 a', 'AU-12 c', 'AU-7 a', 'AU-7 b', 'AU-12 (3)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('auditd') do\n it { should be_installed }\n end\n describe service('auditd') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238298.rb", "line": 1 @@ -1335,7 +1342,7 @@ "AU-9 (3)" ] }, - "code": "control 'SV-238303' do\n title \"The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. \"\n desc \"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\\\/sbin\\\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding. \"\n desc 'fix', \"Add or update the following selection lines for \\\"/etc/aide/aide.conf\\\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000278-GPOS-00108 '\n tag gid: 'V-238303 '\n tag rid: 'SV-238303r654084_rule '\n tag stig_id: 'UBTU-20-010205 '\n tag fix_id: 'F-41472r654083_fix '\n tag cci: ['CCI-001496']\n tag nist: ['AU-9 (3)']\n\n aide_conf = aide_conf input('aide_conf_path')\n\n aide_conf_exists = aide_conf.exist?\n\n if aide_conf_exists\n describe aide_conf.where { selection_line == '/sbin/auditctl' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/auditd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/ausearch' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/aureport' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/autrace' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/audispd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/augenrules' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n else\n describe 'aide.conf file exists' do\n subject { aide_conf_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238303' do\n title \"The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. \"\n desc \"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\\\/sbin\\\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding. \"\n desc 'fix', \"Add or update the following selection lines for \\\"/etc/aide/aide.conf\\\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000278-GPOS-00108 '\n tag gid: 'V-238303 '\n tag rid: 'SV-238303r654084_rule '\n tag stig_id: 'UBTU-20-010205 '\n tag fix_id: 'F-41472r654083_fix '\n tag cci: ['CCI-001496']\n tag nist: ['AU-9 (3)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n aide_conf = aide_conf input('aide_conf_path')\n\n aide_conf_exists = aide_conf.exist?\n\n if aide_conf_exists\n describe aide_conf.where { selection_line == '/sbin/auditctl' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/auditd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/ausearch' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/aureport' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/autrace' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/audispd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/augenrules' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n else\n describe 'aide.conf file exists' do\n subject { aide_conf_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238303.rb", "line": 1 @@ -1366,7 +1373,7 @@ "AU-5 b" ] }, - "code": "control 'SV-238244' do\n title \"The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). \"\n desc \"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server. \"\n desc 'check', \"Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\\\"disk_full_action\\\" option is not \\\"SYSLOG\\\", \\\"SINGLE\\\", or \\\"HALT\\\", or the line is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \\\"disk_full_action\\\" can be set to \\\"SYSLOG\\\", \\\"HALT\\\" or \\\"SINGLE\\\") in\n\\\"/etc/audit/auditd.conf\\\" file:\n\ndisk_full_action = HALT\n\nRestart the \\\"auditd\\\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000047-GPOS-00023 '\n tag gid: 'V-238244 '\n tag rid: 'SV-238244r653907_rule '\n tag stig_id: 'UBTU-20-010118 '\n tag fix_id: 'F-41413r653906_fix '\n tag cci: ['CCI-000140']\n tag nist: ['AU-5 b']\n\n describe auditd_conf do\n its('disk_full_action') { should_not be_empty }\n its('disk_full_action') { should cmp /(?:SYSLOG|SINGLE|HALT)/i }\n end\nend\n", + "code": "control 'SV-238244' do\n title \"The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). \"\n desc \"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server. \"\n desc 'check', \"Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\\\"disk_full_action\\\" option is not \\\"SYSLOG\\\", \\\"SINGLE\\\", or \\\"HALT\\\", or the line is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \\\"disk_full_action\\\" can be set to \\\"SYSLOG\\\", \\\"HALT\\\" or \\\"SINGLE\\\") in\n\\\"/etc/audit/auditd.conf\\\" file:\n\ndisk_full_action = HALT\n\nRestart the \\\"auditd\\\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000047-GPOS-00023 '\n tag gid: 'V-238244 '\n tag rid: 'SV-238244r653907_rule '\n tag stig_id: 'UBTU-20-010118 '\n tag fix_id: 'F-41413r653906_fix '\n tag cci: ['CCI-000140']\n tag nist: ['AU-5 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe auditd_conf do\n its('disk_full_action') { should_not be_empty }\n its('disk_full_action') { should cmp /(?:SYSLOG|SINGLE|HALT)/i }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238244.rb", "line": 1 @@ -1397,7 +1404,7 @@ "AU-12 b" ] }, - "code": "control 'SV-238250' do\n title \"The Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238250 '\n tag rid: 'SV-238250r653925_rule '\n tag stig_id: 'UBTU-20-010134 '\n tag fix_id: 'F-41419r653924_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('owner') { should cmp 'root' }\n end\n end\nend\n", + "code": "control 'SV-238250' do\n title \"The Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238250 '\n tag rid: 'SV-238250r653925_rule '\n tag stig_id: 'UBTU-20-010134 '\n tag fix_id: 'F-41419r653924_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238250.rb", "line": 1 @@ -1428,7 +1435,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238289' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the unix_update command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"unix_update\\\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"unix_update\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238289 '\n tag rid: 'SV-238289r654042_rule '\n tag stig_id: 'UBTU-20-010173 '\n tag fix_id: 'F-41458r654041_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/sbin/unix_update'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238289' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the unix_update command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"unix_update\\\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"unix_update\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238289 '\n tag rid: 'SV-238289r654042_rule '\n tag stig_id: 'UBTU-20-010173 '\n tag fix_id: 'F-41458r654041_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/unix_update'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238289.rb", "line": 1 @@ -1459,7 +1466,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238292' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"usermod\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"usermod\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238292 '\n tag rid: 'SV-238292r654051_rule '\n tag stig_id: 'UBTU-20-010176 '\n tag fix_id: 'F-41461r654050_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/sbin/usermod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238292' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"usermod\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"usermod\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238292 '\n tag rid: 'SV-238292r654051_rule '\n tag stig_id: 'UBTU-20-010176 '\n tag fix_id: 'F-41461r654050_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/usermod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238292.rb", "line": 1 @@ -1552,7 +1559,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238320' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \\\"fdisk\\\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \\\"fdisk\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238320 '\n tag rid: 'SV-238320r832956_rule '\n tag stig_id: 'UBTU-20-010298 '\n tag fix_id: 'F-41489r832955_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/sbin/fdisk'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238320' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \\\"fdisk\\\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \\\"fdisk\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238320 '\n tag rid: 'SV-238320r832956_rule '\n tag stig_id: 'UBTU-20-010298 '\n tag fix_id: 'F-41489r832955_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/fdisk'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238320.rb", "line": 1 @@ -1583,7 +1590,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238279' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chsh\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chsh\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238279 '\n tag rid: 'SV-238279r654012_rule '\n tag stig_id: 'UBTU-20-010163 '\n tag fix_id: 'F-41448r654011_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/chsh'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238279' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chsh\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chsh\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238279 '\n tag rid: 'SV-238279r654012_rule '\n tag stig_id: 'UBTU-20-010163 '\n tag fix_id: 'F-41448r654011_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chsh'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238279.rb", "line": 1 @@ -1628,7 +1635,7 @@ "AC-2 (4)" ] }, - "code": "control 'SV-238241' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238241 '\n tag rid: 'SV-238241r853419_rule '\n tag stig_id: 'UBTU-20-010103 '\n tag fix_id: 'F-41410r653897_fix '\n tag cci: %w(CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AU-12 c', 'AC-2 (4)']\n\n @audit_file = '/etc/gshadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238241' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238241 '\n tag rid: 'SV-238241r853419_rule '\n tag stig_id: 'UBTU-20-010103 '\n tag fix_id: 'F-41410r653897_fix '\n tag cci: %w(CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AU-12 c', 'AC-2 (4)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/gshadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238241.rb", "line": 1 @@ -1663,7 +1670,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238271' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\\\|truncate\\\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any unsuccessful use of the\\\"creat\\\",\n\\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" system calls.\n\nAdd\nor update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000474-GPOS-00219)\n tag gid: 'V-238271 '\n tag rid: 'SV-238271r808483_rule '\n tag stig_id: 'UBTU-20-010155 '\n tag fix_id: 'F-41440r808482_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n # FIX\n\n if os.arch == 'x86_64'\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\nend\n", + "code": "control 'SV-238271' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\\\|truncate\\\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any unsuccessful use of the\\\"creat\\\",\n\\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" system calls.\n\nAdd\nor update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000474-GPOS-00219)\n tag gid: 'V-238271 '\n tag rid: 'SV-238271r808483_rule '\n tag stig_id: 'UBTU-20-010155 '\n tag fix_id: 'F-41440r808482_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238271.rb", "line": 1 @@ -1880,7 +1887,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238283' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setfacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setfacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238283 '\n tag rid: 'SV-238283r654024_rule '\n tag stig_id: 'UBTU-20-010167 '\n tag fix_id: 'F-41452r654023_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/setfacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238283' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setfacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setfacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238283 '\n tag rid: 'SV-238283r654024_rule '\n tag stig_id: 'UBTU-20-010167 '\n tag fix_id: 'F-41452r654023_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/setfacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238283.rb", "line": 1 @@ -1911,7 +1918,7 @@ "IA-2 (11)" ] }, - "code": "control 'SV-238230' do\n title \"The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. \"\n desc \"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management). \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \\\"libpam-pkcs11\\\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000375-GPOS-00160 '\n tag gid: 'V-238230 '\n tag rid: 'SV-238230r853410_rule '\n tag stig_id: 'UBTU-20-010063 '\n tag fix_id: 'F-41399r653864_fix '\n tag cci: ['CCI-001948']\n tag nist: ['IA-2 (11)']\n\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\nend\n", + "code": "control 'SV-238230' do\n title \"The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. \"\n desc \"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management). \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \\\"libpam-pkcs11\\\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000375-GPOS-00160 '\n tag gid: 'V-238230 '\n tag rid: 'SV-238230r853410_rule '\n tag stig_id: 'UBTU-20-010063 '\n tag fix_id: 'F-41399r653864_fix '\n tag cci: ['CCI-001948']\n tag nist: ['IA-2 (11)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238230.rb", "line": 1 @@ -1957,7 +1964,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238239' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238239 '\n tag rid: 'SV-238239r853417_rule '\n tag stig_id: 'UBTU-20-010101 '\n tag fix_id: 'F-41408r653891_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n @audit_file = '/etc/group'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238239' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238239 '\n tag rid: 'SV-238239r853417_rule '\n tag stig_id: 'UBTU-20-010101 '\n tag fix_id: 'F-41408r653891_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/group'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238239.rb", "line": 1 @@ -1988,7 +1995,7 @@ "IA-7" ] }, - "code": "control 'SV-238325' do\n title \"The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. \"\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \\\"ENCRYPT_METHOD\\\" does not equal SHA512 or\ngreater, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \\\"/etc/login.defs\\\" file and set \\\"ENCRYPT_METHOD\\\" to SHA512:\n\n\nENCRYPT_METHOD SHA512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000120-GPOS-00061 '\n tag gid: 'V-238325 '\n tag rid: 'SV-238325r654150_rule '\n tag stig_id: 'UBTU-20-010404 '\n tag fix_id: 'F-41494r654149_fix '\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n\n describe login_defs do\n its('ENCRYPT_METHOD') { should eq 'SHA512' }\n end\nend\n", + "code": "control 'SV-238325' do\n title \"The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. \"\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \\\"ENCRYPT_METHOD\\\" does not equal SHA512 or\ngreater, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \\\"/etc/login.defs\\\" file and set \\\"ENCRYPT_METHOD\\\" to SHA512:\n\n\nENCRYPT_METHOD SHA512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000120-GPOS-00061 '\n tag gid: 'V-238325 '\n tag rid: 'SV-238325r654150_rule '\n tag stig_id: 'UBTU-20-010404 '\n tag fix_id: 'F-41494r654149_fix '\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n\n disable_fips = input('disable_fips')\n\n if disable_fips?\n impact 0.0\n describe 'Control not applicable' do\n skip 'Control not applicable'\n end\n elsif virtualization.system.eql?('docker')\n describe 'Manual test' do\n skip 'This control must be reviewed manually'\n end\n else\n describe login_defs do\n its('ENCRYPT_METHOD') { should eq 'SHA512' }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238325.rb", "line": 1 @@ -2112,7 +2119,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238317' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/btmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/btmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/btmp file\\\".\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238317 '\n tag rid: 'SV-238317r654126_rule '\n tag stig_id: 'UBTU-20-010279 '\n tag fix_id: 'F-41486r654125_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/var/log/btmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238317' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/btmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/btmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/btmp file\\\".\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238317 '\n tag rid: 'SV-238317r654126_rule '\n tag stig_id: 'UBTU-20-010279 '\n tag fix_id: 'F-41486r654125_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/btmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238317.rb", "line": 1 @@ -2267,7 +2274,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238277' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"sudo\\\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudo\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238277 '\n tag rid: 'SV-238277r654006_rule '\n tag stig_id: 'UBTU-20-010161 '\n tag fix_id: 'F-41446r654005_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/sudo'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238277' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"sudo\\\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudo\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238277 '\n tag rid: 'SV-238277r654006_rule '\n tag stig_id: 'UBTU-20-010161 '\n tag fix_id: 'F-41446r654005_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudo'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238277.rb", "line": 1 @@ -2298,7 +2305,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238318' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"modprobe\\\" by running the following command:\n\n$ sudo auditctl -l | grep\n\\\"/sbin/modprobe\\\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"modprobe\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238318 '\n tag rid: 'SV-238318r654129_rule '\n tag stig_id: 'UBTU-20-010296 '\n tag fix_id: 'F-41487r654128_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/sbin/modprobe'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238318' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"modprobe\\\" by running the following command:\n\n$ sudo auditctl -l | grep\n\\\"/sbin/modprobe\\\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"modprobe\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238318 '\n tag rid: 'SV-238318r654129_rule '\n tag stig_id: 'UBTU-20-010296 '\n tag fix_id: 'F-41487r654128_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/modprobe'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238318.rb", "line": 1 @@ -2458,7 +2465,7 @@ "AU-9 a" ] }, - "code": "control 'SV-238246' do\n title \"The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the audit log files are owned by \\\"root\\\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \\\"root\\\" user by using the following\ncommand:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \\\"root\\\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238246 '\n tag rid: 'SV-238246r653913_rule '\n tag stig_id: 'UBTU-20-010123 '\n tag fix_id: 'F-41415r653912_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('owner') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238246' do\n title \"The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the audit log files are owned by \\\"root\\\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \\\"root\\\" user by using the following\ncommand:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \\\"root\\\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238246 '\n tag rid: 'SV-238246r653913_rule '\n tag stig_id: 'UBTU-20-010123 '\n tag fix_id: 'F-41415r653912_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('owner') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238246.rb", "line": 1 @@ -2555,7 +2562,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238268' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \\\"chmod\\\", \\\"fchmod\\\" and\n\\\"fchmodat\\\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nAdd or update the following rules in\nthe \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238268 '\n tag rid: 'SV-238268r808480_rule '\n tag stig_id: 'UBTU-20-010152 '\n tag fix_id: 'F-41437r808479_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n # FIX\n\n if os.arch == 'x86_64'\n describe auditd.syscall('chmod').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chmod').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "code": "control 'SV-238268' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \\\"chmod\\\", \\\"fchmod\\\" and\n\\\"fchmodat\\\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nAdd or update the following rules in\nthe \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238268 '\n tag rid: 'SV-238268r808480_rule '\n tag stig_id: 'UBTU-20-010152 '\n tag fix_id: 'F-41437r808479_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chmod').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chmod').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238268.rb", "line": 1 @@ -2591,7 +2598,7 @@ "AU-9 a" ] }, - "code": "control 'SV-238245' do\n title \"The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify that the audit log files have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \\\"0600\\\" or\nless by using the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\\\"0600\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log files to have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \\\"0600\\\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028)\n tag gid: 'V-238245 '\n tag rid: 'SV-238245r653910_rule '\n tag stig_id: 'UBTU-20-010122 '\n tag fix_id: 'F-41414r653909_fix '\n tag cci: %w(CCI-000162 CCI-000163)\n tag nist: ['AU-9 a']\n\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n it { should_not be_more_permissive_than('0600') }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238245' do\n title \"The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify that the audit log files have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \\\"0600\\\" or\nless by using the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\\\"0600\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log files to have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \\\"0600\\\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028)\n tag gid: 'V-238245 '\n tag rid: 'SV-238245r653910_rule '\n tag stig_id: 'UBTU-20-010122 '\n tag fix_id: 'F-41414r653909_fix '\n tag cci: %w(CCI-000162 CCI-000163)\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n it { should_not be_more_permissive_than('0600') }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238245.rb", "line": 1 @@ -2622,7 +2629,7 @@ "CM-6 b" ] }, - "code": "control 'SV-238228' do\n title \"The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \\\"pwquality\\\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem. \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"libpam-pwquality\\\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \\\"libpam-pwquality\\\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \\\"pwquality\\\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \\\"enforcing\\\" is not \\\"1\\\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \\\"pwquality\\\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \\\"retry\\\" is set to \\\"0\\\" or greater than \\\"3\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the operating system to use \\\"pwquality\\\" to enforce password complexity rules.\n\n\nInstall the \\\"pam_pwquality\\\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \\\"/etc/security/pwquality.conf\\\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\\\"/etc/pam.d/common-password\\\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \\\"retry\\\" should be between \\\"1\\\" and\n\\\"3\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238228 '\n tag rid: 'SV-238228r653859_rule '\n tag stig_id: 'UBTU-20-010057 '\n tag fix_id: 'F-41397r653858_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe package('libpam-pwquality') do\n it { should be_installed }\n end\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('enforcing') { should cmp 1 }\n end\n\n describe file('/etc/pam.d/common-password') do\n its('content') { should match '^password\\s+requisite\\s+pam_pwquality.so\\s+retry=3\\s+enforce_for_root$' }\n end\nend\n", + "code": "control 'SV-238228' do\n title \"The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \\\"pwquality\\\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem. \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"libpam-pwquality\\\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \\\"libpam-pwquality\\\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \\\"pwquality\\\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \\\"enforcing\\\" is not \\\"1\\\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \\\"pwquality\\\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \\\"retry\\\" is set to \\\"0\\\" or greater than \\\"3\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the operating system to use \\\"pwquality\\\" to enforce password complexity rules.\n\n\nInstall the \\\"pam_pwquality\\\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \\\"/etc/security/pwquality.conf\\\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\\\"/etc/pam.d/common-password\\\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \\\"retry\\\" should be between \\\"1\\\" and\n\\\"3\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238228 '\n tag rid: 'SV-238228r653859_rule '\n tag stig_id: 'UBTU-20-010057 '\n tag fix_id: 'F-41397r653858_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pwquality') do\n it { should be_installed }\n end\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('enforcing') { should cmp 1 }\n end\n\n describe file('/etc/pam.d/common-password') do\n its('content') { should match '^password\\s+requisite\\s+pam_pwquality.so\\s+retry=3\\s+enforce_for_root$' }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238228.rb", "line": 1 @@ -2697,7 +2704,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238287' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238287 '\n tag rid: 'SV-238287r654036_rule '\n tag stig_id: 'UBTU-20-010171 '\n tag fix_id: 'F-41456r654035_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/var/log/lastlog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238287' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238287 '\n tag rid: 'SV-238287r654036_rule '\n tag stig_id: 'UBTU-20-010171 '\n tag fix_id: 'F-41456r654035_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/lastlog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238287.rb", "line": 1 @@ -2759,7 +2766,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238291' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"chage\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chage\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238291 '\n tag rid: 'SV-238291r654048_rule '\n tag stig_id: 'UBTU-20-010175 '\n tag fix_id: 'F-41460r654047_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/chage'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238291' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"chage\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chage\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238291 '\n tag rid: 'SV-238291r654048_rule '\n tag stig_id: 'UBTU-20-010175 '\n tag fix_id: 'F-41460r654047_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chage'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238291.rb", "line": 1 @@ -2821,7 +2828,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238255' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \\\"umount\\\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"umount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238255 '\n tag rid: 'SV-238255r653940_rule '\n tag stig_id: 'UBTU-20-010139 '\n tag fix_id: 'F-41424r653939_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/umount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238255' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \\\"umount\\\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"umount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238255 '\n tag rid: 'SV-238255r653940_rule '\n tag stig_id: 'UBTU-20-010139 '\n tag fix_id: 'F-41424r653939_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/umount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238255.rb", "line": 1 @@ -2951,7 +2958,7 @@ "AU-9" ] }, - "code": "control 'SV-238302' do\n title 'The Ubuntu operating system must configure the audit tools to be group-owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \\\"%n %G\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not group-owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238302 '\n tag rid: 'SV-238302r654081_rule '\n tag stig_id: 'UBTU-20-010201 '\n tag fix_id: 'F-41471r654080_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('group') { should cmp 'root' }\n end\n end\nend\n", + "code": "control 'SV-238302' do\n title 'The Ubuntu operating system must configure the audit tools to be group-owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \\\"%n %G\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not group-owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238302 '\n tag rid: 'SV-238302r654081_rule '\n tag stig_id: 'UBTU-20-010201 '\n tag fix_id: 'F-41471r654080_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238302.rb", "line": 1 @@ -2982,7 +2989,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238319' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"kmod\\\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"kmod\\\".\n\nAdd or update the following rule in the \\\"/etc/audit/rules.d/stig.rules\\\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238319 '\n tag rid: 'SV-238319r654132_rule '\n tag stig_id: 'UBTU-20-010297 '\n tag fix_id: 'F-41488r654131_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/bin/kmod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238319' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"kmod\\\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"kmod\\\".\n\nAdd or update the following rule in the \\\"/etc/audit/rules.d/stig.rules\\\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238319 '\n tag rid: 'SV-238319r654132_rule '\n tag stig_id: 'UBTU-20-010297 '\n tag fix_id: 'F-41488r654131_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/kmod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238319.rb", "line": 1 @@ -3013,7 +3020,7 @@ "IA-5 (2) (a) (2)" ] }, - "code": "control 'SV-238201' do\n title \"The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. \"\n desc \"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis. \"\n desc 'check', \"Verify that \\\"use_mappers\\\" is set to \\\"pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\\\"use_mappers\\\" is not found or the list does not contain \\\"pwent\\\" this is a finding. \"\n desc 'fix', \"Set \\\"use_mappers=pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000068-GPOS-00036 '\n tag gid: 'V-238201 '\n tag rid: 'SV-238201r832933_rule '\n tag stig_id: 'UBTU-20-010006 '\n tag fix_id: 'F-41370r653777_fix '\n tag cci: ['CCI-000187']\n tag nist: ['IA-5 (2) (a) (2)']\n\n config_file = '/etc/pam_pkcs11/pam_pkcs11.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('use_mappers') { should cmp 'pwent' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238201' do\n title \"The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. \"\n desc \"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis. \"\n desc 'check', \"Verify that \\\"use_mappers\\\" is set to \\\"pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\\\"use_mappers\\\" is not found or the list does not contain \\\"pwent\\\" this is a finding. \"\n desc 'fix', \"Set \\\"use_mappers=pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000068-GPOS-00036 '\n tag gid: 'V-238201 '\n tag rid: 'SV-238201r832933_rule '\n tag stig_id: 'UBTU-20-010006 '\n tag fix_id: 'F-41370r653777_fix '\n tag cci: ['CCI-000187']\n tag nist: ['IA-5 (2) (a) (2)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = '/etc/pam_pkcs11/pam_pkcs11.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('use_mappers') { should cmp 'pwent' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238201.rb", "line": 1 @@ -3060,7 +3067,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238238' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000463-GPOS-00207 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238238 '\n tag rid: 'SV-238238r853416_rule '\n tag stig_id: 'UBTU-20-010100 '\n tag fix_id: 'F-41407r653888_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n @audit_file = '/etc/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238238' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000463-GPOS-00207 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238238 '\n tag rid: 'SV-238238r853416_rule '\n tag stig_id: 'UBTU-20-010100 '\n tag fix_id: 'F-41407r653888_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238238.rb", "line": 1 @@ -3126,7 +3133,7 @@ "SC-13 b" ] }, - "code": "control 'SV-238363' do\n title \"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. \"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.\n\n \"\n desc 'check', \"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \\\"1\\\" is not returned, this is a finding. \"\n desc 'fix', \"Configure the system to run in FIPS mode. Add \\\"fips=1\\\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \\\"Ubuntu\nAdvantage\\\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000396-GPOS-00176 '\n tag satisfies: %w(SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223)\n tag gid: 'V-238363 '\n tag rid: 'SV-238363r853438_rule '\n tag stig_id: 'UBTU-20-010442 '\n tag fix_id: 'F-41532r654263_fix '\n tag cci: ['CCI-002450']\n tag nist: ['SC-13 b']\n\n config_file = input('fips_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe file(config_file) do\n its('content') { should match /\\A1\\Z/ }\n end\n else\n describe('FIPS is enabled') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238363' do\n title \"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. \"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.\n\n \"\n desc 'check', \"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \\\"1\\\" is not returned, this is a finding. \"\n desc 'fix', \"Configure the system to run in FIPS mode. Add \\\"fips=1\\\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \\\"Ubuntu\nAdvantage\\\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000396-GPOS-00176 '\n tag satisfies: %w(SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223)\n tag gid: 'V-238363 '\n tag rid: 'SV-238363r853438_rule '\n tag stig_id: 'UBTU-20-010442 '\n tag fix_id: 'F-41532r654263_fix '\n tag cci: ['CCI-002450']\n tag nist: ['SC-13 b']\n\n disable_fips = input('disable_fips')\n\n if disable_fips?\n impact 0.0\n describe \"Control not applicable\" do\n skip \"Control not applicable\"\n end\n elsif virtualization.system.eql?('docker')\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\n else\n config_file = input('fips_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe file(config_file) do\n its('content') { should match /\\A1\\Z/ }\n end\n else\n describe('FIPS is enabled') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238363.rb", "line": 1 @@ -3262,7 +3269,7 @@ "AU-12 b" ] }, - "code": "control 'SV-238249' do\n title \"The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files have a mode of \\\"0640\\\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\\\"/etc/audit/audit.rule\\\",\\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nhave a mode more permissive than \\\"0640\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to have a mode of \\\"0640\\\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238249 '\n tag rid: 'SV-238249r653922_rule '\n tag stig_id: 'UBTU-20-010133 '\n tag fix_id: 'F-41418r653921_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n it { should_not be_more_permissive_than('0640') }\n end\n end\nend\n", + "code": "control 'SV-238249' do\n title \"The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files have a mode of \\\"0640\\\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\\\"/etc/audit/audit.rule\\\",\\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nhave a mode more permissive than \\\"0640\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to have a mode of \\\"0640\\\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238249 '\n tag rid: 'SV-238249r653922_rule '\n tag stig_id: 'UBTU-20-010133 '\n tag fix_id: 'F-41418r653921_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n it { should_not be_more_permissive_than('0640') }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238249.rb", "line": 1 @@ -3308,7 +3315,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238240' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238240 '\n tag rid: 'SV-238240r853418_rule '\n tag stig_id: 'UBTU-20-010102 '\n tag fix_id: 'F-41409r653894_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n @audit_file = '/etc/shadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238240' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238240 '\n tag rid: 'SV-238240r853418_rule '\n tag stig_id: 'UBTU-20-010102 '\n tag fix_id: 'F-41409r653894_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/shadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238240.rb", "line": 1 @@ -3354,7 +3361,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238242' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nAdd or update the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238242 '\n tag rid: 'SV-238242r853420_rule '\n tag stig_id: 'UBTU-20-010104 '\n tag fix_id: 'F-41411r653900_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n @audit_file = '/etc/security/opasswd'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238242' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nAdd or update the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238242 '\n tag rid: 'SV-238242r853420_rule '\n tag stig_id: 'UBTU-20-010104 '\n tag fix_id: 'F-41411r653900_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/security/opasswd'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238242.rb", "line": 1 @@ -3385,7 +3392,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238294' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"pam_timestamp_check\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"pam_timestamp_check\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238294 '\n tag rid: 'SV-238294r654057_rule '\n tag stig_id: 'UBTU-20-010178 '\n tag fix_id: 'F-41463r654056_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/sbin/pam_timestamp_check'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238294' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"pam_timestamp_check\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"pam_timestamp_check\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238294 '\n tag rid: 'SV-238294r654057_rule '\n tag stig_id: 'UBTU-20-010178 '\n tag fix_id: 'F-41463r654056_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/pam_timestamp_check'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238294.rb", "line": 1 @@ -3422,7 +3429,7 @@ "AC-6 (9)" ] }, - "code": "control 'SV-238304' do\n title \"The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. \"\n desc \"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \\\"execve\\\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000326-GPOS-00126 '\n tag satisfies: %w(SRG-OS-000326-GPOS-00126 SRG-OS-000327-GPOS-00127)\n tag gid: 'V-238304 '\n tag rid: 'SV-238304r853422_rule '\n tag stig_id: 'UBTU-20-010211 '\n tag fix_id: 'F-41473r654086_fix '\n tag cci: %w(CCI-002233 CCI-002234)\n tag nist: ['AC-6 (8)', 'AC-6 (9)']\n\n if os.arch == 'x86_64'\n describe auditd.syscall('execve').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('execve').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "code": "control 'SV-238304' do\n title \"The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. \"\n desc \"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \\\"execve\\\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000326-GPOS-00126 '\n tag satisfies: %w(SRG-OS-000326-GPOS-00126 SRG-OS-000327-GPOS-00127)\n tag gid: 'V-238304 '\n tag rid: 'SV-238304r853422_rule '\n tag stig_id: 'UBTU-20-010211 '\n tag fix_id: 'F-41473r654086_fix '\n tag cci: %w(CCI-002233 CCI-002234)\n tag nist: ['AC-6 (8)', 'AC-6 (9)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('execve').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('execve').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238304.rb", "line": 1 @@ -3519,7 +3526,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238264' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \\\"chown\\\",\n\\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nAdd or update the following\nrules in the \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238264 '\n tag rid: 'SV-238264r808477_rule '\n tag stig_id: 'UBTU-20-010148 '\n tag fix_id: 'F-41433r808476_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n # FIX\n\n if os.arch == 'x86_64'\n describe auditd.syscall('chown').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chown').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "code": "control 'SV-238264' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \\\"chown\\\",\n\\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nAdd or update the following\nrules in the \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238264 '\n tag rid: 'SV-238264r808477_rule '\n tag stig_id: 'UBTU-20-010148 '\n tag fix_id: 'F-41433r808476_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chown').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chown').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238264.rb", "line": 1 @@ -3589,7 +3596,7 @@ "AU-4 (1)" ] }, - "code": "control 'SV-238306' do\n title \"The Ubuntu operating system audit event multiplexor must be configured to off-load audit\nlogs onto a different system or storage media from the system being audited. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity.\n\n \"\n desc 'check', \"Verify the audit event multiplexor is configured to offload audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that audisp-remote plugin is\ninstalled:\n\n$ sudo dpkg -s audispd-plugins\n\nIf status is \\\"not installed\\\", this is a\nfinding.\n\nCheck that the records are being offloaded to a remote server with the following\ncommand:\n\n$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf\n\\\"active\\\" is not set to \\\"yes\\\", or the line is commented out, this is a finding.\n\nCheck that\naudisp-remote plugin is configured to send audit logs to a different system:\n\n$ sudo grep -i\n^remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 192.168.122.126\n\nIf\nthe \\\"remote_server\\\" parameter is not set, is set with a local address, or is set with an invalid\naddress, this is a finding. \"\n desc 'fix', \"Configure the audit event multiplexor to offload audit records to a different system or\nstorage media from the system being audited.\n\nInstall the audisp-remote plugin:\n\n$ sudo\napt-get install audispd-plugins -y\n\nSet the audisp-remote plugin as active by editing the\n\\\"/etc/audisp/plugins.d/au-remote.conf\\\" file:\n\n$ sudo sed -i -E\n's/active\\\\s*=\\\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf\n\nSet the\naddress of the remote machine by editing the \\\"/etc/audisp/audisp-remote.conf\\\" file:\n\n$\nsudo sed -i -E 's/(remote_server\\\\s*=).*/\\\\1 <remote addr>/'\n/etc/audisp/audisp-remote.conf\n\nwhere <remote addr> must be substituted by the\naddress of the remote server receiving the audit log.\n\nMake the audit service reload its\nconfiguration files:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000342-GPOS-00133 '\n tag satisfies: %w(SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224)\n tag gid: 'V-238306 '\n tag rid: 'SV-238306r853424_rule '\n tag stig_id: 'UBTU-20-010216 '\n tag fix_id: 'F-41475r654092_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n\n config_file = input('audispremote_config_file')\n config_file_exists = file(config_file).exist?\n audit_sp_remote_server = input('audit_sp_remote_server')\n\n describe package('audispd-plugins') do\n it { should be_installed }\n end\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('active') { should cmp 'yes' }\n its('remote_server') { should cmp audit_sp_remote_server }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238306' do\n title \"The Ubuntu operating system audit event multiplexor must be configured to off-load audit\nlogs onto a different system or storage media from the system being audited. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity.\n\n \"\n desc 'check', \"Verify the audit event multiplexor is configured to offload audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that audisp-remote plugin is\ninstalled:\n\n$ sudo dpkg -s audispd-plugins\n\nIf status is \\\"not installed\\\", this is a\nfinding.\n\nCheck that the records are being offloaded to a remote server with the following\ncommand:\n\n$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf\n\\\"active\\\" is not set to \\\"yes\\\", or the line is commented out, this is a finding.\n\nCheck that\naudisp-remote plugin is configured to send audit logs to a different system:\n\n$ sudo grep -i\n^remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 192.168.122.126\n\nIf\nthe \\\"remote_server\\\" parameter is not set, is set with a local address, or is set with an invalid\naddress, this is a finding. \"\n desc 'fix', \"Configure the audit event multiplexor to offload audit records to a different system or\nstorage media from the system being audited.\n\nInstall the audisp-remote plugin:\n\n$ sudo\napt-get install audispd-plugins -y\n\nSet the audisp-remote plugin as active by editing the\n\\\"/etc/audisp/plugins.d/au-remote.conf\\\" file:\n\n$ sudo sed -i -E\n's/active\\\\s*=\\\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf\n\nSet the\naddress of the remote machine by editing the \\\"/etc/audisp/audisp-remote.conf\\\" file:\n\n$\nsudo sed -i -E 's/(remote_server\\\\s*=).*/\\\\1 <remote addr>/'\n/etc/audisp/audisp-remote.conf\n\nwhere <remote addr> must be substituted by the\naddress of the remote server receiving the audit log.\n\nMake the audit service reload its\nconfiguration files:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000342-GPOS-00133 '\n tag satisfies: %w(SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224)\n tag gid: 'V-238306 '\n tag rid: 'SV-238306r853424_rule '\n tag stig_id: 'UBTU-20-010216 '\n tag fix_id: 'F-41475r654092_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = input('audispremote_config_file')\n config_file_exists = file(config_file).exist?\n audit_sp_remote_server = input('audit_sp_remote_server')\n\n describe package('audispd-plugins') do\n it { should be_installed }\n end\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('active') { should cmp 'yes' }\n its('remote_server') { should cmp audit_sp_remote_server }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238306.rb", "line": 1 @@ -3620,7 +3627,7 @@ "IA-5 (13)" ] }, - "code": "control 'SV-238362' do\n title \"The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. \"\n desc \"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable. \"\n desc 'check', \"If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\\\"offline_credentials_expiration\\\" is not set to a value of \\\"1\\\" in \\\"/etc/sssd/sssd.conf\\\" or\nin a file with a name ending in .conf in the \\\"/etc/sssd/conf.d/\\\" directory, this is a finding. \"\n desc 'fix', \"Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \\\"/etc/sssd/sssd.conf\\\" just below the line \\\"[pam]\\\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \\\".conf\\\" and does not begin with a \\\".\\\" in the \\\"/etc/sssd/conf.d/\\\"\ndirectory instead of the \\\"/etc/sssd/sssd.conf\\\" file. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000383-GPOS-00166 '\n tag gid: 'V-238362 '\n tag rid: 'SV-238362r853437_rule '\n tag stig_id: 'UBTU-20-010441 '\n tag fix_id: 'F-41531r654260_fix '\n tag cci: ['CCI-002007']\n tag nist: ['IA-5 (13)']\n\n config_file = input('sssd_conf_path')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('offline_credentials_expiration') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238362' do\n title \"The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. \"\n desc \"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable. \"\n desc 'check', \"If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\\\"offline_credentials_expiration\\\" is not set to a value of \\\"1\\\" in \\\"/etc/sssd/sssd.conf\\\" or\nin a file with a name ending in .conf in the \\\"/etc/sssd/conf.d/\\\" directory, this is a finding. \"\n desc 'fix', \"Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \\\"/etc/sssd/sssd.conf\\\" just below the line \\\"[pam]\\\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \\\".conf\\\" and does not begin with a \\\".\\\" in the \\\"/etc/sssd/conf.d/\\\"\ndirectory instead of the \\\"/etc/sssd/sssd.conf\\\" file. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000383-GPOS-00166 '\n tag gid: 'V-238362 '\n tag rid: 'SV-238362r853437_rule '\n tag stig_id: 'UBTU-20-010441 '\n tag fix_id: 'F-41531r654260_fix '\n tag cci: ['CCI-002007']\n tag nist: ['IA-5 (13)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = input('sssd_conf_path')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('offline_credentials_expiration') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238362.rb", "line": 1 @@ -3651,7 +3658,7 @@ "AU-5 a" ] }, - "code": "control 'SV-238243' do\n title \"The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. \"\n desc \"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth. \"\n desc 'check', \"Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \\\"action_mail_acct\\\" keyword is not set to an accounts for security personnel, the\n\\\"action_mail_acct\\\" keyword is missing, or the returned line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure \\\"auditd\\\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \\\"/etc/audit/auditd.conf\\\" to ensure administrators\nare notified via email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \\\"administrator_account\\\" to an account for\nsecurity personnel.\n\nRestart the \\\"auditd\\\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000046-GPOS-00022 '\n tag gid: 'V-238243 '\n tag rid: 'SV-238243r653904_rule '\n tag stig_id: 'UBTU-20-010117 '\n tag fix_id: 'F-41412r653903_fix '\n tag cci: ['CCI-000139']\n tag nist: ['AU-5 a']\n\n action_mail_acct = auditd_conf.action_mail_acct\n security_accounts = input('action_mail_acct')\n\n describe 'System Administrator (SA) and Information System Security Officer (ISSO) are notified in the event of an audit processing failure' do\n subject { security_accounts }\n it { should cmp action_mail_acct }\n end\nend\n", + "code": "control 'SV-238243' do\n title \"The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. \"\n desc \"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth. \"\n desc 'check', \"Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \\\"action_mail_acct\\\" keyword is not set to an accounts for security personnel, the\n\\\"action_mail_acct\\\" keyword is missing, or the returned line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure \\\"auditd\\\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \\\"/etc/audit/auditd.conf\\\" to ensure administrators\nare notified via email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \\\"administrator_account\\\" to an account for\nsecurity personnel.\n\nRestart the \\\"auditd\\\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000046-GPOS-00022 '\n tag gid: 'V-238243 '\n tag rid: 'SV-238243r653904_rule '\n tag stig_id: 'UBTU-20-010117 '\n tag fix_id: 'F-41412r653903_fix '\n tag cci: ['CCI-000139']\n tag nist: ['AU-5 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n action_mail_acct = auditd_conf.action_mail_acct\n security_accounts = input('action_mail_acct')\n\n describe 'System Administrator (SA) and Information System Security Officer (ISSO) are notified in the event of an audit processing failure' do\n subject { security_accounts }\n it { should cmp action_mail_acct }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238243.rb", "line": 1 @@ -3682,7 +3689,7 @@ "AU-12 b" ] }, - "code": "control 'SV-238251' do\n title \"The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a group other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238251 '\n tag rid: 'SV-238251r653928_rule '\n tag stig_id: 'UBTU-20-010135 '\n tag fix_id: 'F-41420r653927_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('group') { should cmp 'root' }\n end\n end\nend\n", + "code": "control 'SV-238251' do\n title \"The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a group other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238251 '\n tag rid: 'SV-238251r653928_rule '\n tag stig_id: 'UBTU-20-010135 '\n tag fix_id: 'F-41420r653927_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238251.rb", "line": 1 @@ -3713,7 +3720,7 @@ "IA-2 (12)" ] }, - "code": "control 'SV-238232' do\n title \"The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. \"\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to\n\\\"ocsp_on\\\", or the line is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \\\"cert_policy\\\" lines in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" to include \\\"ocsp_on\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000377-GPOS-00162 '\n tag gid: 'V-238232 '\n tag rid: 'SV-238232r853412_rule '\n tag stig_id: 'UBTU-20-010065 '\n tag fix_id: 'F-41401r653870_fix '\n tag cci: ['CCI-001954']\n tag nist: ['IA-2 (12)']\n\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'ocsp_on' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238232' do\n title \"The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. \"\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to\n\\\"ocsp_on\\\", or the line is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \\\"cert_policy\\\" lines in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" to include \\\"ocsp_on\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000377-GPOS-00162 '\n tag gid: 'V-238232 '\n tag rid: 'SV-238232r853412_rule '\n tag stig_id: 'UBTU-20-010065 '\n tag fix_id: 'F-41401r653870_fix '\n tag cci: ['CCI-001954']\n tag nist: ['IA-2 (12)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'ocsp_on' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238232.rb", "line": 1 @@ -3747,7 +3754,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238297' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"delete_module\\\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"delete_module\\\" syscall.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: ['SRG-OS-000477-GPOS-00222']\n tag gid: 'V-238297 '\n tag rid: 'SV-238297r802387_rule '\n tag stig_id: 'UBTU-20-010181 '\n tag fix_id: 'F-41466r654065_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if os.arch == 'x86_64'\n describe auditd.syscall('delete_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('delete_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "code": "control 'SV-238297' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"delete_module\\\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"delete_module\\\" syscall.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: ['SRG-OS-000477-GPOS-00222']\n tag gid: 'V-238297 '\n tag rid: 'SV-238297r802387_rule '\n tag stig_id: 'UBTU-20-010181 '\n tag fix_id: 'F-41466r654065_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('delete_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('delete_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238297.rb", "line": 1 @@ -3782,7 +3789,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238295' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \\\"init_module\\\" and \\\"finit_module\\\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000471-GPOS-00216)\n tag gid: 'V-238295 '\n tag rid: 'SV-238295r808486_rule '\n tag stig_id: 'UBTU-20-010179 '\n tag fix_id: 'F-41464r808485_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if os.arch == 'x86_64'\n describe auditd.syscall('init_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('init_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "code": "control 'SV-238295' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \\\"init_module\\\" and \\\"finit_module\\\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000471-GPOS-00216)\n tag gid: 'V-238295 '\n tag rid: 'SV-238295r808486_rule '\n tag stig_id: 'UBTU-20-010179 '\n tag fix_id: 'F-41464r808485_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('init_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('init_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238295.rb", "line": 1 @@ -3875,7 +3882,7 @@ "MA-4 c" ] }, - "code": "control 'SV-238211' do\n title \"The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. \"\n desc \"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \\\"UsePAM\\\"\nis set to \\\"yes\\\" in \\\"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \\\"UsePAM\\\" is not set to \\\"yes\\\", this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000125-GPOS-00065 '\n tag gid: 'V-238211 '\n tag rid: 'SV-238211r858519_rule '\n tag stig_id: 'UBTU-20-010035 '\n tag fix_id: 'F-41380r653807_fix '\n tag cci: ['CCI-000877']\n tag nist: ['MA-4 c']\n\n describe sshd_config do\n its('UsePAM') { should cmp 'yes' }\n end\nend\n", + "code": "control 'SV-238211' do\n title \"The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. \"\n desc \"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \\\"UsePAM\\\"\nis set to \\\"yes\\\" in \\\"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \\\"UsePAM\\\" is not set to \\\"yes\\\", this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000125-GPOS-00065 '\n tag gid: 'V-238211 '\n tag rid: 'SV-238211r858519_rule '\n tag stig_id: 'UBTU-20-010035 '\n tag fix_id: 'F-41380r653807_fix '\n tag cci: ['CCI-000877']\n tag nist: ['MA-4 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe sshd_config do\n its('UsePAM') { should cmp 'yes' }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238211.rb", "line": 1 @@ -3906,7 +3913,7 @@ "IA-5 (2) (b) (1)" ] }, - "code": "control 'SV-238229' do\n title \"The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. \"\n desc \"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement. \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \\\"use_pkcs11_module\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\"\nand then ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to \\\"ca\\\" or the line is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \\\"use_pkcs11_module\\\" in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" and ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\".\n\nAdd or\nupdate the \\\"cert_policy\\\" to ensure \\\"ca\\\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000066-GPOS-00034 '\n tag gid: 'V-238229 '\n tag rid: 'SV-238229r653862_rule '\n tag stig_id: 'UBTU-20-010060 '\n tag fix_id: 'F-41398r653861_fix '\n tag cci: ['CCI-000185']\n tag nist: ['IA-5 (2) (b) (1)']\n\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('use_pkcs11_module') { should_not be_nil }\n its('cert_policy') { should include 'ca' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238229' do\n title \"The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. \"\n desc \"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement. \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \\\"use_pkcs11_module\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\"\nand then ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to \\\"ca\\\" or the line is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \\\"use_pkcs11_module\\\" in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" and ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\".\n\nAdd or\nupdate the \\\"cert_policy\\\" to ensure \\\"ca\\\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000066-GPOS-00034 '\n tag gid: 'V-238229 '\n tag rid: 'SV-238229r653862_rule '\n tag stig_id: 'UBTU-20-010060 '\n tag fix_id: 'F-41398r653861_fix '\n tag cci: ['CCI-000185']\n tag nist: ['IA-5 (2) (b) (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('use_pkcs11_module') { should_not be_nil }\n its('cert_policy') { should include 'ca' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238229.rb", "line": 1 @@ -3943,7 +3950,7 @@ "AU-9" ] }, - "code": "control 'SV-238301' do\n title 'The Ubuntu operating system must configure audit tools to be owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\\\"%n %U\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238301 '\n tag rid: 'SV-238301r654078_rule '\n tag stig_id: 'UBTU-20-010200 '\n tag fix_id: 'F-41470r654077_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('owner') { should cmp 'root' }\n end\n end\nend\n", + "code": "control 'SV-238301' do\n title 'The Ubuntu operating system must configure audit tools to be owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\\\"%n %U\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238301 '\n tag rid: 'SV-238301r654078_rule '\n tag stig_id: 'UBTU-20-010200 '\n tag fix_id: 'F-41470r654077_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238301.rb", "line": 1 @@ -3978,7 +3985,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238258' do\n title \"The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\",\n\\\"fremovexattr\\\", and \\\"lremovexattr\\\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \\\"setxattr\\\", \\\"fsetxattr\\\",\n\\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\" and \\\"lremovexattr\\\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\", and\n\\\"lremovexattr\\\" system calls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238258 '\n tag rid: 'SV-238258r808474_rule '\n tag stig_id: 'UBTU-20-010142 '\n tag fix_id: 'F-41427r808473_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if os.arch == 'x86_64'\n describe auditd.syscall('setxattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('setxattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "code": "control 'SV-238258' do\n title \"The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\",\n\\\"fremovexattr\\\", and \\\"lremovexattr\\\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \\\"setxattr\\\", \\\"fsetxattr\\\",\n\\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\" and \\\"lremovexattr\\\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\", and\n\\\"lremovexattr\\\" system calls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238258 '\n tag rid: 'SV-238258r808474_rule '\n tag stig_id: 'UBTU-20-010142 '\n tag fix_id: 'F-41427r808473_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('setxattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('setxattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238258.rb", "line": 1 @@ -4009,7 +4016,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238284' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238284 '\n tag rid: 'SV-238284r654027_rule '\n tag stig_id: 'UBTU-20-010168 '\n tag fix_id: 'F-41453r654026_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/chacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238284' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238284 '\n tag rid: 'SV-238284r654027_rule '\n tag stig_id: 'UBTU-20-010168 '\n tag fix_id: 'F-41453r654026_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238284.rb", "line": 1 @@ -4071,7 +4078,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238288' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"passwd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"key\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"passwd\\\" command.\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238288 '\n tag rid: 'SV-238288r833012_rule '\n tag stig_id: 'UBTU-20-010172 '\n tag fix_id: 'F-41457r832949_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238288' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"passwd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"key\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"passwd\\\" command.\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238288 '\n tag rid: 'SV-238288r833012_rule '\n tag stig_id: 'UBTU-20-010172 '\n tag fix_id: 'F-41457r832949_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238288.rb", "line": 1 @@ -4139,7 +4146,7 @@ "MA-4 (1) (a)" ] }, - "code": "control 'SV-238309' do\n title \"The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, diagnostic sessions and other system-level access. \"\n desc \"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\\\"ping,\\\" \\\"ls,\\\" \\\"ipconfig,\\\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000392-GPOS-00172 '\n tag satisfies: %w(SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215)\n tag gid: 'V-238309 '\n tag rid: 'SV-238309r853427_rule '\n tag stig_id: 'UBTU-20-010244 '\n tag fix_id: 'F-41478r654101_fix '\n tag cci: %w(CCI-000172 CCI-002884)\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n\n @audit_file = '/var/log/sudo.log'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238309' do\n title \"The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, diagnostic sessions and other system-level access. \"\n desc \"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\\\"ping,\\\" \\\"ls,\\\" \\\"ipconfig,\\\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000392-GPOS-00172 '\n tag satisfies: %w(SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215)\n tag gid: 'V-238309 '\n tag rid: 'SV-238309r853427_rule '\n tag stig_id: 'UBTU-20-010244 '\n tag fix_id: 'F-41478r654101_fix '\n tag cci: %w(CCI-000172 CCI-002884)\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/sudo.log'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238309.rb", "line": 1 @@ -4170,7 +4177,7 @@ "AU-5 (1)" ] }, - "code": "control 'SV-238307' do\n title \"The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. \"\n desc \"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion. \"\n desc 'check', \"Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \\\"space_left\\\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \\\"space_left_action\\\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \\\"space_left_action\\\" is set to \\\"syslog\\\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\\\"space_left_action\\\" is set to \\\"exec\\\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \\\"space_left_action\\\" is set\nto \\\"email\\\", check the value of the \\\"action_mail_acct\\\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \\\"action_mail_acct\\\" parameter, if missing, defaults to \\\"root\\\". If the\n\\\"action_mail_acct parameter\\\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available. \"\n desc 'fix', \"Edit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left_action\\\" parameter to \\\"exec\\\" or\n\\\"email\\\".\n\nIf the \\\"space_left_action\\\" parameter is set to \\\"email\\\", set the\n\\\"action_mail_acct\\\" parameter to an email address for the SA and ISSO.\n\nIf the\n\\\"space_left_action\\\" parameter is set to \\\"exec\\\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left\\\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000343-GPOS-00134 '\n tag gid: 'V-238307 '\n tag rid: 'SV-238307r853425_rule '\n tag stig_id: 'UBTU-20-010217 '\n tag fix_id: 'F-41476r654095_fix '\n tag cci: ['CCI-001855']\n tag nist: ['AU-5 (1)']\n\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n email_to_notify = input('action_mail_acct')\n\n partition_threshold_mb = (filesystem(log_file).size_kb / 1024 * 0.25).to_i\n system_alert_configuration_mb = auditd_conf.space_left.to_i\n\n describe 'The space_left configuration' do\n subject { system_alert_configuration_mb }\n it { should >= partition_threshold_mb }\n end\n describe 'The space_left_action configuration' do\n subject { auditd_conf.space_left_action }\n it { should eq 'email' }\n end\n\n describe 'The action_mail_acct configuration' do\n subject { auditd_conf.action_mail_acct }\n it { should eq email_to_notify }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238307' do\n title \"The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. \"\n desc \"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion. \"\n desc 'check', \"Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \\\"space_left\\\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \\\"space_left_action\\\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \\\"space_left_action\\\" is set to \\\"syslog\\\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\\\"space_left_action\\\" is set to \\\"exec\\\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \\\"space_left_action\\\" is set\nto \\\"email\\\", check the value of the \\\"action_mail_acct\\\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \\\"action_mail_acct\\\" parameter, if missing, defaults to \\\"root\\\". If the\n\\\"action_mail_acct parameter\\\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available. \"\n desc 'fix', \"Edit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left_action\\\" parameter to \\\"exec\\\" or\n\\\"email\\\".\n\nIf the \\\"space_left_action\\\" parameter is set to \\\"email\\\", set the\n\\\"action_mail_acct\\\" parameter to an email address for the SA and ISSO.\n\nIf the\n\\\"space_left_action\\\" parameter is set to \\\"exec\\\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left\\\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000343-GPOS-00134 '\n tag gid: 'V-238307 '\n tag rid: 'SV-238307r853425_rule '\n tag stig_id: 'UBTU-20-010217 '\n tag fix_id: 'F-41476r654095_fix '\n tag cci: ['CCI-001855']\n tag nist: ['AU-5 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n email_to_notify = input('action_mail_acct')\n\n partition_threshold_mb = (filesystem(log_file).size_kb / 1024 * 0.25).to_i\n system_alert_configuration_mb = auditd_conf.space_left.to_i\n\n describe 'The space_left configuration' do\n subject { system_alert_configuration_mb }\n it { should >= partition_threshold_mb }\n end\n describe 'The space_left_action configuration' do\n subject { auditd_conf.space_left_action }\n it { should eq 'email' }\n end\n\n describe 'The action_mail_acct configuration' do\n subject { auditd_conf.action_mail_acct }\n it { should eq email_to_notify }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238307.rb", "line": 1 @@ -4314,7 +4321,7 @@ "AC-7 b" ] }, - "code": "control 'SV-238235' do\n title \"The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. \"\n desc \"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.\n\n \"\n desc 'check', \"Verify that the Ubuntu operating system utilizes the \\\"pam_faillock\\\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \\\"/etc/pam.d/common-auth\\\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \\\"silent\\\" keyword is missing or commented out, this is a finding.\nIf the \\\"audit\\\"\nkeyword is missing or commented out, this is a finding.\nIf the \\\"deny\\\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \\\"fail_interval\\\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\\\"unlock_time\\\" keyword is missing, commented out, or not set to 0, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to utilize the \\\"pam_faillock\\\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \\\"auth\\\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \\\"pam_faillock\\\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000329-GPOS-00128 '\n tag satisfies: %w(SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005)\n tag gid: 'V-238235 '\n tag rid: 'SV-238235r853414_rule '\n tag stig_id: 'UBTU-20-010072 '\n tag fix_id: 'F-41404r802382_fix '\n tag cci: %w(CCI-000044 CCI-002238)\n tag nist: ['AC-7 a', 'AC-7 b']\n\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_tally /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3($|\\s+.*$)/ }\n its('stdout.strip') { should_not match /^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3\\s+.*unlock_time.*$/ }\n end\nend\n", + "code": "control 'SV-238235' do\n title \"The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. \"\n desc \"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.\n\n \"\n desc 'check', \"Verify that the Ubuntu operating system utilizes the \\\"pam_faillock\\\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \\\"/etc/pam.d/common-auth\\\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \\\"silent\\\" keyword is missing or commented out, this is a finding.\nIf the \\\"audit\\\"\nkeyword is missing or commented out, this is a finding.\nIf the \\\"deny\\\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \\\"fail_interval\\\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\\\"unlock_time\\\" keyword is missing, commented out, or not set to 0, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to utilize the \\\"pam_faillock\\\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \\\"auth\\\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \\\"pam_faillock\\\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000329-GPOS-00128 '\n tag satisfies: %w(SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005)\n tag gid: 'V-238235 '\n tag rid: 'SV-238235r853414_rule '\n tag stig_id: 'UBTU-20-010072 '\n tag fix_id: 'F-41404r802382_fix '\n tag cci: %w(CCI-000044 CCI-002238)\n tag nist: ['AC-7 a', 'AC-7 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_tally /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3($|\\s+.*$)/ }\n its('stdout.strip') { should_not match /^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3\\s+.*unlock_time.*$/ }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238235.rb", "line": 1 @@ -4345,7 +4352,7 @@ "IA-3" ] }, - "code": "control 'SV-251505' do\n title \"The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB)\nmass storage driver. \"\n desc \"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers. \"\n desc 'check', \"Verify that Ubuntu operating system disables ability to load the USB storage kernel\nmodule.\n\n# grep usb-storage /etc/modprobe.d/* | grep \\\"/bin/true\\\"\n\ninstall usb-storage\n/bin/true\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding.\n\nVerify the operating system disables the ability to use USB mass storage\ndevice.\n\n# grep usb-storage /etc/modprobe.d/* | grep -i \\\"blacklist\\\"\n\nblacklist\nusb-storage\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable using the USB storage kernel module.\n\n\nCreate a file under \\\"/etc/modprobe.d\\\" to contain the following:\n\n# sudo su -c \\\"echo\ninstall usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\\\"\n\nConfigure the\noperating system to disable the ability to use USB mass storage devices.\n\n# sudo su -c \\\"echo\nblacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\\\" \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000378-GPOS-00163 '\n tag gid: 'V-251505 '\n tag rid: 'SV-251505r853450_rule '\n tag stig_id: 'UBTU-20-010461 '\n tag fix_id: 'F-54894r808511_fix '\n tag cci: ['CCI-001958']\n tag nist: ['IA-3']\n\n describe command('grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\"') do\n its('stdout') { should_not be_empty }\n end\n\n describe command('grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"') do\n its('stdout') { should_not be_empty }\n end\nend\n", + "code": "control 'SV-251505' do\n title \"The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB)\nmass storage driver. \"\n desc \"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers. \"\n desc 'check', \"Verify that Ubuntu operating system disables ability to load the USB storage kernel\nmodule.\n\n# grep usb-storage /etc/modprobe.d/* | grep \\\"/bin/true\\\"\n\ninstall usb-storage\n/bin/true\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding.\n\nVerify the operating system disables the ability to use USB mass storage\ndevice.\n\n# grep usb-storage /etc/modprobe.d/* | grep -i \\\"blacklist\\\"\n\nblacklist\nusb-storage\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable using the USB storage kernel module.\n\n\nCreate a file under \\\"/etc/modprobe.d\\\" to contain the following:\n\n# sudo su -c \\\"echo\ninstall usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\\\"\n\nConfigure the\noperating system to disable the ability to use USB mass storage devices.\n\n# sudo su -c \\\"echo\nblacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\\\" \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000378-GPOS-00163 '\n tag gid: 'V-251505 '\n tag rid: 'SV-251505r853450_rule '\n tag stig_id: 'UBTU-20-010461 '\n tag fix_id: 'F-54894r808511_fix '\n tag cci: ['CCI-001958']\n tag nist: ['IA-3']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\"') do\n its('stdout') { should_not be_empty }\n end\n\n describe command('grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"') do\n its('stdout') { should_not be_empty }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-251505.rb", "line": 1 @@ -4438,7 +4445,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238254' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"mount\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"mount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238254 '\n tag rid: 'SV-238254r653937_rule '\n tag stig_id: 'UBTU-20-010138 '\n tag fix_id: 'F-41423r653936_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/mount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238254' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"mount\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"mount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238254 '\n tag rid: 'SV-238254r653937_rule '\n tag stig_id: 'UBTU-20-010138 '\n tag fix_id: 'F-41423r653936_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/mount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238254.rb", "line": 1 @@ -4469,7 +4476,7 @@ "CM-6 b" ] }, - "code": "control 'SV-251504' do\n title 'The Ubuntu operating system must not allow accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding. \"\n desc 'fix', \"If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \\\"nullok\\\" option in \\\"/etc/pam.d/common-password\\\" to prevent logons with\nempty passwords. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251504 '\n tag rid: 'SV-251504r832977_rule '\n tag stig_id: 'UBTU-20-010463 '\n tag fix_id: 'F-54893r832976_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe command('grep nullok /etc/pam.d/common-password') do\n its('stdout') { should be_empty }\n end\nend\n", + "code": "control 'SV-251504' do\n title 'The Ubuntu operating system must not allow accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding. \"\n desc 'fix', \"If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \\\"nullok\\\" option in \\\"/etc/pam.d/common-password\\\" to prevent logons with\nempty passwords. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251504 '\n tag rid: 'SV-251504r832977_rule '\n tag stig_id: 'UBTU-20-010463 '\n tag fix_id: 'F-54893r832976_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep nullok /etc/pam.d/common-password') do\n its('stdout') { should be_empty }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-251504.rb", "line": 1 @@ -4567,7 +4574,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238286' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238286 '\n tag rid: 'SV-238286r654033_rule '\n tag stig_id: 'UBTU-20-010170 '\n tag fix_id: 'F-41455r654032_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/var/log/faillog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238286' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238286 '\n tag rid: 'SV-238286r654033_rule '\n tag stig_id: 'UBTU-20-010170 '\n tag fix_id: 'F-41455r654032_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/faillog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238286.rb", "line": 1 @@ -4610,7 +4617,7 @@ "IA-2 (4)" ] }, - "code": "control 'SV-238210' do\n title \"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. \"\n desc \"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \\\"no\\\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \\\"pam_pkcs11.so\\\" in \\\"/etc/pam.d/common-auth\\\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\\\"PubkeyAuthentication yes\\\" in the \\\"/etc/ssh/sshd_config\\\" file. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000105-GPOS-00052 '\n tag satisfies: %w(SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055)\n tag gid: 'V-238210 '\n tag rid: 'SV-238210r858517_rule '\n tag stig_id: 'UBTU-20-010033 '\n tag fix_id: 'F-41379r653804_fix '\n tag cci: %w(CCI-000765 CCI-000766 CCI-000767 CCI-000768)\n tag nist: ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)']\n\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n\n describe sshd_config do\n its('PubkeyAuthentication') { should cmp 'yes' }\n end\nend\n", + "code": "control 'SV-238210' do\n title \"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. \"\n desc \"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \\\"no\\\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \\\"pam_pkcs11.so\\\" in \\\"/etc/pam.d/common-auth\\\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\\\"PubkeyAuthentication yes\\\" in the \\\"/etc/ssh/sshd_config\\\" file. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000105-GPOS-00052 '\n tag satisfies: %w(SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055)\n tag gid: 'V-238210 '\n tag rid: 'SV-238210r858517_rule '\n tag stig_id: 'UBTU-20-010033 '\n tag fix_id: 'F-41379r653804_fix '\n tag cci: %w(CCI-000765 CCI-000766 CCI-000767 CCI-000768)\n tag nist: ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n\n describe sshd_config do\n its('PubkeyAuthentication') { should cmp 'yes' }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238210.rb", "line": 1 @@ -4672,7 +4679,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238280' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"newgrp\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"newgrp\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238280 '\n tag rid: 'SV-238280r654015_rule '\n tag stig_id: 'UBTU-20-010164 '\n tag fix_id: 'F-41449r654014_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/newgrp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238280' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"newgrp\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"newgrp\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238280 '\n tag rid: 'SV-238280r654015_rule '\n tag stig_id: 'UBTU-20-010164 '\n tag fix_id: 'F-41449r654014_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/newgrp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238280.rb", "line": 1 @@ -4703,7 +4710,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238310' do\n title \"The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible. \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\\\|rename\\\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \\\"unlink\\\",\n\\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \\\"key\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events for any successful/unsuccessful use of\n\\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" system calls.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000468-GPOS-00212 '\n tag gid: 'V-238310 '\n tag rid: 'SV-238310r832953_rule '\n tag stig_id: 'UBTU-20-010267 '\n tag fix_id: 'F-41479r832952_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if os.arch == 'x86_64'\n describe auditd.syscall('unlink').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('unlink').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\nend\n", + "code": "control 'SV-238310' do\n title \"The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible. \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\\\|rename\\\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \\\"unlink\\\",\n\\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \\\"key\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events for any successful/unsuccessful use of\n\\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" system calls.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000468-GPOS-00212 '\n tag gid: 'V-238310 '\n tag rid: 'SV-238310r832953_rule '\n tag stig_id: 'UBTU-20-010267 '\n tag fix_id: 'F-41479r832952_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('unlink').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('unlink').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238310.rb", "line": 1 @@ -4796,7 +4803,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238257' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-keysign\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-keysign\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238257 '\n tag rid: 'SV-238257r653946_rule '\n tag stig_id: 'UBTU-20-010141 '\n tag fix_id: 'F-41426r653945_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/lib/openssh/ssh-keysign'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238257' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-keysign\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-keysign\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238257 '\n tag rid: 'SV-238257r653946_rule '\n tag stig_id: 'UBTU-20-010141 '\n tag fix_id: 'F-41426r653945_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/lib/openssh/ssh-keysign'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238257.rb", "line": 1 @@ -4951,7 +4958,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238290' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"gpasswd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"gpasswd\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238290 '\n tag rid: 'SV-238290r654045_rule '\n tag stig_id: 'UBTU-20-010174 '\n tag fix_id: 'F-41459r654044_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/gpasswd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238290' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"gpasswd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"gpasswd\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238290 '\n tag rid: 'SV-238290r654045_rule '\n tag stig_id: 'UBTU-20-010174 '\n tag fix_id: 'F-41459r654044_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/gpasswd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238290.rb", "line": 1 @@ -4982,7 +4989,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238316' do\n title 'The Ubuntu operating system must generate audit records for the /var/run/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/run/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/run/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238316 '\n tag rid: 'SV-238316r654123_rule '\n tag stig_id: 'UBTU-20-010278 '\n tag fix_id: 'F-41485r654122_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/var/run/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238316' do\n title 'The Ubuntu operating system must generate audit records for the /var/run/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/run/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/run/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238316 '\n tag rid: 'SV-238316r654123_rule '\n tag stig_id: 'UBTU-20-010278 '\n tag fix_id: 'F-41485r654122_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/run/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238316.rb", "line": 1 @@ -5205,7 +5212,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238256' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-agent command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-agent\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep '/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-agent\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238256 '\n tag rid: 'SV-238256r653943_rule '\n tag stig_id: 'UBTU-20-010140 '\n tag fix_id: 'F-41425r653942_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/ssh-agent'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238256' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-agent command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-agent\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep '/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-agent\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238256 '\n tag rid: 'SV-238256r653943_rule '\n tag stig_id: 'UBTU-20-010140 '\n tag fix_id: 'F-41425r653942_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/ssh-agent'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238256.rb", "line": 1 @@ -5298,7 +5305,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238278' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"sudoedit\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudoedit\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238278 '\n tag rid: 'SV-238278r654009_rule '\n tag stig_id: 'UBTU-20-010162 '\n tag fix_id: 'F-41447r654008_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/sudoedit'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238278' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"sudoedit\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudoedit\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238278 '\n tag rid: 'SV-238278r654009_rule '\n tag stig_id: 'UBTU-20-010162 '\n tag fix_id: 'F-41447r654008_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudoedit'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238278.rb", "line": 1 @@ -5329,7 +5336,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238252' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"su\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x -F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \\\"su\\\" command occur.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238252 '\n tag rid: 'SV-238252r653931_rule '\n tag stig_id: 'UBTU-20-010136 '\n tag fix_id: 'F-41421r653930_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/bin/su'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238252' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"su\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x -F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \\\"su\\\" command occur.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238252 '\n tag rid: 'SV-238252r653931_rule '\n tag stig_id: 'UBTU-20-010136 '\n tag fix_id: 'F-41421r653930_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/su'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238252.rb", "line": 1 @@ -5391,7 +5398,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238315' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238315 '\n tag rid: 'SV-238315r654120_rule '\n tag stig_id: 'UBTU-20-010277 '\n tag fix_id: 'F-41484r654119_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/var/log/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238315' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238315 '\n tag rid: 'SV-238315r654120_rule '\n tag stig_id: 'UBTU-20-010277 '\n tag fix_id: 'F-41484r654119_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238315.rb", "line": 1 @@ -5552,7 +5559,7 @@ "AU-9" ] }, - "code": "control 'SV-238300' do\n title 'The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to have a file permission of\n0755 or less to prevent unauthorized access by running the following command:\n\n$ stat -c \\\"%n\n%a\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl 755\n/sbin/aureport 755\n\n/sbin/ausearch 755\n/sbin/autrace 755\n/sbin/auditd 755\n/sbin/audispd 755\n\n/sbin/augenrules 755\n\nIf any of the audit tools have a mode more permissive than 0755, this\nis a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n$ sudo chmod\n0755 [audit_tool]\n\nReplace \\\"[audit_tool]\\\" with the audit tool that does not have the\ncorrect permissions. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238300 '\n tag rid: 'SV-238300r654075_rule '\n tag stig_id: 'UBTU-20-010199 '\n tag fix_id: 'F-41469r654074_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\nend\n", + "code": "control 'SV-238300' do\n title 'The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to have a file permission of\n0755 or less to prevent unauthorized access by running the following command:\n\n$ stat -c \\\"%n\n%a\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl 755\n/sbin/aureport 755\n\n/sbin/ausearch 755\n/sbin/autrace 755\n/sbin/auditd 755\n/sbin/audispd 755\n\n/sbin/augenrules 755\n\nIf any of the audit tools have a mode more permissive than 0755, this\nis a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n$ sudo chmod\n0755 [audit_tool]\n\nReplace \\\"[audit_tool]\\\" with the audit tool that does not have the\ncorrect permissions. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238300 '\n tag rid: 'SV-238300r654075_rule '\n tag stig_id: 'UBTU-20-010199 '\n tag fix_id: 'F-41469r654074_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238300.rb", "line": 1 @@ -5614,7 +5621,7 @@ "AC-9" ] }, - "code": "control 'SV-238373' do\n title \"The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. \"\n desc \"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections. \"\n desc 'check', \"Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\\\"pam_lastlog\\\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \\\"pam_lastlog\\\" is\nmissing from \\\"/etc/pam.d/login\\\" file, is not \\\"required\\\", or the \\\"silent\\\" option is present,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\\\"/etc/pam.d/login\\\".\n\nAdd the following line to the top of \\\"/etc/pam.d/login\\\":\n\nsession\nrequired pam_lastlog.so showfailed \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238373 '\n tag rid: 'SV-238373r858539_rule '\n tag stig_id: 'UBTU-20-010453 '\n tag fix_id: 'F-41542r654293_fix '\n tag cci: ['CCI-000052']\n tag nist: ['AC-9']\n\n describe command('grep pam_lastlog /etc/pam.d/login') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*session\\s+required\\s+pam_lastlog.so/ }\n its('stdout.strip') { should_not match /^\\s*session\\s+required\\s+pam_lastlog.so[\\s\\w\\d\\=]+.*silent/ }\n end\nend\n", + "code": "control 'SV-238373' do\n title \"The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. \"\n desc \"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections. \"\n desc 'check', \"Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\\\"pam_lastlog\\\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \\\"pam_lastlog\\\" is\nmissing from \\\"/etc/pam.d/login\\\" file, is not \\\"required\\\", or the \\\"silent\\\" option is present,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\\\"/etc/pam.d/login\\\".\n\nAdd the following line to the top of \\\"/etc/pam.d/login\\\":\n\nsession\nrequired pam_lastlog.so showfailed \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238373 '\n tag rid: 'SV-238373r858539_rule '\n tag stig_id: 'UBTU-20-010453 '\n tag fix_id: 'F-41542r654293_fix '\n tag cci: ['CCI-000052']\n tag nist: ['AC-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep pam_lastlog /etc/pam.d/login') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*session\\s+required\\s+pam_lastlog.so/ }\n its('stdout.strip') { should_not match /^\\s*session\\s+required\\s+pam_lastlog.so[\\s\\w\\d\\=]+.*silent/ }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238373.rb", "line": 1 @@ -5645,7 +5652,7 @@ "AU-9 a" ] }, - "code": "control 'SV-238248' do\n title \"The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. \"\n desc \"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity. \"\n desc 'check', \"Verify that the audit log directory has a mode of \\\"0750\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \\\"0750\\\" or less by\nusing the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \\\"0750\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory to have a mode of \\\"0750\\\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\\\"0750\\\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000059-GPOS-00029 '\n tag gid: 'V-238248 '\n tag rid: 'SV-238248r653919_rule '\n tag stig_id: 'UBTU-20-010128 '\n tag fix_id: 'F-41417r653918_fix '\n tag cci: ['CCI-000164']\n tag nist: ['AU-9 a']\n\n log_file = auditd_conf.log_file\n\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n if log_dir_exists\n describe directory(File.dirname(log_file)) do\n it { should_not be_more_permissive_than('0750') }\n end\n else\n describe('Audit directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238248' do\n title \"The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. \"\n desc \"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity. \"\n desc 'check', \"Verify that the audit log directory has a mode of \\\"0750\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \\\"0750\\\" or less by\nusing the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \\\"0750\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory to have a mode of \\\"0750\\\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\\\"0750\\\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000059-GPOS-00029 '\n tag gid: 'V-238248 '\n tag rid: 'SV-238248r653919_rule '\n tag stig_id: 'UBTU-20-010128 '\n tag fix_id: 'F-41417r653918_fix '\n tag cci: ['CCI-000164']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n if log_dir_exists\n describe directory(File.dirname(log_file)) do\n it { should_not be_more_permissive_than('0750') }\n end\n else\n describe('Audit directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238248.rb", "line": 1 @@ -5676,7 +5683,7 @@ "AU-12 c" ] }, - "code": "control 'SV-238293' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"crontab\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"crontab\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238293 '\n tag rid: 'SV-238293r654054_rule '\n tag stig_id: 'UBTU-20-010177 '\n tag fix_id: 'F-41462r654053_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n @audit_file = '/usr/bin/crontab'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238293' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"crontab\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"crontab\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238293 '\n tag rid: 'SV-238293r654054_rule '\n tag stig_id: 'UBTU-20-010177 '\n tag fix_id: 'F-41462r654053_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/crontab'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238293.rb", "line": 1 @@ -6855,7 +6862,7 @@ "id": "controls/SV-238293.rb" } ], - "sha256": "3631ba284e9ea47d57f1f464fbd5391e0f86bba40c482ad14962d4cd93075f9e", + "sha256": "790ca193566f32b338bd5838db799358bbbbea2c1dabc843bc17f7ddfee74682", "status_message": "", "status": "loaded", "generator": { From af2b492458b3c99964da716ce9775607eefef347 Mon Sep 17 00:00:00 2001 From: Will Dower Date: Tue, 6 Dec 2022 16:39:07 -0500 Subject: [PATCH 057/100] more debug statements Signed-off-by: Will Dower --- .github/workflows/verify-container.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index bffe98f..b8e93a0 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -39,6 +39,8 @@ jobs: bundle exec inspec json . | jq . > profile.json - name: Lint the Inspec profile run: bundle exec inspec check . + - name: debug + run: pwd && ls -lah - name: Run kitchen test run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-2004 || true - name: Display our ${{ matrix.suite }} results summary @@ -55,6 +57,8 @@ jobs: if: ${{ always() }} needs: validate steps: + - name: debug + run: pwd && ls -lah - name: Save Test Result JSONs uses: actions/upload-artifact@v2 with: From 99ca1e7d5f28a80f7be6d9d6895ae2ba22196272 Mon Sep 17 00:00:00 2001 From: Will Dower Date: Tue, 6 Dec 2022 16:45:53 -0500 Subject: [PATCH 058/100] moving the artifact upload step back into the main validate action Signed-off-by: Will Dower --- .github/workflows/verify-container.yml | 9 +-------- .github/workflows/verify-ec2.yml | 7 +------ .github/workflows/verify-vagrant.yml | 7 +------ 3 files changed, 3 insertions(+), 20 deletions(-) diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index b8e93a0..ae7f65f 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -51,15 +51,8 @@ jobs: uses: mitre/saf_action@v1 with: command_string: 'validate threshold -i spec/results/container_ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' - artifact-upload: - name: Upload artifacts - runs-on: macos-12 - if: ${{ always() }} - needs: validate - steps: - - name: debug - run: pwd && ls -lah - name: Save Test Result JSONs + if: ${{ always() }} uses: actions/upload-artifact@v2 with: path: spec/results/ diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index ba997ce..b2692cc 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -58,13 +58,8 @@ jobs: uses: mitre/saf_action@v1 with: command_string: 'validate threshold -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' - artifact-upload: - name: Upload artifacts - runs-on: macos-12 - if: ${{ always() }} - needs: validate - steps: - name: Save Test Result JSONs + if: ${{ always() }} uses: actions/upload-artifact@v2 with: path: spec/results/ \ No newline at end of file diff --git a/.github/workflows/verify-vagrant.yml b/.github/workflows/verify-vagrant.yml index f75ebc0..cefc71a 100644 --- a/.github/workflows/verify-vagrant.yml +++ b/.github/workflows/verify-vagrant.yml @@ -47,13 +47,8 @@ jobs: uses: mitre/saf_action@v1 with: command_string: 'validate threshold -i spec/results/ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' - artifact-upload: - name: Upload artifacts - runs-on: macos-12 - if: ${{ always() }} - needs: validate - steps: - name: Save Test Result JSONs + if: ${{ always() }} uses: actions/upload-artifact@v2 with: path: spec/results/ \ No newline at end of file From 6230a7ae3063ddf3ff36c06fd315aafdc30aed10 Mon Sep 17 00:00:00 2001 From: Will Dower Date: Tue, 6 Dec 2022 16:46:36 -0500 Subject: [PATCH 059/100] removed debug statements Signed-off-by: Will Dower --- .github/workflows/verify-container.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index ae7f65f..130b55f 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -19,8 +19,6 @@ jobs: suite: ['vanilla','hardened'] fail-fast: false steps: - - name: debug - run: pwd && ls -lah - name: add needed packages run: sudo apt-get install -y jq - name: Checkout InSpec profile repository @@ -39,8 +37,6 @@ jobs: bundle exec inspec json . | jq . > profile.json - name: Lint the Inspec profile run: bundle exec inspec check . - - name: debug - run: pwd && ls -lah - name: Run kitchen test run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-2004 || true - name: Display our ${{ matrix.suite }} results summary From aebc8b0fdaa7bfb63f8ad286f42be1715b44d1de Mon Sep 17 00:00:00 2001 From: Will Dower Date: Wed, 7 Dec 2022 12:40:51 -0500 Subject: [PATCH 060/100] adding bash script to do container validation. could not take heat, had to leave test-kitchen Signed-off-by: Will Dower --- inspec-test-docker.sh | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100755 inspec-test-docker.sh diff --git a/inspec-test-docker.sh b/inspec-test-docker.sh new file mode 100755 index 0000000..1434055 --- /dev/null +++ b/inspec-test-docker.sh @@ -0,0 +1,32 @@ +#!/bin/bash + +VANILLA_IMAGE=public.ecr.aws/lts/ubuntu:focal +HARDENED_IMAGE=canonical/ubuntu-pro-stig-20.04:latest + +echo "BUILD: build the hardened ubuntu image" +docker build https://repo1.dso.mil/dsop/canonical/ubuntu/ubuntu-pro-cis-stig-20.04.git\#development \ + --tag $HARDENED_IMAGE + +echo "CREATE: create target containers for testing" +docker run -dit --rm --name vanilla-ubuntu $VANILLA_IMAGE +docker run -dit --rm --name hardened-ubuntu $HARDENED_IMAGE\ + +docker ps -f name=-ubuntu + +echo "TEST: run InSpec against the vanilla container" +inspec exec . --input-file=container.inputs.yml -t docker://vanilla-ubuntu --reporter json:vanilla.json progress-bar + +echo "TEST: run InSpec against the hardened container" +inspec exec . --input-file=container.inputs.yml -t docker://hardened-ubuntu --reporter json:hardened.json progress-bar + +echo "TEST: summary of vanilla results" +saf view summary -i vanilla.json + +echo "TEST: summary of hardened results" +saf view summary -i hardened.json + +echo "VALIDATE: validating vanilla results passed thresholds. . ." +saf validate:threshold -i vanilla.json -F vanilla.threshold.yml + +echo "VALIDATE: validating hardened results passed thresholds. . ." +saf validate:threshold -i hardened.json -F hardened.threshold.yml \ No newline at end of file From f14fa3f55c2eff0814f8386b405c531bba0215f7 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Wed, 7 Dec 2022 14:57:26 -0500 Subject: [PATCH 061/100] quick container testing on actions Signed-off-by: Aaron Lippold --- .github/workflows/verify-container.yml | 57 ++++++++++++++++---------- Gemfile.lock | 1 + hardened.json | 1 + inspec-test-docker.sh | 8 ++-- inspec.lock | 3 ++ vanilla.json | 1 + 6 files changed, 45 insertions(+), 26 deletions(-) create mode 100644 hardened.json create mode 100644 inspec.lock create mode 100644 vanilla.json diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index 130b55f..25056c4 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -14,10 +14,12 @@ jobs: CHEF_LICENSE: accept-silent KITCHEN_LOCAL_YAML: kitchen.container.yml LC_ALL: "en_US.UTF-8" - strategy: - matrix: - suite: ['vanilla','hardened'] - fail-fast: false + VANILLA_IMAGE: "public.ecr.aws/lts/ubuntu:focal" + HARDENED_IMAGE: "canonical/ubuntu-pro-stig-20.04:latest" + # strategy: + # matrix: + # suite: ['vanilla','hardened'] + # fail-fast: false steps: - name: add needed packages run: sudo apt-get install -y jq @@ -32,23 +34,34 @@ jobs: - name: Disable ri and rdoc run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc' - run: bundle install - - name: Regenerate current `profile.json` - run: | - bundle exec inspec json . | jq . > profile.json + # - name: Regenerate current `profile.json` + # run: | + # bundle exec inspec json . | jq . > profile.json - name: Lint the Inspec profile run: bundle exec inspec check . - - name: Run kitchen test - run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-2004 || true - - name: Display our ${{ matrix.suite }} results summary - uses: mitre/saf_action@v1 - with: - command_string: 'view summary -i spec/results/container_ubuntu-2004_${{ matrix.suite }}.json' - - name: Ensure the scan meets our ${{ matrix.suite }} results threshold - uses: mitre/saf_action@v1 - with: - command_string: 'validate threshold -i spec/results/container_ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' - - name: Save Test Result JSONs - if: ${{ always() }} - uses: actions/upload-artifact@v2 - with: - path: spec/results/ + -name: Build the Hardened Container + run: docker build https://repo1.dso.mil/dsop/canonical/ubuntu/ubuntu-pro-cis-stig-20.04.git\#development \ + --tag $HARDENED_IMAGE + - name: Start the Vanilla Container + run: docker run -itd --rm --name vanilla-ubuntu $VANILLA_IMAGE + - name: Start the Hardened Container + run: docker run -itd --rm --name hardened-ubuntu $HARDENED_IMAGE + - name: Verify both our containers are running + run: docker ps -f name=-ubuntu + - name: Test $VANILLA_IMAGE + run: inspec exec . --input-file=container.inputs.yml -t docker://vanilla-ubuntu --reporter json:vanilla.json progress-bar + # # - name: Run kitchen test + # # run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-2004 || true + # - name: Display our ${{ matrix.suite }} results summary + # uses: mitre/saf_action@v1 + # with: + # command_string: 'view summary -i spec/results/container_ubuntu-2004_${{ matrix.suite }}.json' + # - name: Ensure the scan meets our ${{ matrix.suite }} results threshold + # uses: mitre/saf_action@v1 + # with: + # command_string: 'validate threshold -i spec/results/container_ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' + # - name: Save Test Result JSONs + # if: ${{ always() }} + # uses: actions/upload-artifact@v2 + # with: + # path: spec/results/ diff --git a/Gemfile.lock b/Gemfile.lock index e60c341..3ab584f 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -665,6 +665,7 @@ GEM wisper (2.0.1) PLATFORMS + arm64-darwin-21 x86_64-darwin-21 x86_64-linux diff --git a/hardened.json b/hardened.json new file mode 100644 index 0000000..f70f7cd --- /dev/null +++ b/hardened.json @@ -0,0 +1 @@ +{"platform":{"name":"ubuntu","release":"20.04","target_id":"da39a3ee-5e6b-5b0d-b255-bfef95601890"},"profiles":[{"name":"Canonical_Ubuntu_20-04_LTS_STIG","version":"0.1.0","sha256":"790ca193566f32b338bd5838db799358bbbbea2c1dabc843bc17f7ddfee74682","title":"Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide","maintainer":"Nitin Ravindran","summary":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.","license":"Apache-2.0","copyright":"Nitin Ravindran","copyright_email":"nravindran@vmware.com","supports":[{"platform-name":"ubuntu","release":"20.04"}],"attributes":[{"name":"temporary_accounts","options":{"type":"Array","value":[]}},{"name":"banner_text","options":{"type":"String","value":"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."}},{"name":"sudo_accounts","options":{"type":"Array","value":["ubuntu"]}},{"name":"tmout","options":{"type":"Numeric","value":600}},{"name":"action_mail_acct","options":{"type":"String","value":"root"}},{"name":"audit_tools","options":{"type":"Array","value":["/sbin/auditctl","/sbin/aureport","/sbin/ausearch","/sbin/autrace","/sbin/auditd","/sbin/audispd","/sbin/augenrules"]}},{"name":"standard_audit_log_size","options":{"type":"Numeric","value":8894028}},{"name":"aide_conf_path","options":{"type":"String","value":"/etc/aide/aide.conf"}},{"name":"maxlogins","options":{"type":"Numeric","value":10}},{"name":"is_kdump_required","options":{"type":"Boolean","value":false}},{"name":"is_system_networked","options":{"type":"Boolean","value":true}},{"name":"sssd_conf_path","options":{"type":"String","value":"/etc/sssd/sssd.conf"}},{"name":"allowed_ca_fingerprints_regex","options":{"type":"String","value":"(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)"}},{"name":"allowed_network_interfaces","options":{"type":"Array","value":["lo","eth0"]}},{"name":"audit_sp_remote_server","options":{"type":"String","value":"192.0.0.1"}},{"name":"approved_wireless_interfaces","options":{"type":"Array","value":[]}},{"name":"fips_config_file","options":{"type":"String","value":"/proc/sys/crypto/fips_enabled"}},{"name":"chrony_config_file","options":{"type":"String","value":"/etc/chrony/chrony.conf"}},{"name":"useradd_config_file","options":{"type":"String","value":"/etc/default/useradd"}},{"name":"rsyslog_config_file","options":{"type":"String","value":"/etc/rsyslog.d/50-default.conf"}},{"name":"auditoffload_config_file","options":{"type":"String","value":"/etc/cron.weekly/audit-offload"}},{"name":"audispremote_config_file","options":{"type":"String","value":"/etc/audisp/plugins.d/au-remote.conf"}},{"name":"gdm3_config_file","options":{"type":"String","value":"/etc/gdm3/greeter.dconf-defaults"}},{"name":"disable_fips","options":{"type":"Boolean","value":false}}],"groups":[{"id":"controls/SV-238196.rb","controls":["SV-238196"]},{"id":"controls/SV-238197.rb","controls":["SV-238197"]},{"id":"controls/SV-238198.rb","controls":["SV-238198"]},{"id":"controls/SV-238199.rb","controls":["SV-238199"]},{"id":"controls/SV-238200.rb","controls":["SV-238200"]},{"id":"controls/SV-238201.rb","controls":["SV-238201"]},{"id":"controls/SV-238202.rb","controls":["SV-238202"]},{"id":"controls/SV-238203.rb","controls":["SV-238203"]},{"id":"controls/SV-238204.rb","controls":["SV-238204"]},{"id":"controls/SV-238205.rb","controls":["SV-238205"]},{"id":"controls/SV-238206.rb","controls":["SV-238206"]},{"id":"controls/SV-238207.rb","controls":["SV-238207"]},{"id":"controls/SV-238208.rb","controls":["SV-238208"]},{"id":"controls/SV-238209.rb","controls":["SV-238209"]},{"id":"controls/SV-238210.rb","controls":["SV-238210"]},{"id":"controls/SV-238211.rb","controls":["SV-238211"]},{"id":"controls/SV-238212.rb","controls":["SV-238212"]},{"id":"controls/SV-238213.rb","controls":["SV-238213"]},{"id":"controls/SV-238214.rb","controls":["SV-238214"]},{"id":"controls/SV-238215.rb","controls":["SV-238215"]},{"id":"controls/SV-238216.rb","controls":["SV-238216"]},{"id":"controls/SV-238217.rb","controls":["SV-238217"]},{"id":"controls/SV-238218.rb","controls":["SV-238218"]},{"id":"controls/SV-238219.rb","controls":["SV-238219"]},{"id":"controls/SV-238220.rb","controls":["SV-238220"]},{"id":"controls/SV-238221.rb","controls":["SV-238221"]},{"id":"controls/SV-238222.rb","controls":["SV-238222"]},{"id":"controls/SV-238223.rb","controls":["SV-238223"]},{"id":"controls/SV-238224.rb","controls":["SV-238224"]},{"id":"controls/SV-238225.rb","controls":["SV-238225"]},{"id":"controls/SV-238226.rb","controls":["SV-238226"]},{"id":"controls/SV-238227.rb","controls":["SV-238227"]},{"id":"controls/SV-238228.rb","controls":["SV-238228"]},{"id":"controls/SV-238229.rb","controls":["SV-238229"]},{"id":"controls/SV-238230.rb","controls":["SV-238230"]},{"id":"controls/SV-238231.rb","controls":["SV-238231"]},{"id":"controls/SV-238232.rb","controls":["SV-238232"]},{"id":"controls/SV-238233.rb","controls":["SV-238233"]},{"id":"controls/SV-238234.rb","controls":["SV-238234"]},{"id":"controls/SV-238235.rb","controls":["SV-238235"]},{"id":"controls/SV-238236.rb","controls":["SV-238236"]},{"id":"controls/SV-238237.rb","controls":["SV-238237"]},{"id":"controls/SV-238238.rb","controls":["SV-238238"]},{"id":"controls/SV-238239.rb","controls":["SV-238239"]},{"id":"controls/SV-238240.rb","controls":["SV-238240"]},{"id":"controls/SV-238241.rb","controls":["SV-238241"]},{"id":"controls/SV-238242.rb","controls":["SV-238242"]},{"id":"controls/SV-238243.rb","controls":["SV-238243"]},{"id":"controls/SV-238244.rb","controls":["SV-238244"]},{"id":"controls/SV-238245.rb","controls":["SV-238245"]},{"id":"controls/SV-238246.rb","controls":["SV-238246"]},{"id":"controls/SV-238247.rb","controls":["SV-238247"]},{"id":"controls/SV-238248.rb","controls":["SV-238248"]},{"id":"controls/SV-238249.rb","controls":["SV-238249"]},{"id":"controls/SV-238250.rb","controls":["SV-238250"]},{"id":"controls/SV-238251.rb","controls":["SV-238251"]},{"id":"controls/SV-238252.rb","controls":["SV-238252"]},{"id":"controls/SV-238253.rb","controls":["SV-238253"]},{"id":"controls/SV-238254.rb","controls":["SV-238254"]},{"id":"controls/SV-238255.rb","controls":["SV-238255"]},{"id":"controls/SV-238256.rb","controls":["SV-238256"]},{"id":"controls/SV-238257.rb","controls":["SV-238257"]},{"id":"controls/SV-238258.rb","controls":["SV-238258"]},{"id":"controls/SV-238264.rb","controls":["SV-238264"]},{"id":"controls/SV-238268.rb","controls":["SV-238268"]},{"id":"controls/SV-238271.rb","controls":["SV-238271"]},{"id":"controls/SV-238277.rb","controls":["SV-238277"]},{"id":"controls/SV-238278.rb","controls":["SV-238278"]},{"id":"controls/SV-238279.rb","controls":["SV-238279"]},{"id":"controls/SV-238280.rb","controls":["SV-238280"]},{"id":"controls/SV-238281.rb","controls":["SV-238281"]},{"id":"controls/SV-238282.rb","controls":["SV-238282"]},{"id":"controls/SV-238283.rb","controls":["SV-238283"]},{"id":"controls/SV-238284.rb","controls":["SV-238284"]},{"id":"controls/SV-238285.rb","controls":["SV-238285"]},{"id":"controls/SV-238286.rb","controls":["SV-238286"]},{"id":"controls/SV-238287.rb","controls":["SV-238287"]},{"id":"controls/SV-238288.rb","controls":["SV-238288"]},{"id":"controls/SV-238289.rb","controls":["SV-238289"]},{"id":"controls/SV-238290.rb","controls":["SV-238290"]},{"id":"controls/SV-238291.rb","controls":["SV-238291"]},{"id":"controls/SV-238292.rb","controls":["SV-238292"]},{"id":"controls/SV-238293.rb","controls":["SV-238293"]},{"id":"controls/SV-238294.rb","controls":["SV-238294"]},{"id":"controls/SV-238295.rb","controls":["SV-238295"]},{"id":"controls/SV-238297.rb","controls":["SV-238297"]},{"id":"controls/SV-238298.rb","controls":["SV-238298"]},{"id":"controls/SV-238299.rb","controls":["SV-238299"]},{"id":"controls/SV-238300.rb","controls":["SV-238300"]},{"id":"controls/SV-238301.rb","controls":["SV-238301"]},{"id":"controls/SV-238302.rb","controls":["SV-238302"]},{"id":"controls/SV-238303.rb","controls":["SV-238303"]},{"id":"controls/SV-238304.rb","controls":["SV-238304"]},{"id":"controls/SV-238305.rb","controls":["SV-238305"]},{"id":"controls/SV-238306.rb","controls":["SV-238306"]},{"id":"controls/SV-238307.rb","controls":["SV-238307"]},{"id":"controls/SV-238308.rb","controls":["SV-238308"]},{"id":"controls/SV-238309.rb","controls":["SV-238309"]},{"id":"controls/SV-238310.rb","controls":["SV-238310"]},{"id":"controls/SV-238315.rb","controls":["SV-238315"]},{"id":"controls/SV-238316.rb","controls":["SV-238316"]},{"id":"controls/SV-238317.rb","controls":["SV-238317"]},{"id":"controls/SV-238318.rb","controls":["SV-238318"]},{"id":"controls/SV-238319.rb","controls":["SV-238319"]},{"id":"controls/SV-238320.rb","controls":["SV-238320"]},{"id":"controls/SV-238321.rb","controls":["SV-238321"]},{"id":"controls/SV-238323.rb","controls":["SV-238323"]},{"id":"controls/SV-238324.rb","controls":["SV-238324"]},{"id":"controls/SV-238325.rb","controls":["SV-238325"]},{"id":"controls/SV-238326.rb","controls":["SV-238326"]},{"id":"controls/SV-238327.rb","controls":["SV-238327"]},{"id":"controls/SV-238328.rb","controls":["SV-238328"]},{"id":"controls/SV-238329.rb","controls":["SV-238329"]},{"id":"controls/SV-238330.rb","controls":["SV-238330"]},{"id":"controls/SV-238331.rb","controls":["SV-238331"]},{"id":"controls/SV-238332.rb","controls":["SV-238332"]},{"id":"controls/SV-238333.rb","controls":["SV-238333"]},{"id":"controls/SV-238334.rb","controls":["SV-238334"]},{"id":"controls/SV-238335.rb","controls":["SV-238335"]},{"id":"controls/SV-238336.rb","controls":["SV-238336"]},{"id":"controls/SV-238337.rb","controls":["SV-238337"]},{"id":"controls/SV-238338.rb","controls":["SV-238338"]},{"id":"controls/SV-238339.rb","controls":["SV-238339"]},{"id":"controls/SV-238340.rb","controls":["SV-238340"]},{"id":"controls/SV-238341.rb","controls":["SV-238341"]},{"id":"controls/SV-238342.rb","controls":["SV-238342"]},{"id":"controls/SV-238343.rb","controls":["SV-238343"]},{"id":"controls/SV-238344.rb","controls":["SV-238344"]},{"id":"controls/SV-238345.rb","controls":["SV-238345"]},{"id":"controls/SV-238346.rb","controls":["SV-238346"]},{"id":"controls/SV-238347.rb","controls":["SV-238347"]},{"id":"controls/SV-238348.rb","controls":["SV-238348"]},{"id":"controls/SV-238349.rb","controls":["SV-238349"]},{"id":"controls/SV-238350.rb","controls":["SV-238350"]},{"id":"controls/SV-238351.rb","controls":["SV-238351"]},{"id":"controls/SV-238352.rb","controls":["SV-238352"]},{"id":"controls/SV-238353.rb","controls":["SV-238353"]},{"id":"controls/SV-238354.rb","controls":["SV-238354"]},{"id":"controls/SV-238355.rb","controls":["SV-238355"]},{"id":"controls/SV-238356.rb","controls":["SV-238356"]},{"id":"controls/SV-238357.rb","controls":["SV-238357"]},{"id":"controls/SV-238358.rb","controls":["SV-238358"]},{"id":"controls/SV-238359.rb","controls":["SV-238359"]},{"id":"controls/SV-238360.rb","controls":["SV-238360"]},{"id":"controls/SV-238361.rb","controls":["SV-238361"]},{"id":"controls/SV-238362.rb","controls":["SV-238362"]},{"id":"controls/SV-238363.rb","controls":["SV-238363"]},{"id":"controls/SV-238364.rb","controls":["SV-238364"]},{"id":"controls/SV-238365.rb","controls":["SV-238365"]},{"id":"controls/SV-238366.rb","controls":["SV-238366"]},{"id":"controls/SV-238367.rb","controls":["SV-238367"]},{"id":"controls/SV-238368.rb","controls":["SV-238368"]},{"id":"controls/SV-238369.rb","controls":["SV-238369"]},{"id":"controls/SV-238370.rb","controls":["SV-238370"]},{"id":"controls/SV-238371.rb","controls":["SV-238371"]},{"id":"controls/SV-238372.rb","controls":["SV-238372"]},{"id":"controls/SV-238373.rb","controls":["SV-238373"]},{"id":"controls/SV-238374.rb","controls":["SV-238374"]},{"id":"controls/SV-238376.rb","controls":["SV-238376"]},{"id":"controls/SV-238377.rb","controls":["SV-238377"]},{"id":"controls/SV-238378.rb","controls":["SV-238378"]},{"id":"controls/SV-238379.rb","controls":["SV-238379"]},{"id":"controls/SV-238380.rb","controls":["SV-238380"]},{"id":"controls/SV-251503.rb","controls":["SV-251503"]},{"id":"controls/SV-251504.rb","controls":["SV-251504"]},{"id":"controls/SV-251505.rb","controls":["SV-251505"]},{"id":"controls/SV-252704.rb","controls":["SV-252704"]}],"controls":[{"id":"SV-238196","title":"The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. ","desc":"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements.","descriptions":[{"label":"default","data":"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements."},{"label":"check","data":"Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding."},{"label":"fix","data":"If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\"system_account_name\" with the account to be created.\n\n$ sudo chage -E $(date -d \"+3 days\"\n+%F) system_account_name"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000002-GPOS-00002 ","gid":"V-238196 ","rid":"SV-238196r653763_rule ","stig_id":"UBTU-20-010000 ","fix_id":"F-41365r653762_fix ","cci":["CCI-000016"],"nist":["AC-2 (2)"]},"code":"control 'SV-238196' do\n title \"The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. \"\n desc \"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding. \"\n desc 'fix', \"If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\\\"system_account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\"\n+%F) system_account_name \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000002-GPOS-00002 '\n tag gid: 'V-238196 '\n tag rid: 'SV-238196r653763_rule '\n tag stig_id: 'UBTU-20-010000 '\n tag fix_id: 'F-41365r653762_fix '\n tag cci: ['CCI-000016']\n tag nist: ['AC-2 (2)']\n\n temporary_accounts = input('temporary_accounts')\n\n if temporary_accounts.empty?\n describe 'Temporary accounts' do\n subject { temporary_accounts }\n it { should be_empty }\n end\n else\n temporary_accounts.each do |acct|\n describe command(\"chage -l #{acct} | grep 'Account expires'\") do\n its('stdout.strip') { should_not match /:\\s*never/ }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238196.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Temporary accounts is expected to be empty","run_time":0.005834,"start_time":"2022-12-07T14:54:47-05:00","resource_class":"Object","resource_params":"[]","resource_id":"Temporary accounts"}]},{"id":"SV-238197","title":"The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. ","desc":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"","descriptions":[{"label":"default","data":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\""},{"label":"check","data":"Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \"false\", this is a finding."},{"label":"fix","data":"Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.\n\nLook for the\n\"banner-message-enable\" parameter under the \"[org/gnome/login-screen]\" section and\nuncomment it (remove the leading \"#\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000023-GPOS-00006 ","gid":"V-238197 ","rid":"SV-238197r653766_rule ","stig_id":"UBTU-20-010002 ","fix_id":"F-41366r653765_fix ","cci":["CCI-000048"],"nist":["AC-8 a"]},"code":"control 'SV-238197' do\n title \"The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \\\"false\\\", this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nLook for the\n\\\"banner-message-enable\\\" parameter under the \\\"[org/gnome/login-screen]\\\" section and\nuncomment it (remove the leading \\\"#\\\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238197 '\n tag rid: 'SV-238197r653766_rule '\n tag stig_id: 'UBTU-20-010002 '\n tag fix_id: 'F-41366r653765_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe 'banner-message-enable must be set to true' do\n subject { command('grep banner-message-enable /etc/dconf/db/local.d/*') }\n its('stdout') { should match /(banner-message-enable).+=.+(true)/ }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238197.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"1","run_time":1.3e-05,"start_time":"2022-12-07T14:54:47-05:00","resource":"1","skip_message":"GUI not installed.\nwhich Xorg exit_status: 1","resource_class":"Numeric","resource_params":"[]","resource_id":""}]},{"id":"SV-238198","title":"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local access to the system via a graphical user logon. ","desc":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"","descriptions":[{"label":"default","data":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\""},{"label":"check","data":"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the operating system via a graphical user logon.\n\nNote: If\nthe system does not have a graphical user interface installed, this requirement is Not\nApplicable.\n\nVerify the operating system displays the exact approved Standard Mandatory\nDoD Notice and Consent Banner text with the command:\n\n$ grep ^banner-message-text\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-text=\"You are accessing a U.S.\nGovernment \\(USG\\) Information System \\(IS\\) that is provided for USG-authorized use\nonly.\\s+By using this IS \\(which includes any device attached to this IS\\), you consent to the\nfollowing conditions:\\s+-The USG routinely intercepts and monitors communications on\nthis IS for purposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct \\(PM\\), law enforcement \\(LE\\), and\ncounterintelligence \\(CI\\) investigations.\\s+-At any time, the USG may inspect and seize\ndata stored on this IS.\\s+-Communications using, or data stored on, this IS are not private,\nare subject to routine monitoring, interception, and search, and may be disclosed or used for\nany USG-authorized purpose.\\s+-This IS includes security measures \\(e.g.,\nauthentication and access controls\\) to protect USG interests--not for your personal\nbenefit or privacy.\\s+-Notwithstanding the above, using this IS does not constitute\nconsent to PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nIf the\nbanner-message-text is missing, commented out, or does not match the Standard Mandatory DoD\nNotice and Consent Banner exactly, this is a finding."},{"label":"fix","data":"Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.\n\nSet the \"banner-message-text\" line\nto contain the appropriate banner message text as shown below:\n\nbanner-message-text='You\nare accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this\nIS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and\nmonitors communications on this IS for purposes including, but not limited to, penetration\ntesting, COMSEC monitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the\nUSG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored\non, this IS are not private, are subject to routine monitoring, interception, and search, and\nmay be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security\nmeasures (e.g., authentication and access controls) to protect USG interests--not for your\npersonal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not\nconstitute consent to PM, LE or CI investigative searching or monitoring of the content of\nprivileged communications, or work product, related to personal representation or\nservices by attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User Agreement for\ndetails.'\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf update\n$ sudo\nsystemctl restart gdm3"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000023-GPOS-00006 ","gid":"V-238198 ","rid":"SV-238198r653769_rule ","stig_id":"UBTU-20-010003 ","fix_id":"F-41367r653768_fix ","cci":["CCI-000048"],"nist":["AC-8 a"]},"code":"control 'SV-238198' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local access to the system via a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the operating system via a graphical user logon.\n\nNote: If\nthe system does not have a graphical user interface installed, this requirement is Not\nApplicable.\n\nVerify the operating system displays the exact approved Standard Mandatory\nDoD Notice and Consent Banner text with the command:\n\n$ grep ^banner-message-text\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-text=\\\"You are accessing a U.S.\nGovernment \\\\(USG\\\\) Information System \\\\(IS\\\\) that is provided for USG-authorized use\nonly.\\\\s+By using this IS \\\\(which includes any device attached to this IS\\\\), you consent to the\nfollowing conditions:\\\\s+-The USG routinely intercepts and monitors communications on\nthis IS for purposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct \\\\(PM\\\\), law enforcement \\\\(LE\\\\), and\ncounterintelligence \\\\(CI\\\\) investigations.\\\\s+-At any time, the USG may inspect and seize\ndata stored on this IS.\\\\s+-Communications using, or data stored on, this IS are not private,\nare subject to routine monitoring, interception, and search, and may be disclosed or used for\nany USG-authorized purpose.\\\\s+-This IS includes security measures \\\\(e.g.,\nauthentication and access controls\\\\) to protect USG interests--not for your personal\nbenefit or privacy.\\\\s+-Notwithstanding the above, using this IS does not constitute\nconsent to PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nIf the\nbanner-message-text is missing, commented out, or does not match the Standard Mandatory DoD\nNotice and Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nSet the \\\"banner-message-text\\\" line\nto contain the appropriate banner message text as shown below:\n\nbanner-message-text='You\nare accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\\\\n\\\\nBy using this IS (which includes any device attached to this\nIS), you consent to the following conditions:\\\\n\\\\n-The USG routinely intercepts and\nmonitors communications on this IS for purposes including, but not limited to, penetration\ntesting, COMSEC monitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations.\\\\n\\\\n-At any time, the\nUSG may inspect and seize data stored on this IS.\\\\n\\\\n-Communications using, or data stored\non, this IS are not private, are subject to routine monitoring, interception, and search, and\nmay be disclosed or used for any USG-authorized purpose.\\\\n\\\\n-This IS includes security\nmeasures (e.g., authentication and access controls) to protect USG interests--not for your\npersonal benefit or privacy.\\\\n\\\\n-Notwithstanding the above, using this IS does not\nconstitute consent to PM, LE or CI investigative searching or monitoring of the content of\nprivileged communications, or work product, related to personal representation or\nservices by attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User Agreement for\ndetails.'\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf update\n$ sudo\nsystemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238198 '\n tag rid: 'SV-238198r653769_rule '\n tag stig_id: 'UBTU-20-010003 '\n tag fix_id: 'F-41367r653768_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n\n banner_text = input('banner_text')\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n gdm3_defaults_file = input('gdm3_config_file')\n\n if package('gdm3').installed?\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n subject { file(gdm3_defaults_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n else\n impact 0.0\n describe 'Package gdm3 not installed' do\n skip 'Package gdm3 not installed, this control Not Applicable'\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238198.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Package gdm3 not installed","run_time":2.4e-05,"start_time":"2022-12-07T14:54:47-05:00","resource":"","skip_message":"Package gdm3 not installed, this control Not Applicable","resource_class":"Object","resource_params":"[]","resource_id":"Package gdm3 not installed"}]},{"id":"SV-238199","title":"The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. ","desc":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.","descriptions":[{"label":"default","data":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system."},{"label":"check","data":"Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \"lock-enabled\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \"lock-enabled\" is\nnot set to \"true\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \"lock-enabled\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000028-GPOS-00009 ","satisfies":["SRG-OS-000028-GPOS-00009","SRG-OS-000029-GPOS-00010"],"gid":"V-238199 ","rid":"SV-238199r653772_rule ","stig_id":"UBTU-20-010004 ","fix_id":"F-41368r653771_fix ","cci":["CCI-000056","CCI-000057"],"nist":["AC-11 b","AC-11 a"]},"code":"control 'SV-238199' do\n title \"The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.\n\n \"\n desc 'check', \"Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \\\"lock-enabled\\\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \\\"lock-enabled\\\" is\nnot set to \\\"true\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \\\"lock-enabled\\\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000028-GPOS-00009 '\n tag satisfies: %w(SRG-OS-000028-GPOS-00009 SRG-OS-000029-GPOS-00010)\n tag gid: 'V-238199 '\n tag rid: 'SV-238199r653772_rule '\n tag stig_id: 'UBTU-20-010004 '\n tag fix_id: 'F-41368r653771_fix '\n tag cci: %w(CCI-000056 CCI-000057)\n tag nist: ['AC-11 b', 'AC-11 a']\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe command('gsettings get org.gnome.desktop.screensaver lock-enabled') do\n its('stdout') { should cmp 'true' }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238199.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"1","run_time":4.0e-05,"start_time":"2022-12-07T14:54:47-05:00","resource":"1","skip_message":"GUI not installed.\nwhich Xorg exit_status: 1","resource_class":"Numeric","resource_params":"[]","resource_id":""}]},{"id":"SV-238200","title":"The Ubuntu operating system must allow users to directly initiate a session lock for all\nconnection types. ","desc":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.","descriptions":[{"label":"default","data":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity."},{"label":"check","data":"Verify the Ubuntu operating system has the \"vlock\" package installed by running the\nfollowing command:\n\n$ dpkg -l | grep vlock\n\nIf \"vlock\" is not installed, this is a finding."},{"label":"fix","data":"Install the \"vlock\" package (if it is not already installed) by running the following\ncommand:\n\n$ sudo apt-get install vlock"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000030-GPOS-00011 ","satisfies":["SRG-OS-000030-GPOS-00011","SRG-OS-000031-GPOS-00012"],"gid":"V-238200 ","rid":"SV-238200r653775_rule ","stig_id":"UBTU-20-010005 ","fix_id":"F-41369r653774_fix ","cci":["CCI-000058","CCI-000060"],"nist":["AC-11 a","AC-11 (1)"]},"code":"control 'SV-238200' do\n title \"The Ubuntu operating system must allow users to directly initiate a session lock for all\nconnection types. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"vlock\\\" package installed by running the\nfollowing command:\n\n$ dpkg -l | grep vlock\n\nIf \\\"vlock\\\" is not installed, this is a finding. \"\n desc 'fix', \"Install the \\\"vlock\\\" package (if it is not already installed) by running the following\ncommand:\n\n$ sudo apt-get install vlock \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000030-GPOS-00011 '\n tag satisfies: %w(SRG-OS-000030-GPOS-00011 SRG-OS-000031-GPOS-00012)\n tag gid: 'V-238200 '\n tag rid: 'SV-238200r653775_rule '\n tag stig_id: 'UBTU-20-010005 '\n tag fix_id: 'F-41369r653774_fix '\n tag cci: %w(CCI-000058 CCI-000060)\n tag nist: ['AC-11 a', 'AC-11 (1)']\n\n describe package('vlock') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238200.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package vlock is expected to be installed","run_time":0.104608,"start_time":"2022-12-07T14:54:47-05:00","message":"expected that `System Package vlock` is installed","resource_class":"package","resource_params":"[\"vlock\"]","resource_id":"vlock"}]},{"id":"SV-238201","title":"The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. ","desc":"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis.","descriptions":[{"label":"default","data":"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis."},{"label":"check","data":"Verify that \"use_mappers\" is set to \"pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\"use_mappers\" is not found or the list does not contain \"pwent\" this is a finding."},{"label":"fix","data":"Set \"use_mappers=pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \"/etc/pam_pkcs11/\" directory and an\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify\naccordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."}],"impact":0.0,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000068-GPOS-00036 ","gid":"V-238201 ","rid":"SV-238201r832933_rule ","stig_id":"UBTU-20-010006 ","fix_id":"F-41370r653777_fix ","cci":["CCI-000187"],"nist":["IA-5 (2) (a) (2)"]},"code":"control 'SV-238201' do\n title \"The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. \"\n desc \"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis. \"\n desc 'check', \"Verify that \\\"use_mappers\\\" is set to \\\"pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\\\"use_mappers\\\" is not found or the list does not contain \\\"pwent\\\" this is a finding. \"\n desc 'fix', \"Set \\\"use_mappers=pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000068-GPOS-00036 '\n tag gid: 'V-238201 '\n tag rid: 'SV-238201r832933_rule '\n tag stig_id: 'UBTU-20-010006 '\n tag fix_id: 'F-41370r653777_fix '\n tag cci: ['CCI-000187']\n tag nist: ['IA-5 (2) (a) (2)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = '/etc/pam_pkcs11/pam_pkcs11.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('use_mappers') { should cmp 'pwent' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238201.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.8e-05,"start_time":"2022-12-07T14:54:47-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238202","title":"The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day minimum password lifetime restriction. ","desc":"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse.","descriptions":[{"label":"default","data":"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse."},{"label":"check","data":"Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \"PASS_MIN_DAYS\" parameter value is less than\n\"1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MIN_DAYS 1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000075-GPOS-00043 ","gid":"V-238202 ","rid":"SV-238202r653781_rule ","stig_id":"UBTU-20-010007 ","fix_id":"F-41371r653780_fix ","cci":["CCI-000198"],"nist":["IA-5 (1) (d)"]},"code":"control 'SV-238202' do\n title \"The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day minimum password lifetime restriction. \"\n desc \"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \\\"PASS_MIN_DAYS\\\" parameter value is less than\n\\\"1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MIN_DAYS 1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000075-GPOS-00043 '\n tag gid: 'V-238202 '\n tag rid: 'SV-238202r653781_rule '\n tag stig_id: 'UBTU-20-010007 '\n tag fix_id: 'F-41371r653780_fix '\n tag cci: ['CCI-000198']\n tag nist: ['IA-5 (1) (d)']\n\n describe login_defs do\n its('PASS_MIN_DAYS') { should >= '1' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238202.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"login.defs PASS_MIN_DAYS is expected to >= \"1\"","run_time":0.012389,"start_time":"2022-12-07T14:54:47-05:00","resource_class":"login_defs","resource_params":"[]","resource_id":"/etc/login.defs"}]},{"id":"SV-238203","title":"The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction.\nPasswords for new users must have a 60-day maximum password lifetime restriction. ","desc":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised.","descriptions":[{"label":"default","data":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n$ grep -i ^pass_max_days /etc/login.defs\n\nPASS_MAX_DAYS 60\n\nIf the \"PASS_MAX_DAYS\" parameter value is less than \"60\" or is commented\nout, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.\n\nAdd\nor modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MAX_DAYS 60"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000076-GPOS-00044 ","gid":"V-238203 ","rid":"SV-238203r653784_rule ","stig_id":"UBTU-20-010008 ","fix_id":"F-41372r653783_fix ","cci":["CCI-000199"],"nist":["IA-5 (1) (d)"]},"code":"control 'SV-238203' do\n title \"The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction.\nPasswords for new users must have a 60-day maximum password lifetime restriction. \"\n desc \"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n$ grep -i ^pass_max_days /etc/login.defs\n\nPASS_MAX_DAYS 60\n\nIf the \\\"PASS_MAX_DAYS\\\" parameter value is less than \\\"60\\\" or is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.\n\nAdd\nor modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MAX_DAYS 60 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000076-GPOS-00044 '\n tag gid: 'V-238203 '\n tag rid: 'SV-238203r653784_rule '\n tag stig_id: 'UBTU-20-010008 '\n tag fix_id: 'F-41372r653783_fix '\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)']\n\n describe login_defs do\n its('PASS_MAX_DAYS') { should cmp <= 60 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238203.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"login.defs PASS_MAX_DAYS is expected to cmp <= 60","run_time":0.004365,"start_time":"2022-12-07T14:54:47-05:00","resource_class":"login_defs","resource_params":"[]","resource_id":"/etc/login.defs"}]},{"id":"SV-238204","title":"Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. ","desc":"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system.","descriptions":[{"label":"default","data":"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system."},{"label":"check","data":"Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \"password_pbkdf2\", this is a finding."},{"label":"fix","data":"Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \"/etc/grub.d/40_custom\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\"root\\\"\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \"grub.conf\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000080-GPOS-00048 ","gid":"V-238204 ","rid":"SV-238204r832936_rule ","stig_id":"UBTU-20-010009 ","fix_id":"F-41373r832935_fix ","cci":["CCI-000213"],"nist":["AC-3"]},"code":"control 'SV-238204' do\n title \"Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. \"\n desc \"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system. \"\n desc 'check', \"Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \\\"password_pbkdf2\\\", this is a finding. \"\n desc 'fix', \"Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \\\"/etc/grub.d/40_custom\\\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\\\\\"root\\\\\\\"\\\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \\\"grub.conf\\\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000080-GPOS-00048 '\n tag gid: 'V-238204 '\n tag rid: 'SV-238204r832936_rule '\n tag stig_id: 'UBTU-20-010009 '\n tag fix_id: 'F-41373r832935_fix '\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n describe grub_conf('/boot/grub/grub.cfg') do\n its('password') { should match '^password_pbkdf2' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238204.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Grub Config","run_time":4.1e-05,"start_time":"2022-12-07T14:54:47-05:00","resource":"Grub Config","skip_message":"Can't find file: /boot/grub/grub.cfg","resource_class":"grub_conf","resource_params":"[\"/boot/grub/grub.cfg\"]","resource_id":"/boot/grub/grub.cfg"}]},{"id":"SV-238205","title":"The Ubuntu operating system must uniquely identify interactive users. ","desc":"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.","descriptions":[{"label":"default","data":"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity."},{"label":"check","data":"Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive\nusers with the following command:\n\n$ awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf\noutput is produced and the accounts listed are interactive user accounts, this is a finding."},{"label":"fix","data":"Edit the file \"/etc/passwd\" and provide each interactive user account that has a duplicate\nUID with a unique UID."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000104-GPOS-00051 ","satisfies":["SRG-OS-000104-GPOS-00051","SRG-OS-000121-GPOS-00062"],"gid":"V-238205 ","rid":"SV-238205r653790_rule ","stig_id":"UBTU-20-010010 ","fix_id":"F-41374r653789_fix ","cci":["CCI-000764","CCI-000804"],"nist":["IA-2","IA-8"]},"code":"control 'SV-238205' do\n title 'The Ubuntu operating system must uniquely identify interactive users. '\n desc \"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive\nusers with the following command:\n\n$ awk -F \\\":\\\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf\noutput is produced and the accounts listed are interactive user accounts, this is a finding. \"\n desc 'fix', \"Edit the file \\\"/etc/passwd\\\" and provide each interactive user account that has a duplicate\nUID with a unique UID. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000104-GPOS-00051 '\n tag satisfies: %w(SRG-OS-000104-GPOS-00051 SRG-OS-000121-GPOS-00062)\n tag gid: 'V-238205 '\n tag rid: 'SV-238205r653790_rule '\n tag stig_id: 'UBTU-20-010010 '\n tag fix_id: 'F-41374r653789_fix '\n tag cci: %w(CCI-000764 CCI-000804)\n tag nist: %w(IA-2 IA-8)\n\n user_list = command(\"awk -F \\\":\\\" 'list[$3]++{print $1}' /etc/passwd\").stdout.split(\"\\n\")\n findings = Set[]\n\n user_list.each do |user_name|\n findings = findings << user_name\n end\n describe 'Duplicate User IDs (UIDs) must not exist for interactive users' do\n subject { findings.to_a }\n it { should be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238205.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Duplicate User IDs (UIDs) must not exist for interactive users is expected to be empty","run_time":0.018871,"start_time":"2022-12-07T14:54:48-05:00","resource_class":"Object","resource_params":"[]","resource_id":"Duplicate User IDs (UIDs) must not exist for interactive users"}]},{"id":"SV-238206","title":"The Ubuntu operating system must ensure only users who need access to security functions are\npart of sudo group. ","desc":"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities.","descriptions":[{"label":"default","data":"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities."},{"label":"check","data":"Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding."},{"label":"fix","data":"Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000134-GPOS-00068 ","gid":"V-238206 ","rid":"SV-238206r653793_rule ","stig_id":"UBTU-20-010012 ","fix_id":"F-41375r653792_fix ","cci":["CCI-001084"],"nist":["SC-3"]},"code":"control 'SV-238206' do\n title \"The Ubuntu operating system must ensure only users who need access to security functions are\npart of sudo group. \"\n desc \"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities. \"\n desc 'check', \"Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding. \"\n desc 'fix', \"Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000134-GPOS-00068 '\n tag gid: 'V-238206 '\n tag rid: 'SV-238206r653793_rule '\n tag stig_id: 'UBTU-20-010012 '\n tag fix_id: 'F-41375r653792_fix '\n tag cci: ['CCI-001084']\n tag nist: ['SC-3']\n\n sudo_accounts = input('sudo_accounts')\n\n if sudo_accounts.count > 0\n sudo_accounts.each do |account|\n describe group('sudo') do\n its('members') { should include account }\n end\n end\n else\n describe.one do\n describe group('sudo') do\n its('members') { should be_nil }\n end\n describe group('sudo') do\n its('members') { should be_empty }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238206.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Group sudo members is expected to include \"ubuntu\"","run_time":0.165249,"start_time":"2022-12-07T14:54:48-05:00","message":"expected \"\" to include \"ubuntu\"","resource_class":"group","resource_params":"[\"sudo\"]","resource_id":"sudo-27"}]},{"id":"SV-238207","title":"The Ubuntu operating system must automatically terminate a user session after inactivity\ntimeouts have expired. ","desc":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance.","descriptions":[{"label":"default","data":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance."},{"label":"check","data":"Verify the operating system automatically terminates a user session after inactivity\ntimeouts have expired.\n\nCheck that \"TMOUT\" environment variable is set in the\n\"/etc/bash.bashrc\" file or in any file inside the \"/etc/profile.d/\" directory by\nperforming the following command:\n\n$ grep -E \"\\bTMOUT=[0-9]+\" /etc/bash.bashrc\n/etc/profile.d/*\n\nTMOUT=600\n\nIf \"TMOUT\" is not set, or if the value is \"0\" or is commented\nout, this is a finding."},{"label":"fix","data":"Configure the operating system to automatically terminate a user session after inactivity\ntimeouts have expired or at shutdown.\n\nCreate the file\n\"/etc/profile.d/99-terminal_tmout.sh\" file if it does not exist.\n\nModify or append the\nfollowing line in the \"/etc/profile.d/99-terminal_tmout.sh \" file:\n\nTMOUT=600\n\nThis\nwill set a timeout value of 10 minutes for all future sessions.\n\nTo set the timeout for the\ncurrent sessions, execute the following command over the terminal session:\n\n$ export\nTMOUT=600"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000279-GPOS-00109 ","gid":"V-238207 ","rid":"SV-238207r853404_rule ","stig_id":"UBTU-20-010013 ","fix_id":"F-41376r653795_fix ","cci":["CCI-002361"],"nist":["AC-12"]},"code":"control 'SV-238207' do\n title \"The Ubuntu operating system must automatically terminate a user session after inactivity\ntimeouts have expired. \"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance. \"\n desc 'check', \"Verify the operating system automatically terminates a user session after inactivity\ntimeouts have expired.\n\nCheck that \\\"TMOUT\\\" environment variable is set in the\n\\\"/etc/bash.bashrc\\\" file or in any file inside the \\\"/etc/profile.d/\\\" directory by\nperforming the following command:\n\n$ grep -E \\\"\\\\bTMOUT=[0-9]+\\\" /etc/bash.bashrc\n/etc/profile.d/*\n\nTMOUT=600\n\nIf \\\"TMOUT\\\" is not set, or if the value is \\\"0\\\" or is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the operating system to automatically terminate a user session after inactivity\ntimeouts have expired or at shutdown.\n\nCreate the file\n\\\"/etc/profile.d/99-terminal_tmout.sh\\\" file if it does not exist.\n\nModify or append the\nfollowing line in the \\\"/etc/profile.d/99-terminal_tmout.sh \\\" file:\n\nTMOUT=600\n\nThis\nwill set a timeout value of 10 minutes for all future sessions.\n\nTo set the timeout for the\ncurrent sessions, execute the following command over the terminal session:\n\n$ export\nTMOUT=600 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000279-GPOS-00109 '\n tag gid: 'V-238207 '\n tag rid: 'SV-238207r853404_rule '\n tag stig_id: 'UBTU-20-010013 '\n tag fix_id: 'F-41376r653795_fix '\n tag cci: ['CCI-002361']\n tag nist: ['AC-12']\n\n profile_files = command('find /etc/profile.d/ /etc/bash.bashrc -type f').stdout.strip.split(\"\\n\").entries\n timeout = input('tmout').to_s\n\n describe.one do\n profile_files.each do |pf|\n describe file(pf.strip) do\n its('content') { should match \"^TMOUT=#{timeout}$\" }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238207.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /etc/profile.d/01-locale-fix.sh content is expected to match \"^TMOUT=600$\"","run_time":0.001279,"start_time":"2022-12-07T14:54:48-05:00","message":"expected \"# Make sure the locale variables are set to valid values.\\neval $(/usr/bin/locale-check C.UTF-8)\\n\" to match \"^TMOUT=600$\"\nDiff:\n@@ -1,2 +1,3 @@\n-^TMOUT=600$\n+# Make sure the locale variables are set to valid values.\n+eval $(/usr/bin/locale-check C.UTF-8)\n","exception":"RSpec::Core::MultipleExceptionError","resource_class":"file","resource_params":"[\"/etc/profile.d/01-locale-fix.sh\"]","resource_id":"/etc/profile.d/01-locale-fix.sh"},{"status":"failed","code_desc":"File /etc/bash.bashrc content is expected to match \"^TMOUT=600$\"","run_time":0.003601,"start_time":"2022-12-07T14:54:48-05:00","message":"expected \"# System-wide .bashrc file for interactive bash(1) shells.\\n\\n# To enable the settings / commands in...\\telse\\n\\t\\t printf \\\"%s: command not found\\\\n\\\" \\\"$1\\\" >&2\\n\\t\\t return 127\\n\\t\\tfi\\n\\t}\\nfi\\n\" to match \"^TMOUT=600$\"\nDiff:\n@@ -1,71 +1,141 @@\n-^TMOUT=600$\n+# System-wide .bashrc file for interactive bash(1) shells.\n+\n+# To enable the settings / commands in this file for login shells as well,\n+# this file has to be sourced in /etc/profile.\n+\n+# If not running interactively, don't do anything\n+[ -z \"$PS1\" ] && return\n+\n+# check the window size after each command and, if necessary,\n+# update the values of LINES and COLUMNS.\n+shopt -s checkwinsize\n+\n+# set variable identifying the chroot you work in (used in the prompt below)\n+if [ -z \"${debian_chroot:-}\" ] && [ -r /etc/debian_chroot ]; then\n+ debian_chroot=$(cat /etc/debian_chroot)\n+fi\n+\n+# set a fancy prompt (non-color, overwrite the one in /etc/profile)\n+# but only if not SUDOing and have SUDO_PS1 set; then assume smart user.\n+if ! [ -n \"${SUDO_USER}\" -a -n \"${SUDO_PS1}\" ]; then\n+ PS1='${debian_chroot:+($debian_chroot)}\\u@\\h:\\w\\$ '\n+fi\n+\n+# Commented out, don't overwrite xterm -T \"title\" -n \"icontitle\" by default.\n+# If this is an xterm set the title to user@host:dir\n+#case \"$TERM\" in\n+#xterm*|rxvt*)\n+# PROMPT_COMMAND='echo -ne \"\\033]0;${USER}@${HOSTNAME}: ${PWD}\\007\"'\n+# ;;\n+#*)\n+# ;;\n+#esac\n+\n+# enable bash completion in interactive shells\n+#if ! shopt -oq posix; then\n+# if [ -f /usr/share/bash-completion/bash_completion ]; then\n+# . /usr/share/bash-completion/bash_completion\n+# elif [ -f /etc/bash_completion ]; then\n+# . /etc/bash_completion\n+# fi\n+#fi\n+\n+# sudo hint\n+if [ ! -e \"$HOME/.sudo_as_admin_successful\" ] && [ ! -e \"$HOME/.hushlogin\" ] ; then\n+ case \" $(groups) \" in *\\ admin\\ *|*\\ sudo\\ *)\n+ if [ -x /usr/bin/sudo ]; then\n+\tcat <<-EOF\n+\tTo run a command as administrator (user \"root\"), use \"sudo \".\n+\tSee \"man sudo_root\" for details.\n+\t\n+\tEOF\n+ fi\n+ esac\n+fi\n+\n+# if the command-not-found package is installed, use it\n+if [ -x /usr/lib/command-not-found -o -x /usr/share/command-not-found/command-not-found ]; then\n+\tfunction command_not_found_handle {\n+\t # check because c-n-f could've been removed in the meantime\n+ if [ -x /usr/lib/command-not-found ]; then\n+\t\t /usr/lib/command-not-found -- \"$1\"\n+ return $?\n+ elif [ -x /usr/share/command-not-found/command-not-found ]; then\n+\t\t /usr/share/command-not-found/command-not-found -- \"$1\"\n+ return $?\n+\t\telse\n+\t\t printf \"%s: command not found\\n\" \"$1\" >&2\n+\t\t return 127\n+\t\tfi\n+\t}\n+fi\n","exception":"RSpec::Core::MultipleExceptionError","resource_class":"file","resource_params":"[\"/etc/bash.bashrc\"]","resource_id":"/etc/bash.bashrc"}]},{"id":"SV-238208","title":"The Ubuntu operating system must require users to reauthenticate for privilege escalation\nor when changing roles. ","desc":"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.","descriptions":[{"label":"default","data":"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate."},{"label":"check","data":"Verify the \"/etc/sudoers\" file has no occurrences of \"NOPASSWD\" or \"!authenticate\" by\nrunning the following command:\n\n$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers\n/etc/sudoers.d/*\n\nIf any occurrences of \"NOPASSWD\" or \"!authenticate\" return from the\ncommand, this is a finding."},{"label":"fix","data":"Remove any occurrence of \"NOPASSWD\" or \"!authenticate\" found in \"/etc/sudoers\" file or\nfiles in the \"/etc/sudoers.d\" directory."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000373-GPOS-00156 ","satisfies":["SRG-OS-000373-GPOS-00156","SRG-OS-000373-GPOS-00157"],"gid":"V-238208 ","rid":"SV-238208r853405_rule ","stig_id":"UBTU-20-010014 ","fix_id":"F-41377r653798_fix ","cci":["CCI-002038"],"nist":["IA-11"]},"code":"control 'SV-238208' do\n title \"The Ubuntu operating system must require users to reauthenticate for privilege escalation\nor when changing roles. \"\n desc \"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.\n\n \"\n desc 'check', \"Verify the \\\"/etc/sudoers\\\" file has no occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" by\nrunning the following command:\n\n$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers\n/etc/sudoers.d/*\n\nIf any occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" return from the\ncommand, this is a finding. \"\n desc 'fix', \"Remove any occurrence of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" found in \\\"/etc/sudoers\\\" file or\nfiles in the \\\"/etc/sudoers.d\\\" directory. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000373-GPOS-00156 '\n tag satisfies: %w(SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157)\n tag gid: 'V-238208 '\n tag rid: 'SV-238208r853405_rule '\n tag stig_id: 'UBTU-20-010014 '\n tag fix_id: 'F-41377r653798_fix '\n tag cci: ['CCI-002038']\n tag nist: ['IA-11']\n\n describe command(\"egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers\") do\n its('stdout.strip') { should be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238208.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Command: `egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers` stdout.strip is expected to be empty","run_time":0.104292,"start_time":"2022-12-07T14:54:48-05:00","resource_class":"command","resource_params":"[\"egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers\"]","resource_id":"Command: `egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers`"}]},{"id":"SV-238209","title":"The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. ","desc":"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access.","descriptions":[{"label":"default","data":"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access."},{"label":"check","data":"Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \"umask\" /etc/login.defs\n\nUMASK 077\n\nIf the \"UMASK\"\nvariable is set to \"000\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\"UMASK\" is not set to \"077\", is commented out, or is missing completely, this is a finding."},{"label":"fix","data":"Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \"UMASK\" parameter in the\n\"/etc/login.defs\" file to match the example below:\n\nUMASK 077"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00228 ","gid":"V-238209 ","rid":"SV-238209r653802_rule ","stig_id":"UBTU-20-010016 ","fix_id":"F-41378r653801_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238209' do\n title \"The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. \"\n desc \"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access. \"\n desc 'check', \"Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \\\"umask\\\" /etc/login.defs\n\nUMASK 077\n\nIf the \\\"UMASK\\\"\nvariable is set to \\\"000\\\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\\\"UMASK\\\" is not set to \\\"077\\\", is commented out, or is missing completely, this is a finding. \"\n desc 'fix', \"Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \\\"UMASK\\\" parameter in the\n\\\"/etc/login.defs\\\" file to match the example below:\n\nUMASK 077 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00228 '\n tag gid: 'V-238209 '\n tag rid: 'SV-238209r653802_rule '\n tag stig_id: 'UBTU-20-010016 '\n tag fix_id: 'F-41378r653801_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe login_defs do\n its('UMASK') { should eq '077' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238209.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"login.defs UMASK is expected to eq \"077\"","run_time":0.004705,"start_time":"2022-12-07T14:54:48-05:00","resource_class":"login_defs","resource_params":"[]","resource_id":"/etc/login.defs"}]},{"id":"SV-238210","title":"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. ","desc":"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.","descriptions":[{"label":"default","data":"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication."},{"label":"check","data":"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\"libpam-pkcs11\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \"no\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \"pam_pkcs11.so\" in \"/etc/pam.d/common-auth\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\"PubkeyAuthentication yes\" in the \"/etc/ssh/sshd_config\" file."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000105-GPOS-00052 ","satisfies":["SRG-OS-000105-GPOS-00052","SRG-OS-000106-GPOS-00053","SRG-OS-000107-GPOS-00054","SRG-OS-000108-GPOS-00055"],"gid":"V-238210 ","rid":"SV-238210r858517_rule ","stig_id":"UBTU-20-010033 ","fix_id":"F-41379r653804_fix ","cci":["CCI-000765","CCI-000766","CCI-000767","CCI-000768"],"nist":["IA-2 (1)","IA-2 (2)","IA-2 (3)","IA-2 (4)"]},"code":"control 'SV-238210' do\n title \"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. \"\n desc \"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \\\"no\\\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \\\"pam_pkcs11.so\\\" in \\\"/etc/pam.d/common-auth\\\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\\\"PubkeyAuthentication yes\\\" in the \\\"/etc/ssh/sshd_config\\\" file. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000105-GPOS-00052 '\n tag satisfies: %w(SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055)\n tag gid: 'V-238210 '\n tag rid: 'SV-238210r858517_rule '\n tag stig_id: 'UBTU-20-010033 '\n tag fix_id: 'F-41379r653804_fix '\n tag cci: %w(CCI-000765 CCI-000766 CCI-000767 CCI-000768)\n tag nist: ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n\n describe sshd_config do\n its('PubkeyAuthentication') { should cmp 'yes' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238210.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":6.5e-05,"start_time":"2022-12-07T14:54:48-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238211","title":"The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. ","desc":"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric.","descriptions":[{"label":"default","data":"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric."},{"label":"check","data":"Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \"UsePAM\"\nis set to \"yes\" in \"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \"UsePAM\" is not set to \"yes\", this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000125-GPOS-00065 ","gid":"V-238211 ","rid":"SV-238211r858519_rule ","stig_id":"UBTU-20-010035 ","fix_id":"F-41380r653807_fix ","cci":["CCI-000877"],"nist":["MA-4 c"]},"code":"control 'SV-238211' do\n title \"The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. \"\n desc \"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \\\"UsePAM\\\"\nis set to \\\"yes\\\" in \\\"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \\\"UsePAM\\\" is not set to \\\"yes\\\", this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000125-GPOS-00065 '\n tag gid: 'V-238211 '\n tag rid: 'SV-238211r858519_rule '\n tag stig_id: 'UBTU-20-010035 '\n tag fix_id: 'F-41380r653807_fix '\n tag cci: ['CCI-000877']\n tag nist: ['MA-4 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe sshd_config do\n its('UsePAM') { should cmp 'yes' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238211.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.4e-05,"start_time":"2022-12-07T14:54:49-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238212","title":"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic after a period of inactivity. ","desc":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance.","descriptions":[{"label":"default","data":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance."},{"label":"check","data":"Verify that all network connections associated with SSH traffic automatically terminate\nafter a period of inactivity.\n\nVerify the \"ClientAliveCountMax\" variable is set in the\n\"/etc/ssh/sshd_config\" file by performing the following command:\n\n$ sudo grep -ir\nclientalivecountmax /etc/ssh/sshd_config*\n\nClientAliveCountMax 1\n\nIf\n\"ClientAliveCountMax\" is not set, is not set to \"1\", or is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to automatically terminate inactive SSH sessions\nafter a period of inactivity.\n\nModify or append the following line in the\n\"/etc/ssh/sshd_config\" file, replacing \"[Count]\" with a value of 1:\n\n\nClientAliveCountMax 1\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000126-GPOS-00066 ","gid":"V-238212 ","rid":"SV-238212r858521_rule ","stig_id":"UBTU-20-010036 ","fix_id":"F-41381r653810_fix ","cci":["CCI-000879"],"nist":["MA-4 e"]},"code":"control 'SV-238212' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic after a period of inactivity. \"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance. \"\n desc 'check', \"Verify that all network connections associated with SSH traffic automatically terminate\nafter a period of inactivity.\n\nVerify the \\\"ClientAliveCountMax\\\" variable is set in the\n\\\"/etc/ssh/sshd_config\\\" file by performing the following command:\n\n$ sudo grep -ir\nclientalivecountmax /etc/ssh/sshd_config*\n\nClientAliveCountMax 1\n\nIf\n\\\"ClientAliveCountMax\\\" is not set, is not set to \\\"1\\\", or is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate inactive SSH sessions\nafter a period of inactivity.\n\nModify or append the following line in the\n\\\"/etc/ssh/sshd_config\\\" file, replacing \\\"[Count]\\\" with a value of 1:\n\n\nClientAliveCountMax 1\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000126-GPOS-00066 '\n tag gid: 'V-238212 '\n tag rid: 'SV-238212r858521_rule '\n tag stig_id: 'UBTU-20-010036 '\n tag fix_id: 'F-41381r653810_fix '\n tag cci: ['CCI-000879']\n tag nist: ['MA-4 e']\n\n describe sshd_config do\n its('ClientAliveCountMax') { should cmp 1 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238212.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":3.9e-05,"start_time":"2022-12-07T14:54:49-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238213","title":"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic at the end of the session or after 10 minutes of inactivity. ","desc":"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session.","descriptions":[{"label":"default","data":"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session."},{"label":"check","data":"Verify that all network connections associated with SSH traffic are automatically\nterminated at the end of the session or after 10 minutes of inactivity.\n\nVerify the\n\"ClientAliveInterval\" variable is set to a value of \"600\" or less by performing the following\ncommand:\n\n$ sudo grep -ir clientalive /etc/ssh/sshd_config*\n\nClientAliveInterval\n600\n\nIf \"ClientAliveInterval\" does not exist, is not set to a value of \"600\" or less in\n\"/etc/ssh/sshd_config\", or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to automatically terminate all network connections\nassociated with SSH traffic at the end of a session or after a 10-minute period of inactivity.\n\n\nModify or append the following line in the \"/etc/ssh/sshd_config\" file replacing\n\"[Interval]\" with a value of \"600\" or less:\n\nClientAliveInterval 600\n\nRestart the SSH\ndaemon for the changes to take effect:\n\n$ sudo systemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000163-GPOS-00072 ","gid":"V-238213 ","rid":"SV-238213r858523_rule ","stig_id":"UBTU-20-010037 ","fix_id":"F-41382r653813_fix ","cci":["CCI-001133"],"nist":["SC-10"]},"code":"control 'SV-238213' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic at the end of the session or after 10 minutes of inactivity. \"\n desc \"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session. \"\n desc 'check', \"Verify that all network connections associated with SSH traffic are automatically\nterminated at the end of the session or after 10 minutes of inactivity.\n\nVerify the\n\\\"ClientAliveInterval\\\" variable is set to a value of \\\"600\\\" or less by performing the following\ncommand:\n\n$ sudo grep -ir clientalive /etc/ssh/sshd_config*\n\nClientAliveInterval\n600\n\nIf \\\"ClientAliveInterval\\\" does not exist, is not set to a value of \\\"600\\\" or less in\n\\\"/etc/ssh/sshd_config\\\", or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate all network connections\nassociated with SSH traffic at the end of a session or after a 10-minute period of inactivity.\n\n\nModify or append the following line in the \\\"/etc/ssh/sshd_config\\\" file replacing\n\\\"[Interval]\\\" with a value of \\\"600\\\" or less:\n\nClientAliveInterval 600\n\nRestart the SSH\ndaemon for the changes to take effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000163-GPOS-00072 '\n tag gid: 'V-238213 '\n tag rid: 'SV-238213r858523_rule '\n tag stig_id: 'UBTU-20-010037 '\n tag fix_id: 'F-41382r653813_fix '\n tag cci: ['CCI-001133']\n tag nist: ['SC-10']\n\n describe sshd_config do\n its('ClientAliveInterval') { should cmp 600 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238213.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":2.2e-05,"start_time":"2022-12-07T14:54:49-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238214","title":"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. ","desc":"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"","descriptions":[{"label":"default","data":"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\""},{"label":"check","data":"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding."},{"label":"fix","data":"Set the parameter Banner in \"/etc/ssh/sshd_config\" to point to the \"/etc/issue.net\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000228-GPOS-00088 ","satisfies":["SRG-OS-000228-GPOS-00088","SRG-OS-000023-GPOS-00006"],"gid":"V-238214 ","rid":"SV-238214r858525_rule ","stig_id":"UBTU-20-010038 ","fix_id":"F-41383r653816_fix ","cci":["CCI-000048","CCI-001384","CCI-001385","CCI-001386","CCI-001387","CCI-001388"],"nist":["AC-8 a","AC-8 c 1","AC-8 c 2","AC-8 c 3"]},"code":"control 'SV-238214' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. \"\n desc \"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\"\n\n \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\\\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Set the parameter Banner in \\\"/etc/ssh/sshd_config\\\" to point to the \\\"/etc/issue.net\\\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000228-GPOS-00088 '\n tag satisfies: %w(SRG-OS-000228-GPOS-00088 SRG-OS-000023-GPOS-00006)\n tag gid: 'V-238214 '\n tag rid: 'SV-238214r858525_rule '\n tag stig_id: 'UBTU-20-010038 '\n tag fix_id: 'F-41383r653816_fix '\n tag cci: %w(CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388)\n tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3']\n\n banner_text = input('banner_text')\n banner_files = [sshd_config.banner].flatten\n\n banner_files.each do |banner_file|\n if banner_file.nil?\n describe 'The SSHD Banner is not set' do\n subject { banner_file.nil? }\n it { should be false }\n end\n end\n if !banner_file.nil? && !banner_file.match(/none/i).nil?\n describe 'The SSHD Banner is disabled' do\n subject { banner_file.match(/none/i).nil? }\n it { should be true }\n end\n end\n if !banner_file.nil? && banner_file.match(/none/i).nil? && !file(banner_file).exist?\n describe 'The SSHD Banner is set, but, the file does not exist' do\n subject { file(banner_file).exist? }\n it { should be true }\n end\n end\n next unless !banner_file.nil? && banner_file.match(/none/i).nil? && file(banner_file).exist?\n\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n subject { file(banner_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238214.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238214.rb:1 ","run_time":0.000737,"start_time":"2022-12-07T14:54:49-05:00","message":"Can't find file: /etc/ssh/sshd_config","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238214.rb:1"}]},{"id":"SV-238215","title":"The Ubuntu operating system must use SSH to protect the confidentiality and integrity of\ntransmitted information. ","desc":"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.","descriptions":[{"label":"default","data":"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa."},{"label":"check","data":"Verify the SSH package is installed with the following command:\n\n$ sudo dpkg -l | grep openssh\n\nii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access\nto remote machines\nii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server,\nfor secure access from remote machines\nii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64\nsecure shell (SSH) sftp server module, for SFTP access from remote machines\n\nIf the\n\"openssh\" server package is not installed, this is a finding.\n\nVerify the \"sshd.service\" is\nloaded and active with the following command:\n\n$ sudo systemctl status sshd.service | egrep\n-i \"(active|loaded)\"\n Loaded: loaded (/lib/systemd/system/ssh.service; enabled;\nvendor preset: enabled)\n Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1\nweeks 3 days ago\n\nIf \"sshd.service\" is not active or loaded, this is a finding."},{"label":"fix","data":"Install the \"ssh\" meta-package on the system with the following command:\n\n$ sudo apt install\nssh\n\nEnable the \"ssh\" service to start automatically on reboot with the following command:\n\n\n$ sudo systemctl enable sshd.service\n\nensure the \"ssh\" service is running\n\n$ sudo\nsystemctl start sshd.service"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000423-GPOS-00187 ","satisfies":["SRG-OS-000423-GPOS-00187","SRG-OS-000425-GPOS-00189","SRG-OS-000426-GPOS-00190"],"gid":"V-238215 ","rid":"SV-238215r853406_rule ","stig_id":"UBTU-20-010042 ","fix_id":"F-41384r653819_fix ","cci":["CCI-002418","CCI-002420","CCI-002422"],"nist":["SC-8","SC-8 (2)"]},"code":"control 'SV-238215' do\n title \"The Ubuntu operating system must use SSH to protect the confidentiality and integrity of\ntransmitted information. \"\n desc \"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.\n\n \"\n desc 'check', \"Verify the SSH package is installed with the following command:\n\n$ sudo dpkg -l | grep openssh\n\nii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access\nto remote machines\nii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server,\nfor secure access from remote machines\nii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64\nsecure shell (SSH) sftp server module, for SFTP access from remote machines\n\nIf the\n\\\"openssh\\\" server package is not installed, this is a finding.\n\nVerify the \\\"sshd.service\\\" is\nloaded and active with the following command:\n\n$ sudo systemctl status sshd.service | egrep\n-i \\\"(active|loaded)\\\"\n Loaded: loaded (/lib/systemd/system/ssh.service; enabled;\nvendor preset: enabled)\n Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1\nweeks 3 days ago\n\nIf \\\"sshd.service\\\" is not active or loaded, this is a finding. \"\n desc 'fix', \"Install the \\\"ssh\\\" meta-package on the system with the following command:\n\n$ sudo apt install\nssh\n\nEnable the \\\"ssh\\\" service to start automatically on reboot with the following command:\n\n\n$ sudo systemctl enable sshd.service\n\nensure the \\\"ssh\\\" service is running\n\n$ sudo\nsystemctl start sshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000423-GPOS-00187 '\n tag satisfies: %w(SRG-OS-000423-GPOS-00187 SRG-OS-000425-GPOS-00189 SRG-OS-000426-GPOS-00190)\n tag gid: 'V-238215 '\n tag rid: 'SV-238215r853406_rule '\n tag stig_id: 'UBTU-20-010042 '\n tag fix_id: 'F-41384r653819_fix '\n tag cci: %w(CCI-002418 CCI-002420 CCI-002422)\n tag nist: ['SC-8', 'SC-8 (2)']\n\n describe package('openssh-client') do\n it { should be_installed }\n end\n\n describe package('openssh-server') do\n it { should be_installed }\n end\n\n describe package('openssh-sftp-server') do\n it { should be_installed }\n end\n\n describe service('sshd') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238215.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package openssh-client is expected to be installed","run_time":0.063386,"start_time":"2022-12-07T14:54:49-05:00","message":"expected that `System Package openssh-client` is installed","resource_class":"package","resource_params":"[\"openssh-client\"]","resource_id":"openssh-client"},{"status":"failed","code_desc":"System Package openssh-server is expected to be installed","run_time":0.046596,"start_time":"2022-12-07T14:54:49-05:00","message":"expected that `System Package openssh-server` is installed","resource_class":"package","resource_params":"[\"openssh-server\"]","resource_id":"openssh-server"},{"status":"failed","code_desc":"System Package openssh-sftp-server is expected to be installed","run_time":0.048454,"start_time":"2022-12-07T14:54:49-05:00","message":"expected that `System Package openssh-sftp-server` is installed","resource_class":"package","resource_params":"[\"openssh-sftp-server\"]","resource_id":"openssh-sftp-server"},{"status":"failed","code_desc":"Service sshd is expected to be enabled","run_time":0.038749,"start_time":"2022-12-07T14:54:49-05:00","message":"expected that `Service sshd` is enabled","resource_class":"service","resource_params":"[\"sshd\"]","resource_id":"sshd"},{"status":"failed","code_desc":"Service sshd is expected to be installed","run_time":0.000626,"start_time":"2022-12-07T14:54:49-05:00","message":"expected that `Service sshd` is installed","resource_class":"service","resource_params":"[\"sshd\"]","resource_id":"sshd"},{"status":"failed","code_desc":"Service sshd is expected to be running","run_time":0.000642,"start_time":"2022-12-07T14:54:49-05:00","message":"expected that `Service sshd` is running","resource_class":"service","resource_params":"[\"sshd\"]","resource_id":"sshd"}]},{"id":"SV-238216","title":"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. ","desc":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.","descriptions":[{"label":"default","data":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes."},{"label":"check","data":"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \"hmac-sha2-512\" or\n\"hmac-sha2-256\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000424-GPOS-00188 ","satisfies":["SRG-OS-000424-GPOS-00188","SRG-OS-000250-GPOS-00093","SRG-OS-000393-GPOS-00173"],"gid":"V-238216 ","rid":"SV-238216r860820_rule ","stig_id":"UBTU-20-010043 ","fix_id":"F-41385r653822_fix ","cci":["CCI-001453","CCI-002421","CCI-002890"],"nist":["AC-17 (2)","SC-8 (1)","MA-4 (6)"]},"code":"control 'SV-238216' do\n title \"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \\\"hmac-sha2-512\\\" or\n\\\"hmac-sha2-256\\\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173)\n tag gid: 'V-238216 '\n tag rid: 'SV-238216r860820_rule '\n tag stig_id: 'UBTU-20-010043 '\n tag fix_id: 'F-41385r653822_fix '\n tag cci: %w(CCI-001453 CCI-002421 CCI-002890)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n disable_fips = input('disable_fips')\n\n if disable_fips?\n impact 0.0\n describe \"Control not applicable\" do\n skip \"Control not applicable\"\n end\n elsif virtualization.system.eql?('docker')\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\n else\n @macs_array = inspec.sshd_config.params['macs']\n\n @macs_array = @macs_array.first.split(',') unless @macs_array.nil?\n\n describe @macs_array do\n it { should be_in %w(hmac-sha2-256 hmac-sha2-512) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238216.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238216.rb:1 ","run_time":0.013508,"start_time":"2022-12-07T14:54:49-05:00","message":"undefined method `disable_fips?' for #\"Without cryptographic integrity protections, information can be altered by unauthorized\\nusers without detection.\\n\\nRemote access (e.g., RDP) is access to DoD nonpublic information\\nsystems by an authorized user (or an information system) communicating through an external,\\nnon-organization-controlled network. Remote access methods include, for example,\\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\\nthose activities conducted by individuals communicating through a network, either an\\nexternal network (e.g., the internet) or an internal network.\\n\\nLocal maintenance and\\ndiagnostic activities are those activities carried out by individuals physically present\\nat the information system or information system component and not communicating across a\\nnetwork connection.\\n\\nEncrypting information for transmission protects information from\\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\\nprotect information integrity include, for example, cryptographic hash functions which\\nhave common application in digital signatures, checksums, and message authentication\\ncodes.\", :check=>\"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\\nwith the following command:\\n\\n$ grep -ir macs /etc/ssh/sshd_config*\\n\\nMACs\\nhmac-sha2-512,hmac-sha2-256\\n\\nIf any ciphers other than \\\"hmac-sha2-512\\\" or\\n\\\"hmac-sha2-256\\\" are listed, the order differs from the example above, or the returned line is\\ncommented out, this is a finding.\\nIf conflicting results are returned, this is a finding.\", :fix=>\"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\\n140-2 approved ciphers.\\n\\nAdd the following line (or modify the line to have the required\\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\\ndifferent location if using a version of SSH that is provided by a third-party vendor):\\n\\nMACs\\nhmac-sha2-512,hmac-sha2-256\\n\\nRestart the SSH daemon for the changes to take effect:\\n\\n$\\nsudo systemctl reload sshd.service\"}, @refs=[], @tags={:severity=>\"medium \", :gtitle=>\"SRG-OS-000424-GPOS-00188 \", :satisfies=>[\"SRG-OS-000424-GPOS-00188\", \"SRG-OS-000250-GPOS-00093\", \"SRG-OS-000393-GPOS-00173\"], :gid=>\"V-238216 \", :rid=>\"SV-238216r860820_rule \", :stig_id=>\"UBTU-20-010043 \", :fix_id=>\"F-41385r653822_fix \", :cci=>[\"CCI-001453\", \"CCI-002421\", \"CCI-002890\"], :nist=>[\"AC-17 (2)\", \"SC-8 (1)\", \"MA-4 (6)\"]}, @resource_dsl=#, @__code=nil, @__block=#, @__source_location={:ref=>\"./controls/SV-238216.rb\", :line=>1}, @__rule_id=\"SV-238216\", @__profile_id=\"Canonical_Ubuntu_20-04_LTS_STIG\", @__checks=[[\"describe\", [\"Control Source Code Error\"], #]], @__skip_rule={}, @__merge_count=0, @__merge_changes=[], @__skip_only_if_eval=false, @__file=\"./controls/SV-238216.rb\", @__group_title=nil>","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238216.rb:1"}]},{"id":"SV-238217","title":"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. ","desc":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \"strongest to\nweakest\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.","descriptions":[{"label":"default","data":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \"strongest to\nweakest\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections."},{"label":"check","data":"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \"aes256-ctr\",\n\"aes192-ctr\", or \"aes128-ctr\" are listed, the order differs from the example above, the\n\"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000424-GPOS-00188 ","satisfies":["SRG-OS-000424-GPOS-00188","SRG-OS-000033-GPOS-00014","SRG-OS-000394-GPOS-00174"],"gid":"V-238217 ","rid":"SV-238217r860821_rule ","stig_id":"UBTU-20-010044 ","fix_id":"F-41386r653825_fix ","cci":["CCI-000068","CCI-002421","CCI-003123"],"nist":["AC-17 (2)","SC-8 (1)","MA-4 (6)"]},"code":"control 'SV-238217' do\n title \"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \\\"strongest to\nweakest\\\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \\\"aes256-ctr\\\",\n\\\"aes192-ctr\\\", or \\\"aes128-ctr\\\" are listed, the order differs from the example above, the\n\\\"Ciphers\\\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000033-GPOS-00014 SRG-OS-000394-GPOS-00174)\n tag gid: 'V-238217 '\n tag rid: 'SV-238217r860821_rule '\n tag stig_id: 'UBTU-20-010044 '\n tag fix_id: 'F-41386r653825_fix '\n tag cci: %w(CCI-000068 CCI-002421 CCI-003123)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n disable_fips = input('disable_fips')\n\n if disable_fips?\n impact 0.0\n describe 'Control not applicable' do\n skip 'Control not applicable'\n end\n elsif virtualization.system.eql?('docker')\n describe 'Manual test' do\n skip 'This control must be reviewed manually'\n end\n else\n @ciphers_array = inspec.sshd_config.params['ciphers']\n\n @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil?\n\n describe @ciphers_array do\n it { should be_in %w( aes256-ctr aes192-ctr aes128-ctr ) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238217.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238217.rb:1 ","run_time":0.008953,"start_time":"2022-12-07T14:54:49-05:00","message":"undefined method `disable_fips?' for #\"Without cryptographic integrity protections, information can be altered by unauthorized\\nusers without detection.\\n\\nRemote access (e.g., RDP) is access to DoD nonpublic information\\nsystems by an authorized user (or an information system) communicating through an external,\\nnon-organization-controlled network. Remote access methods include, for example,\\ndial-up, broadband, and wireless.\\n\\nNonlocal maintenance and diagnostic activities are\\nthose activities conducted by individuals communicating through a network, either an\\nexternal network (e.g., the internet) or an internal network.\\n\\nLocal maintenance and\\ndiagnostic activities are those activities carried out by individuals physically present\\nat the information system or information system component and not communicating across a\\nnetwork connection.\\n\\nEncrypting information for transmission protects information from\\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\\nprotect information integrity include, for example, cryptographic hash functions which\\nhave common application in digital signatures, checksums, and message authentication\\ncodes.\\n\\nBy specifying a cipher list with the order of ciphers being in a \\\"strongest to\\nweakest\\\" orientation, the system will automatically attempt to use the strongest cipher for\\nsecuring SSH connections.\", :check=>\"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\\nthe following command:\\n\\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\\n\\nCiphers\\naes256-ctr,aes192-ctr,aes128-ctr\\n\\nIf any ciphers other than \\\"aes256-ctr\\\",\\n\\\"aes192-ctr\\\", or \\\"aes128-ctr\\\" are listed, the order differs from the example above, the\\n\\\"Ciphers\\\" keyword is missing, or the returned line is commented out, this is a finding.\\nIf\\nconflicting results are returned, this is a finding.\", :fix=>\"Configure the Ubuntu operating system to allow the SSH daemon to only implement\\nFIPS-approved algorithms.\\n\\nAdd the following line (or modify the line to have the required\\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\\ndifferent location if using a version of SSH that is provided by a third-party vendor):\\n\\n\\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\\n\\nRestart the SSH daemon for the changes to\\ntake effect:\\n\\n$ sudo systemctl restart sshd.service\"}, @refs=[], @tags={:severity=>\"medium \", :gtitle=>\"SRG-OS-000424-GPOS-00188 \", :satisfies=>[\"SRG-OS-000424-GPOS-00188\", \"SRG-OS-000033-GPOS-00014\", \"SRG-OS-000394-GPOS-00174\"], :gid=>\"V-238217 \", :rid=>\"SV-238217r860821_rule \", :stig_id=>\"UBTU-20-010044 \", :fix_id=>\"F-41386r653825_fix \", :cci=>[\"CCI-000068\", \"CCI-002421\", \"CCI-003123\"], :nist=>[\"AC-17 (2)\", \"SC-8 (1)\", \"MA-4 (6)\"]}, @resource_dsl=#, @__code=nil, @__block=#, @__source_location={:ref=>\"./controls/SV-238217.rb\", :line=>1}, @__rule_id=\"SV-238217\", @__profile_id=\"Canonical_Ubuntu_20-04_LTS_STIG\", @__checks=[[\"describe\", [\"Control Source Code Error\"], #]], @__skip_rule={}, @__merge_count=0, @__merge_changes=[], @__skip_only_if_eval=false, @__file=\"./controls/SV-238217.rb\", @__group_title=nil>","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238217.rb:1"}]},{"id":"SV-238218","title":"The Ubuntu operating system must not allow unattended or automatic login via SSH. ","desc":"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security.","descriptions":[{"label":"default","data":"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security."},{"label":"check","data":"Verify that unattended or automatic login via SSH is disabled with the following command:\n\n$\negrep -r '(Permit(.*?)(Passwords|Environment))'\n/etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf\n\"PermitEmptyPasswords\" or \"PermitUserEnvironment\" keywords are not set to \"no\", are\nmissing completely, or are commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or\nautomatic login to the system.\n\nAdd or edit the following lines in the\n\"/etc/ssh/sshd_config\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00229 ","gid":"V-238218 ","rid":"SV-238218r858531_rule ","stig_id":"UBTU-20-010047 ","fix_id":"F-41387r653828_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238218' do\n title 'The Ubuntu operating system must not allow unattended or automatic login via SSH. '\n desc \"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security. \"\n desc 'check', \"Verify that unattended or automatic login via SSH is disabled with the following command:\n\n$\negrep -r '(Permit(.*?)(Passwords|Environment))'\n/etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf\n\\\"PermitEmptyPasswords\\\" or \\\"PermitUserEnvironment\\\" keywords are not set to \\\"no\\\", are\nmissing completely, or are commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or\nautomatic login to the system.\n\nAdd or edit the following lines in the\n\\\"/etc/ssh/sshd_config\\\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00229 '\n tag gid: 'V-238218 '\n tag rid: 'SV-238218r858531_rule '\n tag stig_id: 'UBTU-20-010047 '\n tag fix_id: 'F-41387r653828_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('PermitEmptyPasswords') { should cmp 'no' }\n its('PermitUserEnvironment') { should cmp 'no' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238218.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":5.2e-05,"start_time":"2022-12-07T14:54:49-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238219","title":"The Ubuntu operating system must be configured so that remote X connections are disabled,\nunless to fulfill documented and validated mission requirements. ","desc":"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs.","descriptions":[{"label":"default","data":"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs."},{"label":"check","data":"Verify that X11Forwarding is disabled with the following command:\n\n$ grep -ir\nx11forwarding /etc/ssh/sshd_config* | grep -v \"^#\"\n\nX11Forwarding no\n\nIf the\n\"X11Forwarding\" keyword is set to \"yes\" and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement or is missing, this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\"\nkeyword and set its value to \"no\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding\nno\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238219 ","rid":"SV-238219r858533_rule ","stig_id":"UBTU-20-010048 ","fix_id":"F-41388r653831_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238219' do\n title \"The Ubuntu operating system must be configured so that remote X connections are disabled,\nunless to fulfill documented and validated mission requirements. \"\n desc \"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs. \"\n desc 'check', \"Verify that X11Forwarding is disabled with the following command:\n\n$ grep -ir\nx11forwarding /etc/ssh/sshd_config* | grep -v \\\"^#\\\"\n\nX11Forwarding no\n\nIf the\n\\\"X11Forwarding\\\" keyword is set to \\\"yes\\\" and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement or is missing, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11Forwarding\\\"\nkeyword and set its value to \\\"no\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding\nno\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238219 '\n tag rid: 'SV-238219r858533_rule '\n tag stig_id: 'UBTU-20-010048 '\n tag fix_id: 'F-41388r653831_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('X11Forwarding') { should cmp 'no' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238219.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":1.9e-05,"start_time":"2022-12-07T14:54:50-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238220","title":"The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy\ndisplay. ","desc":"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display.","descriptions":[{"label":"default","data":"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display."},{"label":"check","data":"Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the\nSSH X11UseLocalhost setting with the following command:\n\n$ sudo grep -ir x11uselocalhost\n/etc/ssh/sshd_config*\nX11UseLocalhost yes\n\nIf the \"X11UseLocalhost\" keyword is set to\n\"no\", is missing, or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding."},{"label":"fix","data":"Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit\nthe \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11UseLocalhost\"\nkeyword and set its value to \"yes\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\n\nX11UseLocalhost yes\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238220 ","rid":"SV-238220r858535_rule ","stig_id":"UBTU-20-010049 ","fix_id":"F-41389r653834_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238220' do\n title \"The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy\ndisplay. \"\n desc \"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display. \"\n desc 'check', \"Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the\nSSH X11UseLocalhost setting with the following command:\n\n$ sudo grep -ir x11uselocalhost\n/etc/ssh/sshd_config*\nX11UseLocalhost yes\n\nIf the \\\"X11UseLocalhost\\\" keyword is set to\n\\\"no\\\", is missing, or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit\nthe \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11UseLocalhost\\\"\nkeyword and set its value to \\\"yes\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\n\nX11UseLocalhost yes\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238220 '\n tag rid: 'SV-238220r858535_rule '\n tag stig_id: 'UBTU-20-010049 '\n tag fix_id: 'F-41389r653834_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('X11UseLocalhost') { should cmp 'yes' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238220.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":3.3e-05,"start_time":"2022-12-07T14:54:50-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238221","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nupper-case character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none upper-case character be used.\n\nDetermine if the field \"ucredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"ucredit\"\n/etc/security/pwquality.conf\nucredit=-1\n\nIf the \"ucredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Add or update the \"/etc/security/pwquality.conf\" file to contain the \"ucredit\" parameter:\n\n\nucredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000069-GPOS-00037 ","gid":"V-238221 ","rid":"SV-238221r653838_rule ","stig_id":"UBTU-20-010050 ","fix_id":"F-41390r653837_fix ","cci":["CCI-000192"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238221' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nupper-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none upper-case character be used.\n\nDetermine if the field \\\"ucredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"ucredit\\\"\n/etc/security/pwquality.conf\nucredit=-1\n\nIf the \\\"ucredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"ucredit\\\" parameter:\n\n\nucredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000069-GPOS-00037 '\n tag gid: 'V-238221 '\n tag rid: 'SV-238221r653838_rule '\n tag stig_id: 'UBTU-20-010050 '\n tag fix_id: 'F-41390r653837_fix '\n tag cci: ['CCI-000192']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ucredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238221.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf ucredit is expected to cmp == \"-1\"","run_time":0.00084,"start_time":"2022-12-07T14:54:50-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238222","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nlower-case character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none lower-case character be used.\n\nDetermine if the field \"lcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"lcredit\"\n/etc/security/pwquality.conf\nlcredit=-1\n\nIf the \"lcredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Add or update the \"/etc/security/pwquality.conf\" file to contain the \"lcredit\" parameter:\n\n\nlcredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000070-GPOS-00038 ","gid":"V-238222 ","rid":"SV-238222r653841_rule ","stig_id":"UBTU-20-010051 ","fix_id":"F-41391r653840_fix ","cci":["CCI-000193"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238222' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nlower-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none lower-case character be used.\n\nDetermine if the field \\\"lcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"lcredit\\\"\n/etc/security/pwquality.conf\nlcredit=-1\n\nIf the \\\"lcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"lcredit\\\" parameter:\n\n\nlcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000070-GPOS-00038 '\n tag gid: 'V-238222 '\n tag rid: 'SV-238222r653841_rule '\n tag stig_id: 'UBTU-20-010051 '\n tag fix_id: 'F-41391r653840_fix '\n tag cci: ['CCI-000193']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('lcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238222.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf lcredit is expected to cmp == \"-1\"","run_time":0.000652,"start_time":"2022-12-07T14:54:50-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238223","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \"dcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"dcredit\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \"dcredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \"/etc/security/pwquality.conf\"\nfile to contain the \"dcredit\" parameter:\n\ndcredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000071-GPOS-00039 ","gid":"V-238223 ","rid":"SV-238223r653844_rule ","stig_id":"UBTU-20-010052 ","fix_id":"F-41392r653843_fix ","cci":["CCI-000194"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238223' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \\\"dcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"dcredit\\\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \\\"dcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\"\nfile to contain the \\\"dcredit\\\" parameter:\n\ndcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000071-GPOS-00039 '\n tag gid: 'V-238223 '\n tag rid: 'SV-238223r653844_rule '\n tag stig_id: 'UBTU-20-010052 '\n tag fix_id: 'F-41392r653843_fix '\n tag cci: ['CCI-000194']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238223.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf dcredit is expected to cmp == \"-1\"","run_time":0.000933,"start_time":"2022-12-07T14:54:50-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238224","title":"The Ubuntu operating system must require the change of at least 8 characters when passwords\nare changed. ","desc":"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters.","descriptions":[{"label":"default","data":"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters."},{"label":"check","data":"Verify the Ubuntu operating system requires the change of at least eight characters when\npasswords are changed.\n\nDetermine if the field \"difok\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"difok\"\n/etc/security/pwquality.conf\ndifok=8\n\nIf the \"difok\" parameter is less than \"8\" or is\ncommented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to require the change of at least eight characters when\npasswords are changed.\n\nAdd or update the \"/etc/security/pwquality.conf\" file to include\nthe \"difok=8\" parameter:\n\ndifok=8"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000072-GPOS-00040 ","gid":"V-238224 ","rid":"SV-238224r653847_rule ","stig_id":"UBTU-20-010053 ","fix_id":"F-41393r653846_fix ","cci":["CCI-000195"],"nist":["IA-5 (1) (b)"]},"code":"control 'SV-238224' do\n title \"The Ubuntu operating system must require the change of at least 8 characters when passwords\nare changed. \"\n desc \"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters. \"\n desc 'check', \"Verify the Ubuntu operating system requires the change of at least eight characters when\npasswords are changed.\n\nDetermine if the field \\\"difok\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"difok\\\"\n/etc/security/pwquality.conf\ndifok=8\n\nIf the \\\"difok\\\" parameter is less than \\\"8\\\" or is\ncommented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to require the change of at least eight characters when\npasswords are changed.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\" file to include\nthe \\\"difok=8\\\" parameter:\n\ndifok=8 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000072-GPOS-00040 '\n tag gid: 'V-238224 '\n tag rid: 'SV-238224r653847_rule '\n tag stig_id: 'UBTU-20-010053 '\n tag fix_id: 'F-41393r653846_fix '\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('difok') { should cmp >= '8' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238224.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf difok is expected to cmp >= \"8\"","run_time":0.005165,"start_time":"2022-12-07T14:54:50-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238225","title":"The Ubuntu operating system must enforce a minimum 15-character password length. ","desc":"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password.","descriptions":[{"label":"default","data":"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password."},{"label":"check","data":"Verify the pwquality configuration file enforces a minimum 15-character password length by\nrunning the following command:\n\n$ grep -i minlen\n/etc/security/pwquality.conf\nminlen=15\n\nIf \"minlen\" parameter value is not \"15\" or\nhigher or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a minimum 15-character password length.\n\n\nAdd or modify the \"minlen\" parameter value to the \"/etc/security/pwquality.conf\" file:\n\n\nminlen=15"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000078-GPOS-00046 ","gid":"V-238225 ","rid":"SV-238225r832942_rule ","stig_id":"UBTU-20-010054 ","fix_id":"F-41394r653849_fix ","cci":["CCI-000205"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238225' do\n title 'The Ubuntu operating system must enforce a minimum 15-character password length. '\n desc \"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password. \"\n desc 'check', \"Verify the pwquality configuration file enforces a minimum 15-character password length by\nrunning the following command:\n\n$ grep -i minlen\n/etc/security/pwquality.conf\nminlen=15\n\nIf \\\"minlen\\\" parameter value is not \\\"15\\\" or\nhigher or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a minimum 15-character password length.\n\n\nAdd or modify the \\\"minlen\\\" parameter value to the \\\"/etc/security/pwquality.conf\\\" file:\n\n\nminlen=15 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000078-GPOS-00046 '\n tag gid: 'V-238225 '\n tag rid: 'SV-238225r832942_rule '\n tag stig_id: 'UBTU-20-010054 '\n tag fix_id: 'F-41394r653849_fix '\n tag cci: ['CCI-000205']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('minlen') { should cmp >= '15' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238225.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf minlen is expected to cmp >= \"15\"","run_time":0.000739,"start_time":"2022-12-07T14:54:50-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238226","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nspecial character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *."},{"label":"check","data":"Determine if the field \"ocredit\" is set in the \"/etc/security/pwquality.conf\" file with the\nfollowing command:\n\n$ grep -i \"ocredit\" /etc/security/pwquality.conf\nocredit=-1\n\nIf\nthe \"ocredit\" parameter is greater than \"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one special character be used.\n\nAdd or update the following line in the\n\"/etc/security/pwquality.conf\" file to include the \"ocredit=-1\" parameter:\n\n\nocredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000266-GPOS-00101 ","gid":"V-238226 ","rid":"SV-238226r653853_rule ","stig_id":"UBTU-20-010055 ","fix_id":"F-41395r653852_fix ","cci":["CCI-001619"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238226' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nspecial character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *. \"\n desc 'check', \"Determine if the field \\\"ocredit\\\" is set in the \\\"/etc/security/pwquality.conf\\\" file with the\nfollowing command:\n\n$ grep -i \\\"ocredit\\\" /etc/security/pwquality.conf\nocredit=-1\n\nIf\nthe \\\"ocredit\\\" parameter is greater than \\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one special character be used.\n\nAdd or update the following line in the\n\\\"/etc/security/pwquality.conf\\\" file to include the \\\"ocredit=-1\\\" parameter:\n\n\nocredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000266-GPOS-00101 '\n tag gid: 'V-238226 '\n tag rid: 'SV-238226r653853_rule '\n tag stig_id: 'UBTU-20-010055 '\n tag fix_id: 'F-41395r653852_fix '\n tag cci: ['CCI-001619']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ocredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238226.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf ocredit is expected to cmp == \"-1\"","run_time":0.001004,"start_time":"2022-12-07T14:54:50-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238227","title":"The Ubuntu operating system must prevent the use of dictionary words for passwords. ","desc":"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks.","descriptions":[{"label":"default","data":"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks."},{"label":"check","data":"Verify the Ubuntu operating system uses the \"cracklib\" library to prevent the use of\ndictionary words with the following command:\n\n$ grep dictcheck\n/etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \"dictcheck\" parameter is not set to\n\"1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.\n\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file to include the\n\"dictcheck=1\" parameter:\n\ndictcheck=1"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00225 ","gid":"V-238227 ","rid":"SV-238227r653856_rule ","stig_id":"UBTU-20-010056 ","fix_id":"F-41396r653855_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238227' do\n title 'The Ubuntu operating system must prevent the use of dictionary words for passwords. '\n desc \"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks. \"\n desc 'check', \"Verify the Ubuntu operating system uses the \\\"cracklib\\\" library to prevent the use of\ndictionary words with the following command:\n\n$ grep dictcheck\n/etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \\\"dictcheck\\\" parameter is not set to\n\\\"1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.\n\n\nAdd or update the following line in the \\\"/etc/security/pwquality.conf\\\" file to include the\n\\\"dictcheck=1\\\" parameter:\n\ndictcheck=1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238227 '\n tag rid: 'SV-238227r653856_rule '\n tag stig_id: 'UBTU-20-010056 '\n tag fix_id: 'F-41396r653855_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dictcheck') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238227.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf dictcheck is expected to cmp == \"1\"","run_time":0.000859,"start_time":"2022-12-07T14:54:50-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238228","title":"The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem."},{"label":"check","data":"Verify the Ubuntu operating system has the \"libpam-pwquality\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \"libpam-pwquality\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \"pwquality\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \"enforcing\" is not \"1\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \"pwquality\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\",\nthis is a finding."},{"label":"fix","data":"Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n\n\nInstall the \"pam_pwquality\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \"/etc/security/pwquality.conf\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\"/etc/pam.d/common-password\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \"retry\" should be between \"1\" and\n\"3\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00225 ","gid":"V-238228 ","rid":"SV-238228r653859_rule ","stig_id":"UBTU-20-010057 ","fix_id":"F-41397r653858_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238228' do\n title \"The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \\\"pwquality\\\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem. \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"libpam-pwquality\\\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \\\"libpam-pwquality\\\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \\\"pwquality\\\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \\\"enforcing\\\" is not \\\"1\\\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \\\"pwquality\\\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \\\"retry\\\" is set to \\\"0\\\" or greater than \\\"3\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the operating system to use \\\"pwquality\\\" to enforce password complexity rules.\n\n\nInstall the \\\"pam_pwquality\\\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \\\"/etc/security/pwquality.conf\\\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\\\"/etc/pam.d/common-password\\\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \\\"retry\\\" should be between \\\"1\\\" and\n\\\"3\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238228 '\n tag rid: 'SV-238228r653859_rule '\n tag stig_id: 'UBTU-20-010057 '\n tag fix_id: 'F-41397r653858_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pwquality') do\n it { should be_installed }\n end\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('enforcing') { should cmp 1 }\n end\n\n describe file('/etc/pam.d/common-password') do\n its('content') { should match '^password\\s+requisite\\s+pam_pwquality.so\\s+retry=3\\s+enforce_for_root$' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238228.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.3e-05,"start_time":"2022-12-07T14:54:51-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238229","title":"The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. ","desc":"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement.","descriptions":[{"label":"default","data":"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement."},{"label":"check","data":"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \"use_pkcs11_module\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\"\nand then ensure \"ca\" is enabled in \"cert_policy\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to \"ca\" or the line is commented out,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \"use_pkcs11_module\" in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" and ensure \"ca\" is enabled in \"cert_policy\".\n\nAdd or\nupdate the \"cert_policy\" to ensure \"ca\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \"/etc/pam_pkcs11/\" directory and an\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify\naccordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000066-GPOS-00034 ","gid":"V-238229 ","rid":"SV-238229r653862_rule ","stig_id":"UBTU-20-010060 ","fix_id":"F-41398r653861_fix ","cci":["CCI-000185"],"nist":["IA-5 (2) (b) (1)"]},"code":"control 'SV-238229' do\n title \"The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. \"\n desc \"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement. \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \\\"use_pkcs11_module\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\"\nand then ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to \\\"ca\\\" or the line is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \\\"use_pkcs11_module\\\" in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" and ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\".\n\nAdd or\nupdate the \\\"cert_policy\\\" to ensure \\\"ca\\\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000066-GPOS-00034 '\n tag gid: 'V-238229 '\n tag rid: 'SV-238229r653862_rule '\n tag stig_id: 'UBTU-20-010060 '\n tag fix_id: 'F-41398r653861_fix '\n tag cci: ['CCI-000185']\n tag nist: ['IA-5 (2) (b) (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('use_pkcs11_module') { should_not be_nil }\n its('cert_policy') { should include 'ca' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238229.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":6.0e-06,"start_time":"2022-12-07T14:54:51-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238230","title":"The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. ","desc":"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management).","descriptions":[{"label":"default","data":"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management)."},{"label":"check","data":"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\"libpam-pkcs11\" package is not installed, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \"libpam-pkcs11\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000375-GPOS-00160 ","gid":"V-238230 ","rid":"SV-238230r853410_rule ","stig_id":"UBTU-20-010063 ","fix_id":"F-41399r653864_fix ","cci":["CCI-001948"],"nist":["IA-2 (11)"]},"code":"control 'SV-238230' do\n title \"The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. \"\n desc \"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management). \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \\\"libpam-pkcs11\\\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000375-GPOS-00160 '\n tag gid: 'V-238230 '\n tag rid: 'SV-238230r853410_rule '\n tag stig_id: 'UBTU-20-010063 '\n tag fix_id: 'F-41399r653864_fix '\n tag cci: ['CCI-001948']\n tag nist: ['IA-2 (11)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238230.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":8.0e-06,"start_time":"2022-12-07T14:54:51-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238231","title":"The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. ","desc":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.","descriptions":[{"label":"default","data":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems."},{"label":"check","data":"Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \"opensc-pcks11\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \"opensc-pcks11\" package is not installed,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to accept PIV credentials.\n\nInstall the\n\"opensc-pkcs11\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000376-GPOS-00161 ","gid":"V-238231 ","rid":"SV-238231r853411_rule ","stig_id":"UBTU-20-010064 ","fix_id":"F-41400r653867_fix ","cci":["CCI-001953"],"nist":["IA-2 (12)"]},"code":"control 'SV-238231' do\n title 'The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. '\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \\\"opensc-pcks11\\\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \\\"opensc-pcks11\\\" package is not installed,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to accept PIV credentials.\n\nInstall the\n\\\"opensc-pkcs11\\\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000376-GPOS-00161 '\n tag gid: 'V-238231 '\n tag rid: 'SV-238231r853411_rule '\n tag stig_id: 'UBTU-20-010064 '\n tag fix_id: 'F-41400r653867_fix '\n tag cci: ['CCI-001953']\n tag nist: ['IA-2 (12)']\n\n describe package('opensc-pkcs11') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238231.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package opensc-pkcs11 is expected to be installed","run_time":0.066131,"start_time":"2022-12-07T14:54:51-05:00","message":"expected that `System Package opensc-pkcs11` is installed","resource_class":"package","resource_params":"[\"opensc-pkcs11\"]","resource_id":"opensc-pkcs11"}]},{"id":"SV-238232","title":"The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. ","desc":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.","descriptions":[{"label":"default","data":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems."},{"label":"check","data":"Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to\n\"ocsp_on\", or the line is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \"cert_policy\" lines in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000377-GPOS-00162 ","gid":"V-238232 ","rid":"SV-238232r853412_rule ","stig_id":"UBTU-20-010065 ","fix_id":"F-41401r653870_fix ","cci":["CCI-001954"],"nist":["IA-2 (12)"]},"code":"control 'SV-238232' do\n title \"The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. \"\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to\n\\\"ocsp_on\\\", or the line is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \\\"cert_policy\\\" lines in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" to include \\\"ocsp_on\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000377-GPOS-00162 '\n tag gid: 'V-238232 '\n tag rid: 'SV-238232r853412_rule '\n tag stig_id: 'UBTU-20-010065 '\n tag fix_id: 'F-41401r653870_fix '\n tag cci: ['CCI-001954']\n tag nist: ['IA-2 (12)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'ocsp_on' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238232.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.3e-05,"start_time":"2022-12-07T14:54:51-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238233","title":"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. ","desc":"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates).","descriptions":[{"label":"default","data":"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates)."},{"label":"check","data":"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \"crl_offline\" or \"crl_auto\" is\npart of the \"cert_policy\" definition in \"/etc/pam_pkcs11/pam_pkcs11.conf\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\"cert_policy\" is not set to include \"crl_auto\" or \"crl_offline\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\"cert_policy\" option in \"/etc/pam/_pkcs11/pam_pkcs11.conf\" to include \"crl_auto\" or\n\"crl_offline\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \"/etc/pam_pkcs11/\" directory and an \"/etc/pam_pkcs11/pam_pkcs11.conf\", find\nan example to copy into place and modify accordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000384-GPOS-00167 ","gid":"V-238233 ","rid":"SV-238233r853413_rule ","stig_id":"UBTU-20-010066 ","fix_id":"F-41402r653873_fix ","cci":["CCI-001991"],"nist":["IA-5 (2) (d)"]},"code":"control 'SV-238233' do\n title \"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. \"\n desc \"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates). \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \\\"crl_offline\\\" or \\\"crl_auto\\\" is\npart of the \\\"cert_policy\\\" definition in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\\\"cert_policy\\\" is not set to include \\\"crl_auto\\\" or \\\"crl_offline\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\\\"cert_policy\\\" option in \\\"/etc/pam/_pkcs11/pam_pkcs11.conf\\\" to include \\\"crl_auto\\\" or\n\\\"crl_offline\\\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \\\"/etc/pam_pkcs11/\\\" directory and an \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find\nan example to copy into place and modify accordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000384-GPOS-00167 '\n tag gid: 'V-238233 '\n tag rid: 'SV-238233r853413_rule '\n tag stig_id: 'UBTU-20-010066 '\n tag fix_id: 'F-41402r653873_fix '\n tag cci: ['CCI-001991']\n tag nist: ['IA-5 (2) (d)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe.one do\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_auto' }\n end\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_offline' }\n end\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238233.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.7e-05,"start_time":"2022-12-07T14:54:51-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238234","title":"The Ubuntu operating system must prohibit password reuse for a minimum of five generations. ","desc":"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.","descriptions":[{"label":"default","data":"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements."},{"label":"check","data":"Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \"remember\" parameter value is not greater\nthan or equal to \"5\", is commented out, or is not set at all, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \"remember\" parameter value to the following line in\n\"/etc/pam.d/common-password\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000077-GPOS-00045 ","satisfies":["SRG-OS-000077-GPOS-00045","SRG-OS-000073-GPOS-00041"],"gid":"V-238234 ","rid":"SV-238234r832945_rule ","stig_id":"UBTU-20-010070 ","fix_id":"F-41403r832944_fix ","cci":["CCI-000196","CCI-000200"],"nist":["IA-5 (1) (c)","IA-5 (1) (e)"]},"code":"control 'SV-238234' do\n title 'The Ubuntu operating system must prohibit password reuse for a minimum of five generations. '\n desc \"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \\\"remember\\\" parameter value is not greater\nthan or equal to \\\"5\\\", is commented out, or is not set at all, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \\\"remember\\\" parameter value to the following line in\n\\\"/etc/pam.d/common-password\\\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000077-GPOS-00045 '\n tag satisfies: %w(SRG-OS-000077-GPOS-00045 SRG-OS-000073-GPOS-00041)\n tag gid: 'V-238234 '\n tag rid: 'SV-238234r832945_rule '\n tag stig_id: 'UBTU-20-010070 '\n tag fix_id: 'F-41403r832944_fix '\n tag cci: %w(CCI-000196 CCI-000200)\n tag nist: ['IA-5 (1) (c)', 'IA-5 (1) (e)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-password') do\n it { should exist }\n end\n\n describe command(\"grep -i remember /etc/pam.d/common-password | sed 's/.*remember=\\\\([^ ]*\\\\).*/\\\\1/'\") do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should cmp >= 5 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238234.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.7e-05,"start_time":"2022-12-07T14:54:51-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238235","title":"The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. ","desc":"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.","descriptions":[{"label":"default","data":"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account."},{"label":"check","data":"Verify that the Ubuntu operating system utilizes the \"pam_faillock\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \"/etc/pam.d/common-auth\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \"silent\" keyword is missing or commented out, this is a finding.\nIf the \"audit\"\nkeyword is missing or commented out, this is a finding.\nIf the \"deny\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \"fail_interval\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\"unlock_time\" keyword is missing, commented out, or not set to 0, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to utilize the \"pam_faillock\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \"auth\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \"pam_faillock\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000329-GPOS-00128 ","satisfies":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"gid":"V-238235 ","rid":"SV-238235r853414_rule ","stig_id":"UBTU-20-010072 ","fix_id":"F-41404r802382_fix ","cci":["CCI-000044","CCI-002238"],"nist":["AC-7 a","AC-7 b"]},"code":"control 'SV-238235' do\n title \"The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. \"\n desc \"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.\n\n \"\n desc 'check', \"Verify that the Ubuntu operating system utilizes the \\\"pam_faillock\\\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \\\"/etc/pam.d/common-auth\\\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \\\"silent\\\" keyword is missing or commented out, this is a finding.\nIf the \\\"audit\\\"\nkeyword is missing or commented out, this is a finding.\nIf the \\\"deny\\\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \\\"fail_interval\\\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\\\"unlock_time\\\" keyword is missing, commented out, or not set to 0, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to utilize the \\\"pam_faillock\\\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \\\"auth\\\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \\\"pam_faillock\\\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000329-GPOS-00128 '\n tag satisfies: %w(SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005)\n tag gid: 'V-238235 '\n tag rid: 'SV-238235r853414_rule '\n tag stig_id: 'UBTU-20-010072 '\n tag fix_id: 'F-41404r802382_fix '\n tag cci: %w(CCI-000044 CCI-002238)\n tag nist: ['AC-7 a', 'AC-7 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_tally /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3($|\\s+.*$)/ }\n its('stdout.strip') { should_not match /^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3\\s+.*unlock_time.*$/ }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238235.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.4e-05,"start_time":"2022-12-07T14:54:51-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238236","title":"The Ubuntu operating system must be configured so that the script which runs each 30 days or\nless to check file integrity is the default one. ","desc":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.","descriptions":[{"label":"default","data":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality."},{"label":"check","data":"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to\ncheck file integrity each 30 days or less is unchanged.\n\nDownload the original aide-common\npackage in the /tmp directory:\n\n$ cd /tmp; apt download aide-common\n\nFetch the SHA1 of the\noriginal script file:\n\n$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO\n./usr/share/aide/config/cron.daily/aide | sha1sum\n\n32958374f18871e3f7dda27a58d721f471843e26 -\n\nCompare with the SHA1 of the file in the\ndaily or monthly cron directory:\n\n$ sha1sum /etc/cron.{daily,monthly}/aide\n2>/dev/null\n32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide\n\nIf\nthere is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the\ndaily or monthly cron directory does not match the SHA1 of the original, this is a finding."},{"label":"fix","data":"The cron file for AIDE is fairly complex as it creates the report. This file is installed with\nthe \"aide-common\" package, and the default can be restored by copying it from the package:\n\n\nDownload the original package to the /tmp dir:\n\n$ cd /tmp; apt download aide-common\n\n\nExtract the aide script to its original place:\n\n$ dpkg-deb --fsys-tarfile\n/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C /\n\n\nCopy it to the cron.daily directory:\n\n$ sudo cp -f\n/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000446-GPOS-00200 ","gid":"V-238236 ","rid":"SV-238236r853415_rule ","stig_id":"UBTU-20-010074 ","fix_id":"F-41405r653882_fix ","cci":["CCI-002699"],"nist":["SI-6 b"]},"code":"control 'SV-238236' do\n title \"The Ubuntu operating system must be configured so that the script which runs each 30 days or\nless to check file integrity is the default one. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality. \"\n desc 'check', \"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to\ncheck file integrity each 30 days or less is unchanged.\n\nDownload the original aide-common\npackage in the /tmp directory:\n\n$ cd /tmp; apt download aide-common\n\nFetch the SHA1 of the\noriginal script file:\n\n$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO\n./usr/share/aide/config/cron.daily/aide | sha1sum\n\n32958374f18871e3f7dda27a58d721f471843e26 -\n\nCompare with the SHA1 of the file in the\ndaily or monthly cron directory:\n\n$ sha1sum /etc/cron.{daily,monthly}/aide\n2>/dev/null\n32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide\n\nIf\nthere is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the\ndaily or monthly cron directory does not match the SHA1 of the original, this is a finding. \"\n desc 'fix', \"The cron file for AIDE is fairly complex as it creates the report. This file is installed with\nthe \\\"aide-common\\\" package, and the default can be restored by copying it from the package:\n\n\nDownload the original package to the /tmp dir:\n\n$ cd /tmp; apt download aide-common\n\n\nExtract the aide script to its original place:\n\n$ dpkg-deb --fsys-tarfile\n/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C /\n\n\nCopy it to the cron.daily directory:\n\n$ sudo cp -f\n/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000446-GPOS-00200 '\n tag gid: 'V-238236 '\n tag rid: 'SV-238236r853415_rule '\n tag stig_id: 'UBTU-20-010074 '\n tag fix_id: 'F-41405r653882_fix '\n tag cci: ['CCI-002699']\n tag nist: ['SI-6 b']\n\n describe('Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.') do\n skip('manual test')\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238236.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.","run_time":2.9e-05,"start_time":"2022-12-07T14:54:51-05:00","resource":"","skip_message":"manual test","resource_class":"Object","resource_params":"[]","resource_id":"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged."}]},{"id":"SV-238237","title":"The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. ","desc":"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account.","descriptions":[{"label":"default","data":"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account."},{"label":"check","data":"Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \"/etc/pam.d/common-auth\" and set\nthe parameter \"pam_faildelay\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000480-GPOS-00226 ","gid":"V-238237 ","rid":"SV-238237r653886_rule ","stig_id":"UBTU-20-010075 ","fix_id":"F-41406r653885_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238237' do\n title \"The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. \"\n desc \"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \\\"/etc/pam.d/common-auth\\\" and set\nthe parameter \\\"pam_faildelay\\\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00226 '\n tag gid: 'V-238237 '\n tag rid: 'SV-238237r653886_rule '\n tag stig_id: 'UBTU-20-010075 '\n tag fix_id: 'F-41406r653885_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_faildelay /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=([4-9][\\d]{6,}|[1-9][\\d]{7,}).*$/ }\n end\n\n file('/etc/pam.d/common-auth').content.to_s.scan(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=(\\d+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 4_000_000 }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238237.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.4e-05,"start_time":"2022-12-07T14:54:51-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238238","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000463-GPOS-00207","SRG-OS-000476-GPOS-00221"],"gid":"V-238238 ","rid":"SV-238238r853416_rule ","stig_id":"UBTU-20-010100 ","fix_id":"F-41407r653888_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238238' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000463-GPOS-00207 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238238 '\n tag rid: 'SV-238238r853416_rule '\n tag stig_id: 'UBTU-20-010100 '\n tag fix_id: 'F-41407r653888_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238238.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.8e-05,"start_time":"2022-12-07T14:54:52-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238239","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238239 ","rid":"SV-238239r853417_rule ","stig_id":"UBTU-20-010101 ","fix_id":"F-41408r653891_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238239' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238239 '\n tag rid: 'SV-238239r853417_rule '\n tag stig_id: 'UBTU-20-010101 '\n tag fix_id: 'F-41408r653891_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/group'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238239.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.9e-05,"start_time":"2022-12-07T14:54:52-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238240","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238240 ","rid":"SV-238240r853418_rule ","stig_id":"UBTU-20-010102 ","fix_id":"F-41409r653894_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238240' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238240 '\n tag rid: 'SV-238240r853418_rule '\n tag stig_id: 'UBTU-20-010102 '\n tag fix_id: 'F-41409r653894_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/shadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238240.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.7e-05,"start_time":"2022-12-07T14:54:52-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238241","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238241 ","rid":"SV-238241r853419_rule ","stig_id":"UBTU-20-010103 ","fix_id":"F-41410r653897_fix ","cci":["CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AU-12 c","AC-2 (4)"]},"code":"control 'SV-238241' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238241 '\n tag rid: 'SV-238241r853419_rule '\n tag stig_id: 'UBTU-20-010103 '\n tag fix_id: 'F-41410r653897_fix '\n tag cci: %w(CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AU-12 c', 'AC-2 (4)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/gshadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238241.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.2e-05,"start_time":"2022-12-07T14:54:52-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238242","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/security/opasswd\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/security/opasswd\".\n\n\nAdd or update the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238242 ","rid":"SV-238242r853420_rule ","stig_id":"UBTU-20-010104 ","fix_id":"F-41411r653900_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238242' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nAdd or update the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238242 '\n tag rid: 'SV-238242r853420_rule '\n tag stig_id: 'UBTU-20-010104 '\n tag fix_id: 'F-41411r653900_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/security/opasswd'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238242.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.4e-05,"start_time":"2022-12-07T14:54:52-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238243","title":"The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. ","desc":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth.","descriptions":[{"label":"default","data":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth."},{"label":"check","data":"Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \"action_mail_acct\" keyword is not set to an accounts for security personnel, the\n\"action_mail_acct\" keyword is missing, or the returned line is commented out, this is a\nfinding."},{"label":"fix","data":"Configure \"auditd\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \"/etc/audit/auditd.conf\" to ensure administrators\nare notified via email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \"administrator_account\" to an account for\nsecurity personnel.\n\nRestart the \"auditd\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000046-GPOS-00022 ","gid":"V-238243 ","rid":"SV-238243r653904_rule ","stig_id":"UBTU-20-010117 ","fix_id":"F-41412r653903_fix ","cci":["CCI-000139"],"nist":["AU-5 a"]},"code":"control 'SV-238243' do\n title \"The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. \"\n desc \"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth. \"\n desc 'check', \"Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \\\"action_mail_acct\\\" keyword is not set to an accounts for security personnel, the\n\\\"action_mail_acct\\\" keyword is missing, or the returned line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure \\\"auditd\\\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \\\"/etc/audit/auditd.conf\\\" to ensure administrators\nare notified via email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \\\"administrator_account\\\" to an account for\nsecurity personnel.\n\nRestart the \\\"auditd\\\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000046-GPOS-00022 '\n tag gid: 'V-238243 '\n tag rid: 'SV-238243r653904_rule '\n tag stig_id: 'UBTU-20-010117 '\n tag fix_id: 'F-41412r653903_fix '\n tag cci: ['CCI-000139']\n tag nist: ['AU-5 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n action_mail_acct = auditd_conf.action_mail_acct\n security_accounts = input('action_mail_acct')\n\n describe 'System Administrator (SA) and Information System Security Officer (ISSO) are notified in the event of an audit processing failure' do\n subject { security_accounts }\n it { should cmp action_mail_acct }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238243.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.1e-05,"start_time":"2022-12-07T14:54:52-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238244","title":"The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). ","desc":"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server.","descriptions":[{"label":"default","data":"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server."},{"label":"check","data":"Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\"disk_full_action\" option is not \"SYSLOG\", \"SINGLE\", or \"HALT\", or the line is commented\nout, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \"disk_full_action\" can be set to \"SYSLOG\", \"HALT\" or \"SINGLE\") in\n\"/etc/audit/auditd.conf\" file:\n\ndisk_full_action = HALT\n\nRestart the \"auditd\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000047-GPOS-00023 ","gid":"V-238244 ","rid":"SV-238244r653907_rule ","stig_id":"UBTU-20-010118 ","fix_id":"F-41413r653906_fix ","cci":["CCI-000140"],"nist":["AU-5 b"]},"code":"control 'SV-238244' do\n title \"The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). \"\n desc \"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server. \"\n desc 'check', \"Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\\\"disk_full_action\\\" option is not \\\"SYSLOG\\\", \\\"SINGLE\\\", or \\\"HALT\\\", or the line is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \\\"disk_full_action\\\" can be set to \\\"SYSLOG\\\", \\\"HALT\\\" or \\\"SINGLE\\\") in\n\\\"/etc/audit/auditd.conf\\\" file:\n\ndisk_full_action = HALT\n\nRestart the \\\"auditd\\\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000047-GPOS-00023 '\n tag gid: 'V-238244 '\n tag rid: 'SV-238244r653907_rule '\n tag stig_id: 'UBTU-20-010118 '\n tag fix_id: 'F-41413r653906_fix '\n tag cci: ['CCI-000140']\n tag nist: ['AU-5 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe auditd_conf do\n its('disk_full_action') { should_not be_empty }\n its('disk_full_action') { should cmp /(?:SYSLOG|SINGLE|HALT)/i }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238244.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.3e-05,"start_time":"2022-12-07T14:54:52-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238245","title":"The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. ","desc":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.","descriptions":[{"label":"default","data":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity."},{"label":"check","data":"Verify that the audit log files have a mode of \"0600\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \"0600\" or\nless by using the following command:\n\n$ sudo stat -c \"%n %a\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\"0600\", this is a finding."},{"label":"fix","data":"Configure the audit log files to have a mode of \"0600\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \"0600\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000057-GPOS-00027 ","satisfies":["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028"],"gid":"V-238245 ","rid":"SV-238245r653910_rule ","stig_id":"UBTU-20-010122 ","fix_id":"F-41414r653909_fix ","cci":["CCI-000162","CCI-000163"],"nist":["AU-9 a"]},"code":"control 'SV-238245' do\n title \"The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify that the audit log files have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \\\"0600\\\" or\nless by using the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\\\"0600\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log files to have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \\\"0600\\\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028)\n tag gid: 'V-238245 '\n tag rid: 'SV-238245r653910_rule '\n tag stig_id: 'UBTU-20-010122 '\n tag fix_id: 'F-41414r653909_fix '\n tag cci: %w(CCI-000162 CCI-000163)\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n it { should_not be_more_permissive_than('0600') }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238245.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-05,"start_time":"2022-12-07T14:54:52-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238246","title":"The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. ","desc":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.","descriptions":[{"label":"default","data":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity."},{"label":"check","data":"Verify the audit log files are owned by \"root\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \"root\" user by using the following\ncommand:\n\n$ sudo stat -c \"%n %U\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \"root\", this is a finding."},{"label":"fix","data":"Configure the audit log directory and its underlying files to be owned by \"root\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \"root\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000057-GPOS-00027 ","satisfies":["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028","SRG-OS-000059-GPOS-00029"],"gid":"V-238246 ","rid":"SV-238246r653913_rule ","stig_id":"UBTU-20-010123 ","fix_id":"F-41415r653912_fix ","cci":["CCI-000162"],"nist":["AU-9 a"]},"code":"control 'SV-238246' do\n title \"The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the audit log files are owned by \\\"root\\\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \\\"root\\\" user by using the following\ncommand:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \\\"root\\\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238246 '\n tag rid: 'SV-238246r653913_rule '\n tag stig_id: 'UBTU-20-010123 '\n tag fix_id: 'F-41415r653912_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('owner') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238246.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.9e-05,"start_time":"2022-12-07T14:54:52-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238247","title":"The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. ","desc":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.","descriptions":[{"label":"default","data":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity."},{"label":"check","data":"Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \"log_group\" parameter is other than \"root\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \"root\" group by using the following command:\n$ sudo stat -c \"%n %G\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\"root\", this is a finding."},{"label":"fix","data":"Configure the audit log directory and its underlying files to be owned by \"root\" group.\n\nSet\nthe \"log_group\" parameter of the audit configuration file to the \"root\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000057-GPOS-00027 ","satisfies":["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028","SRG-OS-000059-GPOS-00029"],"gid":"V-238247 ","rid":"SV-238247r832947_rule ","stig_id":"UBTU-20-010124 ","fix_id":"F-41416r832946_fix ","cci":["CCI-000162"],"nist":["AU-9 a"]},"code":"control 'SV-238247' do\n title \"The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \\\"log_group\\\" parameter is other than \\\"root\\\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \\\"root\\\" group by using the following command:\n$ sudo stat -c \\\"%n %G\\\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" group.\n\nSet\nthe \\\"log_group\\\" parameter of the audit configuration file to the \\\"root\\\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238247 '\n tag rid: 'SV-238247r832947_rule '\n tag stig_id: 'UBTU-20-010124 '\n tag fix_id: 'F-41416r832946_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('group') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238247.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.8e-05,"start_time":"2022-12-07T14:54:53-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238248","title":"The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. ","desc":"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity.","descriptions":[{"label":"default","data":"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity."},{"label":"check","data":"Verify that the audit log directory has a mode of \"0750\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \"0750\" or less by\nusing the following command:\n\n$ sudo stat -c \"%n %a\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \"0750\", this is a finding."},{"label":"fix","data":"Configure the audit log directory to have a mode of \"0750\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\"0750\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000059-GPOS-00029 ","gid":"V-238248 ","rid":"SV-238248r653919_rule ","stig_id":"UBTU-20-010128 ","fix_id":"F-41417r653918_fix ","cci":["CCI-000164"],"nist":["AU-9 a"]},"code":"control 'SV-238248' do\n title \"The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. \"\n desc \"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity. \"\n desc 'check', \"Verify that the audit log directory has a mode of \\\"0750\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \\\"0750\\\" or less by\nusing the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \\\"0750\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory to have a mode of \\\"0750\\\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\\\"0750\\\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000059-GPOS-00029 '\n tag gid: 'V-238248 '\n tag rid: 'SV-238248r653919_rule '\n tag stig_id: 'UBTU-20-010128 '\n tag fix_id: 'F-41417r653918_fix '\n tag cci: ['CCI-000164']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n if log_dir_exists\n describe directory(File.dirname(log_file)) do\n it { should_not be_more_permissive_than('0750') }\n end\n else\n describe('Audit directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238248.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.8e-05,"start_time":"2022-12-07T14:54:53-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238249","title":"The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. ","desc":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one."},{"label":"check","data":"Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files have a mode of \"0640\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\"/etc/audit/audit.rule\",\"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nhave a mode more permissive than \"0640\", this is a finding."},{"label":"fix","data":"Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files to have a mode of \"0640\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000063-GPOS-00032 ","gid":"V-238249 ","rid":"SV-238249r653922_rule ","stig_id":"UBTU-20-010133 ","fix_id":"F-41418r653921_fix ","cci":["CCI-000171"],"nist":["AU-12 b"]},"code":"control 'SV-238249' do\n title \"The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files have a mode of \\\"0640\\\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\\\"/etc/audit/audit.rule\\\",\\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nhave a mode more permissive than \\\"0640\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to have a mode of \\\"0640\\\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238249 '\n tag rid: 'SV-238249r653922_rule '\n tag stig_id: 'UBTU-20-010133 '\n tag fix_id: 'F-41418r653921_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n it { should_not be_more_permissive_than('0640') }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238249.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":7.0e-06,"start_time":"2022-12-07T14:54:53-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238250","title":"The Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. ","desc":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one."},{"label":"check","data":"Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and\n\"/etc/audit/auditd.conf\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nis owned by a user other than \"root\", this is a finding."},{"label":"fix","data":"Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and\n\"/etc/audit/auditd.conf\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000063-GPOS-00032 ","gid":"V-238250 ","rid":"SV-238250r653925_rule ","stig_id":"UBTU-20-010134 ","fix_id":"F-41419r653924_fix ","cci":["CCI-000171"],"nist":["AU-12 b"]},"code":"control 'SV-238250' do\n title \"The Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238250 '\n tag rid: 'SV-238250r653925_rule '\n tag stig_id: 'UBTU-20-010134 '\n tag fix_id: 'F-41419r653924_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238250.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.2e-05,"start_time":"2022-12-07T14:54:53-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238251","title":"The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. ","desc":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one."},{"label":"check","data":"Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nis owned by a group other than \"root\", this is a finding."},{"label":"fix","data":"Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000063-GPOS-00032 ","gid":"V-238251 ","rid":"SV-238251r653928_rule ","stig_id":"UBTU-20-010135 ","fix_id":"F-41420r653927_fix ","cci":["CCI-000171"],"nist":["AU-12 b"]},"code":"control 'SV-238251' do\n title \"The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a group other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238251 '\n tag rid: 'SV-238251r653928_rule '\n tag stig_id: 'UBTU-20-010135 '\n tag fix_id: 'F-41420r653927_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238251.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.7e-05,"start_time":"2022-12-07T14:54:53-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238252","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"su\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x -F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"su\" command occur.\n\nAdd or update the\nfollowing rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238252 ","rid":"SV-238252r653931_rule ","stig_id":"UBTU-20-010136 ","fix_id":"F-41421r653930_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238252' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"su\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x -F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \\\"su\\\" command occur.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238252 '\n tag rid: 'SV-238252r653931_rule '\n tag stig_id: 'UBTU-20-010136 '\n tag fix_id: 'F-41421r653930_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/su'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238252.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.2e-05,"start_time":"2022-12-07T14:54:53-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238253","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"chfn\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"chfn\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238253 ","rid":"SV-238253r653934_rule ","stig_id":"UBTU-20-010137 ","fix_id":"F-41422r653933_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238253' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"chfn\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chfn\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238253 '\n tag rid: 'SV-238253r653934_rule '\n tag stig_id: 'UBTU-20-010137 '\n tag fix_id: 'F-41422r653933_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chfn'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238253.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.5e-05,"start_time":"2022-12-07T14:54:53-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238254","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"mount\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"mount\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238254 ","rid":"SV-238254r653937_rule ","stig_id":"UBTU-20-010138 ","fix_id":"F-41423r653936_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238254' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"mount\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"mount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238254 '\n tag rid: 'SV-238254r653937_rule '\n tag stig_id: 'UBTU-20-010138 '\n tag fix_id: 'F-41423r653936_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/mount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238254.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.1e-05,"start_time":"2022-12-07T14:54:53-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238255","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \"umount\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"umount\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238255 ","rid":"SV-238255r653940_rule ","stig_id":"UBTU-20-010139 ","fix_id":"F-41424r653939_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238255' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \\\"umount\\\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"umount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238255 '\n tag rid: 'SV-238255r653940_rule '\n tag stig_id: 'UBTU-20-010139 '\n tag fix_id: 'F-41424r653939_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/umount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238255.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.1e-05,"start_time":"2022-12-07T14:54:53-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238256","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-agent command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"ssh-agent\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep '/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"ssh-agent\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238256 ","rid":"SV-238256r653943_rule ","stig_id":"UBTU-20-010140 ","fix_id":"F-41425r653942_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238256' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-agent command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-agent\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep '/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-agent\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238256 '\n tag rid: 'SV-238256r653943_rule '\n tag stig_id: 'UBTU-20-010140 '\n tag fix_id: 'F-41425r653942_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/ssh-agent'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238256.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.8e-05,"start_time":"2022-12-07T14:54:53-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238257","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"ssh-keysign\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"ssh-keysign\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238257 ","rid":"SV-238257r653946_rule ","stig_id":"UBTU-20-010141 ","fix_id":"F-41426r653945_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238257' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-keysign\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-keysign\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238257 '\n tag rid: 'SV-238257r653946_rule '\n tag stig_id: 'UBTU-20-010141 '\n tag fix_id: 'F-41426r653945_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/lib/openssh/ssh-keysign'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238257.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.7e-05,"start_time":"2022-12-07T14:54:54-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238258","title":"The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\",\n\"fremovexattr\", and \"lremovexattr\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \"setxattr\", \"fsetxattr\",\n\"lsetxattr\", \"removexattr\", \"fremovexattr\" and \"lremovexattr\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and\n\"lremovexattr\" system calls.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"],"gid":"V-238258 ","rid":"SV-238258r808474_rule ","stig_id":"UBTU-20-010142 ","fix_id":"F-41427r808473_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238258' do\n title \"The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\",\n\\\"fremovexattr\\\", and \\\"lremovexattr\\\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \\\"setxattr\\\", \\\"fsetxattr\\\",\n\\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\" and \\\"lremovexattr\\\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\", and\n\\\"lremovexattr\\\" system calls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238258 '\n tag rid: 'SV-238258r808474_rule '\n tag stig_id: 'UBTU-20-010142 '\n tag fix_id: 'F-41427r808473_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('setxattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('setxattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238258.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.7e-05,"start_time":"2022-12-07T14:54:54-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238264","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \"chown\",\n\"fchown\", \"fchownat\", and \"lchown\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nAdd or update the following\nrules in the \"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"],"gid":"V-238264 ","rid":"SV-238264r808477_rule ","stig_id":"UBTU-20-010148 ","fix_id":"F-41433r808476_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238264' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \\\"chown\\\",\n\\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nAdd or update the following\nrules in the \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238264 '\n tag rid: 'SV-238264r808477_rule '\n tag stig_id: 'UBTU-20-010148 '\n tag fix_id: 'F-41433r808476_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chown').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chown').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238264.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.7e-05,"start_time":"2022-12-07T14:54:54-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238268","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \"chmod\", \"fchmod\" and\n\"fchmodat\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nAdd or update the following rules in\nthe \"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"],"gid":"V-238268 ","rid":"SV-238268r808480_rule ","stig_id":"UBTU-20-010152 ","fix_id":"F-41437r808479_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238268' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \\\"chmod\\\", \\\"fchmod\\\" and\n\\\"fchmodat\\\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nAdd or update the following rules in\nthe \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238268 '\n tag rid: 'SV-238268r808480_rule '\n tag stig_id: 'UBTU-20-010152 '\n tag fix_id: 'F-41437r808479_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chmod').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chmod').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238268.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.4e-05,"start_time":"2022-12-07T14:54:54-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238271","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\|truncate\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \"-k\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove."},{"label":"fix","data":"Configure the audit system to generate an audit event for any unsuccessful use of the\"creat\",\n\"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" system calls.\n\nAdd\nor update the following rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000474-GPOS-00219"],"gid":"V-238271 ","rid":"SV-238271r808483_rule ","stig_id":"UBTU-20-010155 ","fix_id":"F-41440r808482_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238271' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\\\|truncate\\\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any unsuccessful use of the\\\"creat\\\",\n\\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" system calls.\n\nAdd\nor update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000474-GPOS-00219)\n tag gid: 'V-238271 '\n tag rid: 'SV-238271r808483_rule '\n tag stig_id: 'UBTU-20-010155 '\n tag fix_id: 'F-41440r808482_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238271.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.4e-05,"start_time":"2022-12-07T14:54:54-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238277","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"sudo\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"sudo\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238277 ","rid":"SV-238277r654006_rule ","stig_id":"UBTU-20-010161 ","fix_id":"F-41446r654005_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238277' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"sudo\\\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudo\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238277 '\n tag rid: 'SV-238277r654006_rule '\n tag stig_id: 'UBTU-20-010161 '\n tag fix_id: 'F-41446r654005_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudo'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238277.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-05,"start_time":"2022-12-07T14:54:54-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238278","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"sudoedit\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"sudoedit\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238278 ","rid":"SV-238278r654009_rule ","stig_id":"UBTU-20-010162 ","fix_id":"F-41447r654008_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238278' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"sudoedit\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudoedit\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238278 '\n tag rid: 'SV-238278r654009_rule '\n tag stig_id: 'UBTU-20-010162 '\n tag fix_id: 'F-41447r654008_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudoedit'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238278.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.9e-05,"start_time":"2022-12-07T14:54:54-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238279","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chsh\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chsh\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238279 ","rid":"SV-238279r654012_rule ","stig_id":"UBTU-20-010163 ","fix_id":"F-41448r654011_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238279' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chsh\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chsh\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238279 '\n tag rid: 'SV-238279r654012_rule '\n tag stig_id: 'UBTU-20-010163 '\n tag fix_id: 'F-41448r654011_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chsh'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238279.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.8e-05,"start_time":"2022-12-07T14:54:54-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238280","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"newgrp\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"newgrp\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238280 ","rid":"SV-238280r654015_rule ","stig_id":"UBTU-20-010164 ","fix_id":"F-41449r654014_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238280' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"newgrp\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"newgrp\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238280 '\n tag rid: 'SV-238280r654015_rule '\n tag stig_id: 'UBTU-20-010164 '\n tag fix_id: 'F-41449r654014_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/newgrp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238280.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.9e-05,"start_time":"2022-12-07T14:54:54-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238281","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chcon\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chcon\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238281 ","rid":"SV-238281r654018_rule ","stig_id":"UBTU-20-010165 ","fix_id":"F-41450r654017_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238281' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chcon\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chcon\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238281 '\n tag rid: 'SV-238281r654018_rule '\n tag stig_id: 'UBTU-20-010165 '\n tag fix_id: 'F-41450r654017_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chcon'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238281.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.1e-05,"start_time":"2022-12-07T14:54:54-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238282","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"apparmor_parser\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"apparmor_parser\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238282 ","rid":"SV-238282r654021_rule ","stig_id":"UBTU-20-010166 ","fix_id":"F-41451r654020_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238282' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"apparmor_parser\\\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"apparmor_parser\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238282 '\n tag rid: 'SV-238282r654021_rule '\n tag stig_id: 'UBTU-20-010166 '\n tag fix_id: 'F-41451r654020_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/apparmor_parser'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238282.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-05,"start_time":"2022-12-07T14:54:55-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238283","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"setfacl\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"setfacl\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238283 ","rid":"SV-238283r654024_rule ","stig_id":"UBTU-20-010167 ","fix_id":"F-41452r654023_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238283' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setfacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setfacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238283 '\n tag rid: 'SV-238283r654024_rule '\n tag stig_id: 'UBTU-20-010167 '\n tag fix_id: 'F-41452r654023_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/setfacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238283.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.3e-05,"start_time":"2022-12-07T14:54:55-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238284","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chacl\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chacl\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238284 ","rid":"SV-238284r654027_rule ","stig_id":"UBTU-20-010168 ","fix_id":"F-41453r654026_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238284' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238284 '\n tag rid: 'SV-238284r654027_rule '\n tag stig_id: 'UBTU-20-010168 '\n tag fix_id: 'F-41453r654026_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238284.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.2e-05,"start_time":"2022-12-07T14:54:55-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238285","title":"The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \"tallylog\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"tallylog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"gid":"V-238285 ","rid":"SV-238285r654030_rule ","stig_id":"UBTU-20-010169 ","fix_id":"F-41454r654029_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238285' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238285 '\n tag rid: 'SV-238285r654030_rule '\n tag stig_id: 'UBTU-20-010169 '\n tag fix_id: 'F-41454r654029_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/tallylog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238285.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.6e-05,"start_time":"2022-12-07T14:54:55-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238286","title":"The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \"faillog\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"faillog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"gid":"V-238286 ","rid":"SV-238286r654033_rule ","stig_id":"UBTU-20-010170 ","fix_id":"F-41455r654032_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238286' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238286 '\n tag rid: 'SV-238286r654033_rule '\n tag stig_id: 'UBTU-20-010170 '\n tag fix_id: 'F-41455r654032_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/faillog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238286.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":9.0e-05,"start_time":"2022-12-07T14:54:55-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238287","title":"The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \"lastlog\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"lastlog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"gid":"V-238287 ","rid":"SV-238287r654036_rule ","stig_id":"UBTU-20-010171 ","fix_id":"F-41456r654035_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238287' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238287 '\n tag rid: 'SV-238287r654036_rule '\n tag stig_id: 'UBTU-20-010171 '\n tag fix_id: 'F-41456r654035_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/lastlog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238287.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.7e-05,"start_time":"2022-12-07T14:54:55-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238288","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"passwd\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"key\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"passwd\" command.\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238288 ","rid":"SV-238288r833012_rule ","stig_id":"UBTU-20-010172 ","fix_id":"F-41457r832949_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238288' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"passwd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"key\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"passwd\\\" command.\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238288 '\n tag rid: 'SV-238288r833012_rule '\n tag stig_id: 'UBTU-20-010172 '\n tag fix_id: 'F-41457r832949_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238288.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.8e-05,"start_time":"2022-12-07T14:54:55-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238289","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the unix_update command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the\n\"unix_update\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"unix_update\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238289 ","rid":"SV-238289r654042_rule ","stig_id":"UBTU-20-010173 ","fix_id":"F-41458r654041_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238289' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the unix_update command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"unix_update\\\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"unix_update\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238289 '\n tag rid: 'SV-238289r654042_rule '\n tag stig_id: 'UBTU-20-010173 '\n tag fix_id: 'F-41458r654041_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/unix_update'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238289.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.5e-05,"start_time":"2022-12-07T14:54:55-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238290","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"gpasswd\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"gpasswd\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238290 ","rid":"SV-238290r654045_rule ","stig_id":"UBTU-20-010174 ","fix_id":"F-41459r654044_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238290' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"gpasswd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"gpasswd\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238290 '\n tag rid: 'SV-238290r654045_rule '\n tag stig_id: 'UBTU-20-010174 '\n tag fix_id: 'F-41459r654044_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/gpasswd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238290.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.3e-05,"start_time":"2022-12-07T14:54:55-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238291","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"chage\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"chage\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238291 ","rid":"SV-238291r654048_rule ","stig_id":"UBTU-20-010175 ","fix_id":"F-41460r654047_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238291' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"chage\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chage\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238291 '\n tag rid: 'SV-238291r654048_rule '\n tag stig_id: 'UBTU-20-010175 '\n tag fix_id: 'F-41460r654047_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chage'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238291.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.9e-05,"start_time":"2022-12-07T14:54:55-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238292","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"usermod\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"usermod\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238292 ","rid":"SV-238292r654051_rule ","stig_id":"UBTU-20-010176 ","fix_id":"F-41461r654050_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238292' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"usermod\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"usermod\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238292 '\n tag rid: 'SV-238292r654051_rule '\n tag stig_id: 'UBTU-20-010176 '\n tag fix_id: 'F-41461r654050_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/usermod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238292.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.5e-05,"start_time":"2022-12-07T14:54:56-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238293","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"crontab\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"crontab\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238293 ","rid":"SV-238293r654054_rule ","stig_id":"UBTU-20-010177 ","fix_id":"F-41462r654053_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238293' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"crontab\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"crontab\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238293 '\n tag rid: 'SV-238293r654054_rule '\n tag stig_id: 'UBTU-20-010177 '\n tag fix_id: 'F-41462r654053_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/crontab'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238293.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":7.0e-06,"start_time":"2022-12-07T14:54:56-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238294","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the\n\"pam_timestamp_check\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"pam_timestamp_check\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238294 ","rid":"SV-238294r654057_rule ","stig_id":"UBTU-20-010178 ","fix_id":"F-41463r654056_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238294' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"pam_timestamp_check\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"pam_timestamp_check\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238294 '\n tag rid: 'SV-238294r654057_rule '\n tag stig_id: 'UBTU-20-010178 '\n tag fix_id: 'F-41463r654056_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/pam_timestamp_check'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238294.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-05,"start_time":"2022-12-07T14:54:56-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238295","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \"init_module\" and \"finit_module\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"init_module\" and \"finit_module\" syscalls.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000471-GPOS-00216"],"gid":"V-238295 ","rid":"SV-238295r808486_rule ","stig_id":"UBTU-20-010179 ","fix_id":"F-41464r808485_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238295' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \\\"init_module\\\" and \\\"finit_module\\\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000471-GPOS-00216)\n tag gid: 'V-238295 '\n tag rid: 'SV-238295r808486_rule '\n tag stig_id: 'UBTU-20-010179 '\n tag fix_id: 'F-41464r808485_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('init_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('init_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238295.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.6e-05,"start_time":"2022-12-07T14:54:56-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238297","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \"delete_module\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"delete_module\" syscall.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000477-GPOS-00222"],"gid":"V-238297 ","rid":"SV-238297r802387_rule ","stig_id":"UBTU-20-010181 ","fix_id":"F-41466r654065_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238297' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"delete_module\\\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"delete_module\\\" syscall.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: ['SRG-OS-000477-GPOS-00222']\n tag gid: 'V-238297 '\n tag rid: 'SV-238297r802387_rule '\n tag stig_id: 'UBTU-20-010181 '\n tag fix_id: 'F-41466r654065_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('delete_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('delete_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238297.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.9e-05,"start_time":"2022-12-07T14:54:56-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238298","title":"The Ubuntu operating system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. ","desc":"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.","descriptions":[{"label":"default","data":"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system."},{"label":"check","data":"Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \"auditd\" package is not installed, this is a finding.\n\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \"disabled\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \"inactive\",\nthis is a finding."},{"label":"fix","data":"Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000122-GPOS-00063 ","satisfies":["SRG-OS-000122-GPOS-00063","SRG-OS-000037-GPOS-00015","SRG-OS-000038-GPOS-00016","SRG-OS-000039-GPOS-00017","SRG-OS-000040-GPOS-00018","SRG-OS-000041-GPOS-00019","SRG-OS-000042-GPOS-00020","SRG-OS-000042-GPOS-00021","SRG-OS-000051-GPOS-00024","SRG-OS-000054-GPOS-00025","SRG-OS-000062-GPOS-00031","SRG-OS-000337-GPOS-00129","SRG-OS-000348-GPOS-00136","SRG-OS-000349-GPOS-00137","SRG-OS-000350-GPOS-00138","SRG-OS-000351-GPOS-00139","SRG-OS-000352-GPOS-00140","SRG-OS-000353-GPOS-00141","SRG-OS-000354-GPOS-00142","SRG-OS-000475-GPOS-00220"],"gid":"V-238298 ","rid":"SV-238298r853421_rule ","stig_id":"UBTU-20-010182 ","fix_id":"F-41467r654068_fix ","cci":["CCI-000130","CCI-000131","CCI-000132","CCI-000133","CCI-000134","CCI-000135","CCI-000154","CCI-000158","CCI-000169","CCI-000172","CCI-001875","CCI-001876","CCI-001877","CCI-001878","CCI-001879","CCI-001880","CCI-001881","CCI-001882","CCI-001914"],"nist":["AU-3 a","AU-3 b","AU-3 c","AU-3 d","AU-3 e","AU-3 (1)","AU-6 (4)","AU-7 (1)","AU-12 a","AU-12 c","AU-7 a","AU-7 b","AU-12 (3)"]},"code":"control 'SV-238298' do\n title \"The Ubuntu operating system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. \"\n desc \"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.\n\n \"\n desc 'check', \"Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \\\"auditd\\\" package is not installed, this is a finding.\n\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \\\"disabled\\\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \\\"inactive\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000122-GPOS-00063 '\n tag satisfies: %w(SRG-OS-000122-GPOS-00063 SRG-OS-000037-GPOS-00015 SRG-OS-000038-GPOS-00016 SRG-OS-000039-GPOS-00017 SRG-OS-000040-GPOS-00018 SRG-OS-000041-GPOS-00019 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000051-GPOS-00024 SRG-OS-000054-GPOS-00025 SRG-OS-000062-GPOS-00031 SRG-OS-000337-GPOS-00129 SRG-OS-000348-GPOS-00136 SRG-OS-000349-GPOS-00137 SRG-OS-000350-GPOS-00138 SRG-OS-000351-GPOS-00139 SRG-OS-000352-GPOS-00140 SRG-OS-000353-GPOS-00141 SRG-OS-000354-GPOS-00142 SRG-OS-000475-GPOS-00220)\n tag gid: 'V-238298 '\n tag rid: 'SV-238298r853421_rule '\n tag stig_id: 'UBTU-20-010182 '\n tag fix_id: 'F-41467r654068_fix '\n tag cci: %w(CCI-000130 CCI-000131 CCI-000132 CCI-000133 CCI-000134 CCI-000135 CCI-000154 CCI-000158 CCI-000169 CCI-000172 CCI-001875 CCI-001876 CCI-001877 CCI-001878 CCI-001879 CCI-001880 CCI-001881 CCI-001882 CCI-001914)\n tag nist: ['AU-3 a', 'AU-3 b', 'AU-3 c', 'AU-3 d', 'AU-3 e', 'AU-3 (1)', 'AU-6 (4)', 'AU-7 (1)', 'AU-12 a', 'AU-12 c', 'AU-7 a', 'AU-7 b', 'AU-12 (3)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('auditd') do\n it { should be_installed }\n end\n describe service('auditd') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238298.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.5e-05,"start_time":"2022-12-07T14:54:56-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238299","title":"The Ubuntu operating system must initiate session audits at system start-up. ","desc":"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created.","descriptions":[{"label":"default","data":"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created."},{"label":"check","data":"Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \"^\\s*linux\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \"audit=1\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\"/etc/default/grub\" file and add \"audit=1\" to the \"GRUB_CMDLINE_LINUX\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000254-GPOS-00095 ","gid":"V-238299 ","rid":"SV-238299r654072_rule ","stig_id":"UBTU-20-010198 ","fix_id":"F-41468r654071_fix ","cci":["CCI-001464"],"nist":["AU-14 (1)"]},"code":"control 'SV-238299' do\n title 'The Ubuntu operating system must initiate session audits at system start-up. '\n desc \"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created. \"\n desc 'check', \"Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \\\"^\\\\s*linux\\\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \\\"audit=1\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\\\"/etc/default/grub\\\" file and add \\\"audit=1\\\" to the \\\"GRUB_CMDLINE_LINUX\\\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000254-GPOS-00095 '\n tag gid: 'V-238299 '\n tag rid: 'SV-238299r654072_rule '\n tag stig_id: 'UBTU-20-010198 '\n tag fix_id: 'F-41468r654071_fix '\n tag cci: ['CCI-001464']\n tag nist: ['AU-14 (1)']\n\n grub_entries = command('grep \"^\\s*linux\" /boot/grub/grub.cfg').stdout.strip.split(\"\\n\").entries\n\n grub_entries.each do |entry|\n describe entry do\n it { should include 'audit=1' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238299.rb"},"waiver_data":{},"results":[]},{"id":"SV-238300","title":"The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the Ubuntu operating system configures the audit tools to have a file permission of\n0755 or less to prevent unauthorized access by running the following command:\n\n$ stat -c \"%n\n%a\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl 755\n/sbin/aureport 755\n\n/sbin/ausearch 755\n/sbin/autrace 755\n/sbin/auditd 755\n/sbin/audispd 755\n\n/sbin/augenrules 755\n\nIf any of the audit tools have a mode more permissive than 0755, this\nis a finding."},{"label":"fix","data":"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n$ sudo chmod\n0755 [audit_tool]\n\nReplace \"[audit_tool]\" with the audit tool that does not have the\ncorrect permissions."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000256-GPOS-00097 ","satisfies":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"],"gid":"V-238300 ","rid":"SV-238300r654075_rule ","stig_id":"UBTU-20-010199 ","fix_id":"F-41469r654074_fix ","cci":["CCI-001493","CCI-001494"],"nist":["AU-9 a","AU-9"]},"code":"control 'SV-238300' do\n title 'The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to have a file permission of\n0755 or less to prevent unauthorized access by running the following command:\n\n$ stat -c \\\"%n\n%a\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl 755\n/sbin/aureport 755\n\n/sbin/ausearch 755\n/sbin/autrace 755\n/sbin/auditd 755\n/sbin/audispd 755\n\n/sbin/augenrules 755\n\nIf any of the audit tools have a mode more permissive than 0755, this\nis a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n$ sudo chmod\n0755 [audit_tool]\n\nReplace \\\"[audit_tool]\\\" with the audit tool that does not have the\ncorrect permissions. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238300 '\n tag rid: 'SV-238300r654075_rule '\n tag stig_id: 'UBTU-20-010199 '\n tag fix_id: 'F-41469r654074_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238300.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.4e-05,"start_time":"2022-12-07T14:54:56-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238301","title":"The Ubuntu operating system must configure audit tools to be owned by root. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\"%n %U\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding."},{"label":"fix","data":"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not owned by root."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000256-GPOS-00097 ","satisfies":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"],"gid":"V-238301 ","rid":"SV-238301r654078_rule ","stig_id":"UBTU-20-010200 ","fix_id":"F-41470r654077_fix ","cci":["CCI-001493","CCI-001494"],"nist":["AU-9 a","AU-9"]},"code":"control 'SV-238301' do\n title 'The Ubuntu operating system must configure audit tools to be owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\\\"%n %U\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238301 '\n tag rid: 'SV-238301r654078_rule '\n tag stig_id: 'UBTU-20-010200 '\n tag fix_id: 'F-41470r654077_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238301.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.4e-05,"start_time":"2022-12-07T14:54:56-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238302","title":"The Ubuntu operating system must configure the audit tools to be group-owned by root. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \"%n %G\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding."},{"label":"fix","data":"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not group-owned by root."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000256-GPOS-00097 ","satisfies":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"],"gid":"V-238302 ","rid":"SV-238302r654081_rule ","stig_id":"UBTU-20-010201 ","fix_id":"F-41471r654080_fix ","cci":["CCI-001493","CCI-001494"],"nist":["AU-9 a","AU-9"]},"code":"control 'SV-238302' do\n title 'The Ubuntu operating system must configure the audit tools to be group-owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \\\"%n %G\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not group-owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238302 '\n tag rid: 'SV-238302r654081_rule '\n tag stig_id: 'UBTU-20-010201 '\n tag fix_id: 'F-41471r654080_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238302.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.7e-05,"start_time":"2022-12-07T14:54:56-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238303","title":"The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. ","desc":"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles.","descriptions":[{"label":"default","data":"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\/sbin\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding."},{"label":"fix","data":"Add or update the following selection lines for \"/etc/aide/aide.conf\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000278-GPOS-00108 ","gid":"V-238303 ","rid":"SV-238303r654084_rule ","stig_id":"UBTU-20-010205 ","fix_id":"F-41472r654083_fix ","cci":["CCI-001496"],"nist":["AU-9 (3)"]},"code":"control 'SV-238303' do\n title \"The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. \"\n desc \"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\\\/sbin\\\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding. \"\n desc 'fix', \"Add or update the following selection lines for \\\"/etc/aide/aide.conf\\\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000278-GPOS-00108 '\n tag gid: 'V-238303 '\n tag rid: 'SV-238303r654084_rule '\n tag stig_id: 'UBTU-20-010205 '\n tag fix_id: 'F-41472r654083_fix '\n tag cci: ['CCI-001496']\n tag nist: ['AU-9 (3)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n aide_conf = aide_conf input('aide_conf_path')\n\n aide_conf_exists = aide_conf.exist?\n\n if aide_conf_exists\n describe aide_conf.where { selection_line == '/sbin/auditctl' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/auditd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/ausearch' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/aureport' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/autrace' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/audispd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/augenrules' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n else\n describe 'aide.conf file exists' do\n subject { aide_conf_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238303.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.7e-05,"start_time":"2022-12-07T14:54:57-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238304","title":"The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. ","desc":"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.","descriptions":[{"label":"default","data":"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review."},{"label":"check","data":"Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \"execve\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000326-GPOS-00126 ","satisfies":["SRG-OS-000326-GPOS-00126","SRG-OS-000327-GPOS-00127"],"gid":"V-238304 ","rid":"SV-238304r853422_rule ","stig_id":"UBTU-20-010211 ","fix_id":"F-41473r654086_fix ","cci":["CCI-002233","CCI-002234"],"nist":["AC-6 (8)","AC-6 (9)"]},"code":"control 'SV-238304' do\n title \"The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. \"\n desc \"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \\\"execve\\\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000326-GPOS-00126 '\n tag satisfies: %w(SRG-OS-000326-GPOS-00126 SRG-OS-000327-GPOS-00127)\n tag gid: 'V-238304 '\n tag rid: 'SV-238304r853422_rule '\n tag stig_id: 'UBTU-20-010211 '\n tag fix_id: 'F-41473r654086_fix '\n tag cci: %w(CCI-002233 CCI-002234)\n tag nist: ['AC-6 (8)', 'AC-6 (9)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('execve').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('execve').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238304.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.4e-05,"start_time":"2022-12-07T14:54:57-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238305","title":"The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. ","desc":"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system.","descriptions":[{"label":"default","data":"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system."},{"label":"check","data":"Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \"/var/log/audit/\") with the following command:\n\n$\nsudo df –h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\"/var/log/audit\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du –sh [audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding."},{"label":"fix","data":"Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \"parted\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\s*=\\s*).*@\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint."}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000341-GPOS-00132 ","gid":"V-238305 ","rid":"SV-238305r853423_rule ","stig_id":"UBTU-20-010215 ","fix_id":"F-41474r654089_fix ","cci":["CCI-001849"],"nist":["AU-4"]},"code":"control 'SV-238305' do\n title \"The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. \"\n desc \"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system. \"\n desc 'check', \"Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \\\"/var/log/audit/\\\") with the following command:\n\n$\nsudo df –h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\\\"/var/log/audit\\\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du –sh [audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding. \"\n desc 'fix', \"Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \\\"parted\\\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\\\s*=\\\\s*).*@\\\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000341-GPOS-00132 '\n tag gid: 'V-238305 '\n tag rid: 'SV-238305r853423_rule '\n tag stig_id: 'UBTU-20-010215 '\n tag fix_id: 'F-41474r654089_fix '\n tag cci: ['CCI-001849']\n tag nist: ['AU-4']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n log_file_dir = File.dirname(log_file)\n available_storage = filesystem(log_file_dir).free_kb\n log_file_size = file(log_file).size\n standard_audit_log_size = input('standard_audit_log_size')\n describe('Current audit log file size is less than the specified standard of ' + standard_audit_log_size.to_s) do\n subject { log_file_size.to_i }\n it { should be <= standard_audit_log_size }\n end\n describe('Available storage for audit log should be more than the defined standard of ' + standard_audit_log_size.to_s) do\n subject { available_storage.to_i }\n it { should be > standard_audit_log_size }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238305.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.2e-05,"start_time":"2022-12-07T14:54:57-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238306","title":"The Ubuntu operating system audit event multiplexor must be configured to off-load audit\nlogs onto a different system or storage media from the system being audited. ","desc":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity.","descriptions":[{"label":"default","data":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity."},{"label":"check","data":"Verify the audit event multiplexor is configured to offload audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that audisp-remote plugin is\ninstalled:\n\n$ sudo dpkg -s audispd-plugins\n\nIf status is \"not installed\", this is a\nfinding.\n\nCheck that the records are being offloaded to a remote server with the following\ncommand:\n\n$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf\n\"active\" is not set to \"yes\", or the line is commented out, this is a finding.\n\nCheck that\naudisp-remote plugin is configured to send audit logs to a different system:\n\n$ sudo grep -i\n^remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 192.168.122.126\n\nIf\nthe \"remote_server\" parameter is not set, is set with a local address, or is set with an invalid\naddress, this is a finding."},{"label":"fix","data":"Configure the audit event multiplexor to offload audit records to a different system or\nstorage media from the system being audited.\n\nInstall the audisp-remote plugin:\n\n$ sudo\napt-get install audispd-plugins -y\n\nSet the audisp-remote plugin as active by editing the\n\"/etc/audisp/plugins.d/au-remote.conf\" file:\n\n$ sudo sed -i -E\n's/active\\s*=\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf\n\nSet the\naddress of the remote machine by editing the \"/etc/audisp/audisp-remote.conf\" file:\n\n$\nsudo sed -i -E 's/(remote_server\\s*=).*/\\1 <remote addr>/'\n/etc/audisp/audisp-remote.conf\n\nwhere <remote addr> must be substituted by the\naddress of the remote server receiving the audit log.\n\nMake the audit service reload its\nconfiguration files:\n\n$ sudo systemctl restart auditd.service"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000342-GPOS-00133 ","satisfies":["SRG-OS-000342-GPOS-00133","SRG-OS-000479-GPOS-00224"],"gid":"V-238306 ","rid":"SV-238306r853424_rule ","stig_id":"UBTU-20-010216 ","fix_id":"F-41475r654092_fix ","cci":["CCI-001851"],"nist":["AU-4 (1)"]},"code":"control 'SV-238306' do\n title \"The Ubuntu operating system audit event multiplexor must be configured to off-load audit\nlogs onto a different system or storage media from the system being audited. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity.\n\n \"\n desc 'check', \"Verify the audit event multiplexor is configured to offload audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that audisp-remote plugin is\ninstalled:\n\n$ sudo dpkg -s audispd-plugins\n\nIf status is \\\"not installed\\\", this is a\nfinding.\n\nCheck that the records are being offloaded to a remote server with the following\ncommand:\n\n$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf\n\\\"active\\\" is not set to \\\"yes\\\", or the line is commented out, this is a finding.\n\nCheck that\naudisp-remote plugin is configured to send audit logs to a different system:\n\n$ sudo grep -i\n^remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 192.168.122.126\n\nIf\nthe \\\"remote_server\\\" parameter is not set, is set with a local address, or is set with an invalid\naddress, this is a finding. \"\n desc 'fix', \"Configure the audit event multiplexor to offload audit records to a different system or\nstorage media from the system being audited.\n\nInstall the audisp-remote plugin:\n\n$ sudo\napt-get install audispd-plugins -y\n\nSet the audisp-remote plugin as active by editing the\n\\\"/etc/audisp/plugins.d/au-remote.conf\\\" file:\n\n$ sudo sed -i -E\n's/active\\\\s*=\\\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf\n\nSet the\naddress of the remote machine by editing the \\\"/etc/audisp/audisp-remote.conf\\\" file:\n\n$\nsudo sed -i -E 's/(remote_server\\\\s*=).*/\\\\1 <remote addr>/'\n/etc/audisp/audisp-remote.conf\n\nwhere <remote addr> must be substituted by the\naddress of the remote server receiving the audit log.\n\nMake the audit service reload its\nconfiguration files:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000342-GPOS-00133 '\n tag satisfies: %w(SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224)\n tag gid: 'V-238306 '\n tag rid: 'SV-238306r853424_rule '\n tag stig_id: 'UBTU-20-010216 '\n tag fix_id: 'F-41475r654092_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = input('audispremote_config_file')\n config_file_exists = file(config_file).exist?\n audit_sp_remote_server = input('audit_sp_remote_server')\n\n describe package('audispd-plugins') do\n it { should be_installed }\n end\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('active') { should cmp 'yes' }\n its('remote_server') { should cmp audit_sp_remote_server }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238306.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.4e-05,"start_time":"2022-12-07T14:54:57-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238307","title":"The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. ","desc":"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion.","descriptions":[{"label":"default","data":"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion."},{"label":"check","data":"Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \"space_left\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \"space_left_action\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \"space_left_action\" is set to \"syslog\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\"space_left_action\" is set to \"exec\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \"space_left_action\" is set\nto \"email\", check the value of the \"action_mail_acct\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \"action_mail_acct\" parameter, if missing, defaults to \"root\". If the\n\"action_mail_acct parameter\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available."},{"label":"fix","data":"Edit \"/etc/audit/auditd.conf\" and set the \"space_left_action\" parameter to \"exec\" or\n\"email\".\n\nIf the \"space_left_action\" parameter is set to \"email\", set the\n\"action_mail_acct\" parameter to an email address for the SA and ISSO.\n\nIf the\n\"space_left_action\" parameter is set to \"exec\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \"/etc/audit/auditd.conf\" and set the \"space_left\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity."}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000343-GPOS-00134 ","gid":"V-238307 ","rid":"SV-238307r853425_rule ","stig_id":"UBTU-20-010217 ","fix_id":"F-41476r654095_fix ","cci":["CCI-001855"],"nist":["AU-5 (1)"]},"code":"control 'SV-238307' do\n title \"The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. \"\n desc \"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion. \"\n desc 'check', \"Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \\\"space_left\\\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \\\"space_left_action\\\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \\\"space_left_action\\\" is set to \\\"syslog\\\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\\\"space_left_action\\\" is set to \\\"exec\\\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \\\"space_left_action\\\" is set\nto \\\"email\\\", check the value of the \\\"action_mail_acct\\\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \\\"action_mail_acct\\\" parameter, if missing, defaults to \\\"root\\\". If the\n\\\"action_mail_acct parameter\\\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available. \"\n desc 'fix', \"Edit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left_action\\\" parameter to \\\"exec\\\" or\n\\\"email\\\".\n\nIf the \\\"space_left_action\\\" parameter is set to \\\"email\\\", set the\n\\\"action_mail_acct\\\" parameter to an email address for the SA and ISSO.\n\nIf the\n\\\"space_left_action\\\" parameter is set to \\\"exec\\\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left\\\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000343-GPOS-00134 '\n tag gid: 'V-238307 '\n tag rid: 'SV-238307r853425_rule '\n tag stig_id: 'UBTU-20-010217 '\n tag fix_id: 'F-41476r654095_fix '\n tag cci: ['CCI-001855']\n tag nist: ['AU-5 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n email_to_notify = input('action_mail_acct')\n\n partition_threshold_mb = (filesystem(log_file).size_kb / 1024 * 0.25).to_i\n system_alert_configuration_mb = auditd_conf.space_left.to_i\n\n describe 'The space_left configuration' do\n subject { system_alert_configuration_mb }\n it { should >= partition_threshold_mb }\n end\n describe 'The space_left_action configuration' do\n subject { auditd_conf.space_left_action }\n it { should eq 'email' }\n end\n\n describe 'The action_mail_acct configuration' do\n subject { auditd_conf.action_mail_acct }\n it { should eq email_to_notify }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238307.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.3e-05,"start_time":"2022-12-07T14:54:57-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238308","title":"The Ubuntu operating system must record time stamps for audit records that can be mapped to\nCoordinated Universal Time (UTC) or Greenwich Mean Time (GMT). ","desc":"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.","descriptions":[{"label":"default","data":"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC."},{"label":"check","data":"To verify the time zone is configured to use UTC or GMT, run the following command.\n\n$\ntimedatectl status | grep -i \"time zone\"\nTimezone: UTC (UTC, +0000)\n\nIf \"Timezone\" is not\nset to UTC or GMT, this is a finding."},{"label":"fix","data":"To configure the system time zone to use UTC or GMT, run the following command, replacing\n[ZONE] with UTC or GMT:\n\n$ sudo timedatectl set-timezone [ZONE]"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000359-GPOS-00146 ","gid":"V-238308 ","rid":"SV-238308r853426_rule ","stig_id":"UBTU-20-010230 ","fix_id":"F-41477r654098_fix ","cci":["CCI-001890"],"nist":["AU-8 b"]},"code":"control 'SV-238308' do\n title \"The Ubuntu operating system must record time stamps for audit records that can be mapped to\nCoordinated Universal Time (UTC) or Greenwich Mean Time (GMT). \"\n desc \"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. \"\n desc 'check', \"To verify the time zone is configured to use UTC or GMT, run the following command.\n\n$\ntimedatectl status | grep -i \\\"time zone\\\"\nTimezone: UTC (UTC, +0000)\n\nIf \\\"Timezone\\\" is not\nset to UTC or GMT, this is a finding. \"\n desc 'fix', \"To configure the system time zone to use UTC or GMT, run the following command, replacing\n[ZONE] with UTC or GMT:\n\n$ sudo timedatectl set-timezone [ZONE] \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000359-GPOS-00146 '\n tag gid: 'V-238308 '\n tag rid: 'SV-238308r853426_rule '\n tag stig_id: 'UBTU-20-010230 '\n tag fix_id: 'F-41477r654098_fix '\n tag cci: ['CCI-001890']\n tag nist: ['AU-8 b']\n\n time_zone = command('timedatectl status | grep -i \"time zone\"').stdout.strip\n\n describe time_zone do\n it { should match 'UTC' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238308.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"is expected to match \"UTC\"","run_time":0.001563,"start_time":"2022-12-07T14:54:57-05:00","message":"expected \"\" to match \"UTC\"","resource_class":"Object","resource_params":"[]","resource_id":""}]},{"id":"SV-238309","title":"The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, diagnostic sessions and other system-level access. ","desc":"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.","descriptions":[{"label":"default","data":"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of\nan Ethernet switch."},{"label":"check","data":"Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000392-GPOS-00172 ","satisfies":["SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"gid":"V-238309 ","rid":"SV-238309r853427_rule ","stig_id":"UBTU-20-010244 ","fix_id":"F-41478r654101_fix ","cci":["CCI-000172","CCI-002884"],"nist":["AU-12 c","MA-4 (1) (a)"]},"code":"control 'SV-238309' do\n title \"The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, diagnostic sessions and other system-level access. \"\n desc \"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\\\"ping,\\\" \\\"ls,\\\" \\\"ipconfig,\\\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000392-GPOS-00172 '\n tag satisfies: %w(SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215)\n tag gid: 'V-238309 '\n tag rid: 'SV-238309r853427_rule '\n tag stig_id: 'UBTU-20-010244 '\n tag fix_id: 'F-41478r654101_fix '\n tag cci: %w(CCI-000172 CCI-002884)\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/sudo.log'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238309.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.4e-05,"start_time":"2022-12-07T14:54:57-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238310","title":"The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\|rename\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \"unlink\",\n\"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \"key\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events for any successful/unsuccessful use of\n\"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" system calls.\n\nAdd or update the\nfollowing rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000468-GPOS-00212 ","gid":"V-238310 ","rid":"SV-238310r832953_rule ","stig_id":"UBTU-20-010267 ","fix_id":"F-41479r832952_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238310' do\n title \"The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible. \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\\\|rename\\\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \\\"unlink\\\",\n\\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \\\"key\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events for any successful/unsuccessful use of\n\\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" system calls.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000468-GPOS-00212 '\n tag gid: 'V-238310 '\n tag rid: 'SV-238310r832953_rule '\n tag stig_id: 'UBTU-20-010267 '\n tag fix_id: 'F-41479r832952_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('unlink').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('unlink').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238310.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.0e-05,"start_time":"2022-12-07T14:54:57-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238315","title":"The Ubuntu operating system must generate audit records for the /var/log/wtmp file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/log/wtmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/log/wtmp\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000472-GPOS-00217 ","gid":"V-238315 ","rid":"SV-238315r654120_rule ","stig_id":"UBTU-20-010277 ","fix_id":"F-41484r654119_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238315' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238315 '\n tag rid: 'SV-238315r654120_rule '\n tag stig_id: 'UBTU-20-010277 '\n tag fix_id: 'F-41484r654119_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238315.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.9e-05,"start_time":"2022-12-07T14:54:57-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238316","title":"The Ubuntu operating system must generate audit records for the /var/run/wtmp file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/run/wtmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/run/wtmp\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000472-GPOS-00217 ","gid":"V-238316 ","rid":"SV-238316r654123_rule ","stig_id":"UBTU-20-010278 ","fix_id":"F-41485r654122_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238316' do\n title 'The Ubuntu operating system must generate audit records for the /var/run/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/run/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/run/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238316 '\n tag rid: 'SV-238316r654123_rule '\n tag stig_id: 'UBTU-20-010278 '\n tag fix_id: 'F-41485r654122_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/run/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238316.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.6e-05,"start_time":"2022-12-07T14:54:57-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238317","title":"The Ubuntu operating system must generate audit records for the /var/log/btmp file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/log/btmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/log/btmp file\".\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000472-GPOS-00217 ","gid":"V-238317 ","rid":"SV-238317r654126_rule ","stig_id":"UBTU-20-010279 ","fix_id":"F-41486r654125_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238317' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/btmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/btmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/btmp file\\\".\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238317 '\n tag rid: 'SV-238317r654126_rule '\n tag stig_id: 'UBTU-20-010279 '\n tag fix_id: 'F-41486r654125_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/btmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238317.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.6e-05,"start_time":"2022-12-07T14:54:58-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238318","title":"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \"modprobe\" by running the following command:\n\n$ sudo auditctl -l | grep\n\"/sbin/modprobe\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \"modprobe\".\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000477-GPOS-00222 ","gid":"V-238318 ","rid":"SV-238318r654129_rule ","stig_id":"UBTU-20-010296 ","fix_id":"F-41487r654128_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238318' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"modprobe\\\" by running the following command:\n\n$ sudo auditctl -l | grep\n\\\"/sbin/modprobe\\\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"modprobe\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238318 '\n tag rid: 'SV-238318r654129_rule '\n tag stig_id: 'UBTU-20-010296 '\n tag fix_id: 'F-41487r654128_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/modprobe'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238318.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.8e-05,"start_time":"2022-12-07T14:54:58-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238319","title":"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \"kmod\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \"kmod\".\n\nAdd or update the following rule in the \"/etc/audit/rules.d/stig.rules\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000477-GPOS-00222 ","gid":"V-238319 ","rid":"SV-238319r654132_rule ","stig_id":"UBTU-20-010297 ","fix_id":"F-41488r654131_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238319' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"kmod\\\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"kmod\\\".\n\nAdd or update the following rule in the \\\"/etc/audit/rules.d/stig.rules\\\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238319 '\n tag rid: 'SV-238319r654132_rule '\n tag stig_id: 'UBTU-20-010297 '\n tag fix_id: 'F-41488r654131_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/kmod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238319.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.4e-05,"start_time":"2022-12-07T14:54:58-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238320","title":"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \"fdisk\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \"fdisk\".\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000477-GPOS-00222 ","gid":"V-238320 ","rid":"SV-238320r832956_rule ","stig_id":"UBTU-20-010298 ","fix_id":"F-41489r832955_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238320' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \\\"fdisk\\\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \\\"fdisk\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238320 '\n tag rid: 'SV-238320r832956_rule '\n tag stig_id: 'UBTU-20-010298 '\n tag fix_id: 'F-41489r832955_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/fdisk'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238320.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.5e-05,"start_time":"2022-12-07T14:54:58-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238321","title":"The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. ","desc":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity.","descriptions":[{"label":"default","data":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity."},{"label":"check","data":"Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\"/etc/cron.weekly\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding."},{"label":"fix","data":"Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \"/etc/cron.weekly\" directory."}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000479-GPOS-00224 ","gid":"V-238321 ","rid":"SV-238321r853428_rule ","stig_id":"UBTU-20-010300 ","fix_id":"F-41490r654137_fix ","cci":["CCI-001851"],"nist":["AU-4 (1)"]},"code":"control 'SV-238321' do\n title \"The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity. \"\n desc 'check', \"Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\\\"/etc/cron.weekly\\\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding. \"\n desc 'fix', \"Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \\\"/etc/cron.weekly\\\" directory. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000479-GPOS-00224 '\n tag gid: 'V-238321 '\n tag rid: 'SV-238321r853428_rule '\n tag stig_id: 'UBTU-20-010300 '\n tag fix_id: 'F-41490r654137_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n\n cron_file = input('auditoffload_config_file')\n cron_file_exists = file(cron_file).exist?\n\n if cron_file_exists\n describe file(cron_file) do\n its('content') { should_not be_empty }\n end\n else\n describe cron_file + ' exists' do\n subject { cron_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238321.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/cron.weekly/audit-offload exists is expected to equal true","run_time":0.007705,"start_time":"2022-12-07T14:54:58-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/cron.weekly/audit-offload exists"}]},{"id":"SV-238323","title":"The Ubuntu operating system must limit the number of concurrent sessions to ten for all\naccounts and/or account types. ","desc":"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system.","descriptions":[{"label":"default","data":"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system."},{"label":"check","data":"Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all\naccounts and/or account types by running the following command:\n\n$ grep maxlogins\n/etc/security/limits.conf | grep -v '^* hard maxlogins'\n\nThe result must contain the\nfollowing line:\n\n* hard maxlogins 10\n\nIf the \"maxlogins\" item is missing or the value is not\nset to 10 or less or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all\naccounts and/or account types.\n\nAdd the following line to the top of the\n\"/etc/security/limits.conf\" file:\n\n* hard maxlogins 10"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000027-GPOS-00008 ","gid":"V-238323 ","rid":"SV-238323r654144_rule ","stig_id":"UBTU-20-010400 ","fix_id":"F-41492r654143_fix ","cci":["CCI-000054"],"nist":["AC-10"]},"code":"control 'SV-238323' do\n title \"The Ubuntu operating system must limit the number of concurrent sessions to ten for all\naccounts and/or account types. \"\n desc \"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system. \"\n desc 'check', \"Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all\naccounts and/or account types by running the following command:\n\n$ grep maxlogins\n/etc/security/limits.conf | grep -v '^* hard maxlogins'\n\nThe result must contain the\nfollowing line:\n\n* hard maxlogins 10\n\nIf the \\\"maxlogins\\\" item is missing or the value is not\nset to 10 or less or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all\naccounts and/or account types.\n\nAdd the following line to the top of the\n\\\"/etc/security/limits.conf\\\" file:\n\n* hard maxlogins 10 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000027-GPOS-00008 '\n tag gid: 'V-238323 '\n tag rid: 'SV-238323r654144_rule '\n tag stig_id: 'UBTU-20-010400 '\n tag fix_id: 'F-41492r654143_fix '\n tag cci: ['CCI-000054']\n tag nist: ['AC-10']\n\n describe limits_conf do\n its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238323.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"limits.conf * is expected to include [\"hard\", \"maxlogins\", \"10\"]","run_time":0.003173,"start_time":"2022-12-07T14:54:58-05:00","resource_class":"limits_conf","resource_params":"[]","resource_id":"/etc/security/limits.conf"}]},{"id":"SV-238324","title":"The Ubuntu operating system must monitor remote access methods. ","desc":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets).","descriptions":[{"label":"default","data":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets)."},{"label":"check","data":"Verify that the Ubuntu operating system monitors all remote access methods.\n\nCheck that\nremote access methods are being logged by running the following command:\n\n$ grep -E -r\n'^(auth,authpriv\\.\\*|daemon\\.\\*)' /etc/rsyslog.*\n\n/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log\n\n/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages\n\nIf \"auth.*\",\n\"authpriv.*\", or \"daemon.*\" are not configured to be logged in at least one of the config\nfiles, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to monitor all remote access methods by adding the\nfollowing lines to the \"/etc/rsyslog.d/50-default.conf\" file:\n\nauth.*,authpriv.*\n/var/log/secure\ndaemon.* /var/log/messages\n\nFor the changes to take effect, restart the\n\"rsyslog\" service with the following command:\n\n$ sudo systemctl restart rsyslog.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000032-GPOS-00013 ","gid":"V-238324 ","rid":"SV-238324r832959_rule ","stig_id":"UBTU-20-010403 ","fix_id":"F-41493r832958_fix ","cci":["CCI-000067"],"nist":["AC-17 (1)"]},"code":"control 'SV-238324' do\n title 'The Ubuntu operating system must monitor remote access methods. '\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify that the Ubuntu operating system monitors all remote access methods.\n\nCheck that\nremote access methods are being logged by running the following command:\n\n$ grep -E -r\n'^(auth,authpriv\\\\.\\\\*|daemon\\\\.\\\\*)' /etc/rsyslog.*\n\n/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log\n\n/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages\n\nIf \\\"auth.*\\\",\n\\\"authpriv.*\\\", or \\\"daemon.*\\\" are not configured to be logged in at least one of the config\nfiles, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to monitor all remote access methods by adding the\nfollowing lines to the \\\"/etc/rsyslog.d/50-default.conf\\\" file:\n\nauth.*,authpriv.*\n/var/log/secure\ndaemon.* /var/log/messages\n\nFor the changes to take effect, restart the\n\\\"rsyslog\\\" service with the following command:\n\n$ sudo systemctl restart rsyslog.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000032-GPOS-00013 '\n tag gid: 'V-238324 '\n tag rid: 'SV-238324r832959_rule '\n tag stig_id: 'UBTU-20-010403 '\n tag fix_id: 'F-41493r832958_fix '\n tag cci: ['CCI-000067']\n tag nist: ['AC-17 (1)']\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*\\t\\s*(.*?)\\s*$/,\n }\n config_file = input('rsyslog_config_file')\n auth_setting = parse_config_file(config_file, options).params['auth,authpriv.*']\n daemon_setting = parse_config_file(config_file, options).params['daemon.notice']\n describe auth_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\n describe daemon_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238324.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"is expected not to be nil","run_time":0.001283,"start_time":"2022-12-07T14:54:58-05:00","message":"expected: not nil\n got: nil","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected not to be empty","run_time":0.014109,"start_time":"2022-12-07T14:54:58-05:00","message":"expected nil to respond to `empty?`","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected not to be nil","run_time":0.000529,"start_time":"2022-12-07T14:54:58-05:00","message":"expected: not nil\n got: nil","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected not to be empty","run_time":0.016171,"start_time":"2022-12-07T14:54:58-05:00","message":"expected nil to respond to `empty?`","resource_class":"Object","resource_params":"[]","resource_id":""}]},{"id":"SV-238325","title":"The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. ","desc":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.","descriptions":[{"label":"default","data":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised."},{"label":"check","data":"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \"ENCRYPT_METHOD\" does not equal SHA512 or\ngreater, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \"/etc/login.defs\" file and set \"ENCRYPT_METHOD\" to SHA512:\n\n\nENCRYPT_METHOD SHA512"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000120-GPOS-00061 ","gid":"V-238325 ","rid":"SV-238325r654150_rule ","stig_id":"UBTU-20-010404 ","fix_id":"F-41494r654149_fix ","cci":["CCI-000803"],"nist":["IA-7"]},"code":"control 'SV-238325' do\n title \"The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. \"\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \\\"ENCRYPT_METHOD\\\" does not equal SHA512 or\ngreater, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \\\"/etc/login.defs\\\" file and set \\\"ENCRYPT_METHOD\\\" to SHA512:\n\n\nENCRYPT_METHOD SHA512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000120-GPOS-00061 '\n tag gid: 'V-238325 '\n tag rid: 'SV-238325r654150_rule '\n tag stig_id: 'UBTU-20-010404 '\n tag fix_id: 'F-41494r654149_fix '\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n\n disable_fips = input('disable_fips')\n\n if disable_fips?\n impact 0.0\n describe 'Control not applicable' do\n skip 'Control not applicable'\n end\n elsif virtualization.system.eql?('docker')\n describe 'Manual test' do\n skip 'This control must be reviewed manually'\n end\n else\n describe login_defs do\n its('ENCRYPT_METHOD') { should eq 'SHA512' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238325.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238325.rb:1 ","run_time":0.012142,"start_time":"2022-12-07T14:54:58-05:00","message":"undefined method `disable_fips?' for #\"Passwords need to be protected at all times, and encryption is the standard method for\\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\\ntext) and easily compromised.\", :check=>\"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\\n140-2 approved cryptographic hashing algorithm.\\n\\nCheck the hashing algorithm that is\\nbeing used to hash passwords with the following command:\\n\\n$ cat /etc/login.defs | grep -i\\nencrypt_method\\n\\nENCRYPT_METHOD SHA512\\n\\nIf \\\"ENCRYPT_METHOD\\\" does not equal SHA512 or\\ngreater, this is a finding.\", :fix=>\"Configure the Ubuntu operating system to encrypt all stored passwords.\\n\\nEdit/modify the\\nfollowing line in the \\\"/etc/login.defs\\\" file and set \\\"ENCRYPT_METHOD\\\" to SHA512:\\n\\n\\nENCRYPT_METHOD SHA512\"}, @refs=[], @tags={:severity=>\"medium \", :gtitle=>\"SRG-OS-000120-GPOS-00061 \", :gid=>\"V-238325 \", :rid=>\"SV-238325r654150_rule \", :stig_id=>\"UBTU-20-010404 \", :fix_id=>\"F-41494r654149_fix \", :cci=>[\"CCI-000803\"], :nist=>[\"IA-7\"]}, @resource_dsl=#, @__code=nil, @__block=#, @__source_location={:ref=>\"./controls/SV-238325.rb\", :line=>1}, @__rule_id=\"SV-238325\", @__profile_id=\"Canonical_Ubuntu_20-04_LTS_STIG\", @__checks=[[\"describe\", [\"Control Source Code Error\"], #]], @__skip_rule={}, @__merge_count=0, @__merge_changes=[], @__skip_only_if_eval=false, @__file=\"./controls/SV-238325.rb\", @__group_title=nil>","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238325.rb:1"}]},{"id":"SV-238326","title":"The Ubuntu operating system must not have the telnet package installed. ","desc":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.","descriptions":[{"label":"default","data":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised."},{"label":"check","data":"Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding."},{"label":"fix","data":"Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000074-GPOS-00042 ","gid":"V-238326 ","rid":"SV-238326r654153_rule ","stig_id":"UBTU-20-010405 ","fix_id":"F-41495r654152_fix ","cci":["CCI-000197"],"nist":["IA-5 (1) (c)"]},"code":"control 'SV-238326' do\n title 'The Ubuntu operating system must not have the telnet package installed. '\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding. \"\n desc 'fix', \"Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000074-GPOS-00042 '\n tag gid: 'V-238326 '\n tag rid: 'SV-238326r654153_rule '\n tag stig_id: 'UBTU-20-010405 '\n tag fix_id: 'F-41495r654152_fix '\n tag cci: ['CCI-000197']\n tag nist: ['IA-5 (1) (c)']\n\n describe package('telnetd') do\n it { should_not be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238326.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"System Package telnetd is expected not to be installed","run_time":0.071937,"start_time":"2022-12-07T14:54:58-05:00","resource_class":"package","resource_params":"[\"telnetd\"]","resource_id":"telnetd"}]},{"id":"SV-238327","title":"The Ubuntu operating system must not have the rsh-server package installed. ","desc":"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.","descriptions":[{"label":"default","data":"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled."},{"label":"check","data":"Verify the rsh-server package is installed with the following command:\n\n$ dpkg -l | grep\nrsh-server\n\nIf the rsh-server package is installed, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to disable non-essential capabilities by removing\nthe rsh-server package from the system with the following command:\n\n$ sudo apt-get remove\nrsh-server"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000095-GPOS-00049 ","gid":"V-238327 ","rid":"SV-238327r654156_rule ","stig_id":"UBTU-20-010406 ","fix_id":"F-41496r654155_fix ","cci":["CCI-000381"],"nist":["CM-7 a"]},"code":"control 'SV-238327' do\n title 'The Ubuntu operating system must not have the rsh-server package installed. '\n desc \"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled. \"\n desc 'check', \"Verify the rsh-server package is installed with the following command:\n\n$ dpkg -l | grep\nrsh-server\n\nIf the rsh-server package is installed, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable non-essential capabilities by removing\nthe rsh-server package from the system with the following command:\n\n$ sudo apt-get remove\nrsh-server \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000095-GPOS-00049 '\n tag gid: 'V-238327 '\n tag rid: 'SV-238327r654156_rule '\n tag stig_id: 'UBTU-20-010406 '\n tag fix_id: 'F-41496r654155_fix '\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n\n describe package('rsh-server') do\n it { should_not be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238327.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"System Package rsh-server is expected not to be installed","run_time":0.053996,"start_time":"2022-12-07T14:54:59-05:00","resource_class":"package","resource_params":"[\"rsh-server\"]","resource_id":"rsh-server"}]},{"id":"SV-238328","title":"The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. ","desc":"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues.","descriptions":[{"label":"default","data":"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues."},{"label":"check","data":"Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding."},{"label":"fix","data":"Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \"in\" or \"out\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service>"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000096-GPOS-00050 ","gid":"V-238328 ","rid":"SV-238328r654159_rule ","stig_id":"UBTU-20-010407 ","fix_id":"F-41497r654158_fix ","cci":["CCI-000382"],"nist":["CM-7 b"]},"code":"control 'SV-238328' do\n title \"The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. \"\n desc \"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding. \"\n desc 'fix', \"Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \\\"in\\\" or \\\"out\\\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000096-GPOS-00050 '\n tag gid: 'V-238328 '\n tag rid: 'SV-238328r654159_rule '\n tag stig_id: 'UBTU-20-010407 '\n tag fix_id: 'F-41497r654158_fix '\n tag cci: ['CCI-000382']\n tag nist: ['CM-7 b']\n\n ufw_status = command('ufw status').stdout.strip.lines.first\n value = ufw_status.split(':')[1].strip\n\n describe 'UFW status' do\n subject { value }\n it { should cmp 'active' }\n end\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238328.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238328.rb:1 ","run_time":0.001049,"start_time":"2022-12-07T14:54:59-05:00","message":"undefined method `split' for nil:NilClass","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238328.rb:1"}]},{"id":"SV-238329","title":"The Ubuntu operating system must prevent direct login into the root account. ","desc":"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge.","descriptions":[{"label":"default","data":"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge."},{"label":"check","data":"Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \"L\" in the second field to indicate the account is locked, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000109-GPOS-00056 ","gid":"V-238329 ","rid":"SV-238329r654162_rule ","stig_id":"UBTU-20-010408 ","fix_id":"F-41498r654161_fix ","cci":["CCI-000770"],"nist":["IA-2 (5)"]},"code":"control 'SV-238329' do\n title 'The Ubuntu operating system must prevent direct login into the root account. '\n desc \"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\\\"root\\\" user account, the Windows \\\"Administrator\\\" account, the \\\"sa\\\" account, or a \\\"helpdesk\\\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge. \"\n desc 'check', \"Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \\\"L\\\" in the second field to indicate the account is locked, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000109-GPOS-00056 '\n tag gid: 'V-238329 '\n tag rid: 'SV-238329r654162_rule '\n tag stig_id: 'UBTU-20-010408 '\n tag fix_id: 'F-41498r654161_fix '\n tag cci: ['CCI-000770']\n tag nist: ['IA-2 (5)']\n\n describe.one do\n describe shadow.where(user: 'root') do\n its('passwords.uniq.first') { should eq '!*' }\n end\n end\n describe command('passwd -S root').stdout.strip do\n it { should match /^root\\s+L\\s+.*$/ }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238329.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/shadow with user == \"root\" passwords.uniq.first is expected to eq \"!*\"","run_time":0.000576,"start_time":"2022-12-07T14:54:59-05:00","message":"\nexpected: \"!*\"\n got: \"*\"\n\n(compared using ==)\n","exception":"RSpec::Core::MultipleExceptionError","resource_class":"FilterTable::Table","resource_params":"[]","resource_id":""},{"status":"passed","code_desc":"root L 10/18/2022 0 99999 7 -1 is expected to match /^root\\s+L\\s+.*$/","run_time":0.000154,"start_time":"2022-12-07T14:54:59-05:00","resource_class":"Object","resource_params":"[]","resource_id":"root L 10/18/2022 0 99999 7 -1"}]},{"id":"SV-238330","title":"The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. ","desc":"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity.","descriptions":[{"label":"default","data":"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity."},{"label":"check","data":"Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \"INACTIVE\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \"0\" will disable the account immediately after the\npassword expires."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000118-GPOS-00060 ","gid":"V-238330 ","rid":"SV-238330r654165_rule ","stig_id":"UBTU-20-010409 ","fix_id":"F-41499r654164_fix ","cci":["CCI-000795"],"nist":["IA-4 e"]},"code":"control 'SV-238330' do\n title \"The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. \"\n desc \"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity. \"\n desc 'check', \"Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \\\"INACTIVE\\\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \\\"0\\\" will disable the account immediately after the\npassword expires. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000118-GPOS-00060 '\n tag gid: 'V-238330 '\n tag rid: 'SV-238330r654165_rule '\n tag stig_id: 'UBTU-20-010409 '\n tag fix_id: 'F-41499r654164_fix '\n tag cci: ['CCI-000795']\n tag nist: ['IA-4 e']\n\n config_file = input('useradd_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('INACTIVE') { should cmp > '0' }\n its('INACTIVE') { should cmp <= 35 }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238330.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/default/useradd INACTIVE is expected to cmp > \"0\"","run_time":0.001114,"start_time":"2022-12-07T14:54:59-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/default/useradd\"]","resource_id":"/etc/default/useradd"},{"status":"passed","code_desc":"Parse Config File /etc/default/useradd INACTIVE is expected to cmp <= 35","run_time":0.000351,"start_time":"2022-12-07T14:54:59-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/default/useradd\"]","resource_id":"/etc/default/useradd"}]},{"id":"SV-238331","title":"The Ubuntu operating system must automatically remove or disable emergency accounts after\n72 hours. ","desc":"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts.","descriptions":[{"label":"default","data":"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts."},{"label":"check","data":"Verify the Ubuntu operating system expires emergency accounts within 72 hours or less.\n\nFor\nevery emergency account, run the following command to obtain its account expiration\ninformation:\n\n$ sudo chage -l account_name | grep expires\n\nPassword expires : Aug 07, 2019\n\nAccount expires : Aug 07, 2019\n\nVerify each of these accounts has an expiration date set\nwithin 72 hours of account creation.\n\nIf any of these accounts do not expire within 72 hours of\nthat account's creation, this is a finding."},{"label":"fix","data":"If an emergency account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it. Substitute\n\"account_name\" with the account to be created.\n\n$ sudo chage -E $(date -d \"+3 days\" +%F)\naccount_name"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000123-GPOS-00064 ","gid":"V-238331 ","rid":"SV-238331r654168_rule ","stig_id":"UBTU-20-010410 ","fix_id":"F-41500r654167_fix ","cci":["CCI-001682"],"nist":["AC-2 (2)"]},"code":"control 'SV-238331' do\n title \"The Ubuntu operating system must automatically remove or disable emergency accounts after\n72 hours. \"\n desc \"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts. \"\n desc 'check', \"Verify the Ubuntu operating system expires emergency accounts within 72 hours or less.\n\nFor\nevery emergency account, run the following command to obtain its account expiration\ninformation:\n\n$ sudo chage -l account_name | grep expires\n\nPassword expires : Aug 07, 2019\n\nAccount expires : Aug 07, 2019\n\nVerify each of these accounts has an expiration date set\nwithin 72 hours of account creation.\n\nIf any of these accounts do not expire within 72 hours of\nthat account's creation, this is a finding. \"\n desc 'fix', \"If an emergency account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it. Substitute\n\\\"account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\" +%F)\naccount_name \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000123-GPOS-00064 '\n tag gid: 'V-238331 '\n tag rid: 'SV-238331r654168_rule '\n tag stig_id: 'UBTU-20-010410 '\n tag fix_id: 'F-41500r654167_fix '\n tag cci: ['CCI-001682']\n tag nist: ['AC-2 (2)']\n\n describe 'Manual verification required' do\n skip 'Manually verify if emergency account must be created\n the system must terminate the account after a 72 hour time period.'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238331.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Manual verification required","run_time":1.4e-05,"start_time":"2022-12-07T14:54:59-05:00","resource":"","skip_message":"Manually verify if emergency account must be created\n the system must terminate the account after a 72 hour time period.","resource_class":"Object","resource_params":"[]","resource_id":"Manual verification required"}]},{"id":"SV-238332","title":"The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. ","desc":"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components.","descriptions":[{"label":"default","data":"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components."},{"label":"check","data":"Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding."},{"label":"fix","data":"Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \"[Public Directory]\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000138-GPOS-00069 ","gid":"V-238332 ","rid":"SV-238332r654171_rule ","stig_id":"UBTU-20-010411 ","fix_id":"F-41501r654170_fix ","cci":["CCI-001090"],"nist":["SC-4"]},"code":"control 'SV-238332' do\n title \"The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. \"\n desc \"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components. \"\n desc 'check', \"Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding. \"\n desc 'fix', \"Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \\\"[Public Directory]\\\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000138-GPOS-00069 '\n tag gid: 'V-238332 '\n tag rid: 'SV-238332r654171_rule '\n tag stig_id: 'UBTU-20-010411 '\n tag fix_id: 'F-41501r654170_fix '\n tag cci: ['CCI-001090']\n tag nist: ['SC-4']\n\n lines = command('find / -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null').stdout.strip.split(\"\\n\").entries\n if lines.count > 0\n lines.each do |line|\n dir = line.strip\n describe directory(dir) do\n it { should be_sticky }\n end\n end\n else\n describe 'Sticky bit has been set on all world writable directories' do\n subject { lines }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238332.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Sticky bit has been set on all world writable directories count is expected to eq 0","run_time":0.000276,"start_time":"2022-12-07T14:54:59-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238333","title":"The Ubuntu operating system must be configured to use TCP syncookies. ","desc":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning.","descriptions":[{"label":"default","data":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning."},{"label":"check","data":"Verify the Ubuntu operating system is configured to use TCP syncookies.\n\nCheck the value of\nTCP syncookies with the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \"1\", this is a finding.\n\nCheck the saved\nvalue of TCP syncookies with the following command:\n\n$ sudo grep -i\nnet.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#'\n\nIf no output is\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to use TCP syncookies by running the following\ncommand:\n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \"1\" is not the system's default\nvalue, add or update the following line in \"/etc/sysctl.conf\":\n\nnet.ipv4.tcp_syncookies\n= 1"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000142-GPOS-00071 ","gid":"V-238333 ","rid":"SV-238333r654174_rule ","stig_id":"UBTU-20-010412 ","fix_id":"F-41502r654173_fix ","cci":["CCI-001095"],"nist":["SC-5 (2)"]},"code":"control 'SV-238333' do\n title 'The Ubuntu operating system must be configured to use TCP syncookies. '\n desc \"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use TCP syncookies.\n\nCheck the value of\nTCP syncookies with the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \\\"1\\\", this is a finding.\n\nCheck the saved\nvalue of TCP syncookies with the following command:\n\n$ sudo grep -i\nnet.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#'\n\nIf no output is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use TCP syncookies by running the following\ncommand:\n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \\\"1\\\" is not the system's default\nvalue, add or update the following line in \\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.tcp_syncookies\n= 1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000142-GPOS-00071 '\n tag gid: 'V-238333 '\n tag rid: 'SV-238333r654174_rule '\n tag stig_id: 'UBTU-20-010412 '\n tag fix_id: 'F-41502r654173_fix '\n tag cci: ['CCI-001095']\n tag nist: ['SC-5 (2)']\n\n describe kernel_parameter('net.ipv4.tcp_syncookies') do\n its('value') { should cmp 1 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238333.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Kernel Parameter net.ipv4.tcp_syncookies value is expected to cmp == 1","run_time":0.069542,"start_time":"2022-12-07T14:54:59-05:00","resource_class":"kernel_parameter","resource_params":"[\"net.ipv4.tcp_syncookies\"]","resource_id":"net.ipv4.tcp_syncookies"}]},{"id":"SV-238334","title":"The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state\nif system initialization fails, shutdown fails or aborts fail. ","desc":"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition.","descriptions":[{"label":"default","data":"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition."},{"label":"check","data":"Verify that kernel core dumps are disabled unless needed.\n\nCheck if \"kdump\" service is\nactive with the following command:\n\n$ systemctl is-active kdump.service\ninactive\n\nIf\nthe \"kdump\" service is active, ask the SA if the use of the service is required and documented\nwith the ISSO.\n\nIf the service is active and is not documented, this is a finding."},{"label":"fix","data":"If kernel core dumps are not required, disable the \"kdump\" service with the following\ncommand:\n\n$ sudo systemctl disable kdump.service\n\nIf kernel core dumps are required,\ndocument the need with the ISSO."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000184-GPOS-00078 ","gid":"V-238334 ","rid":"SV-238334r654177_rule ","stig_id":"UBTU-20-010413 ","fix_id":"F-41503r654176_fix ","cci":["CCI-001190"],"nist":["SC-24"]},"code":"control 'SV-238334' do\n title \"The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state\nif system initialization fails, shutdown fails or aborts fail. \"\n desc \"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition. \"\n desc 'check', \"Verify that kernel core dumps are disabled unless needed.\n\nCheck if \\\"kdump\\\" service is\nactive with the following command:\n\n$ systemctl is-active kdump.service\ninactive\n\nIf\nthe \\\"kdump\\\" service is active, ask the SA if the use of the service is required and documented\nwith the ISSO.\n\nIf the service is active and is not documented, this is a finding. \"\n desc 'fix', \"If kernel core dumps are not required, disable the \\\"kdump\\\" service with the following\ncommand:\n\n$ sudo systemctl disable kdump.service\n\nIf kernel core dumps are required,\ndocument the need with the ISSO. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000184-GPOS-00078 '\n tag gid: 'V-238334 '\n tag rid: 'SV-238334r654177_rule '\n tag stig_id: 'UBTU-20-010413 '\n tag fix_id: 'F-41503r654176_fix '\n tag cci: ['CCI-001190']\n tag nist: ['SC-24']\n\n is_kdump_required = input('is_kdump_required')\n if is_kdump_required\n describe service('kdump') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\n else\n describe service('kdump') do\n it { should_not be_enabled }\n it { should_not be_installed }\n it { should_not be_running }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238334.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Service kdump is expected not to be enabled","run_time":0.07222,"start_time":"2022-12-07T14:54:59-05:00","resource_class":"service","resource_params":"[\"kdump\"]","resource_id":"kdump"},{"status":"passed","code_desc":"Service kdump is expected not to be installed","run_time":0.000569,"start_time":"2022-12-07T14:55:00-05:00","resource_class":"service","resource_params":"[\"kdump\"]","resource_id":"kdump"},{"status":"passed","code_desc":"Service kdump is expected not to be running","run_time":0.000173,"start_time":"2022-12-07T14:55:00-05:00","resource_class":"service","resource_params":"[\"kdump\"]","resource_id":"kdump"}]},{"id":"SV-238335","title":"Ubuntu operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. ","desc":"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation.","descriptions":[{"label":"default","data":"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation."},{"label":"check","data":"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding."},{"label":"fix","data":"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000185-GPOS-00079 ","gid":"V-238335 ","rid":"SV-238335r654180_rule ","stig_id":"UBTU-20-010414 ","fix_id":"F-41504r654179_fix ","cci":["CCI-001199"],"nist":["SC-28"]},"code":"control 'SV-238335' do\n title \"Ubuntu operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. \"\n desc \"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation. \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000185-GPOS-00079 '\n tag gid: 'V-238335 '\n tag rid: 'SV-238335r654180_rule '\n tag stig_id: 'UBTU-20-010414 '\n tag fix_id: 'F-41504r654179_fix '\n tag cci: ['CCI-001199']\n tag nist: ['SC-28']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238335.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Not Applicable","run_time":1.1e-05,"start_time":"2022-12-07T14:55:00-05:00","resource":"","skip_message":"Encryption of data at rest is handled by the IaaS","resource_class":"Object","resource_params":"[]","resource_id":"Not Applicable"}]},{"id":"SV-238336","title":"The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention\n(ENSLTP). ","desc":"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement.","descriptions":[{"label":"default","data":"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement."},{"label":"check","data":"The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.\nHowever, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and\nrunning.\n\nCheck that the \"mcafeetp\" package has been installed:\n\n# dpkg -l | grep mcafeetp\n\n\nIf the \"mcafeetp\" package is not installed, this finding will remain as a CAT II.\n\nCheck that\nthe daemon is running:\n\n# /opt/McAfee/ens/tp/init/mfetpd-control.sh status\n\nIf the\ndaemon is not running, this finding will remain as a CAT II."},{"label":"fix","data":"The Ubuntu operating system is not compliant with this requirement; however, the severity\nlevel can be mitigated to a CAT III if the ENSLTP module is installed and running.\n\nConfigure\nthe Ubuntu operating system to use ENSLTP.\n\nInstall the \"mcafeetp\" package via the ePO\nserver."}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000191-GPOS-00080 ","gid":"V-238336 ","rid":"SV-238336r858538_rule ","stig_id":"UBTU-20-010415 ","fix_id":"F-41505r858537_fix ","cci":["CCI-001233"],"nist":["SI-2 (2)"]},"code":"control 'SV-238336' do\n title \"The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention\n(ENSLTP). \"\n desc \"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement. \"\n desc 'check', \"The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.\nHowever, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and\nrunning.\n\nCheck that the \\\"mcafeetp\\\" package has been installed:\n\n# dpkg -l | grep mcafeetp\n\n\nIf the \\\"mcafeetp\\\" package is not installed, this finding will remain as a CAT II.\n\nCheck that\nthe daemon is running:\n\n# /opt/McAfee/ens/tp/init/mfetpd-control.sh status\n\nIf the\ndaemon is not running, this finding will remain as a CAT II. \"\n desc 'fix', \"The Ubuntu operating system is not compliant with this requirement; however, the severity\nlevel can be mitigated to a CAT III if the ENSLTP module is installed and running.\n\nConfigure\nthe Ubuntu operating system to use ENSLTP.\n\nInstall the \\\"mcafeetp\\\" package via the ePO\nserver. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000191-GPOS-00080 '\n tag gid: 'V-238336 '\n tag rid: 'SV-238336r858538_rule '\n tag stig_id: 'UBTU-20-010415 '\n tag fix_id: 'F-41505r858537_fix '\n tag cci: ['CCI-001233']\n tag nist: ['SI-2 (2)']\n\n describe package('mfetp') do\n it { should be_installed }\n end\n\n describe command('/opt/McAfee/ens/tp/init/mfetpd-control.sh status') do\n its('exit_status') { should cmp 0 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238336.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package mfetp is expected to be installed","run_time":0.074016,"start_time":"2022-12-07T14:55:00-05:00","message":"expected that `System Package mfetp` is installed","resource_class":"package","resource_params":"[\"mfetp\"]","resource_id":"mfetp"},{"status":"failed","code_desc":"Command: `/opt/McAfee/ens/tp/init/mfetpd-control.sh status` exit_status is expected to cmp == 0","run_time":0.053534,"start_time":"2022-12-07T14:55:00-05:00","message":"\nexpected: 0\n got: 127\n\n(compared using `cmp` matcher)\n","resource_class":"command","resource_params":"[\"/opt/McAfee/ens/tp/init/mfetpd-control.sh status\"]","resource_id":"Command: `/opt/McAfee/ens/tp/init/mfetpd-control.sh status`"}]},{"id":"SV-238337","title":"The Ubuntu operating system must generate error messages that provide information\nnecessary for corrective actions without revealing information that could be exploited by\nadversaries. ","desc":"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers.","descriptions":[{"label":"default","data":"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers."},{"label":"check","data":"Verify the Ubuntu operating system has all system log files under the \"/var/log\" directory\nwith a permission set to 640 or less permissive by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;\n\nIf the command displays any output,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to set permissions of all log files under the\n\"/var/log\" directory to 640 or more restricted by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec chmod 640 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000205-GPOS-00083 ","gid":"V-238337 ","rid":"SV-238337r654186_rule ","stig_id":"UBTU-20-010416 ","fix_id":"F-41506r654185_fix ","cci":["CCI-001312"],"nist":["SI-11 a"]},"code":"control 'SV-238337' do\n title \"The Ubuntu operating system must generate error messages that provide information\nnecessary for corrective actions without revealing information that could be exploited by\nadversaries. \"\n desc \"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers. \"\n desc 'check', \"Verify the Ubuntu operating system has all system log files under the \\\"/var/log\\\" directory\nwith a permission set to 640 or less permissive by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec stat -c \\\"%n %a\\\" {} \\\\;\n\nIf the command displays any output,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to set permissions of all log files under the\n\\\"/var/log\\\" directory to 640 or more restricted by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec chmod 640 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000205-GPOS-00083 '\n tag gid: 'V-238337 '\n tag rid: 'SV-238337r654186_rule '\n tag stig_id: 'UBTU-20-010416 '\n tag fix_id: 'F-41506r654185_fix '\n tag cci: ['CCI-001312']\n tag nist: ['SI-11 a']\n\n log_files = command('find /var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;').stdout.strip.split(\"\\n\").entries\n\n describe 'Number of log files found with a permission NOT set to 640' do\n subject { log_files }\n its('count') { should eq 0 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238337.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of log files found with a permission NOT set to 640 count is expected to eq 0","run_time":0.000382,"start_time":"2022-12-07T14:55:00-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238338","title":"The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \"%n %G\" /var/log\n/var/log\nsyslog\n\nIf the \"/var/log\" directory is not group-owned by syslog, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have syslog group-own the \"/var/log\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238338 ","rid":"SV-238338r654189_rule ","stig_id":"UBTU-20-010417 ","fix_id":"F-41507r654188_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238338' do\n title \"The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log\n/var/log\nsyslog\n\nIf the \\\"/var/log\\\" directory is not group-owned by syslog, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog group-own the \\\"/var/log\\\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238338 '\n tag rid: 'SV-238338r654189_rule '\n tag stig_id: 'UBTU-20-010417 '\n tag fix_id: 'F-41507r654188_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n its('group') { should cmp 'syslog' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238338.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Directory /var/log group is expected to cmp == \"syslog\"","run_time":0.073799,"start_time":"2022-12-07T14:55:00-05:00","message":"\nexpected: syslog\n got: root\n\n(compared using `cmp` matcher)\n","resource_class":"directory","resource_params":"[\"/var/log\"]","resource_id":"/var/log"}]},{"id":"SV-238339","title":"The Ubuntu operating system must configure the /var/log directory to be owned by root. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify the Ubuntu operating system configures the \"/var/log\" directory to be owned by root\nwith the following command:\n\n$ sudo stat -c \"%n %U\" /var/log\n/var/log root\n\nIf the\n\"/var/log\" directory is not owned by root, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have root own the \"/var/log\" directory by running\nthe following command:\n\n$ sudo chown root /var/log"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238339 ","rid":"SV-238339r654192_rule ","stig_id":"UBTU-20-010418 ","fix_id":"F-41508r654191_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238339' do\n title 'The Ubuntu operating system must configure the /var/log directory to be owned by root. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify the Ubuntu operating system configures the \\\"/var/log\\\" directory to be owned by root\nwith the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log\n/var/log root\n\nIf the\n\\\"/var/log\\\" directory is not owned by root, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have root own the \\\"/var/log\\\" directory by running\nthe following command:\n\n$ sudo chown root /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238339 '\n tag rid: 'SV-238339r654192_rule '\n tag stig_id: 'UBTU-20-010418 '\n tag fix_id: 'F-41508r654191_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n its('owner') { should cmp 'root' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238339.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /var/log owner is expected to cmp == \"root\"","run_time":0.000335,"start_time":"2022-12-07T14:55:00-05:00","resource_class":"directory","resource_params":"[\"/var/log\"]","resource_id":"/var/log"}]},{"id":"SV-238340","title":"The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less\npermissive. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log\" directory with a mode of\n750 or less permissive with the following command:\n\n$ stat -c \"%n %a\" /var/log\n\n/var/log 750\n\n\nIf a value of \"750\" or less permissive is not returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have permissions of 0750 for the \"/var/log\"\ndirectory by running the following command:\n\n$ sudo chmod 0750 /var/log"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238340 ","rid":"SV-238340r654195_rule ","stig_id":"UBTU-20-010419 ","fix_id":"F-41509r654194_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238340' do\n title \"The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory with a mode of\n750 or less permissive with the following command:\n\n$ stat -c \\\"%n %a\\\" /var/log\n\n/var/log 750\n\n\nIf a value of \\\"750\\\" or less permissive is not returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0750 for the \\\"/var/log\\\"\ndirectory by running the following command:\n\n$ sudo chmod 0750 /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238340 '\n tag rid: 'SV-238340r654195_rule '\n tag stig_id: 'UBTU-20-010419 '\n tag fix_id: 'F-41509r654194_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n it { should_not be_more_permissive_than('0750') }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238340.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /var/log is expected not to be more permissive than \"0750\"","run_time":0.087098,"start_time":"2022-12-07T14:55:00-05:00","resource_class":"directory","resource_params":"[\"/var/log\"]","resource_id":"/var/log"}]},{"id":"SV-238341","title":"The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by\nadm. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be\ngroup-owned by adm with the following command:\n\n$ sudo stat -c \"%n %G\" /var/log/syslog\n\n/var/log/syslog adm\n\nIf the \"/var/log/syslog\" file is not group-owned by adm, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to have adm group-own the \"/var/log/syslog\" file by\nrunning the following command:\n\n$ sudo chgrp adm /var/log/syslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238341 ","rid":"SV-238341r654198_rule ","stig_id":"UBTU-20-010420 ","fix_id":"F-41510r654197_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238341' do\n title \"The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by\nadm. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be\ngroup-owned by adm with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log/syslog\n\n/var/log/syslog adm\n\nIf the \\\"/var/log/syslog\\\" file is not group-owned by adm, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have adm group-own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chgrp adm /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238341 '\n tag rid: 'SV-238341r654198_rule '\n tag stig_id: 'UBTU-20-010420 '\n tag fix_id: 'F-41510r654197_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n its('group') { should cmp 'adm' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238341.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /var/log/syslog group is expected to cmp == \"adm\"","run_time":0.05107,"start_time":"2022-12-07T14:55:01-05:00","message":"\nexpected: adm\n got: \n\n(compared using `cmp` matcher)\n","resource_class":"file","resource_params":"[\"/var/log/syslog\"]","resource_id":"/var/log/syslog"}]},{"id":"SV-238342","title":"The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \"%n %U\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \"/var/log/syslog\" file is not owned by syslog, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to have syslog own the \"/var/log/syslog\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238342 ","rid":"SV-238342r654201_rule ","stig_id":"UBTU-20-010421 ","fix_id":"F-41511r654200_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238342' do\n title 'The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \\\"/var/log/syslog\\\" file is not owned by syslog, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238342 '\n tag rid: 'SV-238342r654201_rule '\n tag stig_id: 'UBTU-20-010421 '\n tag fix_id: 'F-41511r654200_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n its('owner') { should cmp 'syslog' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238342.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /var/log/syslog owner is expected to cmp == \"syslog\"","run_time":0.000202,"start_time":"2022-12-07T14:55:01-05:00","message":"\nexpected: syslog\n got: \n\n(compared using `cmp` matcher)\n","resource_class":"file","resource_params":"[\"/var/log/syslog\"]","resource_id":"/var/log/syslog"}]},{"id":"SV-238343","title":"The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less\npermissive. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file with mode\n0640 or less permissive by running the following command:\n\n$ sudo stat -c \"%n %a\"\n/var/log/syslog\n\n/var/log/syslog 640\n\nIf a value of \"640\" or less permissive is not\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have permissions of 0640 for the \"/var/log/syslog\"\nfile by running the following command:\n\n$ sudo chmod 0640 /var/log/syslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238343 ","rid":"SV-238343r654204_rule ","stig_id":"UBTU-20-010422 ","fix_id":"F-41512r654203_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238343' do\n title \"The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file with mode\n0640 or less permissive by running the following command:\n\n$ sudo stat -c \\\"%n %a\\\"\n/var/log/syslog\n\n/var/log/syslog 640\n\nIf a value of \\\"640\\\" or less permissive is not\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0640 for the \\\"/var/log/syslog\\\"\nfile by running the following command:\n\n$ sudo chmod 0640 /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238343 '\n tag rid: 'SV-238343r654204_rule '\n tag stig_id: 'UBTU-20-010422 '\n tag fix_id: 'F-41512r654203_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n it { should_not be_more_permissive_than('0640') }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238343.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"File /var/log/syslog is expected not to be more permissive than \"0640\"","run_time":0.079208,"start_time":"2022-12-07T14:55:01-05:00","resource_class":"file","resource_params":"[\"/var/log/syslog\"]","resource_id":"/var/log/syslog"}]},{"id":"SV-238344","title":"The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \"%n %a\"\n'{}' \\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding."},{"label":"fix","data":"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000258-GPOS-00099 ","gid":"V-238344 ","rid":"SV-238344r654207_rule ","stig_id":"UBTU-20-010423 ","fix_id":"F-41513r654206_fix ","cci":["CCI-001495"],"nist":["AU-9"]},"code":"control 'SV-238344' do\n title \"The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \\\"%n %a\\\"\n'{}' \\\\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238344 '\n tag rid: 'SV-238344r654207_rule '\n tag stig_id: 'UBTU-20-010423 '\n tag fix_id: 'F-41513r654206_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or\n /usr/local/sbin, that are less permissive than 0755\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238344.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or\n /usr/local/sbin, that are less permissive than 0755 count is expected to eq 0","run_time":0.000257,"start_time":"2022-12-07T14:55:01-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238345","title":"The Ubuntu operating system must have directories that contain system commands owned by\nroot. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system commands directories are returned, this is\na finding."},{"label":"fix","data":"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -user root -type d -exec chown root '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000258-GPOS-00099 ","gid":"V-238345 ","rid":"SV-238345r654210_rule ","stig_id":"UBTU-20-010424 ","fix_id":"F-41514r654209_fix ","cci":["CCI-001495"],"nist":["AU-9"]},"code":"control 'SV-238345' do\n title \"The Ubuntu operating system must have directories that contain system commands owned by\nroot. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system commands directories are returned, this is\na finding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -user root -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238345 '\n tag rid: 'SV-238345r654210_rule '\n tag stig_id: 'UBTU-20-010424 '\n tag fix_id: 'F-41514r654209_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238345.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT owned by root count is expected to eq 0","run_time":0.00026,"start_time":"2022-12-07T14:55:01-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238346","title":"The Ubuntu operating system must have directories that contain system commands group-owned\nby root. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \"%n %G\" '{}' \\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding."},{"label":"fix","data":"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000258-GPOS-00099 ","gid":"V-238346 ","rid":"SV-238346r654213_rule ","stig_id":"UBTU-20-010425 ","fix_id":"F-41515r654212_fix ","cci":["CCI-001495"],"nist":["AU-9"]},"code":"control 'SV-238346' do\n title \"The Ubuntu operating system must have directories that contain system commands group-owned\nby root. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238346 '\n tag rid: 'SV-238346r654213_rule '\n tag stig_id: 'UBTU-20-010425 '\n tag fix_id: 'F-41515r654212_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n # CHECK\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238346.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root count is expected to eq 0","run_time":0.000257,"start_time":"2022-12-07T14:55:01-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238347","title":"The Ubuntu operating system library files must have mode 0755 or less permissive. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\",\nand \"/usr/lib\" have mode 0755 or less permissive with the following command:\n\n$ sudo find\n/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \"%n %a\" '{}' \\;\n\n/usr/lib64/pkcs11-spy.so\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding."},{"label":"fix","data":"Configure the library files to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238347 ","rid":"SV-238347r654216_rule ","stig_id":"UBTU-20-010426 ","fix_id":"F-41516r654215_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238347' do\n title 'The Ubuntu operating system library files must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" have mode 0755 or less permissive with the following command:\n\n$ sudo find\n/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\n/usr/lib64/pkcs11-spy.so\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. \"\n desc 'fix', \"Configure the library files to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238347 '\n tag rid: 'SV-238347r654216_rule '\n tag stig_id: 'UBTU-20-010426 '\n tag fix_id: 'F-41516r654215_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are less permissive than 0755' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238347.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library files found that are less permissive than 0755 count is expected to eq 0","run_time":0.000355,"start_time":"2022-12-07T14:55:01-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238348","title":"The Ubuntu operating system library directories must have mode 0755 or less permissive. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib have\nmode 0755 or less permissive with the following command:\n\n$ sudo find /lib /lib64 /usr/lib\n-perm /022 -type d -exec stat -c \"%n %a\" '{}' \\;\n\nIf any of the aforementioned directories are\nfound to be group-writable or world-writable, this is a finding."},{"label":"fix","data":"Configure the shared library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}'\n\\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238348 ","rid":"SV-238348r654219_rule ","stig_id":"UBTU-20-010427 ","fix_id":"F-41517r654218_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238348' do\n title 'The Ubuntu operating system library directories must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib have\nmode 0755 or less permissive with the following command:\n\n$ sudo find /lib /lib64 /usr/lib\n-perm /022 -type d -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any of the aforementioned directories are\nfound to be group-writable or world-writable, this is a finding. \"\n desc 'fix', \"Configure the shared library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}'\n\\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238348 '\n tag rid: 'SV-238348r654219_rule '\n tag stig_id: 'UBTU-20-010427 '\n tag fix_id: 'F-41517r654218_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are less permissive than 0755' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238348.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library directories found that are less permissive than 0755 count is expected to eq 0","run_time":0.000366,"start_time":"2022-12-07T14:55:01-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238349","title":"The Ubuntu operating system library files must be owned by root. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\",\nand \"/usr/lib\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! -user root -type f -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide library file is\nreturned, this is a finding."},{"label":"fix","data":"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238349 ","rid":"SV-238349r654222_rule ","stig_id":"UBTU-20-010428 ","fix_id":"F-41518r654221_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238349' do\n title 'The Ubuntu operating system library files must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! -user root -type f -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library file is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238349 '\n tag rid: 'SV-238349r654222_rule '\n tag stig_id: 'UBTU-20-010428 '\n tag fix_id: 'F-41518r654221_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238349.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library files found that are NOT owned by root count is expected to eq 0","run_time":0.000794,"start_time":"2022-12-07T14:55:01-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238350","title":"The Ubuntu operating system library directories must be owned by root. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide library directory is returned, this is a\nfinding."},{"label":"fix","data":"Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238350 ","rid":"SV-238350r654225_rule ","stig_id":"UBTU-20-010429 ","fix_id":"F-41519r654224_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238350' do\n title 'The Ubuntu operating system library directories must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library directory is returned, this is a\nfinding. \"\n desc 'fix', \"Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238350 '\n tag rid: 'SV-238350r654225_rule '\n tag stig_id: 'UBTU-20-010429 '\n tag fix_id: 'F-41519r654224_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT owned by root' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238350.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library directories found that are NOT owned by root count is expected to eq 0","run_time":0.000542,"start_time":"2022-12-07T14:55:02-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238351","title":"The Ubuntu operating system library files must be group-owned by root or a system account. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide library files contained in the directories \"/lib\", \"/lib64\", and\n\"/usr/lib\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \"%n %G\" '{}' \\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding."},{"label":"fix","data":"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command, replacing \"[FILE]\" with any system command file not group-owned by\n\"root\" or a required system account:\n\n$ sudo chgrp root [FILE]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238351 ","rid":"SV-238351r832962_rule ","stig_id":"UBTU-20-010430 ","fix_id":"F-41520r832961_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238351' do\n title 'The Ubuntu operating system library files must be group-owned by root or a system account. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\", and\n\\\"/usr/lib\\\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command, replacing \\\"[FILE]\\\" with any system command file not group-owned by\n\\\"root\\\" or a required system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238351 '\n tag rid: 'SV-238351r832962_rule '\n tag stig_id: 'UBTU-20-010430 '\n tag fix_id: 'F-41520r832961_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT group-owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238351.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library files found that are NOT group-owned by root count is expected to eq 0","run_time":0.000239,"start_time":"2022-12-07T14:55:02-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238352","title":"The Ubuntu operating system library directories must be group-owned by root. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are\ngroup-owned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group\nroot -type d -exec stat -c \"%n %G\" '{}' \\;\n\nIf any system-wide shared library directory is\nreturned, this is a finding."},{"label":"fix","data":"Configure the system library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root\n'{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238352 ","rid":"SV-238352r654231_rule ","stig_id":"UBTU-20-010431 ","fix_id":"F-41521r654230_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238352' do\n title 'The Ubuntu operating system library directories must be group-owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\ngroup-owned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group\nroot -type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system-wide shared library directory is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238352 '\n tag rid: 'SV-238352r654231_rule '\n tag stig_id: 'UBTU-20-010431 '\n tag fix_id: 'F-41521r654230_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_directories = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_directories.count > 0\n library_directories.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT group-owned by root' do\n subject { library_directories }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238352.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library directories found that are NOT group-owned by root count is expected to eq 0","run_time":0.000263,"start_time":"2022-12-07T14:55:02-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238353","title":"The Ubuntu operating system must be configured to preserve log records from failure events. ","desc":"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes.","descriptions":[{"label":"default","data":"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes."},{"label":"check","data":"Verify the log service is configured to collect system failure events.\n\nCheck that the log\nservice is installed properly with the following command:\n\n$ dpkg -l | grep rsyslog\n\nii\nrsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon\n\nIf the \"rsyslog\"\npackage is not installed, this is a finding.\n\nCheck that the log service is enabled with the\nfollowing command:\n\n$ systemctl is-enabled rsyslog\n\nenabled\n\nIf the command above\nreturns \"disabled\", this is a finding.\n\nCheck that the log service is properly running and\nactive on the system with the following command:\n\n$ systemctl is-active rsyslog\n\nactive\n\n\nIf the command above returns \"inactive\", this is a finding."},{"label":"fix","data":"Configure the log service to collect failure events.\n\nInstall the log service (if the log\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nrsyslog\n\nEnable the log service with the following command:\n\n$ sudo systemctl enable --now\nrsyslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000269-GPOS-00103 ","gid":"V-238353 ","rid":"SV-238353r654234_rule ","stig_id":"UBTU-20-010432 ","fix_id":"F-41522r654233_fix ","cci":["CCI-001665"],"nist":["SC-24"]},"code":"control 'SV-238353' do\n title 'The Ubuntu operating system must be configured to preserve log records from failure events. '\n desc \"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes. \"\n desc 'check', \"Verify the log service is configured to collect system failure events.\n\nCheck that the log\nservice is installed properly with the following command:\n\n$ dpkg -l | grep rsyslog\n\nii\nrsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon\n\nIf the \\\"rsyslog\\\"\npackage is not installed, this is a finding.\n\nCheck that the log service is enabled with the\nfollowing command:\n\n$ systemctl is-enabled rsyslog\n\nenabled\n\nIf the command above\nreturns \\\"disabled\\\", this is a finding.\n\nCheck that the log service is properly running and\nactive on the system with the following command:\n\n$ systemctl is-active rsyslog\n\nactive\n\n\nIf the command above returns \\\"inactive\\\", this is a finding. \"\n desc 'fix', \"Configure the log service to collect failure events.\n\nInstall the log service (if the log\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nrsyslog\n\nEnable the log service with the following command:\n\n$ sudo systemctl enable --now\nrsyslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000269-GPOS-00103 '\n tag gid: 'V-238353 '\n tag rid: 'SV-238353r654234_rule '\n tag stig_id: 'UBTU-20-010432 '\n tag fix_id: 'F-41522r654233_fix '\n tag cci: ['CCI-001665']\n tag nist: ['SC-24']\n\n describe service('rsyslog') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238353.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service rsyslog is expected to be installed","run_time":0.07166,"start_time":"2022-12-07T14:55:02-05:00","message":"expected that `Service rsyslog` is installed","resource_class":"service","resource_params":"[\"rsyslog\"]","resource_id":"rsyslog"},{"status":"failed","code_desc":"Service rsyslog is expected to be enabled","run_time":0.000869,"start_time":"2022-12-07T14:55:02-05:00","message":"expected that `Service rsyslog` is enabled","resource_class":"service","resource_params":"[\"rsyslog\"]","resource_id":"rsyslog"},{"status":"failed","code_desc":"Service rsyslog is expected to be running","run_time":0.000406,"start_time":"2022-12-07T14:55:02-05:00","message":"expected that `Service rsyslog` is running","resource_class":"service","resource_params":"[\"rsyslog\"]","resource_id":"rsyslog"}]},{"id":"SV-238354","title":"The Ubuntu operating system must have an application firewall installed in order to control\nremote access methods. ","desc":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).","descriptions":[{"label":"default","data":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets)."},{"label":"check","data":"Verify that the Uncomplicated Firewall is installed with the following command:\n\n$ dpkg -l |\ngrep ufw\n\nii ufw 0.36-6\n\nIf the \"ufw\" package is not installed, ask the System Administrator\nif another application firewall is installed.\n\nIf no application firewall is installed,\nthis is a finding."},{"label":"fix","data":"Install the Uncomplicated Firewall by using the following command:\n\n$ sudo apt-get install\nufw"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000297-GPOS-00115 ","gid":"V-238354 ","rid":"SV-238354r853429_rule ","stig_id":"UBTU-20-010433 ","fix_id":"F-41523r654236_fix ","cci":["CCI-002314"],"nist":["AC-17 (1)"]},"code":"control 'SV-238354' do\n title \"The Ubuntu operating system must have an application firewall installed in order to control\nremote access methods. \"\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify that the Uncomplicated Firewall is installed with the following command:\n\n$ dpkg -l |\ngrep ufw\n\nii ufw 0.36-6\n\nIf the \\\"ufw\\\" package is not installed, ask the System Administrator\nif another application firewall is installed.\n\nIf no application firewall is installed,\nthis is a finding. \"\n desc 'fix', \"Install the Uncomplicated Firewall by using the following command:\n\n$ sudo apt-get install\nufw \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238354 '\n tag rid: 'SV-238354r853429_rule '\n tag stig_id: 'UBTU-20-010433 '\n tag fix_id: 'F-41523r654236_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n\n describe package('ufw') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238354.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package ufw is expected to be installed","run_time":0.063265,"start_time":"2022-12-07T14:55:02-05:00","message":"expected that `System Package ufw` is installed","resource_class":"package","resource_params":"[\"ufw\"]","resource_id":"ufw"}]},{"id":"SV-238355","title":"The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). ","desc":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).","descriptions":[{"label":"default","data":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets)."},{"label":"check","data":"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl is-enabled ufw\n\nIf the above command returns the status as \"disabled\", this is\na finding.\n\nVerify the Uncomplicated Firewall is active on the system by running the\nfollowing command:\n\n$ systemctl is-active ufw\n\nIf the above command returns \"inactive\" or\nany kind of error, this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the\nSystem Administrator if another application firewall is installed.\n\nIf no application\nfirewall is installed, this is a finding."},{"label":"fix","data":"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\n--now ufw.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000297-GPOS-00115 ","gid":"V-238355 ","rid":"SV-238355r853430_rule ","stig_id":"UBTU-20-010434 ","fix_id":"F-41524r654239_fix ","cci":["CCI-002314"],"nist":["AC-17 (1)"]},"code":"control 'SV-238355' do\n title 'The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). '\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl is-enabled ufw\n\nIf the above command returns the status as \\\"disabled\\\", this is\na finding.\n\nVerify the Uncomplicated Firewall is active on the system by running the\nfollowing command:\n\n$ systemctl is-active ufw\n\nIf the above command returns \\\"inactive\\\" or\nany kind of error, this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the\nSystem Administrator if another application firewall is installed.\n\nIf no application\nfirewall is installed, this is a finding. \"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\n--now ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238355 '\n tag rid: 'SV-238355r853430_rule '\n tag stig_id: 'UBTU-20-010434 '\n tag fix_id: 'F-41524r654239_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238355.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service ufw is expected to be installed","run_time":0.06682,"start_time":"2022-12-07T14:55:02-05:00","message":"expected that `Service ufw` is installed","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be enabled","run_time":0.00112,"start_time":"2022-12-07T14:55:02-05:00","message":"expected that `Service ufw` is enabled","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be running","run_time":0.000375,"start_time":"2022-12-07T14:55:02-05:00","message":"expected that `Service ufw` is running","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"}]},{"id":"SV-238356","title":"The Ubuntu operating system must, for networked systems, compare internal information\nsystem clocks at least every 24 hours with a server which is synchronized to one of the\nredundant United States Naval Observatory (USNO) time servers, or a time server designated\nfor the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System\n(GPS). ","desc":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints).","descriptions":[{"label":"default","data":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints)."},{"label":"check","data":"If the system is not networked, this requirement is Not Applicable.\n\nThe system clock must be\nconfigured to compare the system clock at least every 24 hours to the authoritative time\nsource.\n\nCheck the value of \"maxpoll\" in the \"/etc/chrony/chrony.conf\" file with the\nfollowing command:\n\n$ sudo grep maxpoll /etc/chrony/chrony.conf\nserver\ntick.usno.navy.mil iburst maxpoll 16\n\nIf the \"maxpoll\" option is set to a number greater\nthan 16 or the line is commented out, this is a finding.\n\nVerify that the \"chrony.conf\" file is\nconfigured to an authoritative DoD time source by running the following command:\n\n$ grep -i\nserver /etc/chrony/chrony.conf\nserver tick.usno.navy.mil iburst maxpoll 16\nserver\ntock.usno.navy.mil iburst maxpoll 16\nserver ntp2.usno.navy.mil iburst maxpoll 16\n\nIf\nthe parameter \"server\" is not set, is not set to an authoritative DoD time source, or is\ncommented out, this is a finding."},{"label":"fix","data":"If the system is not networked, this requirement is Not Applicable.\n\nTo configure the system\nclock to compare the system clock at least every 24 hours to the authoritative time source,\nedit the \"/etc/chrony/chrony.conf\" file. Add or correct the following lines, by replacing\n\"[source]\" in the following line with an authoritative DoD time source:\n\nserver [source]\niburst maxpoll = 16\n\nIf the \"chrony\" service was running and the value of \"maxpoll\" or\n\"server\" was updated, the service must be restarted using the following command:\n\n$ sudo\nsystemctl restart chrony.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000355-GPOS-00143 ","gid":"V-238356 ","rid":"SV-238356r853431_rule ","stig_id":"UBTU-20-010435 ","fix_id":"F-41525r808491_fix ","cci":["CCI-001891"],"nist":["AU-8 (1) (a)"]},"code":"control 'SV-238356' do\n title \"The Ubuntu operating system must, for networked systems, compare internal information\nsystem clocks at least every 24 hours with a server which is synchronized to one of the\nredundant United States Naval Observatory (USNO) time servers, or a time server designated\nfor the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System\n(GPS). \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints). \"\n desc 'check', \"If the system is not networked, this requirement is Not Applicable.\n\nThe system clock must be\nconfigured to compare the system clock at least every 24 hours to the authoritative time\nsource.\n\nCheck the value of \\\"maxpoll\\\" in the \\\"/etc/chrony/chrony.conf\\\" file with the\nfollowing command:\n\n$ sudo grep maxpoll /etc/chrony/chrony.conf\nserver\ntick.usno.navy.mil iburst maxpoll 16\n\nIf the \\\"maxpoll\\\" option is set to a number greater\nthan 16 or the line is commented out, this is a finding.\n\nVerify that the \\\"chrony.conf\\\" file is\nconfigured to an authoritative DoD time source by running the following command:\n\n$ grep -i\nserver /etc/chrony/chrony.conf\nserver tick.usno.navy.mil iburst maxpoll 16\nserver\ntock.usno.navy.mil iburst maxpoll 16\nserver ntp2.usno.navy.mil iburst maxpoll 16\n\nIf\nthe parameter \\\"server\\\" is not set, is not set to an authoritative DoD time source, or is\ncommented out, this is a finding. \"\n desc 'fix', \"If the system is not networked, this requirement is Not Applicable.\n\nTo configure the system\nclock to compare the system clock at least every 24 hours to the authoritative time source,\nedit the \\\"/etc/chrony/chrony.conf\\\" file. Add or correct the following lines, by replacing\n\\\"[source]\\\" in the following line with an authoritative DoD time source:\n\nserver [source]\niburst maxpoll = 16\n\nIf the \\\"chrony\\\" service was running and the value of \\\"maxpoll\\\" or\n\\\"server\\\" was updated, the service must be restarted using the following command:\n\n$ sudo\nsystemctl restart chrony.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000355-GPOS-00143 '\n tag gid: 'V-238356 '\n tag rid: 'SV-238356r853431_rule '\n tag stig_id: 'UBTU-20-010435 '\n tag fix_id: 'F-41525r808491_fix '\n tag cci: ['CCI-001891']\n tag nist: ['AU-8 (1) (a)']\n\n is_system_networked = input('is_system_networked')\n\n if is_system_networked\n\n chrony_conf = input('chrony_config_file')\n chrony_conf_exists = file(chrony_conf).exist?\n\n if chrony_conf_exists\n describe 'time sources' do\n server_entries = command('grep \"^server\" /etc/chrony/chrony.conf').stdout.strip.split(\"\\n\").entries\n\n server_entries.each do |entry|\n describe entry do\n it { should match \"^server\\s+.*\\s+iburst\\s+maxpoll\\s+=\\s+17$\" }\n end\n end\n end\n else\n describe chrony_conf + ' exists' do\n subject { chrony_conf_exists }\n it { should be true }\n end\n end\n else\n describe 'System is not networked' do\n skip 'This control is Not Applicable as the system is not networked'\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238356.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/chrony/chrony.conf exists is expected to equal true","run_time":0.000614,"start_time":"2022-12-07T14:55:02-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/chrony/chrony.conf exists"}]},{"id":"SV-238357","title":"The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. ","desc":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference.","descriptions":[{"label":"default","data":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference."},{"label":"check","data":"Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \"makestep\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \"1 -1\", this is a finding."},{"label":"fix","data":"Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\"/etc/chrony/chrony.conf\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000356-GPOS-00144 ","gid":"V-238357 ","rid":"SV-238357r853432_rule ","stig_id":"UBTU-20-010436 ","fix_id":"F-41526r654245_fix ","cci":["CCI-002046"],"nist":["AU-8 (1) (b)"]},"code":"control 'SV-238357' do\n title \"The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference. \"\n desc 'check', \"Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \\\"makestep\\\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \\\"1 -1\\\", this is a finding. \"\n desc 'fix', \"Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\\\"/etc/chrony/chrony.conf\\\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000356-GPOS-00144 '\n tag gid: 'V-238357 '\n tag rid: 'SV-238357r853432_rule '\n tag stig_id: 'UBTU-20-010436 '\n tag fix_id: 'F-41526r654245_fix '\n tag cci: ['CCI-002046']\n tag nist: ['AU-8 (1) (b)']\n\n chrony_file_path = input('chrony_config_file')\n chrony_file = file(chrony_file_path)\n\n if chrony_file.exist?\n describe chrony_file do\n subject { chrony_file }\n its('content') { should match /^makestep 1 -1/ }\n end\n else\n describe(chrony_file_path + ' exists') do\n subject { chrony_file.exist? }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238357.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/chrony/chrony.conf exists is expected to equal true","run_time":0.000561,"start_time":"2022-12-07T14:55:02-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/chrony/chrony.conf exists"}]},{"id":"SV-238358","title":"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the oper ","desc":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item.","descriptions":[{"label":"default","data":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ grep SILENTREPORTS /etc/default/aide\n\nSILENTREPORTS=no\n\n\nIf SILENTREPORTS is commented out, this is a finding.\n\nIf SILENTREPORTS is set to \"yes\",\nthis is a finding.\n\nIf SILENTREPORTS is not set to \"no\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \"SILENTREPORTS\"\nparameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000363-GPOS-00150 ","gid":"V-238358 ","rid":"SV-238358r853433_rule ","stig_id":"UBTU-20-010437 ","fix_id":"F-41527r654248_fix ","cci":["CCI-001744"],"nist":["CM-3 (5)"]},"code":"control 'SV-238358' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the oper \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ grep SILENTREPORTS /etc/default/aide\n\nSILENTREPORTS=no\n\n\nIf SILENTREPORTS is commented out, this is a finding.\n\nIf SILENTREPORTS is set to \\\"yes\\\",\nthis is a finding.\n\nIf SILENTREPORTS is not set to \\\"no\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000363-GPOS-00150 '\n tag gid: 'V-238358 '\n tag rid: 'SV-238358r853433_rule '\n tag stig_id: 'UBTU-20-010437 '\n tag fix_id: 'F-41527r654248_fix '\n tag cci: ['CCI-001744']\n tag nist: ['CM-3 (5)']\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238358.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /etc/default/aide is expected to exist","run_time":0.06502,"start_time":"2022-12-07T14:55:03-05:00","message":"expected File /etc/default/aide to exist","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"},{"status":"failed","code_desc":"File /etc/default/aide content is expected to match \"^SILENTREPORTS=no$\"","run_time":0.10233,"start_time":"2022-12-07T14:55:03-05:00","message":"expected nil to match \"^SILENTREPORTS=no$\"","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"}]},{"id":"SV-238359","title":"The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a certificate that is\nrecognized and approved by the organization. ","desc":"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA.","descriptions":[{"label":"default","data":"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA."},{"label":"check","data":"Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \"AllowUnauthenticated\" variable is not set at all or is set to \"false\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \"false\";\n\n\nIf any of the files returned from the command with \"AllowUnauthenticated\" are set to \"true\",\nthis is a finding."},{"label":"fix","data":"Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \"AllowUnauthenticated\" to \"false\",\nor remove \"AllowUnauthenticated\" entirely from each file. Below is an example of setting the\n\"AllowUnauthenticated\" variable to \"false\":\n\nAPT::Get::AllowUnauthenticated\n\"false\";"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000366-GPOS-00153 ","gid":"V-238359 ","rid":"SV-238359r853434_rule ","stig_id":"UBTU-20-010438 ","fix_id":"F-41528r654251_fix ","cci":["CCI-001749"],"nist":["CM-5 (3)"]},"code":"control 'SV-238359' do\n title \"The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a certificate that is\nrecognized and approved by the organization. \"\n desc \"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA. \"\n desc 'check', \"Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \\\"AllowUnauthenticated\\\" variable is not set at all or is set to \\\"false\\\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \\\"false\\\";\n\n\nIf any of the files returned from the command with \\\"AllowUnauthenticated\\\" are set to \\\"true\\\",\nthis is a finding. \"\n desc 'fix', \"Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \\\"AllowUnauthenticated\\\" to \\\"false\\\",\nor remove \\\"AllowUnauthenticated\\\" entirely from each file. Below is an example of setting the\n\\\"AllowUnauthenticated\\\" variable to \\\"false\\\":\n\nAPT::Get::AllowUnauthenticated\n\\\"false\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000366-GPOS-00153 '\n tag gid: 'V-238359 '\n tag rid: 'SV-238359r853434_rule '\n tag stig_id: 'UBTU-20-010438 '\n tag fix_id: 'F-41528r654251_fix '\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n apt_allowunauth = command('grep -i allowunauth /etc/apt/apt.conf.d/*').stdout.strip.split(\"\\n\")\n if apt_allowunauth.empty?\n describe 'apt conf files do not contain AllowUnauthenticated' do\n subject { apt_allowunauth.empty? }\n it { should be true }\n end\n else\n apt_allowunauth.each do |line|\n describe \"#{line} contains AllowUnauthenctication\" do\n subject { line }\n it { should_not match /.*false.*/ }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238359.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /etc/apt/apt.conf.d is expected to exist","run_time":0.099327,"start_time":"2022-12-07T14:55:03-05:00","resource_class":"directory","resource_params":"[\"/etc/apt/apt.conf.d\"]","resource_id":"/etc/apt/apt.conf.d"},{"status":"passed","code_desc":"apt conf files do not contain AllowUnauthenticated is expected to equal true","run_time":0.000198,"start_time":"2022-12-07T14:55:03-05:00","resource_class":"Object","resource_params":"[]","resource_id":"apt conf files do not contain AllowUnauthenticated"}]},{"id":"SV-238360","title":"The Ubuntu operating system must be configured to use AppArmor. ","desc":"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).","descriptions":[{"label":"default","data":"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles)."},{"label":"check","data":"Verify the operating system prevents program execution in accordance with local policies.\n\n\nCheck that AppArmor is installed and active by running the following command,\n\n$ dpkg -l |\ngrep apparmor\n\nIf the \"apparmor\" package is not installed, this is a finding.\n\n$ systemctl\nis-active apparmor.service\n\nactive\n\nIf \"active\" is not returned, this is a finding.\n\n$\nsystemctl is-enabled apparmor.service\n\nenabled\n\nIf \"enabled\" is not returned, this is a\nfinding."},{"label":"fix","data":"Install \"AppArmor\" (if it is not installed) with the following command:\n\n$ sudo apt-get\ninstall apparmor\n\n$ sudo systemctl enable apparmor.service\n\nStart \"apparmor\" with the\nfollowing command:\n\n$ sudo systemctl start apparmor.service\n\nNote: AppArmor must have\nproperly configured profiles for applications and home directories. All configurations\nwill be based on the actual system setup and organization and normally are on a per role basis.\nSee the AppArmor documentation for more information on configuring profiles."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000368-GPOS-00154 ","satisfies":["SRG-OS-000368-GPOS-00154","SRG-OS-000312-GPOS-00122","SRG-OS-000312-GPOS-00123","SRG-OS-000312-GPOS-00124","SRG-OS-000324-GPOS-00125","SRG-OS-000370-GPOS-00155"],"gid":"V-238360 ","rid":"SV-238360r853435_rule ","stig_id":"UBTU-20-010439 ","fix_id":"F-41529r654254_fix ","cci":["CCI-001764","CCI-001774","CCI-002165","CCI-002235"],"nist":["CM-7 (2)","CM-7 (5) (b)","AC-3 (4)","AC-6 (10)"]},"code":"control 'SV-238360' do\n title 'The Ubuntu operating system must be configured to use AppArmor. '\n desc \"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).\n\n \"\n desc 'check', \"Verify the operating system prevents program execution in accordance with local policies.\n\n\nCheck that AppArmor is installed and active by running the following command,\n\n$ dpkg -l |\ngrep apparmor\n\nIf the \\\"apparmor\\\" package is not installed, this is a finding.\n\n$ systemctl\nis-active apparmor.service\n\nactive\n\nIf \\\"active\\\" is not returned, this is a finding.\n\n$\nsystemctl is-enabled apparmor.service\n\nenabled\n\nIf \\\"enabled\\\" is not returned, this is a\nfinding. \"\n desc 'fix', \"Install \\\"AppArmor\\\" (if it is not installed) with the following command:\n\n$ sudo apt-get\ninstall apparmor\n\n$ sudo systemctl enable apparmor.service\n\nStart \\\"apparmor\\\" with the\nfollowing command:\n\n$ sudo systemctl start apparmor.service\n\nNote: AppArmor must have\nproperly configured profiles for applications and home directories. All configurations\nwill be based on the actual system setup and organization and normally are on a per role basis.\nSee the AppArmor documentation for more information on configuring profiles. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000368-GPOS-00154 '\n tag satisfies: %w(SRG-OS-000368-GPOS-00154 SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123 SRG-OS-000312-GPOS-00124 SRG-OS-000324-GPOS-00125 SRG-OS-000370-GPOS-00155)\n tag gid: 'V-238360 '\n tag rid: 'SV-238360r853435_rule '\n tag stig_id: 'UBTU-20-010439 '\n tag fix_id: 'F-41529r654254_fix '\n tag cci: %w(CCI-001764 CCI-001774 CCI-002165 CCI-002235)\n tag nist: ['CM-7 (2)', 'CM-7 (5) (b)', 'AC-3 (4)', 'AC-6 (10)']\n\n describe service('apparmor') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238360.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service apparmor is expected to be installed","run_time":0.049521,"start_time":"2022-12-07T14:55:03-05:00","message":"expected that `Service apparmor` is installed","resource_class":"service","resource_params":"[\"apparmor\"]","resource_id":"apparmor"},{"status":"failed","code_desc":"Service apparmor is expected to be enabled","run_time":0.000577,"start_time":"2022-12-07T14:55:03-05:00","message":"expected that `Service apparmor` is enabled","resource_class":"service","resource_params":"[\"apparmor\"]","resource_id":"apparmor"},{"status":"failed","code_desc":"Service apparmor is expected to be running","run_time":0.00019,"start_time":"2022-12-07T14:55:03-05:00","message":"expected that `Service apparmor` is running","resource_class":"service","resource_params":"[\"apparmor\"]","resource_id":"apparmor"}]},{"id":"SV-238361","title":"The Ubuntu operating system must allow the use of a temporary password for system logons with\nan immediate change to a permanent password. ","desc":"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated.","descriptions":[{"label":"default","data":"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated."},{"label":"check","data":"Verify a policy exists that ensures when a user account is created, it is created using a method\nthat forces a user to change their password upon their next login.\n\nIf a policy does not exist,\nthis is a finding."},{"label":"fix","data":"Create a policy that ensures when a user is created, it is created using a method that forces a\nuser to change their password upon their next login.\n\nBelow are two examples of how to create a\nuser account that requires the user to change their password upon their next login.\n\n$ sudo\nchage -d 0 [UserName]\n\nor\n\n$ sudo passwd -e [UserName]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000380-GPOS-00165 ","gid":"V-238361 ","rid":"SV-238361r853436_rule ","stig_id":"UBTU-20-010440 ","fix_id":"F-41530r654257_fix ","cci":["CCI-002041"],"nist":["IA-5 (1) (f)"]},"code":"control 'SV-238361' do\n title \"The Ubuntu operating system must allow the use of a temporary password for system logons with\nan immediate change to a permanent password. \"\n desc \"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated. \"\n desc 'check', \"Verify a policy exists that ensures when a user account is created, it is created using a method\nthat forces a user to change their password upon their next login.\n\nIf a policy does not exist,\nthis is a finding. \"\n desc 'fix', \"Create a policy that ensures when a user is created, it is created using a method that forces a\nuser to change their password upon their next login.\n\nBelow are two examples of how to create a\nuser account that requires the user to change their password upon their next login.\n\n$ sudo\nchage -d 0 [UserName]\n\nor\n\n$ sudo passwd -e [UserName] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000380-GPOS-00165 '\n tag gid: 'V-238361 '\n tag rid: 'SV-238361r853436_rule '\n tag stig_id: 'UBTU-20-010440 '\n tag fix_id: 'F-41530r654257_fix '\n tag cci: ['CCI-002041']\n tag nist: ['IA-5 (1) (f)']\n\n describe 'Manual verification required' do\n skip 'Manually verify if a policy exists to ensure that a method exists to force temporary\n users to change their password upon next login'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238361.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Manual verification required","run_time":1.4e-05,"start_time":"2022-12-07T14:55:03-05:00","resource":"","skip_message":"Manually verify if a policy exists to ensure that a method exists to force temporary\n users to change their password upon next login","resource_class":"Object","resource_params":"[]","resource_id":"Manual verification required"}]},{"id":"SV-238362","title":"The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. ","desc":"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable.","descriptions":[{"label":"default","data":"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable."},{"label":"check","data":"If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\"offline_credentials_expiration\" is not set to a value of \"1\" in \"/etc/sssd/sssd.conf\" or\nin a file with a name ending in .conf in the \"/etc/sssd/conf.d/\" directory, this is a finding."},{"label":"fix","data":"Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \"/etc/sssd/sssd.conf\" just below the line \"[pam]\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \".conf\" and does not begin with a \".\" in the \"/etc/sssd/conf.d/\"\ndirectory instead of the \"/etc/sssd/sssd.conf\" file."}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000383-GPOS-00166 ","gid":"V-238362 ","rid":"SV-238362r853437_rule ","stig_id":"UBTU-20-010441 ","fix_id":"F-41531r654260_fix ","cci":["CCI-002007"],"nist":["IA-5 (13)"]},"code":"control 'SV-238362' do\n title \"The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. \"\n desc \"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable. \"\n desc 'check', \"If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\\\"offline_credentials_expiration\\\" is not set to a value of \\\"1\\\" in \\\"/etc/sssd/sssd.conf\\\" or\nin a file with a name ending in .conf in the \\\"/etc/sssd/conf.d/\\\" directory, this is a finding. \"\n desc 'fix', \"Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \\\"/etc/sssd/sssd.conf\\\" just below the line \\\"[pam]\\\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \\\".conf\\\" and does not begin with a \\\".\\\" in the \\\"/etc/sssd/conf.d/\\\"\ndirectory instead of the \\\"/etc/sssd/sssd.conf\\\" file. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000383-GPOS-00166 '\n tag gid: 'V-238362 '\n tag rid: 'SV-238362r853437_rule '\n tag stig_id: 'UBTU-20-010441 '\n tag fix_id: 'F-41531r654260_fix '\n tag cci: ['CCI-002007']\n tag nist: ['IA-5 (13)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = input('sssd_conf_path')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('offline_credentials_expiration') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238362.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.1e-05,"start_time":"2022-12-07T14:55:03-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238363","title":"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. ","desc":"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.","descriptions":[{"label":"default","data":"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated."},{"label":"check","data":"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \"1\" is not returned, this is a finding."},{"label":"fix","data":"Configure the system to run in FIPS mode. Add \"fips=1\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \"Ubuntu\nAdvantage\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS."}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000396-GPOS-00176 ","satisfies":["SRG-OS-000396-GPOS-00176","SRG-OS-000478-GPOS-00223"],"gid":"V-238363 ","rid":"SV-238363r853438_rule ","stig_id":"UBTU-20-010442 ","fix_id":"F-41532r654263_fix ","cci":["CCI-002450"],"nist":["SC-13 b"]},"code":"control 'SV-238363' do\n title \"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. \"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.\n\n \"\n desc 'check', \"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \\\"1\\\" is not returned, this is a finding. \"\n desc 'fix', \"Configure the system to run in FIPS mode. Add \\\"fips=1\\\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \\\"Ubuntu\nAdvantage\\\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000396-GPOS-00176 '\n tag satisfies: %w(SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223)\n tag gid: 'V-238363 '\n tag rid: 'SV-238363r853438_rule '\n tag stig_id: 'UBTU-20-010442 '\n tag fix_id: 'F-41532r654263_fix '\n tag cci: ['CCI-002450']\n tag nist: ['SC-13 b']\n\n disable_fips = input('disable_fips')\n\n if disable_fips?\n impact 0.0\n describe \"Control not applicable\" do\n skip \"Control not applicable\"\n end\n elsif virtualization.system.eql?('docker')\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\n else\n config_file = input('fips_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe file(config_file) do\n its('content') { should match /\\A1\\Z/ }\n end\n else\n describe('FIPS is enabled') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238363.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238363.rb:1 ","run_time":0.009804,"start_time":"2022-12-07T14:55:03-05:00","message":"undefined method `disable_fips?' for #\"Use of weak or untested encryption algorithms undermines the purposes of utilizing\\nencryption to protect data. The operating system must implement cryptographic modules\\nadhering to the higher standards approved by the federal government since this provides\\nassurance they have been tested and validated.\", :check=>\"Verify the system is configured to run in FIPS mode with the following command:\\n\\n$ grep -i 1\\n/proc/sys/crypto/fips_enabled\\n1\\n\\nIf a value of \\\"1\\\" is not returned, this is a finding.\", :fix=>\"Configure the system to run in FIPS mode. Add \\\"fips=1\\\" to the kernel parameter during the\\nUbuntu operating systems install.\\n\\nEnabling a FIPS mode on a pre-existing system involves a\\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\\n140-2 security policy document for instructions.\\n\\nA subscription to the \\\"Ubuntu\\nAdvantage\\\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\\nenable FIPS.\"}, @refs=[], @tags={:severity=>\"high \", :gtitle=>\"SRG-OS-000396-GPOS-00176 \", :satisfies=>[\"SRG-OS-000396-GPOS-00176\", \"SRG-OS-000478-GPOS-00223\"], :gid=>\"V-238363 \", :rid=>\"SV-238363r853438_rule \", :stig_id=>\"UBTU-20-010442 \", :fix_id=>\"F-41532r654263_fix \", :cci=>[\"CCI-002450\"], :nist=>[\"SC-13 b\"]}, @resource_dsl=#, @__code=nil, @__block=#, @__source_location={:ref=>\"./controls/SV-238363.rb\", :line=>1}, @__rule_id=\"SV-238363\", @__profile_id=\"Canonical_Ubuntu_20-04_LTS_STIG\", @__checks=[[\"describe\", [\"Control Source Code Error\"], #]], @__skip_rule={}, @__merge_count=0, @__merge_changes=[], @__skip_only_if_eval=false, @__file=\"./controls/SV-238363.rb\", @__group_title=nil>","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238363.rb:1"}]},{"id":"SV-238364","title":"The Ubuntu operating system must only allow the use of DoD PKI-established certificate\nauthorities for verification of the establishment of protected sessions. ","desc":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates.","descriptions":[{"label":"default","data":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates."},{"label":"check","data":"Verify the directory containing the root certificates for the Ubuntu operating system\n(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate\nauthorities.\n\nDetermine if \"/etc/ssl/certs\" only contains certificate files whose\nsha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities\nwith the following command:\n\n$ for f in $(realpath /etc/ssl/certs/*); do openssl x509\n-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)';\ndone\n\nIf any entry is found, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to only allow the use of DoD PKI-established\ncertificate authorities for verification of the establishment of protected sessions.\n\n\nEdit the \"/etc/ca-certificates.conf\" file, adding the character \"!\" to the beginning of\nall uncommented lines that do not start with the \"!\" character with the following command:\n\n$\nsudo sed -i -E 's/^([^!#]+)/!\\1/' /etc/ca-certificates.conf\n\nAdd at least one DoD\ncertificate authority to the \"/usr/local/share/ca-certificates\" directory in the PEM\nformat.\n\nUpdate the \"/etc/ssl/certs\" directory with the following command:\n\n$ sudo\nupdate-ca-certificates"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000403-GPOS-00182 ","gid":"V-238364 ","rid":"SV-238364r860824_rule ","stig_id":"UBTU-20-010443 ","fix_id":"F-41533r860823_fix ","cci":["CCI-002470"],"nist":["SC-23 (5)"]},"code":"control 'SV-238364' do\n title \"The Ubuntu operating system must only allow the use of DoD PKI-established certificate\nauthorities for verification of the establishment of protected sessions. \"\n desc \"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates. \"\n desc 'check', \"Verify the directory containing the root certificates for the Ubuntu operating system\n(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate\nauthorities.\n\nDetermine if \\\"/etc/ssl/certs\\\" only contains certificate files whose\nsha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities\nwith the following command:\n\n$ for f in $(realpath /etc/ssl/certs/*); do openssl x509\n-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)';\ndone\n\nIf any entry is found, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to only allow the use of DoD PKI-established\ncertificate authorities for verification of the establishment of protected sessions.\n\n\nEdit the \\\"/etc/ca-certificates.conf\\\" file, adding the character \\\"!\\\" to the beginning of\nall uncommented lines that do not start with the \\\"!\\\" character with the following command:\n\n$\nsudo sed -i -E 's/^([^!#]+)/!\\\\1/' /etc/ca-certificates.conf\n\nAdd at least one DoD\ncertificate authority to the \\\"/usr/local/share/ca-certificates\\\" directory in the PEM\nformat.\n\nUpdate the \\\"/etc/ssl/certs\\\" directory with the following command:\n\n$ sudo\nupdate-ca-certificates \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000403-GPOS-00182 '\n tag gid: 'V-238364 '\n tag rid: 'SV-238364r860824_rule '\n tag stig_id: 'UBTU-20-010443 '\n tag fix_id: 'F-41533r860823_fix '\n tag cci: ['CCI-002470']\n tag nist: ['SC-23 (5)']\n\n allowed_ca_fingerprints_regex = input('allowed_ca_fingerprints_regex')\n find_command = ''\"\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '#{allowed_ca_fingerprints_regex}'\n done\n \"''\n describe command(find_command) do\n its('stdout') { should cmp '' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238364.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Command: `\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'\n done\n ` stdout is expected to cmp == \"\"","run_time":0.801298,"start_time":"2022-12-07T14:55:04-05:00","message":"\nexpected: \n got: E3B6A2DB2ED7CE48842F7AC53241C7B71D54144BFB40C11F3F1D0B42F5EEA12D\nBEB00B30839B9BC32C32E4447905950641F26421B15ED089198B518AE2EA1B99\n9A6EC012E1A7DA9DBE34194D478AD7C0DB1822FB071DF12981496ED104384113\n960ADF0063E96356750C2965DD0A0867DA0B9CBD6E77714AEAFB2349AB393DA3\n7E37CB8B4C47090CAB36551BA6F45DB840680FBA166A952DB100717F43053FC2\n4D2491414CFE956746EC4CEFA6CF6F72E28A1329432F9D8A907AC4CB5DADC15A\n16AF57A9F676B0AB126095AA5EBADEF22AB31119D644AC95CD4B93DBF3F26AEB\nBD71FDF6DA97E4CF62D1647ADD2581B07D79ADF8397EB4ECBA9C5E8488821423\n358DF39D764AF9E1B766E9C972DF352EE15CFAC227AF6AD1D70E8E4A6EDCBA02\nBD71FDF6DA97E4CF62D1647ADD2581B07D79ADF8397EB4ECBA9C5E8488821423\n3417BB06CC6007DA1B961C920B8AB4CE3FAD820E4AA30B9ACBC4A74EBDCEBC65\n04048028BF1F2864D48F9AD4D83294366A828856553F3B14303F90147F5D40EF\n88EF81DE202EB018452E43F864725CEA5FBD1FC2D9D205730709C5D8B8690F46\nFD73DAD31C644FF1B43BEF0CCDDA96710B9CD9875ECA7E31707AF3E96D522BBD\nC45D7BB08E6D67E62E4235110B564E5F78FD92EF058C840AEA4E6455D7585C60\n657CFE2FA73FAA38462571F332A2363A46FCE7020951710702CDFBB6EEDA3305\nE3B6A2DB2ED7CE48842F7AC53241C7B71D54144BFB40C11F3F1D0B42F5EEA12D\nF9E67D336C51002AC054C632022D66DDA2E7E3FFF10AD061ED31D8BBB410CFB2\nF356BEA244B7A91EB35D53CA9AD7864ACE018E2D35D5F8F96DDF68A6F41AA474\n554153B13D2CF9DDB753BFBE1A4E0AE08D0AA4187058FE60A2B862B2E4B87BCB\n358DF39D764AF9E1B766E9C972DF352EE15CFAC227AF6AD1D70E8E4A6EDCBA02\nDD6936FE21F8F077C123A1A521C12224F72255B73E03A7260693E8A24B0FA389\n30D0895A9A448A262091635522D1F52010B5867ACAE12C78EF958FD4F4389F2F\nF1C1B50AE5A20DD8030EC9F6BC24823DD367B5255759B4E71B61FCE9F7375D73\nFD73DAD31C644FF1B43BEF0CCDDA96710B9CD9875ECA7E31707AF3E96D522BBD\n18F1FC7F205DF8ADDDEB7FE007DD57E3AF375A9C4D8D73546BF4F1FED1E18D35\nC741F70F4B2A8D88BF2E71C14122EF53EF10EBA0CFA5E64CFA20F418853073E0\n9A6EC012E1A7DA9DBE34194D478AD7C0DB1822FB071DF12981496ED104384113\n8560F91C3624DABA9570B5FEA0DBE36FF11A8323BE9486854FB3F34A5571198D\nE75E72ED9F560EEC6EB4800073A43FC3AD19195A392282017895974A99026B6C\nBC104F15A48BE709DCA542A7E1D4B9DF6F054527E802EAA92D595444258AFE71\n1793927A0614549789ADCE2F8F34F7F0B66D0F3AE3A3B84D21EC15DBBA4FADC7\nA7BAA0D13C6E82C40DFC83ADE20BB6FEE275F106CBBE3868DAD81C4E6025B2AC\n9A296A5182D1D451A2E37F439B74DAAFA267523329F90F9A0D2007C334E23C9A\nA1339D33281A0B56E557D3D32B1CE7F9367EB094BD5FA72A7E5004C8DED7CAFE\nC45D7BB08E6D67E62E4235110B564E5F78FD92EF058C840AEA4E6455D7585C60\nBEB00B30839B9BC32C32E4447905950641F26421B15ED089198B518AE2EA1B99\n5A2FC03F0C83B090BBFA40604B0988446C7636183DF9846E17101A447FB8EFD6\n125609AA301DA0A249B97A8239CB6A34216F44DCAC9F3954B14292F2E8C8608F\n71CCA5391F9E794B04802530B363E121DA8A3043BB26662FEA4DCA7FC951A4BD\nF356BEA244B7A91EB35D53CA9AD7864ACE018E2D35D5F8F96DDF68A6F41AA474\nC0A6F4DC63A24BFDCF54EF2A6A082A0A72DE35803E2FF5FF527AE5D87206DFD5\nBEC94911C2955676DB6C0A550986D76E3BA005667C442C9762B4FBB773DE228C\nBFD88FE1101C41AE3E801BF8BE56350EE9BAD1A6B9BD515EDC5C6D5B8711AC44\nEBD41040E4BB3EC742C9E381D31EF2A41A48B6685C96E7CEF3C1DF6CD4331C99\n4200F5043AC8590EBB527D209ED1503029FBCBD41CA1B506EC27F15ADE7DAC69\n4348A0E9444C78CB265E058D5E8944B4D84F9662BD26DB257F8934A443C70161\n513B2CECB810D4CDE5DD85391ADFC6C2DD60D87BB736D2B521484AA47A0EBEF6\nEEC5496B988CE98625B934092EEC2908BED0B0F316C2D4730C84EAF1F3D34881\n22A2C1F7BDED704CC1E701B5F408C310880FE956B5DE2A4A44F99C873A25A7C8\n97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8\n6B9C08E86EB0F767CFAD65CD98B62149E5494A67F5845E7BD1ED019F27B86BD6\nDB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88\n15F0BA00A3AC7AF3AC884C072B1011A077BD77C097F40164B2F8598ABD83860C\n1465FA205397B876FAA6F0A9958E5590E40FCC7FAA4FB7C2C8677521FB5FB658\n15F0BA00A3AC7AF3AC884C072B1011A077BD77C097F40164B2F8598ABD83860C\nBEC94911C2955676DB6C0A550986D76E3BA005667C442C9762B4FBB773DE228C\n62DD0BE9B9F50A163EA0F8E75C053B1ECA57EA55C8688F647C6881F2C8357B95\nBE6C4DA2BBB9BA59B6F3939768374246C3C005993FA98F020D1DEDBED48A81D5\n7431E5F4C3C1CE4690774F0B61E05440883BA9A01ED00BA6ABD7806ED3B118CF\n5C58468D55F58E497E743982D2B50010B6D165374ACF83A7D4A32DB768C4408E\n6DC47172E01CBCB0BF62580D895FE2B8AC9AD4F873801E0C10B9C837D21EB177\n86A1ECBA089C4A8D3BBE2734C612BA341D813E043CF9E8A862CD5C57A36BBE6B\n3C5F81FEA5FAB82C64BFA2EAECAFCDE8E077FC8620A7CAE537163DF36EDBF378\n02ED0EB28C14DA45165C566791700D6451D7FB56F0B2AB1D3B8EB070E56EDFF5\n0376AB1D54C5F9803CE4B2E201A0EE7EEF7B57B636E8A93C9B8D4860C96F5FA7\n1BA5B2AA8C65401A82960118F80BEC4F62304D83CEC4713A19C39C011EA46DB4\nD48D3D23EEDB50A459E55197601C27774B9D7B18C94D5A059511A10250B93168\n2530CC8E98321502BAD96F9B1FBA1B099E2D299E0F4548BB914F363BC0D4531F\nFE7696573855773E37A95E7AD4D9CC96C30157C15D31765BA9B15704E1AE78FD\n31AD6648F8104138C738F39EA4320133393E3A18CC02296EF97C2AC9EF6731D0\n43DF5774B03E7FEF5FE40D931A7BEDF1BB2E6B42738C4E6D3841103D3AA7F339\nD43AF9B35473755C9684FC06D7D8CB70EE5C28E773FB294EB41EE71722924D24\nA040929A02CE53B4ACF4F2FFC6981CE4496F755E6D45FE0B2A692BCD52523F36\n59769007F7685D0FCD50872F9F95D5755A5B2B457D81F3692B610A98672F0E1B\n8560F91C3624DABA9570B5FEA0DBE36FF11A8323BE9486854FB3F34A5571198D\n568D6905A2C88708A4B3025190EDCFEDB1974A606A13C6E5290FCB2AE63EDAB5\n2CABEAFE37D06CA22ABA7391C0033D25982952C453647349763A3AB5AD6CCF69\n4FF460D54B9C86DABFBCFC5712E0400D2BED3FBC4D4FBDAA86E06ADCD2A9AD7A\n97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8\nBC4D809B15189D78DB3E1D8CF4F9726A795DA1643CA5F1358E1DDB0EDC0D7EB3\nEDF7EBBCA27A2A384D387B7D4010C666E2EDB4843E4C29B4AE1D5B9332E6B24D\n2CE1CB0BF9D2F9E102993FBE215152C3B2DD0CABDE1C68E5319B839154DBB7F5\n0A81EC5A929777F145904AF38D5D509F66B5E2C58FCDB531058B0E17F3F0B41B\nFB8FEC759169B9106B1E511644C618C51304373F6C0643088D8BEFFD1B997599\nBFFF8FD04433487D6A8AA60C1A29767A9FC2BBB05E420F713A13B992891D3893\n8A866FD1B276B57E578E921C65828A2BED58E9F2F288054134B7F1F4BFC9CC74\n52F0E1C4E58EC629291B60317F074671B85D7EA80D5B07273463534B32B40234\nFB8FEC759169B9106B1E511644C618C51304373F6C0643088D8BEFFD1B997599\n91E2F5788D5810EBA7BA58737DE1548A8ECACD014598BC0B143E041B17052552\n2A575471E31340BC21581CBD2CF13E158463203ECE94BCF9D3CC196BF09A5472\nD7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4\nC3846BF24B9E93CA64274C0EC67C1ECC5E024FFCACD2D74019350E81FE546AE4\n9BEA11C976FE014764C1BE56A6F914B5A560317ABD9988393382E5161AA0493C\n4FA3126D8D3A11D1C4855A4F807CBAD6CF919D3A5A88B03BEA2C6372D93C40C9\n49E7A442ACF0EA6287050054B52564B650E4F49E42E348D6AA38E039E957B1C1\n85A0DD7DD720ADB7FF05F83D542B209DC7FF4528F7D677B18389FEA5E5C49E86\n85666A562EE0BE5CE925C1D8890A6F76A87EC16D4D7D5F29EA7419CF20123B69\n6B9C08E86EB0F767CFAD65CD98B62149E5494A67F5845E7BD1ED019F27B86BD6\n2E7BF16CC22485A7BBE2AA8696750761B0AE39BE3B2FE9D0CC6D4EF73491425C\n71CCA5391F9E794B04802530B363E121DA8A3043BB26662FEA4DCA7FC951A4BD\nB0BFD52BB0D7D9BD92BF5D4DC13DA255C02C542F378365EA893911F55E55F23C\n125609AA301DA0A249B97A8239CB6A34216F44DCAC9F3954B14292F2E8C8608F\n6B328085625318AA50D173C98D8BDA09D57E27413D114CF787A0F5D06C030CF6\n88F438DCF8FFD1FA8F429115FFE5F82AE1E06E0C70C375FAAD717B34A49E7265\n513B2CECB810D4CDE5DD85391ADFC6C2DD60D87BB736D2B521484AA47A0EBEF6\n9A6EC012E1A7DA9DBE34194D478AD7C0DB1822FB071DF12981496ED104384113\n5D56499BE4D2E08BCFCAD08A3E38723D50503BDE706948E42F55603019E528AE\nE23D4A036D7B70E9F595B1422079D2B91EDFBB1FB651A0633EAA8A9DC5F80703\nBF0FEEFB9E3A581AD5F9E9DB7589985743D261085C4D314F6F5D7259AA421612\nB0BFD52BB0D7D9BD92BF5D4DC13DA255C02C542F378365EA893911F55E55F23C\nE793C9B02FD8AA13E21C31228ACCB08119643B749C898964B1746D46C3D4CBD2\nB676F2EDDAE8775CD36CB0F63CD1D4603961F49E6265BA013A2F0307B6D0B804\n88EF81DE202EB018452E43F864725CEA5FBD1FC2D9D205730709C5D8B8690F46\nBE6C4DA2BBB9BA59B6F3939768374246C3C005993FA98F020D1DEDBED48A81D5\n657CFE2FA73FAA38462571F332A2363A46FCE7020951710702CDFBB6EEDA3305\n70A73F7F376B60074248904534B11482D5BF0E698ECC498DF52577EBF2E93B9A\nE35D28419ED02025CFA69038CD623962458DA5C695FBDEA3C22B0BFB25897092\nCB3CCBB76031E5E0138F8DD39A23F9DE47FFC35E43C1144CEA27D46A5AB1CB5F\n88497F01602F3154246AE28C4D5AEF10F1D87EBB76626F4AE0B7F95BA7968799\n9B5212D92D073B1D5E8D672E94D1FB472F46D15AEA2EE4D131E5C6436B74B86E\nEEC5496B988CE98625B934092EEC2908BED0B0F316C2D4730C84EAF1F3D34881\n15D5B8774619EA7D54CE1CA6D0B0C403E037A917F131E8A04E1E6B7A71BABCE5\n8FE4FB0AF93A4D0D67DB0BEBB23E37C71BF325DCBCDD240EA04DAF58B47E1840\nBFFF8FD04433487D6A8AA60C1A29767A9FC2BBB05E420F713A13B992891D3893\nCBB9C44D84B8043E1050EA31A69F514955D7BFD2E2C6B49301019AD61D9F5058\n2530CC8E98321502BAD96F9B1FBA1B099E2D299E0F4548BB914F363BC0D4531F\n5D56499BE4D2E08BCFCAD08A3E38723D50503BDE706948E42F55603019E528AE\n9BEA11C976FE014764C1BE56A6F914B5A560317ABD9988393382E5161AA0493C\n179FBC148A3DD00FD24EA13458CC43BFA7F59C8182D783A513F6EBEC100C8924\n43DF5774B03E7FEF5FE40D931A7BEDF1BB2E6B42738C4E6D3841103D3AA7F339\n46EDC3689046D53A453FB3104AB80DCAEC658B2660EA1629DD7E867990648716\nEAA962C4FA4A6BAFEBE415196D351CCD888D4F53F3FA8AE6D7C466A94E6042BB\nCB3CCBB76031E5E0138F8DD39A23F9DE47FFC35E43C1144CEA27D46A5AB1CB5F\n9A114025197C5BB95D94E63D55CD43790847B646B23CDF11ADA4A00EFF15FB48\n18F1FC7F205DF8ADDDEB7FE007DD57E3AF375A9C4D8D73546BF4F1FED1E18D35\n15D5B8774619EA7D54CE1CA6D0B0C403E037A917F131E8A04E1E6B7A71BABCE5\n5CC3D78E4E1D5E45547A04E6873E64F90CF9536D1CCC2EF800F355C4C5FD70FD\n6DC47172E01CBCB0BF62580D895FE2B8AC9AD4F873801E0C10B9C837D21EB177\n70A73F7F376B60074248904534B11482D5BF0E698ECC498DF52577EBF2E93B9A\n73C176434F1BC6D5ADF45B0E76E727287C8DE57616C1E6E6141A2B2CBC7D8E4C\n49E7A442ACF0EA6287050054B52564B650E4F49E42E348D6AA38E039E957B1C1\n85666A562EE0BE5CE925C1D8890A6F76A87EC16D4D7D5F29EA7419CF20123B69\n2A575471E31340BC21581CBD2CF13E158463203ECE94BCF9D3CC196BF09A5472\nCECDDC905099D8DADFC5B1D209B737CBE2C18CFB2C10C0FF0BCF0D3286FC1AA2\nBC104F15A48BE709DCA542A7E1D4B9DF6F054527E802EAA92D595444258AFE71\nEBD41040E4BB3EC742C9E381D31EF2A41A48B6685C96E7CEF3C1DF6CD4331C99\n40F6AF0346A99AA1CD1D555A4E9CCE62C7F9634603EE406615833DC8C8D00367\nBC4D809B15189D78DB3E1D8CF4F9726A795DA1643CA5F1358E1DDB0EDC0D7EB3\nCBB522D7B7F127AD6A0113865BDF1CD4102E7D0759AF635A7CF4720DC963C53B\n5A2FC03F0C83B090BBFA40604B0988446C7636183DF9846E17101A447FB8EFD6\nCA42DD41745FD0B81EB902362CF9D8BF719DA1BD1B1EFC946F5B4C99F42C1B9E\nC0A6F4DC63A24BFDCF54EF2A6A082A0A72DE35803E2FF5FF527AE5D87206DFD5\nBFD88FE1101C41AE3E801BF8BE56350EE9BAD1A6B9BD515EDC5C6D5B8711AC44\n55926084EC963A64B96E2ABE01CE0BA86A64FBFEBCC7AAB5AFC155B37FD76066\nA040929A02CE53B4ACF4F2FFC6981CE4496F755E6D45FE0B2A692BCD52523F36\n4200F5043AC8590EBB527D209ED1503029FBCBD41CA1B506EC27F15ADE7DAC69\nF1C1B50AE5A20DD8030EC9F6BC24823DD367B5255759B4E71B61FCE9F7375D73\n88497F01602F3154246AE28C4D5AEF10F1D87EBB76626F4AE0B7F95BA7968799\n7431E5F4C3C1CE4690774F0B61E05440883BA9A01ED00BA6ABD7806ED3B118CF\nE793C9B02FD8AA13E21C31228ACCB08119643B749C898964B1746D46C3D4CBD2\nFE7696573855773E37A95E7AD4D9CC96C30157C15D31765BA9B15704E1AE78FD\n9A296A5182D1D451A2E37F439B74DAAFA267523329F90F9A0D2007C334E23C9A\n45140B3247EB9CC8C5B4F0D7B53091F73292089E6E5A63E2749DD3ACA9198EDA\n2CE1CB0BF9D2F9E102993FBE215152C3B2DD0CABDE1C68E5319B839154DBB7F5\nE75E72ED9F560EEC6EB4800073A43FC3AD19195A392282017895974A99026B6C\n3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C\n2E7BF16CC22485A7BBE2AA8696750761B0AE39BE3B2FE9D0CC6D4EF73491425C\n85A0DD7DD720ADB7FF05F83D542B209DC7FF4528F7D677B18389FEA5E5C49E86\n16AF57A9F676B0AB126095AA5EBADEF22AB31119D644AC95CD4B93DBF3F26AEB\n0A81EC5A929777F145904AF38D5D509F66B5E2C58FCDB531058B0E17F3F0B41B\n18CE6CFE7BF14E60B2E347B8DFE868CB31D02EBB3ADA271569F50343B46DB3A4\nEDF7EBBCA27A2A384D387B7D4010C666E2EDB4843E4C29B4AE1D5B9332E6B24D\nEBC5570C29018C4D67B1AA127BAF12F703B4611EBC17B7DAB5573894179B93FA\nB676F2EDDAE8775CD36CB0F63CD1D4603961F49E6265BA013A2F0307B6D0B804\n8FE4FB0AF93A4D0D67DB0BEBB23E37C71BF325DCBCDD240EA04DAF58B47E1840\n46EDC3689046D53A453FB3104AB80DCAEC658B2660EA1629DD7E867990648716\n52F0E1C4E58EC629291B60317F074671B85D7EA80D5B07273463534B32B40234\nDD6936FE21F8F077C123A1A521C12224F72255B73E03A7260693E8A24B0FA389\n8ECDE6884F3D87B1125BA31AC3FCB13D7016DE7F57CC904FE1CB97C6AE98196E\nCECDDC905099D8DADFC5B1D209B737CBE2C18CFB2C10C0FF0BCF0D3286FC1AA2\n55926084EC963A64B96E2ABE01CE0BA86A64FBFEBCC7AAB5AFC155B37FD76066\nD7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4\n945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4\n45140B3247EB9CC8C5B4F0D7B53091F73292089E6E5A63E2749DD3ACA9198EDA\n88F438DCF8FFD1FA8F429115FFE5F82AE1E06E0C70C375FAAD717B34A49E7265\nEAA962C4FA4A6BAFEBE415196D351CCD888D4F53F3FA8AE6D7C466A94E6042BB\n4FF460D54B9C86DABFBCFC5712E0400D2BED3FBC4D4FBDAA86E06ADCD2A9AD7A\n30D0895A9A448A262091635522D1F52010B5867ACAE12C78EF958FD4F4389F2F\n04048028BF1F2864D48F9AD4D83294366A828856553F3B14303F90147F5D40EF\n2CABEAFE37D06CA22ABA7391C0033D25982952C453647349763A3AB5AD6CCF69\n44B545AA8A25E65A73CA15DC27FC36D24C1CB9953A066539B11582DC487B4833\n1793927A0614549789ADCE2F8F34F7F0B66D0F3AE3A3B84D21EC15DBBA4FADC7\nDB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88\n4D2491414CFE956746EC4CEFA6CF6F72E28A1329432F9D8A907AC4CB5DADC15A\n6C61DAC3A2DEF031506BE036D2A6FE401994FBD13DF9C8D466599274C446EC98\nEBC5570C29018C4D67B1AA127BAF12F703B4611EBC17B7DAB5573894179B93FA\n7E37CB8B4C47090CAB36551BA6F45DB840680FBA166A952DB100717F43053FC2\nA1339D33281A0B56E557D3D32B1CE7F9367EB094BD5FA72A7E5004C8DED7CAFE\n7D05EBB682339F8C9451EE094EEBFEFA7953A114EDB2F44949452FAB7D2FC185\n59769007F7685D0FCD50872F9F95D5755A5B2B457D81F3692B610A98672F0E1B\n86A1ECBA089C4A8D3BBE2734C612BA341D813E043CF9E8A862CD5C57A36BBE6B\n1465FA205397B876FAA6F0A9958E5590E40FCC7FAA4FB7C2C8677521FB5FB658\n5C58468D55F58E497E743982D2B50010B6D165374ACF83A7D4A32DB768C4408E\n960ADF0063E96356750C2965DD0A0867DA0B9CBD6E77714AEAFB2349AB393DA3\n96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6\n4FA3126D8D3A11D1C4855A4F807CBAD6CF919D3A5A88B03BEA2C6372D93C40C9\n554153B13D2CF9DDB753BFBE1A4E0AE08D0AA4187058FE60A2B862B2E4B87BCB\n62DD0BE9B9F50A163EA0F8E75C053B1ECA57EA55C8688F647C6881F2C8357B95\n02ED0EB28C14DA45165C566791700D6451D7FB56F0B2AB1D3B8EB070E56EDFF5\n0376AB1D54C5F9803CE4B2E201A0EE7EEF7B57B636E8A93C9B8D4860C96F5FA7\n6C61DAC3A2DEF031506BE036D2A6FE401994FBD13DF9C8D466599274C446EC98\n96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6\n44B545AA8A25E65A73CA15DC27FC36D24C1CB9953A066539B11582DC487B4833\n40F6AF0346A99AA1CD1D555A4E9CCE62C7F9634603EE406615833DC8C8D00367\n22A2C1F7BDED704CC1E701B5F408C310880FE956B5DE2A4A44F99C873A25A7C8\n3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C\n8A866FD1B276B57E578E921C65828A2BED58E9F2F288054134B7F1F4BFC9CC74\nCA42DD41745FD0B81EB902362CF9D8BF719DA1BD1B1EFC946F5B4C99F42C1B9E\n552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988\nCBB9C44D84B8043E1050EA31A69F514955D7BFD2E2C6B49301019AD61D9F5058\n3C5F81FEA5FAB82C64BFA2EAECAFCDE8E077FC8620A7CAE537163DF36EDBF378\n6B328085625318AA50D173C98D8BDA09D57E27413D114CF787A0F5D06C030CF6\n55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097\nD43AF9B35473755C9684FC06D7D8CB70EE5C28E773FB294EB41EE71722924D24\nC741F70F4B2A8D88BF2E71C14122EF53EF10EBA0CFA5E64CFA20F418853073E0\nF9E67D336C51002AC054C632022D66DDA2E7E3FFF10AD061ED31D8BBB410CFB2\n91E2F5788D5810EBA7BA58737DE1548A8ECACD014598BC0B143E041B17052552\n4348A0E9444C78CB265E058D5E8944B4D84F9662BD26DB257F8934A443C70161\n3417BB06CC6007DA1B961C920B8AB4CE3FAD820E4AA30B9ACBC4A74EBDCEBC65\n945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4\nE23D4A036D7B70E9F595B1422079D2B91EDFBB1FB651A0633EAA8A9DC5F80703\n1BA5B2AA8C65401A82960118F80BEC4F62304D83CEC4713A19C39C011EA46DB4\n179FBC148A3DD00FD24EA13458CC43BFA7F59C8182D783A513F6EBEC100C8924\n18CE6CFE7BF14E60B2E347B8DFE868CB31D02EBB3ADA271569F50343B46DB3A4\nC3846BF24B9E93CA64274C0EC67C1ECC5E024FFCACD2D74019350E81FE546AE4\n0C2CD63DF7806FA399EDE809116B575BF87989F06518F9808C860503178BAF66\nBF0FEEFB9E3A581AD5F9E9DB7589985743D261085C4D314F6F5D7259AA421612\nD48D3D23EEDB50A459E55197601C27774B9D7B18C94D5A059511A10250B93168\n31AD6648F8104138C738F39EA4320133393E3A18CC02296EF97C2AC9EF6731D0\n8ECDE6884F3D87B1125BA31AC3FCB13D7016DE7F57CC904FE1CB97C6AE98196E\n9A114025197C5BB95D94E63D55CD43790847B646B23CDF11ADA4A00EFF15FB48\n73C176434F1BC6D5ADF45B0E76E727287C8DE57616C1E6E6141A2B2CBC7D8E4C\n5CC3D78E4E1D5E45547A04E6873E64F90CF9536D1CCC2EF800F355C4C5FD70FD\n568D6905A2C88708A4B3025190EDCFEDB1974A606A13C6E5290FCB2AE63EDAB5\n552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988\n0C2CD63DF7806FA399EDE809116B575BF87989F06518F9808C860503178BAF66\nE35D28419ED02025CFA69038CD623962458DA5C695FBDEA3C22B0BFB25897092\n55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097\nCBB522D7B7F127AD6A0113865BDF1CD4102E7D0759AF635A7CF4720DC963C53B\n7D05EBB682339F8C9451EE094EEBFEFA7953A114EDB2F44949452FAB7D2FC185\n\n\n(compared using `cmp` matcher)\n","resource_class":"command","resource_params":"[\"\\n for f in $(find -L /etc/ssl/certs -type f); do\\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'\\n done\\n \"]","resource_id":"Command: `\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'\n done\n `"}]},{"id":"SV-238365","title":"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\nmodification of all information at rest. ","desc":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).","descriptions":[{"label":"default","data":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields)."},{"label":"check","data":"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n$\nsudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding."},{"label":"fix","data":"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000404-GPOS-00183 ","gid":"V-238365 ","rid":"SV-238365r853442_rule ","stig_id":"UBTU-20-010444 ","fix_id":"F-41534r654269_fix ","cci":["CCI-002475"],"nist":["SC-28 (1)"]},"code":"control 'SV-238365' do\n title \"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\nmodification of all information at rest. \"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n$\nsudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000404-GPOS-00183 '\n tag gid: 'V-238365 '\n tag rid: 'SV-238365r853442_rule '\n tag stig_id: 'UBTU-20-010444 '\n tag fix_id: 'F-41534r654269_fix '\n tag cci: ['CCI-002475']\n tag nist: ['SC-28 (1)']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238365.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Not Applicable","run_time":2.0e-05,"start_time":"2022-12-07T14:55:04-05:00","resource":"","skip_message":"Encryption of data at rest is handled by the IaaS","resource_class":"Object","resource_params":"[]","resource_id":"Not Applicable"}]},{"id":"SV-238366","title":"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\ndisclosure of all information at rest. ","desc":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).","descriptions":[{"label":"default","data":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields)."},{"label":"check","data":"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n$sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding."},{"label":"fix","data":"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000405-GPOS-00184 ","gid":"V-238366 ","rid":"SV-238366r853443_rule ","stig_id":"UBTU-20-010445 ","fix_id":"F-41535r654272_fix ","cci":["CCI-002476"],"nist":["SC-28 (1)"]},"code":"control 'SV-238366' do\n title \"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\ndisclosure of all information at rest. \"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n$sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000405-GPOS-00184 '\n tag gid: 'V-238366 '\n tag rid: 'SV-238366r853443_rule '\n tag stig_id: 'UBTU-20-010445 '\n tag fix_id: 'F-41535r654272_fix '\n tag cci: ['CCI-002476']\n tag nist: ['SC-28 (1)']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238366.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Not Applicable","run_time":2.3e-05,"start_time":"2022-12-07T14:55:05-05:00","resource":"","skip_message":"Encryption of data at rest is handled by the IaaS","resource_class":"Object","resource_params":"[]","resource_id":"Not Applicable"}]},{"id":"SV-238367","title":"The Ubuntu operating system must configure the uncomplicated firewall to rate-limit\nimpacted network interfaces. ","desc":"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks.","descriptions":[{"label":"default","data":"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks."},{"label":"check","data":"Verify an application firewall is configured to rate limit any connection to the system.\n\n\nCheck all the services listening to the ports with the following command:\n\n$ sudo ss -l46ut\n\n\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128\n[::]:ssh [::]:*\n\nFor each entry, verify that the Uncomplicated Firewall is configured to\nrate limit the service ports with the following command:\n\n$ sudo ufw status\n\nStatus: active\n\n\nTo Action From\n-- ------ ----\n22/tcp LIMIT Anywhere\n22/tcp (v6) LIMIT Anywhere (v6)\n\nIf\nany port with a state of \"LISTEN\" is not marked with the \"LIMIT\" action, this is a finding."},{"label":"fix","data":"Configure the application firewall to protect against or limit the effects of DoS attacks by\nensuring the Ubuntu operating system is implementing rate-limiting measures on impacted\nnetwork interfaces.\n\nCheck all the services listening to the ports with the following\ncommand:\n\n$ sudo ss -l46ut\n\nNetid State Recv-Q Send-Q Local Address:Port Peer\nAddress:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*\n\nFor each service with a port\nlistening to connections, run the following command, replacing \"[service]\" with the\nservice that needs to be rate limited.\n\n$ sudo ufw limit [service]\n\nRate-limiting can also\nbe done on an interface. An example of adding a rate-limit on the eth0 interface follows:\n\n$\nsudo ufw limit in on eth0"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000420-GPOS-00186 ","gid":"V-238367 ","rid":"SV-238367r853444_rule ","stig_id":"UBTU-20-010446 ","fix_id":"F-41536r654275_fix ","cci":["CCI-002385"],"nist":["SC-5 a"]},"code":"control 'SV-238367' do\n title \"The Ubuntu operating system must configure the uncomplicated firewall to rate-limit\nimpacted network interfaces. \"\n desc \"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks. \"\n desc 'check', \"Verify an application firewall is configured to rate limit any connection to the system.\n\n\nCheck all the services listening to the ports with the following command:\n\n$ sudo ss -l46ut\n\n\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128\n[::]:ssh [::]:*\n\nFor each entry, verify that the Uncomplicated Firewall is configured to\nrate limit the service ports with the following command:\n\n$ sudo ufw status\n\nStatus: active\n\n\nTo Action From\n-- ------ ----\n22/tcp LIMIT Anywhere\n22/tcp (v6) LIMIT Anywhere (v6)\n\nIf\nany port with a state of \\\"LISTEN\\\" is not marked with the \\\"LIMIT\\\" action, this is a finding. \"\n desc 'fix', \"Configure the application firewall to protect against or limit the effects of DoS attacks by\nensuring the Ubuntu operating system is implementing rate-limiting measures on impacted\nnetwork interfaces.\n\nCheck all the services listening to the ports with the following\ncommand:\n\n$ sudo ss -l46ut\n\nNetid State Recv-Q Send-Q Local Address:Port Peer\nAddress:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*\n\nFor each service with a port\nlistening to connections, run the following command, replacing \\\"[service]\\\" with the\nservice that needs to be rate limited.\n\n$ sudo ufw limit [service]\n\nRate-limiting can also\nbe done on an interface. An example of adding a rate-limit on the eth0 interface follows:\n\n$\nsudo ufw limit in on eth0 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000420-GPOS-00186 '\n tag gid: 'V-238367 '\n tag rid: 'SV-238367r853444_rule '\n tag stig_id: 'UBTU-20-010446 '\n tag fix_id: 'F-41536r654275_fix '\n tag cci: ['CCI-002385']\n tag nist: ['SC-5 a']\n\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238367.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Status listings for any allowed services, ports, or applications must be documented with the organization","run_time":2.0e-05,"start_time":"2022-12-07T14:55:05-05:00","resource":"","skip_message":"Status listings checks must be preformed manually","resource_class":"Object","resource_params":"[]","resource_id":"Status listings for any allowed services, ports, or applications must be documented with the organization"}]},{"id":"SV-238368","title":"The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. ","desc":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks.","descriptions":[{"label":"default","data":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks."},{"label":"check","data":"Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \"execute disable\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\"dmesg\" does not show \"NX (Execute Disable) protection: active\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \"flags\" does not contain the \"nx\" flag, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to enable NX.\n\nIf \"nx\" is not showing up in\n\"/proc/cpuinfo\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \"enable\"."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000433-GPOS-00192 ","gid":"V-238368 ","rid":"SV-238368r853445_rule ","stig_id":"UBTU-20-010447 ","fix_id":"F-41537r654278_fix ","cci":["CCI-002824"],"nist":["SI-16"]},"code":"control 'SV-238368' do\n title \"The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \\\"execute disable\\\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\\\"dmesg\\\" does not show \\\"NX (Execute Disable) protection: active\\\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \\\"flags\\\" does not contain the \\\"nx\\\" flag, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enable NX.\n\nIf \\\"nx\\\" is not showing up in\n\\\"/proc/cpuinfo\\\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \\\"enable\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00192 '\n tag gid: 'V-238368 '\n tag rid: 'SV-238368r853445_rule '\n tag stig_id: 'UBTU-20-010447 '\n tag fix_id: 'F-41537r654278_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/,\n }\n describe.one do\n describe command('dmesg | grep NX').stdout.strip do\n it { should match /.+(NX \\(Execute Disable\\) protection: active)/ }\n end\n describe parse_config_file('/proc/cpuinfo', options).flags.split(' ') do\n it { should include 'nx' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238368.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238368.rb:1 ","run_time":0.002411,"start_time":"2022-12-07T14:55:05-05:00","message":"undefined method `split' for nil:NilClass","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238368.rb:1"}]},{"id":"SV-238369","title":"The Ubuntu operating system must implement address space layout randomization to protect\nits memory from unauthorized code execution. ","desc":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks.","descriptions":[{"label":"default","data":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks."},{"label":"check","data":"Verify the Ubuntu operating system implements address space layout randomization (ASLR)\nwith the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\n\nkernel.randomize_va_space = 2\n\nIf nothing is returned, verify the kernel parameter\n\"randomize_va_space\" is set to \"2\" with the following command:\n\n$ cat\n/proc/sys/kernel/randomize_va_space\n\n2\n\nIf \"kernel.randomize_va_space\" is not set to\n\"2\", this is a finding.\n\nVerify that a saved value of the \"kernel.randomize_va_space\"\nvariable is not defined.\n\n$ sudo egrep -R \"^kernel.randomize_va_space=[^2]\"\n/etc/sysctl.conf /etc/sysctl.d\n\nIf this returns a result, this is a finding."},{"label":"fix","data":"Remove the \"kernel.randomize_va_space\" entry found in the \"/etc/sysctl.conf\" file or any\nfile located in the \"/etc/sysctl.d/\" directory.\n\nAfter the line has been removed, the\nkernel settings from all system configuration files must be reloaded before any of the\nchanges will take effect. Run the following command to reload all of the kernel system\nconfiguration files:\n\n$ sudo sysctl --system"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000433-GPOS-00193 ","gid":"V-238369 ","rid":"SV-238369r853446_rule ","stig_id":"UBTU-20-010448 ","fix_id":"F-41538r654281_fix ","cci":["CCI-002824"],"nist":["SI-16"]},"code":"control 'SV-238369' do\n title \"The Ubuntu operating system must implement address space layout randomization to protect\nits memory from unauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the Ubuntu operating system implements address space layout randomization (ASLR)\nwith the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\n\nkernel.randomize_va_space = 2\n\nIf nothing is returned, verify the kernel parameter\n\\\"randomize_va_space\\\" is set to \\\"2\\\" with the following command:\n\n$ cat\n/proc/sys/kernel/randomize_va_space\n\n2\n\nIf \\\"kernel.randomize_va_space\\\" is not set to\n\\\"2\\\", this is a finding.\n\nVerify that a saved value of the \\\"kernel.randomize_va_space\\\"\nvariable is not defined.\n\n$ sudo egrep -R \\\"^kernel.randomize_va_space=[^2]\\\"\n/etc/sysctl.conf /etc/sysctl.d\n\nIf this returns a result, this is a finding. \"\n desc 'fix', \"Remove the \\\"kernel.randomize_va_space\\\" entry found in the \\\"/etc/sysctl.conf\\\" file or any\nfile located in the \\\"/etc/sysctl.d/\\\" directory.\n\nAfter the line has been removed, the\nkernel settings from all system configuration files must be reloaded before any of the\nchanges will take effect. Run the following command to reload all of the kernel system\nconfiguration files:\n\n$ sudo sysctl --system \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00193 '\n tag gid: 'V-238369 '\n tag rid: 'SV-238369r853446_rule '\n tag stig_id: 'UBTU-20-010448 '\n tag fix_id: 'F-41538r654281_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n\n describe kernel_parameter('kernel.randomize_va_space') do\n its('value') { should cmp 2 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238369.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Kernel Parameter kernel.randomize_va_space value is expected to cmp == 2","run_time":0.084417,"start_time":"2022-12-07T14:55:05-05:00","resource_class":"kernel_parameter","resource_params":"[\"kernel.randomize_va_space\"]","resource_id":"kernel.randomize_va_space"}]},{"id":"SV-238370","title":"The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. ","desc":"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system.","descriptions":[{"label":"default","data":"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system."},{"label":"check","data":"Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";\n\nIf the\n\"::Remove-Unused-Dependencies\" and \"::Remove-Unused-Kernel-Packages\" parameters are\nnot set to \"true\" or are missing or commented out, this is a finding."},{"label":"fix","data":"Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\"/etc/apt/apt.conf.d/50unattended-upgrades\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000437-GPOS-00194 ","gid":"V-238370 ","rid":"SV-238370r853447_rule ","stig_id":"UBTU-20-010449 ","fix_id":"F-41539r654284_fix ","cci":["CCI-002617"],"nist":["SI-2 (6)"]},"code":"control 'SV-238370' do\n title \"The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. \"\n desc \"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system. \"\n desc 'check', \"Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\";\n\nIf the\n\\\"::Remove-Unused-Dependencies\\\" and \\\"::Remove-Unused-Kernel-Packages\\\" parameters are\nnot set to \\\"true\\\" or are missing or commented out, this is a finding. \"\n desc 'fix', \"Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\\\"/etc/apt/apt.conf.d/50unattended-upgrades\\\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000437-GPOS-00194 '\n tag gid: 'V-238370 '\n tag rid: 'SV-238370r853447_rule '\n tag stig_id: 'UBTU-20-010449 '\n tag fix_id: 'F-41539r654284_fix '\n tag cci: ['CCI-002617']\n tag nist: ['SI-2 (6)']\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n describe command('grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades').stdout.strip do\n it { should match /^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/ }\n it { should match /^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/ }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238370.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /etc/apt/apt.conf.d is expected to exist","run_time":0.000398,"start_time":"2022-12-07T14:55:05-05:00","resource_class":"directory","resource_params":"[\"/etc/apt/apt.conf.d\"]","resource_id":"/etc/apt/apt.conf.d"},{"status":"failed","code_desc":"is expected to match /^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/","run_time":0.000891,"start_time":"2022-12-07T14:55:05-05:00","message":"expected \"\" to match /^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/\nDiff:\n@@ -1 +1 @@\n-/^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/\n+\"\"\n","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected to match /^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/","run_time":0.000624,"start_time":"2022-12-07T14:55:05-05:00","message":"expected \"\" to match /^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/\nDiff:\n@@ -1 +1 @@\n-/^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/\n+\"\"\n","resource_class":"Object","resource_params":"[]","resource_id":""}]},{"id":"SV-238371","title":"The Ubuntu operating system must use a file integrity tool to verify correct operation of all\nsecurity functions. ","desc":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality.","descriptions":[{"label":"default","data":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the\ncorrect operation of all security functions.\n\nCheck that the AIDE package is installed with\nthe following command:\n\n$ sudo dpkg -l | grep aide\nii aide 0.16.1-1build2 amd64 Advanced\nIntrusion Detection Environment - static binary\n\nIf AIDE is not installed, ask the System\nAdministrator how file integrity checks are performed on the system.\n\nIf no application is\ninstalled to perform integrity checks, this is a finding."},{"label":"fix","data":"Install the AIDE package by running the following command:\n\n$ sudo apt-get install aide"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000445-GPOS-00199 ","gid":"V-238371 ","rid":"SV-238371r853448_rule ","stig_id":"UBTU-20-010450 ","fix_id":"F-41540r654287_fix ","cci":["CCI-002696"],"nist":["SI-6 a"]},"code":"control 'SV-238371' do\n title \"The Ubuntu operating system must use a file integrity tool to verify correct operation of all\nsecurity functions. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the\ncorrect operation of all security functions.\n\nCheck that the AIDE package is installed with\nthe following command:\n\n$ sudo dpkg -l | grep aide\nii aide 0.16.1-1build2 amd64 Advanced\nIntrusion Detection Environment - static binary\n\nIf AIDE is not installed, ask the System\nAdministrator how file integrity checks are performed on the system.\n\nIf no application is\ninstalled to perform integrity checks, this is a finding. \"\n desc 'fix', \"Install the AIDE package by running the following command:\n\n$ sudo apt-get install aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000445-GPOS-00199 '\n tag gid: 'V-238371 '\n tag rid: 'SV-238371r853448_rule '\n tag stig_id: 'UBTU-20-010450 '\n tag fix_id: 'F-41540r654287_fix '\n tag cci: ['CCI-002696']\n tag nist: ['SI-6 a']\n\n describe package('aide') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238371.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package aide is expected to be installed","run_time":0.065597,"start_time":"2022-12-07T14:55:05-05:00","message":"expected that `System Package aide` is installed","resource_class":"package","resource_params":"[\"aide\"]","resource_id":"aide"}]},{"id":"SV-238372","title":"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. ","desc":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item.","descriptions":[{"label":"default","data":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \"yes\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \"SILENTREPORTS\"\nparameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000447-GPOS-00201 ","gid":"V-238372 ","rid":"SV-238372r853449_rule ","stig_id":"UBTU-20-010451 ","fix_id":"F-41541r654290_fix ","cci":["CCI-002702"],"nist":["SI-6 d"]},"code":"control 'SV-238372' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \\\"yes\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000447-GPOS-00201 '\n tag gid: 'V-238372 '\n tag rid: 'SV-238372r853449_rule '\n tag stig_id: 'UBTU-20-010451 '\n tag fix_id: 'F-41541r654290_fix '\n tag cci: ['CCI-002702']\n tag nist: ['SI-6 d']\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238372.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /etc/default/aide is expected to exist","run_time":0.000379,"start_time":"2022-12-07T14:55:05-05:00","message":"expected File /etc/default/aide to exist","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"},{"status":"failed","code_desc":"File /etc/default/aide content is expected to match \"^SILENTREPORTS=no$\"","run_time":0.000944,"start_time":"2022-12-07T14:55:05-05:00","message":"expected nil to match \"^SILENTREPORTS=no$\"","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"}]},{"id":"SV-238373","title":"The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. ","desc":"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections.","descriptions":[{"label":"default","data":"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections."},{"label":"check","data":"Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\"pam_lastlog\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \"pam_lastlog\" is\nmissing from \"/etc/pam.d/login\" file, is not \"required\", or the \"silent\" option is present,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\"/etc/pam.d/login\".\n\nAdd the following line to the top of \"/etc/pam.d/login\":\n\nsession\nrequired pam_lastlog.so showfailed"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238373 ","rid":"SV-238373r858539_rule ","stig_id":"UBTU-20-010453 ","fix_id":"F-41542r654293_fix ","cci":["CCI-000052"],"nist":["AC-9"]},"code":"control 'SV-238373' do\n title \"The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. \"\n desc \"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections. \"\n desc 'check', \"Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\\\"pam_lastlog\\\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \\\"pam_lastlog\\\" is\nmissing from \\\"/etc/pam.d/login\\\" file, is not \\\"required\\\", or the \\\"silent\\\" option is present,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\\\"/etc/pam.d/login\\\".\n\nAdd the following line to the top of \\\"/etc/pam.d/login\\\":\n\nsession\nrequired pam_lastlog.so showfailed \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238373 '\n tag rid: 'SV-238373r858539_rule '\n tag stig_id: 'UBTU-20-010453 '\n tag fix_id: 'F-41542r654293_fix '\n tag cci: ['CCI-000052']\n tag nist: ['AC-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep pam_lastlog /etc/pam.d/login') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*session\\s+required\\s+pam_lastlog.so/ }\n its('stdout.strip') { should_not match /^\\s*session\\s+required\\s+pam_lastlog.so[\\s\\w\\d\\=]+.*silent/ }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238373.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.7e-05,"start_time":"2022-12-07T14:55:05-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238374","title":"The Ubuntu operating system must have an application firewall enabled. ","desc":"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network.","descriptions":[{"label":"default","data":"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network."},{"label":"check","data":"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl status ufw.service | grep -i \"active:\"\n\nActive: active (exited) since Mon\n2016-10-17 12:30:29 CDT; 1s ago\n\nIf the above command returns the status as \"inactive\", this\nis a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator\nif another application firewall is installed. If no application firewall is installed, this\nis a finding."},{"label":"fix","data":"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\nufw.service\n\nIf the Uncomplicated Firewall is not currently running on the system, start it\nwith the following command:\n\n$ sudo systemctl start ufw.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00232 ","gid":"V-238374 ","rid":"SV-238374r654297_rule ","stig_id":"UBTU-20-010454 ","fix_id":"F-41543r654296_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238374' do\n title 'The Ubuntu operating system must have an application firewall enabled. '\n desc \"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network. \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl status ufw.service | grep -i \\\"active:\\\"\n\nActive: active (exited) since Mon\n2016-10-17 12:30:29 CDT; 1s ago\n\nIf the above command returns the status as \\\"inactive\\\", this\nis a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator\nif another application firewall is installed. If no application firewall is installed, this\nis a finding. \"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\nufw.service\n\nIf the Uncomplicated Firewall is not currently running on the system, start it\nwith the following command:\n\n$ sudo systemctl start ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00232 '\n tag gid: 'V-238374 '\n tag rid: 'SV-238374r654297_rule '\n tag stig_id: 'UBTU-20-010454 '\n tag fix_id: 'F-41543r654296_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238374.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service ufw is expected to be installed","run_time":0.001189,"start_time":"2022-12-07T14:55:06-05:00","message":"expected that `Service ufw` is installed","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be enabled","run_time":0.00025,"start_time":"2022-12-07T14:55:06-05:00","message":"expected that `Service ufw` is enabled","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be running","run_time":9.2e-05,"start_time":"2022-12-07T14:55:06-05:00","message":"expected that `Service ufw` is running","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"}]},{"id":"SV-238376","title":"The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. ","desc":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system commands contained in the following directories have mode 0755 or less\npermissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\n\nCheck that the system command files have mode 0755 or less permissive with the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec stat -c \"%n %a\" '{}' \\;\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding."},{"label":"fix","data":"Configure the system commands to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec chmod 755 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238376 ","rid":"SV-238376r654303_rule ","stig_id":"UBTU-20-010456 ","fix_id":"F-41545r654302_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238376' do\n title 'The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. '\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories have mode 0755 or less\npermissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\n\nCheck that the system command files have mode 0755 or less permissive with the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. \"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238376 '\n tag rid: 'SV-238376r654303_rule '\n tag stig_id: 'UBTU-20-010456 '\n tag fix_id: 'F-41545r654302_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238376.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755 count is expected to eq 0","run_time":8.4e-05,"start_time":"2022-12-07T14:55:06-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238377","title":"The Ubuntu operating system must have system commands owned by root or a system account. ","desc":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system commands contained in the following directories are owned by root, or a\nrequired system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nUse the following command for the check:\n\n$ sudo find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \"%n %U\"\n'{}' \\;\n\nIf any system commands are returned and are not owned by a required system account,\nthis is a finding."},{"label":"fix","data":"Configure the system commands and their respective parent directories to be protected from\nunauthorized access. Run the following command, replacing \"[FILE]\" with any system command\nfile not owned by \"root\" or a required system account:\n\n$ sudo chown root [FILE]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238377 ","rid":"SV-238377r832968_rule ","stig_id":"UBTU-20-010457 ","fix_id":"F-41546r832967_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238377' do\n title 'The Ubuntu operating system must have system commands owned by root or a system account. '\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories are owned by root, or a\nrequired system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nUse the following command for the check:\n\n$ sudo find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \\\"%n %U\\\"\n'{}' \\\\;\n\nIf any system commands are returned and are not owned by a required system account,\nthis is a finding. \"\n desc 'fix', \"Configure the system commands and their respective parent directories to be protected from\nunauthorized access. Run the following command, replacing \\\"[FILE]\\\" with any system command\nfile not owned by \\\"root\\\" or a required system account:\n\n$ sudo chown root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238377 '\n tag rid: 'SV-238377r832968_rule '\n tag stig_id: 'UBTU-20-010457 '\n tag fix_id: 'F-41546r832967_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238377.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root count is expected to eq 0","run_time":0.00018,"start_time":"2022-12-07T14:55:06-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238378","title":"The Ubuntu operating system must have system commands group-owned by root or a system\naccount. ","desc":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system commands contained in the following directories are group-owned by root or\na required system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nRun the check with the following command:\n\n$ sudo find -L /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec\nstat -c \"%n %G\" '{}' \\;\n\nIf any system commands are returned that are not Set Group ID upon\nexecution (SGID) files and group-owned by a required system account, this is a finding."},{"label":"fix","data":"Configure the system commands to be protected from unauthorized access. Run the following\ncommand, replacing \"[FILE]\" with any system command file not group-owned by \"root\" or a\nrequired system account:\n\n$ sudo chgrp root [FILE]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238378 ","rid":"SV-238378r832971_rule ","stig_id":"UBTU-20-010458 ","fix_id":"F-41547r832970_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238378' do\n title \"The Ubuntu operating system must have system commands group-owned by root or a system\naccount. \"\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories are group-owned by root or\na required system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nRun the check with the following command:\n\n$ sudo find -L /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec\nstat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands are returned that are not Set Group ID upon\nexecution (SGID) files and group-owned by a required system account, this is a finding. \"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. Run the following\ncommand, replacing \\\"[FILE]\\\" with any system command file not group-owned by \\\"root\\\" or a\nrequired system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238378 '\n tag rid: 'SV-238378r832971_rule '\n tag stig_id: 'UBTU-20-010458 '\n tag fix_id: 'F-41547r832970_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -perm /2000 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are not Set Group ID up on execution (SGID) files and owned by a privileged account' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238378.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are not Set Group ID up on execution (SGID) files and owned by a privileged account count is expected to eq 0","run_time":0.00096,"start_time":"2022-12-07T14:55:06-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238379","title":"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. ","desc":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken.","descriptions":[{"label":"default","data":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken."},{"label":"check","data":"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \"logout\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \"logout\" key is bound to an action, is\ncommented out, or is missing, this is a finding."},{"label":"fix","data":"Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238379 ","rid":"SV-238379r654312_rule ","stig_id":"UBTU-20-010459 ","fix_id":"F-41548r654311_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238379' do\n title \"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. \"\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \\\"logout\\\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \\\"logout\\\" key is bound to an action, is\ncommented out, or is missing, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238379 '\n tag rid: 'SV-238379r654312_rule '\n tag stig_id: 'UBTU-20-010459 '\n tag fix_id: 'F-41548r654311_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe command(\"grep -R logout='' /etc/dconf/db/local.d/\").stdout.strip.split(\"\\n\").entries do\n its('count') { should_not eq 0 }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238379.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"1","run_time":3.6e-05,"start_time":"2022-12-07T14:55:06-05:00","resource":"1","skip_message":"GUI not installed.\nwhich Xorg exit_status: 1","resource_class":"Numeric","resource_params":"[]","resource_id":""}]},{"id":"SV-238380","title":"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. ","desc":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot.","descriptions":[{"label":"default","data":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot."},{"label":"check","data":"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\nCheck that the \"ctrl-alt-del.target\" (otherwise also known\nas reboot.target) is not active with the following command:\n\n$ sudo systemctl status\nctrl-alt-del.target\nctrl-alt-del.target\nLoaded: masked (Reason: Unit\nctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \"ctrl-alt-del.target\"\nis not masked, this is a finding."},{"label":"fix","data":"Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the\nfollowing commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl\nmask ctrl-alt-del.target\n\nReload the daemon to take effect:\n\n$ sudo systemctl\ndaemon-reload"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238380 ","rid":"SV-238380r832974_rule ","stig_id":"UBTU-20-010460 ","fix_id":"F-41549r832973_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238380' do\n title 'The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. '\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\nCheck that the \\\"ctrl-alt-del.target\\\" (otherwise also known\nas reboot.target) is not active with the following command:\n\n$ sudo systemctl status\nctrl-alt-del.target\nctrl-alt-del.target\nLoaded: masked (Reason: Unit\nctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \\\"ctrl-alt-del.target\\\"\nis not masked, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the\nfollowing commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl\nmask ctrl-alt-del.target\n\nReload the daemon to take effect:\n\n$ sudo systemctl\ndaemon-reload \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238380 '\n tag rid: 'SV-238380r832974_rule '\n tag stig_id: 'UBTU-20-010460 '\n tag fix_id: 'F-41549r832973_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe service('ctrl-alt-del.target') do\n it { should_not be_running }\n it { should_not be_enabled }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238380.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Service ctrl-alt-del.target is expected not to be running","run_time":0.090737,"start_time":"2022-12-07T14:55:06-05:00","resource_class":"service","resource_params":"[\"ctrl-alt-del.target\"]","resource_id":"ctrl-alt-del.target"},{"status":"passed","code_desc":"Service ctrl-alt-del.target is expected not to be enabled","run_time":0.000613,"start_time":"2022-12-07T14:55:06-05:00","resource_class":"service","resource_params":"[\"ctrl-alt-del.target\"]","resource_id":"ctrl-alt-del.target"}]},{"id":"SV-251503","title":"The Ubuntu operating system must not have accounts configured with blank or null passwords. ","desc":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.","descriptions":[{"label":"default","data":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments."},{"label":"check","data":"Check the \"/etc/shadow\" file for blank passwords with the following command:\n\n$ sudo awk -F:\n'!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding."},{"label":"fix","data":"Configure all accounts on the system to have a password or lock the account with the following\ncommands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo\npasswd -l [username]"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-251503 ","rid":"SV-251503r808506_rule ","stig_id":"UBTU-20-010462 ","fix_id":"F-54892r808505_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-251503' do\n title 'The Ubuntu operating system must not have accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"Check the \\\"/etc/shadow\\\" file for blank passwords with the following command:\n\n$ sudo awk -F:\n'!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding. \"\n desc 'fix', \"Configure all accounts on the system to have a password or lock the account with the following\ncommands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo\npasswd -l [username] \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251503 '\n tag rid: 'SV-251503r808506_rule '\n tag stig_id: 'UBTU-20-010462 '\n tag fix_id: 'F-54892r808505_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe command(\"sudo awk -F: '!$2 {print $1}' /etc/shadow\") do\n its('stdout') { should be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-251503.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Command: `sudo awk -F: '!$2 {print $1}' /etc/shadow` stdout is expected to be empty","run_time":0.083632,"start_time":"2022-12-07T14:55:06-05:00","resource_class":"command","resource_params":"[\"sudo awk -F: '!$2 {print $1}' /etc/shadow\"]","resource_id":"Command: `sudo awk -F: '!$2 {print $1}' /etc/shadow`"}]},{"id":"SV-251504","title":"The Ubuntu operating system must not allow accounts configured with blank or null passwords. ","desc":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.","descriptions":[{"label":"default","data":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments."},{"label":"check","data":"To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding."},{"label":"fix","data":"If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \"nullok\" option in \"/etc/pam.d/common-password\" to prevent logons with\nempty passwords."}],"impact":0.0,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-251504 ","rid":"SV-251504r832977_rule ","stig_id":"UBTU-20-010463 ","fix_id":"F-54893r832976_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-251504' do\n title 'The Ubuntu operating system must not allow accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding. \"\n desc 'fix', \"If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \\\"nullok\\\" option in \\\"/etc/pam.d/common-password\\\" to prevent logons with\nempty passwords. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251504 '\n tag rid: 'SV-251504r832977_rule '\n tag stig_id: 'UBTU-20-010463 '\n tag fix_id: 'F-54893r832976_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep nullok /etc/pam.d/common-password') do\n its('stdout') { should be_empty }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-251504.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.9e-05,"start_time":"2022-12-07T14:55:06-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-251505","title":"The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB)\nmass storage driver. ","desc":"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers.","descriptions":[{"label":"default","data":"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers."},{"label":"check","data":"Verify that Ubuntu operating system disables ability to load the USB storage kernel\nmodule.\n\n# grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\"\n\ninstall usb-storage\n/bin/true\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding.\n\nVerify the operating system disables the ability to use USB mass storage\ndevice.\n\n# grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"\n\nblacklist\nusb-storage\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to disable using the USB storage kernel module.\n\n\nCreate a file under \"/etc/modprobe.d\" to contain the following:\n\n# sudo su -c \"echo\ninstall usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\"\n\nConfigure the\noperating system to disable the ability to use USB mass storage devices.\n\n# sudo su -c \"echo\nblacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\""}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000378-GPOS-00163 ","gid":"V-251505 ","rid":"SV-251505r853450_rule ","stig_id":"UBTU-20-010461 ","fix_id":"F-54894r808511_fix ","cci":["CCI-001958"],"nist":["IA-3"]},"code":"control 'SV-251505' do\n title \"The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB)\nmass storage driver. \"\n desc \"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers. \"\n desc 'check', \"Verify that Ubuntu operating system disables ability to load the USB storage kernel\nmodule.\n\n# grep usb-storage /etc/modprobe.d/* | grep \\\"/bin/true\\\"\n\ninstall usb-storage\n/bin/true\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding.\n\nVerify the operating system disables the ability to use USB mass storage\ndevice.\n\n# grep usb-storage /etc/modprobe.d/* | grep -i \\\"blacklist\\\"\n\nblacklist\nusb-storage\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable using the USB storage kernel module.\n\n\nCreate a file under \\\"/etc/modprobe.d\\\" to contain the following:\n\n# sudo su -c \\\"echo\ninstall usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\\\"\n\nConfigure the\noperating system to disable the ability to use USB mass storage devices.\n\n# sudo su -c \\\"echo\nblacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\\\" \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000378-GPOS-00163 '\n tag gid: 'V-251505 '\n tag rid: 'SV-251505r853450_rule '\n tag stig_id: 'UBTU-20-010461 '\n tag fix_id: 'F-54894r808511_fix '\n tag cci: ['CCI-001958']\n tag nist: ['IA-3']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\"') do\n its('stdout') { should_not be_empty }\n end\n\n describe command('grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"') do\n its('stdout') { should_not be_empty }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-251505.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.9e-05,"start_time":"2022-12-07T14:55:07-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-252704","title":"The Ubuntu operating system must disable all wireless network adapters. ","desc":"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required.","descriptions":[{"label":"default","data":"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required."},{"label":"check","data":"Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding."},{"label":"fix","data":"List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \"/etc/modprobe.d\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name>"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000481-GPOS-00481 ","gid":"V-252704 ","rid":"SV-252704r854182_rule ","stig_id":"UBTU-20-010455 ","fix_id":"F-56110r819056_fix ","cci":["CCI-002418"],"nist":["SC-8"]},"code":"control 'SV-252704' do\n title 'The Ubuntu operating system must disable all wireless network adapters. '\n desc \"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required. \"\n desc 'check', \"Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding. \"\n desc 'fix', \"List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \\\"/etc/modprobe.d\\\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000481-GPOS-00481 '\n tag gid: 'V-252704 '\n tag rid: 'SV-252704r854182_rule '\n tag stig_id: 'UBTU-20-010455 '\n tag fix_id: 'F-56110r819056_fix '\n tag cci: ['CCI-002418']\n tag nist: ['SC-8']\n\n describe command('ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename') do\n its('stdout') { should be_in input('approved_wireless_interfaces') }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-252704.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Command: `ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename` stdout is expected to be in","run_time":0.087611,"start_time":"2022-12-07T14:55:07-05:00","message":"expected `` to be in the list: `[]`","resource_class":"command","resource_params":"[\"ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename\"]","resource_id":"Command: `ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename`"}]}],"status":"loaded","status_message":""}],"statistics":{"duration":20.254917},"version":"5.18.14"} \ No newline at end of file diff --git a/inspec-test-docker.sh b/inspec-test-docker.sh index 1434055..e808925 100755 --- a/inspec-test-docker.sh +++ b/inspec-test-docker.sh @@ -1,15 +1,15 @@ #!/bin/bash -VANILLA_IMAGE=public.ecr.aws/lts/ubuntu:focal -HARDENED_IMAGE=canonical/ubuntu-pro-stig-20.04:latest +export VANILLA_IMAGE="public.ecr.aws/lts/ubuntu:focal" +export HARDENED_IMAGE="canonical/ubuntu-pro-stig-20.04:latest" echo "BUILD: build the hardened ubuntu image" docker build https://repo1.dso.mil/dsop/canonical/ubuntu/ubuntu-pro-cis-stig-20.04.git\#development \ --tag $HARDENED_IMAGE echo "CREATE: create target containers for testing" -docker run -dit --rm --name vanilla-ubuntu $VANILLA_IMAGE -docker run -dit --rm --name hardened-ubuntu $HARDENED_IMAGE\ +docker run -itd --rm --name vanilla-ubuntu $VANILLA_IMAGE +docker run -itd --rm --name hardened-ubuntu $HARDENED_IMAGE docker ps -f name=-ubuntu diff --git a/inspec.lock b/inspec.lock new file mode 100644 index 0000000..e687b9b --- /dev/null +++ b/inspec.lock @@ -0,0 +1,3 @@ +--- +lockfile_version: 1 +depends: [] diff --git a/vanilla.json b/vanilla.json new file mode 100644 index 0000000..4857c6e --- /dev/null +++ b/vanilla.json @@ -0,0 +1 @@ +{"platform":{"name":"ubuntu","release":"20.04","target_id":"da39a3ee-5e6b-5b0d-b255-bfef95601890"},"profiles":[{"name":"Canonical_Ubuntu_20-04_LTS_STIG","version":"0.1.0","sha256":"790ca193566f32b338bd5838db799358bbbbea2c1dabc843bc17f7ddfee74682","title":"Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide","maintainer":"Nitin Ravindran","summary":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.","license":"Apache-2.0","copyright":"Nitin Ravindran","copyright_email":"nravindran@vmware.com","supports":[{"platform-name":"ubuntu","release":"20.04"}],"attributes":[{"name":"temporary_accounts","options":{"type":"Array","value":[]}},{"name":"banner_text","options":{"type":"String","value":"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."}},{"name":"sudo_accounts","options":{"type":"Array","value":["ubuntu"]}},{"name":"tmout","options":{"type":"Numeric","value":600}},{"name":"action_mail_acct","options":{"type":"String","value":"root"}},{"name":"audit_tools","options":{"type":"Array","value":["/sbin/auditctl","/sbin/aureport","/sbin/ausearch","/sbin/autrace","/sbin/auditd","/sbin/audispd","/sbin/augenrules"]}},{"name":"standard_audit_log_size","options":{"type":"Numeric","value":8894028}},{"name":"aide_conf_path","options":{"type":"String","value":"/etc/aide/aide.conf"}},{"name":"maxlogins","options":{"type":"Numeric","value":10}},{"name":"is_kdump_required","options":{"type":"Boolean","value":false}},{"name":"is_system_networked","options":{"type":"Boolean","value":true}},{"name":"sssd_conf_path","options":{"type":"String","value":"/etc/sssd/sssd.conf"}},{"name":"allowed_ca_fingerprints_regex","options":{"type":"String","value":"(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)"}},{"name":"allowed_network_interfaces","options":{"type":"Array","value":["lo","eth0"]}},{"name":"audit_sp_remote_server","options":{"type":"String","value":"192.0.0.1"}},{"name":"approved_wireless_interfaces","options":{"type":"Array","value":[]}},{"name":"fips_config_file","options":{"type":"String","value":"/proc/sys/crypto/fips_enabled"}},{"name":"chrony_config_file","options":{"type":"String","value":"/etc/chrony/chrony.conf"}},{"name":"useradd_config_file","options":{"type":"String","value":"/etc/default/useradd"}},{"name":"rsyslog_config_file","options":{"type":"String","value":"/etc/rsyslog.d/50-default.conf"}},{"name":"auditoffload_config_file","options":{"type":"String","value":"/etc/cron.weekly/audit-offload"}},{"name":"audispremote_config_file","options":{"type":"String","value":"/etc/audisp/plugins.d/au-remote.conf"}},{"name":"gdm3_config_file","options":{"type":"String","value":"/etc/gdm3/greeter.dconf-defaults"}},{"name":"disable_fips","options":{"type":"Boolean","value":false}}],"groups":[{"id":"controls/SV-238196.rb","controls":["SV-238196"]},{"id":"controls/SV-238197.rb","controls":["SV-238197"]},{"id":"controls/SV-238198.rb","controls":["SV-238198"]},{"id":"controls/SV-238199.rb","controls":["SV-238199"]},{"id":"controls/SV-238200.rb","controls":["SV-238200"]},{"id":"controls/SV-238201.rb","controls":["SV-238201"]},{"id":"controls/SV-238202.rb","controls":["SV-238202"]},{"id":"controls/SV-238203.rb","controls":["SV-238203"]},{"id":"controls/SV-238204.rb","controls":["SV-238204"]},{"id":"controls/SV-238205.rb","controls":["SV-238205"]},{"id":"controls/SV-238206.rb","controls":["SV-238206"]},{"id":"controls/SV-238207.rb","controls":["SV-238207"]},{"id":"controls/SV-238208.rb","controls":["SV-238208"]},{"id":"controls/SV-238209.rb","controls":["SV-238209"]},{"id":"controls/SV-238210.rb","controls":["SV-238210"]},{"id":"controls/SV-238211.rb","controls":["SV-238211"]},{"id":"controls/SV-238212.rb","controls":["SV-238212"]},{"id":"controls/SV-238213.rb","controls":["SV-238213"]},{"id":"controls/SV-238214.rb","controls":["SV-238214"]},{"id":"controls/SV-238215.rb","controls":["SV-238215"]},{"id":"controls/SV-238216.rb","controls":["SV-238216"]},{"id":"controls/SV-238217.rb","controls":["SV-238217"]},{"id":"controls/SV-238218.rb","controls":["SV-238218"]},{"id":"controls/SV-238219.rb","controls":["SV-238219"]},{"id":"controls/SV-238220.rb","controls":["SV-238220"]},{"id":"controls/SV-238221.rb","controls":["SV-238221"]},{"id":"controls/SV-238222.rb","controls":["SV-238222"]},{"id":"controls/SV-238223.rb","controls":["SV-238223"]},{"id":"controls/SV-238224.rb","controls":["SV-238224"]},{"id":"controls/SV-238225.rb","controls":["SV-238225"]},{"id":"controls/SV-238226.rb","controls":["SV-238226"]},{"id":"controls/SV-238227.rb","controls":["SV-238227"]},{"id":"controls/SV-238228.rb","controls":["SV-238228"]},{"id":"controls/SV-238229.rb","controls":["SV-238229"]},{"id":"controls/SV-238230.rb","controls":["SV-238230"]},{"id":"controls/SV-238231.rb","controls":["SV-238231"]},{"id":"controls/SV-238232.rb","controls":["SV-238232"]},{"id":"controls/SV-238233.rb","controls":["SV-238233"]},{"id":"controls/SV-238234.rb","controls":["SV-238234"]},{"id":"controls/SV-238235.rb","controls":["SV-238235"]},{"id":"controls/SV-238236.rb","controls":["SV-238236"]},{"id":"controls/SV-238237.rb","controls":["SV-238237"]},{"id":"controls/SV-238238.rb","controls":["SV-238238"]},{"id":"controls/SV-238239.rb","controls":["SV-238239"]},{"id":"controls/SV-238240.rb","controls":["SV-238240"]},{"id":"controls/SV-238241.rb","controls":["SV-238241"]},{"id":"controls/SV-238242.rb","controls":["SV-238242"]},{"id":"controls/SV-238243.rb","controls":["SV-238243"]},{"id":"controls/SV-238244.rb","controls":["SV-238244"]},{"id":"controls/SV-238245.rb","controls":["SV-238245"]},{"id":"controls/SV-238246.rb","controls":["SV-238246"]},{"id":"controls/SV-238247.rb","controls":["SV-238247"]},{"id":"controls/SV-238248.rb","controls":["SV-238248"]},{"id":"controls/SV-238249.rb","controls":["SV-238249"]},{"id":"controls/SV-238250.rb","controls":["SV-238250"]},{"id":"controls/SV-238251.rb","controls":["SV-238251"]},{"id":"controls/SV-238252.rb","controls":["SV-238252"]},{"id":"controls/SV-238253.rb","controls":["SV-238253"]},{"id":"controls/SV-238254.rb","controls":["SV-238254"]},{"id":"controls/SV-238255.rb","controls":["SV-238255"]},{"id":"controls/SV-238256.rb","controls":["SV-238256"]},{"id":"controls/SV-238257.rb","controls":["SV-238257"]},{"id":"controls/SV-238258.rb","controls":["SV-238258"]},{"id":"controls/SV-238264.rb","controls":["SV-238264"]},{"id":"controls/SV-238268.rb","controls":["SV-238268"]},{"id":"controls/SV-238271.rb","controls":["SV-238271"]},{"id":"controls/SV-238277.rb","controls":["SV-238277"]},{"id":"controls/SV-238278.rb","controls":["SV-238278"]},{"id":"controls/SV-238279.rb","controls":["SV-238279"]},{"id":"controls/SV-238280.rb","controls":["SV-238280"]},{"id":"controls/SV-238281.rb","controls":["SV-238281"]},{"id":"controls/SV-238282.rb","controls":["SV-238282"]},{"id":"controls/SV-238283.rb","controls":["SV-238283"]},{"id":"controls/SV-238284.rb","controls":["SV-238284"]},{"id":"controls/SV-238285.rb","controls":["SV-238285"]},{"id":"controls/SV-238286.rb","controls":["SV-238286"]},{"id":"controls/SV-238287.rb","controls":["SV-238287"]},{"id":"controls/SV-238288.rb","controls":["SV-238288"]},{"id":"controls/SV-238289.rb","controls":["SV-238289"]},{"id":"controls/SV-238290.rb","controls":["SV-238290"]},{"id":"controls/SV-238291.rb","controls":["SV-238291"]},{"id":"controls/SV-238292.rb","controls":["SV-238292"]},{"id":"controls/SV-238293.rb","controls":["SV-238293"]},{"id":"controls/SV-238294.rb","controls":["SV-238294"]},{"id":"controls/SV-238295.rb","controls":["SV-238295"]},{"id":"controls/SV-238297.rb","controls":["SV-238297"]},{"id":"controls/SV-238298.rb","controls":["SV-238298"]},{"id":"controls/SV-238299.rb","controls":["SV-238299"]},{"id":"controls/SV-238300.rb","controls":["SV-238300"]},{"id":"controls/SV-238301.rb","controls":["SV-238301"]},{"id":"controls/SV-238302.rb","controls":["SV-238302"]},{"id":"controls/SV-238303.rb","controls":["SV-238303"]},{"id":"controls/SV-238304.rb","controls":["SV-238304"]},{"id":"controls/SV-238305.rb","controls":["SV-238305"]},{"id":"controls/SV-238306.rb","controls":["SV-238306"]},{"id":"controls/SV-238307.rb","controls":["SV-238307"]},{"id":"controls/SV-238308.rb","controls":["SV-238308"]},{"id":"controls/SV-238309.rb","controls":["SV-238309"]},{"id":"controls/SV-238310.rb","controls":["SV-238310"]},{"id":"controls/SV-238315.rb","controls":["SV-238315"]},{"id":"controls/SV-238316.rb","controls":["SV-238316"]},{"id":"controls/SV-238317.rb","controls":["SV-238317"]},{"id":"controls/SV-238318.rb","controls":["SV-238318"]},{"id":"controls/SV-238319.rb","controls":["SV-238319"]},{"id":"controls/SV-238320.rb","controls":["SV-238320"]},{"id":"controls/SV-238321.rb","controls":["SV-238321"]},{"id":"controls/SV-238323.rb","controls":["SV-238323"]},{"id":"controls/SV-238324.rb","controls":["SV-238324"]},{"id":"controls/SV-238325.rb","controls":["SV-238325"]},{"id":"controls/SV-238326.rb","controls":["SV-238326"]},{"id":"controls/SV-238327.rb","controls":["SV-238327"]},{"id":"controls/SV-238328.rb","controls":["SV-238328"]},{"id":"controls/SV-238329.rb","controls":["SV-238329"]},{"id":"controls/SV-238330.rb","controls":["SV-238330"]},{"id":"controls/SV-238331.rb","controls":["SV-238331"]},{"id":"controls/SV-238332.rb","controls":["SV-238332"]},{"id":"controls/SV-238333.rb","controls":["SV-238333"]},{"id":"controls/SV-238334.rb","controls":["SV-238334"]},{"id":"controls/SV-238335.rb","controls":["SV-238335"]},{"id":"controls/SV-238336.rb","controls":["SV-238336"]},{"id":"controls/SV-238337.rb","controls":["SV-238337"]},{"id":"controls/SV-238338.rb","controls":["SV-238338"]},{"id":"controls/SV-238339.rb","controls":["SV-238339"]},{"id":"controls/SV-238340.rb","controls":["SV-238340"]},{"id":"controls/SV-238341.rb","controls":["SV-238341"]},{"id":"controls/SV-238342.rb","controls":["SV-238342"]},{"id":"controls/SV-238343.rb","controls":["SV-238343"]},{"id":"controls/SV-238344.rb","controls":["SV-238344"]},{"id":"controls/SV-238345.rb","controls":["SV-238345"]},{"id":"controls/SV-238346.rb","controls":["SV-238346"]},{"id":"controls/SV-238347.rb","controls":["SV-238347"]},{"id":"controls/SV-238348.rb","controls":["SV-238348"]},{"id":"controls/SV-238349.rb","controls":["SV-238349"]},{"id":"controls/SV-238350.rb","controls":["SV-238350"]},{"id":"controls/SV-238351.rb","controls":["SV-238351"]},{"id":"controls/SV-238352.rb","controls":["SV-238352"]},{"id":"controls/SV-238353.rb","controls":["SV-238353"]},{"id":"controls/SV-238354.rb","controls":["SV-238354"]},{"id":"controls/SV-238355.rb","controls":["SV-238355"]},{"id":"controls/SV-238356.rb","controls":["SV-238356"]},{"id":"controls/SV-238357.rb","controls":["SV-238357"]},{"id":"controls/SV-238358.rb","controls":["SV-238358"]},{"id":"controls/SV-238359.rb","controls":["SV-238359"]},{"id":"controls/SV-238360.rb","controls":["SV-238360"]},{"id":"controls/SV-238361.rb","controls":["SV-238361"]},{"id":"controls/SV-238362.rb","controls":["SV-238362"]},{"id":"controls/SV-238363.rb","controls":["SV-238363"]},{"id":"controls/SV-238364.rb","controls":["SV-238364"]},{"id":"controls/SV-238365.rb","controls":["SV-238365"]},{"id":"controls/SV-238366.rb","controls":["SV-238366"]},{"id":"controls/SV-238367.rb","controls":["SV-238367"]},{"id":"controls/SV-238368.rb","controls":["SV-238368"]},{"id":"controls/SV-238369.rb","controls":["SV-238369"]},{"id":"controls/SV-238370.rb","controls":["SV-238370"]},{"id":"controls/SV-238371.rb","controls":["SV-238371"]},{"id":"controls/SV-238372.rb","controls":["SV-238372"]},{"id":"controls/SV-238373.rb","controls":["SV-238373"]},{"id":"controls/SV-238374.rb","controls":["SV-238374"]},{"id":"controls/SV-238376.rb","controls":["SV-238376"]},{"id":"controls/SV-238377.rb","controls":["SV-238377"]},{"id":"controls/SV-238378.rb","controls":["SV-238378"]},{"id":"controls/SV-238379.rb","controls":["SV-238379"]},{"id":"controls/SV-238380.rb","controls":["SV-238380"]},{"id":"controls/SV-251503.rb","controls":["SV-251503"]},{"id":"controls/SV-251504.rb","controls":["SV-251504"]},{"id":"controls/SV-251505.rb","controls":["SV-251505"]},{"id":"controls/SV-252704.rb","controls":["SV-252704"]}],"controls":[{"id":"SV-238196","title":"The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. ","desc":"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements.","descriptions":[{"label":"default","data":"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements."},{"label":"check","data":"Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding."},{"label":"fix","data":"If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\"system_account_name\" with the account to be created.\n\n$ sudo chage -E $(date -d \"+3 days\"\n+%F) system_account_name"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000002-GPOS-00002 ","gid":"V-238196 ","rid":"SV-238196r653763_rule ","stig_id":"UBTU-20-010000 ","fix_id":"F-41365r653762_fix ","cci":["CCI-000016"],"nist":["AC-2 (2)"]},"code":"control 'SV-238196' do\n title \"The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. \"\n desc \"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding. \"\n desc 'fix', \"If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\\\"system_account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\"\n+%F) system_account_name \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000002-GPOS-00002 '\n tag gid: 'V-238196 '\n tag rid: 'SV-238196r653763_rule '\n tag stig_id: 'UBTU-20-010000 '\n tag fix_id: 'F-41365r653762_fix '\n tag cci: ['CCI-000016']\n tag nist: ['AC-2 (2)']\n\n temporary_accounts = input('temporary_accounts')\n\n if temporary_accounts.empty?\n describe 'Temporary accounts' do\n subject { temporary_accounts }\n it { should be_empty }\n end\n else\n temporary_accounts.each do |acct|\n describe command(\"chage -l #{acct} | grep 'Account expires'\") do\n its('stdout.strip') { should_not match /:\\s*never/ }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238196.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Temporary accounts is expected to be empty","run_time":0.004252,"start_time":"2022-12-07T14:54:19-05:00","resource_class":"Object","resource_params":"[]","resource_id":"Temporary accounts"}]},{"id":"SV-238197","title":"The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. ","desc":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"","descriptions":[{"label":"default","data":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\""},{"label":"check","data":"Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \"false\", this is a finding."},{"label":"fix","data":"Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.\n\nLook for the\n\"banner-message-enable\" parameter under the \"[org/gnome/login-screen]\" section and\nuncomment it (remove the leading \"#\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000023-GPOS-00006 ","gid":"V-238197 ","rid":"SV-238197r653766_rule ","stig_id":"UBTU-20-010002 ","fix_id":"F-41366r653765_fix ","cci":["CCI-000048"],"nist":["AC-8 a"]},"code":"control 'SV-238197' do\n title \"The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \\\"false\\\", this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nLook for the\n\\\"banner-message-enable\\\" parameter under the \\\"[org/gnome/login-screen]\\\" section and\nuncomment it (remove the leading \\\"#\\\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238197 '\n tag rid: 'SV-238197r653766_rule '\n tag stig_id: 'UBTU-20-010002 '\n tag fix_id: 'F-41366r653765_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe 'banner-message-enable must be set to true' do\n subject { command('grep banner-message-enable /etc/dconf/db/local.d/*') }\n its('stdout') { should match /(banner-message-enable).+=.+(true)/ }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238197.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"1","run_time":1.0e-05,"start_time":"2022-12-07T14:54:19-05:00","resource":"1","skip_message":"GUI not installed.\nwhich Xorg exit_status: 1","resource_class":"Numeric","resource_params":"[]","resource_id":""}]},{"id":"SV-238198","title":"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local access to the system via a graphical user logon. ","desc":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"","descriptions":[{"label":"default","data":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\""},{"label":"check","data":"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the operating system via a graphical user logon.\n\nNote: If\nthe system does not have a graphical user interface installed, this requirement is Not\nApplicable.\n\nVerify the operating system displays the exact approved Standard Mandatory\nDoD Notice and Consent Banner text with the command:\n\n$ grep ^banner-message-text\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-text=\"You are accessing a U.S.\nGovernment \\(USG\\) Information System \\(IS\\) that is provided for USG-authorized use\nonly.\\s+By using this IS \\(which includes any device attached to this IS\\), you consent to the\nfollowing conditions:\\s+-The USG routinely intercepts and monitors communications on\nthis IS for purposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct \\(PM\\), law enforcement \\(LE\\), and\ncounterintelligence \\(CI\\) investigations.\\s+-At any time, the USG may inspect and seize\ndata stored on this IS.\\s+-Communications using, or data stored on, this IS are not private,\nare subject to routine monitoring, interception, and search, and may be disclosed or used for\nany USG-authorized purpose.\\s+-This IS includes security measures \\(e.g.,\nauthentication and access controls\\) to protect USG interests--not for your personal\nbenefit or privacy.\\s+-Notwithstanding the above, using this IS does not constitute\nconsent to PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nIf the\nbanner-message-text is missing, commented out, or does not match the Standard Mandatory DoD\nNotice and Consent Banner exactly, this is a finding."},{"label":"fix","data":"Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.\n\nSet the \"banner-message-text\" line\nto contain the appropriate banner message text as shown below:\n\nbanner-message-text='You\nare accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this\nIS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and\nmonitors communications on this IS for purposes including, but not limited to, penetration\ntesting, COMSEC monitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the\nUSG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored\non, this IS are not private, are subject to routine monitoring, interception, and search, and\nmay be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security\nmeasures (e.g., authentication and access controls) to protect USG interests--not for your\npersonal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not\nconstitute consent to PM, LE or CI investigative searching or monitoring of the content of\nprivileged communications, or work product, related to personal representation or\nservices by attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User Agreement for\ndetails.'\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf update\n$ sudo\nsystemctl restart gdm3"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000023-GPOS-00006 ","gid":"V-238198 ","rid":"SV-238198r653769_rule ","stig_id":"UBTU-20-010003 ","fix_id":"F-41367r653768_fix ","cci":["CCI-000048"],"nist":["AC-8 a"]},"code":"control 'SV-238198' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local access to the system via a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the operating system via a graphical user logon.\n\nNote: If\nthe system does not have a graphical user interface installed, this requirement is Not\nApplicable.\n\nVerify the operating system displays the exact approved Standard Mandatory\nDoD Notice and Consent Banner text with the command:\n\n$ grep ^banner-message-text\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-text=\\\"You are accessing a U.S.\nGovernment \\\\(USG\\\\) Information System \\\\(IS\\\\) that is provided for USG-authorized use\nonly.\\\\s+By using this IS \\\\(which includes any device attached to this IS\\\\), you consent to the\nfollowing conditions:\\\\s+-The USG routinely intercepts and monitors communications on\nthis IS for purposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct \\\\(PM\\\\), law enforcement \\\\(LE\\\\), and\ncounterintelligence \\\\(CI\\\\) investigations.\\\\s+-At any time, the USG may inspect and seize\ndata stored on this IS.\\\\s+-Communications using, or data stored on, this IS are not private,\nare subject to routine monitoring, interception, and search, and may be disclosed or used for\nany USG-authorized purpose.\\\\s+-This IS includes security measures \\\\(e.g.,\nauthentication and access controls\\\\) to protect USG interests--not for your personal\nbenefit or privacy.\\\\s+-Notwithstanding the above, using this IS does not constitute\nconsent to PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nIf the\nbanner-message-text is missing, commented out, or does not match the Standard Mandatory DoD\nNotice and Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nSet the \\\"banner-message-text\\\" line\nto contain the appropriate banner message text as shown below:\n\nbanner-message-text='You\nare accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\\\\n\\\\nBy using this IS (which includes any device attached to this\nIS), you consent to the following conditions:\\\\n\\\\n-The USG routinely intercepts and\nmonitors communications on this IS for purposes including, but not limited to, penetration\ntesting, COMSEC monitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations.\\\\n\\\\n-At any time, the\nUSG may inspect and seize data stored on this IS.\\\\n\\\\n-Communications using, or data stored\non, this IS are not private, are subject to routine monitoring, interception, and search, and\nmay be disclosed or used for any USG-authorized purpose.\\\\n\\\\n-This IS includes security\nmeasures (e.g., authentication and access controls) to protect USG interests--not for your\npersonal benefit or privacy.\\\\n\\\\n-Notwithstanding the above, using this IS does not\nconstitute consent to PM, LE or CI investigative searching or monitoring of the content of\nprivileged communications, or work product, related to personal representation or\nservices by attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User Agreement for\ndetails.'\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf update\n$ sudo\nsystemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238198 '\n tag rid: 'SV-238198r653769_rule '\n tag stig_id: 'UBTU-20-010003 '\n tag fix_id: 'F-41367r653768_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n\n banner_text = input('banner_text')\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n gdm3_defaults_file = input('gdm3_config_file')\n\n if package('gdm3').installed?\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n subject { file(gdm3_defaults_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n else\n impact 0.0\n describe 'Package gdm3 not installed' do\n skip 'Package gdm3 not installed, this control Not Applicable'\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238198.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Package gdm3 not installed","run_time":3.2e-05,"start_time":"2022-12-07T14:54:19-05:00","resource":"","skip_message":"Package gdm3 not installed, this control Not Applicable","resource_class":"Object","resource_params":"[]","resource_id":"Package gdm3 not installed"}]},{"id":"SV-238199","title":"The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. ","desc":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.","descriptions":[{"label":"default","data":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system."},{"label":"check","data":"Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \"lock-enabled\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \"lock-enabled\" is\nnot set to \"true\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \"lock-enabled\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000028-GPOS-00009 ","satisfies":["SRG-OS-000028-GPOS-00009","SRG-OS-000029-GPOS-00010"],"gid":"V-238199 ","rid":"SV-238199r653772_rule ","stig_id":"UBTU-20-010004 ","fix_id":"F-41368r653771_fix ","cci":["CCI-000056","CCI-000057"],"nist":["AC-11 b","AC-11 a"]},"code":"control 'SV-238199' do\n title \"The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.\n\n \"\n desc 'check', \"Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \\\"lock-enabled\\\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \\\"lock-enabled\\\" is\nnot set to \\\"true\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \\\"lock-enabled\\\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000028-GPOS-00009 '\n tag satisfies: %w(SRG-OS-000028-GPOS-00009 SRG-OS-000029-GPOS-00010)\n tag gid: 'V-238199 '\n tag rid: 'SV-238199r653772_rule '\n tag stig_id: 'UBTU-20-010004 '\n tag fix_id: 'F-41368r653771_fix '\n tag cci: %w(CCI-000056 CCI-000057)\n tag nist: ['AC-11 b', 'AC-11 a']\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe command('gsettings get org.gnome.desktop.screensaver lock-enabled') do\n its('stdout') { should cmp 'true' }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238199.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"1","run_time":2.5e-05,"start_time":"2022-12-07T14:54:19-05:00","resource":"1","skip_message":"GUI not installed.\nwhich Xorg exit_status: 1","resource_class":"Numeric","resource_params":"[]","resource_id":""}]},{"id":"SV-238200","title":"The Ubuntu operating system must allow users to directly initiate a session lock for all\nconnection types. ","desc":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.","descriptions":[{"label":"default","data":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity."},{"label":"check","data":"Verify the Ubuntu operating system has the \"vlock\" package installed by running the\nfollowing command:\n\n$ dpkg -l | grep vlock\n\nIf \"vlock\" is not installed, this is a finding."},{"label":"fix","data":"Install the \"vlock\" package (if it is not already installed) by running the following\ncommand:\n\n$ sudo apt-get install vlock"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000030-GPOS-00011 ","satisfies":["SRG-OS-000030-GPOS-00011","SRG-OS-000031-GPOS-00012"],"gid":"V-238200 ","rid":"SV-238200r653775_rule ","stig_id":"UBTU-20-010005 ","fix_id":"F-41369r653774_fix ","cci":["CCI-000058","CCI-000060"],"nist":["AC-11 a","AC-11 (1)"]},"code":"control 'SV-238200' do\n title \"The Ubuntu operating system must allow users to directly initiate a session lock for all\nconnection types. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"vlock\\\" package installed by running the\nfollowing command:\n\n$ dpkg -l | grep vlock\n\nIf \\\"vlock\\\" is not installed, this is a finding. \"\n desc 'fix', \"Install the \\\"vlock\\\" package (if it is not already installed) by running the following\ncommand:\n\n$ sudo apt-get install vlock \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000030-GPOS-00011 '\n tag satisfies: %w(SRG-OS-000030-GPOS-00011 SRG-OS-000031-GPOS-00012)\n tag gid: 'V-238200 '\n tag rid: 'SV-238200r653775_rule '\n tag stig_id: 'UBTU-20-010005 '\n tag fix_id: 'F-41369r653774_fix '\n tag cci: %w(CCI-000058 CCI-000060)\n tag nist: ['AC-11 a', 'AC-11 (1)']\n\n describe package('vlock') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238200.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package vlock is expected to be installed","run_time":0.058296,"start_time":"2022-12-07T14:54:19-05:00","message":"expected that `System Package vlock` is installed","resource_class":"package","resource_params":"[\"vlock\"]","resource_id":"vlock"}]},{"id":"SV-238201","title":"The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. ","desc":"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis.","descriptions":[{"label":"default","data":"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis."},{"label":"check","data":"Verify that \"use_mappers\" is set to \"pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\"use_mappers\" is not found or the list does not contain \"pwent\" this is a finding."},{"label":"fix","data":"Set \"use_mappers=pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \"/etc/pam_pkcs11/\" directory and an\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify\naccordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."}],"impact":0.0,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000068-GPOS-00036 ","gid":"V-238201 ","rid":"SV-238201r832933_rule ","stig_id":"UBTU-20-010006 ","fix_id":"F-41370r653777_fix ","cci":["CCI-000187"],"nist":["IA-5 (2) (a) (2)"]},"code":"control 'SV-238201' do\n title \"The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. \"\n desc \"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis. \"\n desc 'check', \"Verify that \\\"use_mappers\\\" is set to \\\"pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\\\"use_mappers\\\" is not found or the list does not contain \\\"pwent\\\" this is a finding. \"\n desc 'fix', \"Set \\\"use_mappers=pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000068-GPOS-00036 '\n tag gid: 'V-238201 '\n tag rid: 'SV-238201r832933_rule '\n tag stig_id: 'UBTU-20-010006 '\n tag fix_id: 'F-41370r653777_fix '\n tag cci: ['CCI-000187']\n tag nist: ['IA-5 (2) (a) (2)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = '/etc/pam_pkcs11/pam_pkcs11.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('use_mappers') { should cmp 'pwent' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238201.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.7e-05,"start_time":"2022-12-07T14:54:20-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238202","title":"The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day minimum password lifetime restriction. ","desc":"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse.","descriptions":[{"label":"default","data":"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse."},{"label":"check","data":"Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \"PASS_MIN_DAYS\" parameter value is less than\n\"1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MIN_DAYS 1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000075-GPOS-00043 ","gid":"V-238202 ","rid":"SV-238202r653781_rule ","stig_id":"UBTU-20-010007 ","fix_id":"F-41371r653780_fix ","cci":["CCI-000198"],"nist":["IA-5 (1) (d)"]},"code":"control 'SV-238202' do\n title \"The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day minimum password lifetime restriction. \"\n desc \"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \\\"PASS_MIN_DAYS\\\" parameter value is less than\n\\\"1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MIN_DAYS 1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000075-GPOS-00043 '\n tag gid: 'V-238202 '\n tag rid: 'SV-238202r653781_rule '\n tag stig_id: 'UBTU-20-010007 '\n tag fix_id: 'F-41371r653780_fix '\n tag cci: ['CCI-000198']\n tag nist: ['IA-5 (1) (d)']\n\n describe login_defs do\n its('PASS_MIN_DAYS') { should >= '1' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238202.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"login.defs PASS_MIN_DAYS is expected to >= \"1\"","run_time":0.015838,"start_time":"2022-12-07T14:54:20-05:00","message":"expected: >= \"1\"\n got: \"0\"","resource_class":"login_defs","resource_params":"[]","resource_id":"/etc/login.defs"}]},{"id":"SV-238203","title":"The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction.\nPasswords for new users must have a 60-day maximum password lifetime restriction. ","desc":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised.","descriptions":[{"label":"default","data":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n$ grep -i ^pass_max_days /etc/login.defs\n\nPASS_MAX_DAYS 60\n\nIf the \"PASS_MAX_DAYS\" parameter value is less than \"60\" or is commented\nout, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.\n\nAdd\nor modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MAX_DAYS 60"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000076-GPOS-00044 ","gid":"V-238203 ","rid":"SV-238203r653784_rule ","stig_id":"UBTU-20-010008 ","fix_id":"F-41372r653783_fix ","cci":["CCI-000199"],"nist":["IA-5 (1) (d)"]},"code":"control 'SV-238203' do\n title \"The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction.\nPasswords for new users must have a 60-day maximum password lifetime restriction. \"\n desc \"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n$ grep -i ^pass_max_days /etc/login.defs\n\nPASS_MAX_DAYS 60\n\nIf the \\\"PASS_MAX_DAYS\\\" parameter value is less than \\\"60\\\" or is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.\n\nAdd\nor modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MAX_DAYS 60 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000076-GPOS-00044 '\n tag gid: 'V-238203 '\n tag rid: 'SV-238203r653784_rule '\n tag stig_id: 'UBTU-20-010008 '\n tag fix_id: 'F-41372r653783_fix '\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)']\n\n describe login_defs do\n its('PASS_MAX_DAYS') { should cmp <= 60 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238203.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"login.defs PASS_MAX_DAYS is expected to cmp <= 60","run_time":0.00634,"start_time":"2022-12-07T14:54:20-05:00","message":"\nexpected it to be <= 60\n got: 99999\n\n(compared using `cmp` matcher)\n","resource_class":"login_defs","resource_params":"[]","resource_id":"/etc/login.defs"}]},{"id":"SV-238204","title":"Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. ","desc":"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system.","descriptions":[{"label":"default","data":"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system."},{"label":"check","data":"Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \"password_pbkdf2\", this is a finding."},{"label":"fix","data":"Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \"/etc/grub.d/40_custom\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\"root\\\"\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \"grub.conf\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000080-GPOS-00048 ","gid":"V-238204 ","rid":"SV-238204r832936_rule ","stig_id":"UBTU-20-010009 ","fix_id":"F-41373r832935_fix ","cci":["CCI-000213"],"nist":["AC-3"]},"code":"control 'SV-238204' do\n title \"Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. \"\n desc \"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system. \"\n desc 'check', \"Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \\\"password_pbkdf2\\\", this is a finding. \"\n desc 'fix', \"Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \\\"/etc/grub.d/40_custom\\\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\\\\\"root\\\\\\\"\\\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \\\"grub.conf\\\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000080-GPOS-00048 '\n tag gid: 'V-238204 '\n tag rid: 'SV-238204r832936_rule '\n tag stig_id: 'UBTU-20-010009 '\n tag fix_id: 'F-41373r832935_fix '\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n describe grub_conf('/boot/grub/grub.cfg') do\n its('password') { should match '^password_pbkdf2' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238204.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Grub Config","run_time":2.0e-05,"start_time":"2022-12-07T14:54:20-05:00","resource":"Grub Config","skip_message":"Can't find file: /boot/grub/grub.cfg","resource_class":"grub_conf","resource_params":"[\"/boot/grub/grub.cfg\"]","resource_id":"/boot/grub/grub.cfg"}]},{"id":"SV-238205","title":"The Ubuntu operating system must uniquely identify interactive users. ","desc":"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.","descriptions":[{"label":"default","data":"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity."},{"label":"check","data":"Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive\nusers with the following command:\n\n$ awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf\noutput is produced and the accounts listed are interactive user accounts, this is a finding."},{"label":"fix","data":"Edit the file \"/etc/passwd\" and provide each interactive user account that has a duplicate\nUID with a unique UID."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000104-GPOS-00051 ","satisfies":["SRG-OS-000104-GPOS-00051","SRG-OS-000121-GPOS-00062"],"gid":"V-238205 ","rid":"SV-238205r653790_rule ","stig_id":"UBTU-20-010010 ","fix_id":"F-41374r653789_fix ","cci":["CCI-000764","CCI-000804"],"nist":["IA-2","IA-8"]},"code":"control 'SV-238205' do\n title 'The Ubuntu operating system must uniquely identify interactive users. '\n desc \"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive\nusers with the following command:\n\n$ awk -F \\\":\\\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf\noutput is produced and the accounts listed are interactive user accounts, this is a finding. \"\n desc 'fix', \"Edit the file \\\"/etc/passwd\\\" and provide each interactive user account that has a duplicate\nUID with a unique UID. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000104-GPOS-00051 '\n tag satisfies: %w(SRG-OS-000104-GPOS-00051 SRG-OS-000121-GPOS-00062)\n tag gid: 'V-238205 '\n tag rid: 'SV-238205r653790_rule '\n tag stig_id: 'UBTU-20-010010 '\n tag fix_id: 'F-41374r653789_fix '\n tag cci: %w(CCI-000764 CCI-000804)\n tag nist: %w(IA-2 IA-8)\n\n user_list = command(\"awk -F \\\":\\\" 'list[$3]++{print $1}' /etc/passwd\").stdout.split(\"\\n\")\n findings = Set[]\n\n user_list.each do |user_name|\n findings = findings << user_name\n end\n describe 'Duplicate User IDs (UIDs) must not exist for interactive users' do\n subject { findings.to_a }\n it { should be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238205.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Duplicate User IDs (UIDs) must not exist for interactive users is expected to be empty","run_time":0.010321,"start_time":"2022-12-07T14:54:20-05:00","resource_class":"Object","resource_params":"[]","resource_id":"Duplicate User IDs (UIDs) must not exist for interactive users"}]},{"id":"SV-238206","title":"The Ubuntu operating system must ensure only users who need access to security functions are\npart of sudo group. ","desc":"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities.","descriptions":[{"label":"default","data":"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities."},{"label":"check","data":"Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding."},{"label":"fix","data":"Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000134-GPOS-00068 ","gid":"V-238206 ","rid":"SV-238206r653793_rule ","stig_id":"UBTU-20-010012 ","fix_id":"F-41375r653792_fix ","cci":["CCI-001084"],"nist":["SC-3"]},"code":"control 'SV-238206' do\n title \"The Ubuntu operating system must ensure only users who need access to security functions are\npart of sudo group. \"\n desc \"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities. \"\n desc 'check', \"Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding. \"\n desc 'fix', \"Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000134-GPOS-00068 '\n tag gid: 'V-238206 '\n tag rid: 'SV-238206r653793_rule '\n tag stig_id: 'UBTU-20-010012 '\n tag fix_id: 'F-41375r653792_fix '\n tag cci: ['CCI-001084']\n tag nist: ['SC-3']\n\n sudo_accounts = input('sudo_accounts')\n\n if sudo_accounts.count > 0\n sudo_accounts.each do |account|\n describe group('sudo') do\n its('members') { should include account }\n end\n end\n else\n describe.one do\n describe group('sudo') do\n its('members') { should be_nil }\n end\n describe group('sudo') do\n its('members') { should be_empty }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238206.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Group sudo members is expected to include \"ubuntu\"","run_time":0.131342,"start_time":"2022-12-07T14:54:20-05:00","message":"expected \"\" to include \"ubuntu\"","resource_class":"group","resource_params":"[\"sudo\"]","resource_id":"sudo-27"}]},{"id":"SV-238207","title":"The Ubuntu operating system must automatically terminate a user session after inactivity\ntimeouts have expired. ","desc":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance.","descriptions":[{"label":"default","data":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance."},{"label":"check","data":"Verify the operating system automatically terminates a user session after inactivity\ntimeouts have expired.\n\nCheck that \"TMOUT\" environment variable is set in the\n\"/etc/bash.bashrc\" file or in any file inside the \"/etc/profile.d/\" directory by\nperforming the following command:\n\n$ grep -E \"\\bTMOUT=[0-9]+\" /etc/bash.bashrc\n/etc/profile.d/*\n\nTMOUT=600\n\nIf \"TMOUT\" is not set, or if the value is \"0\" or is commented\nout, this is a finding."},{"label":"fix","data":"Configure the operating system to automatically terminate a user session after inactivity\ntimeouts have expired or at shutdown.\n\nCreate the file\n\"/etc/profile.d/99-terminal_tmout.sh\" file if it does not exist.\n\nModify or append the\nfollowing line in the \"/etc/profile.d/99-terminal_tmout.sh \" file:\n\nTMOUT=600\n\nThis\nwill set a timeout value of 10 minutes for all future sessions.\n\nTo set the timeout for the\ncurrent sessions, execute the following command over the terminal session:\n\n$ export\nTMOUT=600"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000279-GPOS-00109 ","gid":"V-238207 ","rid":"SV-238207r853404_rule ","stig_id":"UBTU-20-010013 ","fix_id":"F-41376r653795_fix ","cci":["CCI-002361"],"nist":["AC-12"]},"code":"control 'SV-238207' do\n title \"The Ubuntu operating system must automatically terminate a user session after inactivity\ntimeouts have expired. \"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance. \"\n desc 'check', \"Verify the operating system automatically terminates a user session after inactivity\ntimeouts have expired.\n\nCheck that \\\"TMOUT\\\" environment variable is set in the\n\\\"/etc/bash.bashrc\\\" file or in any file inside the \\\"/etc/profile.d/\\\" directory by\nperforming the following command:\n\n$ grep -E \\\"\\\\bTMOUT=[0-9]+\\\" /etc/bash.bashrc\n/etc/profile.d/*\n\nTMOUT=600\n\nIf \\\"TMOUT\\\" is not set, or if the value is \\\"0\\\" or is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the operating system to automatically terminate a user session after inactivity\ntimeouts have expired or at shutdown.\n\nCreate the file\n\\\"/etc/profile.d/99-terminal_tmout.sh\\\" file if it does not exist.\n\nModify or append the\nfollowing line in the \\\"/etc/profile.d/99-terminal_tmout.sh \\\" file:\n\nTMOUT=600\n\nThis\nwill set a timeout value of 10 minutes for all future sessions.\n\nTo set the timeout for the\ncurrent sessions, execute the following command over the terminal session:\n\n$ export\nTMOUT=600 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000279-GPOS-00109 '\n tag gid: 'V-238207 '\n tag rid: 'SV-238207r853404_rule '\n tag stig_id: 'UBTU-20-010013 '\n tag fix_id: 'F-41376r653795_fix '\n tag cci: ['CCI-002361']\n tag nist: ['AC-12']\n\n profile_files = command('find /etc/profile.d/ /etc/bash.bashrc -type f').stdout.strip.split(\"\\n\").entries\n timeout = input('tmout').to_s\n\n describe.one do\n profile_files.each do |pf|\n describe file(pf.strip) do\n its('content') { should match \"^TMOUT=#{timeout}$\" }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238207.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /etc/profile.d/01-locale-fix.sh content is expected to match \"^TMOUT=600$\"","run_time":0.010896,"start_time":"2022-12-07T14:54:20-05:00","message":"expected \"# Make sure the locale variables are set to valid values.\\neval $(/usr/bin/locale-check C.UTF-8)\\n\" to match \"^TMOUT=600$\"\nDiff:\n@@ -1,2 +1,3 @@\n-^TMOUT=600$\n+# Make sure the locale variables are set to valid values.\n+eval $(/usr/bin/locale-check C.UTF-8)\n","exception":"RSpec::Core::MultipleExceptionError","resource_class":"file","resource_params":"[\"/etc/profile.d/01-locale-fix.sh\"]","resource_id":"/etc/profile.d/01-locale-fix.sh"},{"status":"failed","code_desc":"File /etc/bash.bashrc content is expected to match \"^TMOUT=600$\"","run_time":0.001629,"start_time":"2022-12-07T14:54:21-05:00","message":"expected \"# System-wide .bashrc file for interactive bash(1) shells.\\n\\n# To enable the settings / commands in...\\telse\\n\\t\\t printf \\\"%s: command not found\\\\n\\\" \\\"$1\\\" >&2\\n\\t\\t return 127\\n\\t\\tfi\\n\\t}\\nfi\\n\" to match \"^TMOUT=600$\"\nDiff:\n@@ -1,71 +1,141 @@\n-^TMOUT=600$\n+# System-wide .bashrc file for interactive bash(1) shells.\n+\n+# To enable the settings / commands in this file for login shells as well,\n+# this file has to be sourced in /etc/profile.\n+\n+# If not running interactively, don't do anything\n+[ -z \"$PS1\" ] && return\n+\n+# check the window size after each command and, if necessary,\n+# update the values of LINES and COLUMNS.\n+shopt -s checkwinsize\n+\n+# set variable identifying the chroot you work in (used in the prompt below)\n+if [ -z \"${debian_chroot:-}\" ] && [ -r /etc/debian_chroot ]; then\n+ debian_chroot=$(cat /etc/debian_chroot)\n+fi\n+\n+# set a fancy prompt (non-color, overwrite the one in /etc/profile)\n+# but only if not SUDOing and have SUDO_PS1 set; then assume smart user.\n+if ! [ -n \"${SUDO_USER}\" -a -n \"${SUDO_PS1}\" ]; then\n+ PS1='${debian_chroot:+($debian_chroot)}\\u@\\h:\\w\\$ '\n+fi\n+\n+# Commented out, don't overwrite xterm -T \"title\" -n \"icontitle\" by default.\n+# If this is an xterm set the title to user@host:dir\n+#case \"$TERM\" in\n+#xterm*|rxvt*)\n+# PROMPT_COMMAND='echo -ne \"\\033]0;${USER}@${HOSTNAME}: ${PWD}\\007\"'\n+# ;;\n+#*)\n+# ;;\n+#esac\n+\n+# enable bash completion in interactive shells\n+#if ! shopt -oq posix; then\n+# if [ -f /usr/share/bash-completion/bash_completion ]; then\n+# . /usr/share/bash-completion/bash_completion\n+# elif [ -f /etc/bash_completion ]; then\n+# . /etc/bash_completion\n+# fi\n+#fi\n+\n+# sudo hint\n+if [ ! -e \"$HOME/.sudo_as_admin_successful\" ] && [ ! -e \"$HOME/.hushlogin\" ] ; then\n+ case \" $(groups) \" in *\\ admin\\ *|*\\ sudo\\ *)\n+ if [ -x /usr/bin/sudo ]; then\n+\tcat <<-EOF\n+\tTo run a command as administrator (user \"root\"), use \"sudo \".\n+\tSee \"man sudo_root\" for details.\n+\t\n+\tEOF\n+ fi\n+ esac\n+fi\n+\n+# if the command-not-found package is installed, use it\n+if [ -x /usr/lib/command-not-found -o -x /usr/share/command-not-found/command-not-found ]; then\n+\tfunction command_not_found_handle {\n+\t # check because c-n-f could've been removed in the meantime\n+ if [ -x /usr/lib/command-not-found ]; then\n+\t\t /usr/lib/command-not-found -- \"$1\"\n+ return $?\n+ elif [ -x /usr/share/command-not-found/command-not-found ]; then\n+\t\t /usr/share/command-not-found/command-not-found -- \"$1\"\n+ return $?\n+\t\telse\n+\t\t printf \"%s: command not found\\n\" \"$1\" >&2\n+\t\t return 127\n+\t\tfi\n+\t}\n+fi\n","exception":"RSpec::Core::MultipleExceptionError","resource_class":"file","resource_params":"[\"/etc/bash.bashrc\"]","resource_id":"/etc/bash.bashrc"}]},{"id":"SV-238208","title":"The Ubuntu operating system must require users to reauthenticate for privilege escalation\nor when changing roles. ","desc":"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.","descriptions":[{"label":"default","data":"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate."},{"label":"check","data":"Verify the \"/etc/sudoers\" file has no occurrences of \"NOPASSWD\" or \"!authenticate\" by\nrunning the following command:\n\n$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers\n/etc/sudoers.d/*\n\nIf any occurrences of \"NOPASSWD\" or \"!authenticate\" return from the\ncommand, this is a finding."},{"label":"fix","data":"Remove any occurrence of \"NOPASSWD\" or \"!authenticate\" found in \"/etc/sudoers\" file or\nfiles in the \"/etc/sudoers.d\" directory."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000373-GPOS-00156 ","satisfies":["SRG-OS-000373-GPOS-00156","SRG-OS-000373-GPOS-00157"],"gid":"V-238208 ","rid":"SV-238208r853405_rule ","stig_id":"UBTU-20-010014 ","fix_id":"F-41377r653798_fix ","cci":["CCI-002038"],"nist":["IA-11"]},"code":"control 'SV-238208' do\n title \"The Ubuntu operating system must require users to reauthenticate for privilege escalation\nor when changing roles. \"\n desc \"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.\n\n \"\n desc 'check', \"Verify the \\\"/etc/sudoers\\\" file has no occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" by\nrunning the following command:\n\n$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers\n/etc/sudoers.d/*\n\nIf any occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" return from the\ncommand, this is a finding. \"\n desc 'fix', \"Remove any occurrence of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" found in \\\"/etc/sudoers\\\" file or\nfiles in the \\\"/etc/sudoers.d\\\" directory. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000373-GPOS-00156 '\n tag satisfies: %w(SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157)\n tag gid: 'V-238208 '\n tag rid: 'SV-238208r853405_rule '\n tag stig_id: 'UBTU-20-010014 '\n tag fix_id: 'F-41377r653798_fix '\n tag cci: ['CCI-002038']\n tag nist: ['IA-11']\n\n describe command(\"egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers\") do\n its('stdout.strip') { should be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238208.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Command: `egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers` stdout.strip is expected to be empty","run_time":0.075293,"start_time":"2022-12-07T14:54:21-05:00","resource_class":"command","resource_params":"[\"egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers\"]","resource_id":"Command: `egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers`"}]},{"id":"SV-238209","title":"The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. ","desc":"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access.","descriptions":[{"label":"default","data":"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access."},{"label":"check","data":"Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \"umask\" /etc/login.defs\n\nUMASK 077\n\nIf the \"UMASK\"\nvariable is set to \"000\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\"UMASK\" is not set to \"077\", is commented out, or is missing completely, this is a finding."},{"label":"fix","data":"Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \"UMASK\" parameter in the\n\"/etc/login.defs\" file to match the example below:\n\nUMASK 077"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00228 ","gid":"V-238209 ","rid":"SV-238209r653802_rule ","stig_id":"UBTU-20-010016 ","fix_id":"F-41378r653801_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238209' do\n title \"The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. \"\n desc \"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access. \"\n desc 'check', \"Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \\\"umask\\\" /etc/login.defs\n\nUMASK 077\n\nIf the \\\"UMASK\\\"\nvariable is set to \\\"000\\\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\\\"UMASK\\\" is not set to \\\"077\\\", is commented out, or is missing completely, this is a finding. \"\n desc 'fix', \"Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \\\"UMASK\\\" parameter in the\n\\\"/etc/login.defs\\\" file to match the example below:\n\nUMASK 077 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00228 '\n tag gid: 'V-238209 '\n tag rid: 'SV-238209r653802_rule '\n tag stig_id: 'UBTU-20-010016 '\n tag fix_id: 'F-41378r653801_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe login_defs do\n its('UMASK') { should eq '077' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238209.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"login.defs UMASK is expected to eq \"077\"","run_time":0.001158,"start_time":"2022-12-07T14:54:21-05:00","message":"\nexpected: \"077\"\n got: \"022\"\n\n(compared using ==)\n","resource_class":"login_defs","resource_params":"[]","resource_id":"/etc/login.defs"}]},{"id":"SV-238210","title":"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. ","desc":"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.","descriptions":[{"label":"default","data":"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication."},{"label":"check","data":"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\"libpam-pkcs11\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \"no\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \"pam_pkcs11.so\" in \"/etc/pam.d/common-auth\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\"PubkeyAuthentication yes\" in the \"/etc/ssh/sshd_config\" file."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000105-GPOS-00052 ","satisfies":["SRG-OS-000105-GPOS-00052","SRG-OS-000106-GPOS-00053","SRG-OS-000107-GPOS-00054","SRG-OS-000108-GPOS-00055"],"gid":"V-238210 ","rid":"SV-238210r858517_rule ","stig_id":"UBTU-20-010033 ","fix_id":"F-41379r653804_fix ","cci":["CCI-000765","CCI-000766","CCI-000767","CCI-000768"],"nist":["IA-2 (1)","IA-2 (2)","IA-2 (3)","IA-2 (4)"]},"code":"control 'SV-238210' do\n title \"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. \"\n desc \"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \\\"no\\\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \\\"pam_pkcs11.so\\\" in \\\"/etc/pam.d/common-auth\\\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\\\"PubkeyAuthentication yes\\\" in the \\\"/etc/ssh/sshd_config\\\" file. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000105-GPOS-00052 '\n tag satisfies: %w(SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055)\n tag gid: 'V-238210 '\n tag rid: 'SV-238210r858517_rule '\n tag stig_id: 'UBTU-20-010033 '\n tag fix_id: 'F-41379r653804_fix '\n tag cci: %w(CCI-000765 CCI-000766 CCI-000767 CCI-000768)\n tag nist: ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n\n describe sshd_config do\n its('PubkeyAuthentication') { should cmp 'yes' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238210.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.2e-05,"start_time":"2022-12-07T14:54:21-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238211","title":"The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. ","desc":"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric.","descriptions":[{"label":"default","data":"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric."},{"label":"check","data":"Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \"UsePAM\"\nis set to \"yes\" in \"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \"UsePAM\" is not set to \"yes\", this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000125-GPOS-00065 ","gid":"V-238211 ","rid":"SV-238211r858519_rule ","stig_id":"UBTU-20-010035 ","fix_id":"F-41380r653807_fix ","cci":["CCI-000877"],"nist":["MA-4 c"]},"code":"control 'SV-238211' do\n title \"The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. \"\n desc \"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \\\"UsePAM\\\"\nis set to \\\"yes\\\" in \\\"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \\\"UsePAM\\\" is not set to \\\"yes\\\", this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000125-GPOS-00065 '\n tag gid: 'V-238211 '\n tag rid: 'SV-238211r858519_rule '\n tag stig_id: 'UBTU-20-010035 '\n tag fix_id: 'F-41380r653807_fix '\n tag cci: ['CCI-000877']\n tag nist: ['MA-4 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe sshd_config do\n its('UsePAM') { should cmp 'yes' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238211.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.0e-05,"start_time":"2022-12-07T14:54:21-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238212","title":"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic after a period of inactivity. ","desc":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance.","descriptions":[{"label":"default","data":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance."},{"label":"check","data":"Verify that all network connections associated with SSH traffic automatically terminate\nafter a period of inactivity.\n\nVerify the \"ClientAliveCountMax\" variable is set in the\n\"/etc/ssh/sshd_config\" file by performing the following command:\n\n$ sudo grep -ir\nclientalivecountmax /etc/ssh/sshd_config*\n\nClientAliveCountMax 1\n\nIf\n\"ClientAliveCountMax\" is not set, is not set to \"1\", or is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to automatically terminate inactive SSH sessions\nafter a period of inactivity.\n\nModify or append the following line in the\n\"/etc/ssh/sshd_config\" file, replacing \"[Count]\" with a value of 1:\n\n\nClientAliveCountMax 1\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000126-GPOS-00066 ","gid":"V-238212 ","rid":"SV-238212r858521_rule ","stig_id":"UBTU-20-010036 ","fix_id":"F-41381r653810_fix ","cci":["CCI-000879"],"nist":["MA-4 e"]},"code":"control 'SV-238212' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic after a period of inactivity. \"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance. \"\n desc 'check', \"Verify that all network connections associated with SSH traffic automatically terminate\nafter a period of inactivity.\n\nVerify the \\\"ClientAliveCountMax\\\" variable is set in the\n\\\"/etc/ssh/sshd_config\\\" file by performing the following command:\n\n$ sudo grep -ir\nclientalivecountmax /etc/ssh/sshd_config*\n\nClientAliveCountMax 1\n\nIf\n\\\"ClientAliveCountMax\\\" is not set, is not set to \\\"1\\\", or is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate inactive SSH sessions\nafter a period of inactivity.\n\nModify or append the following line in the\n\\\"/etc/ssh/sshd_config\\\" file, replacing \\\"[Count]\\\" with a value of 1:\n\n\nClientAliveCountMax 1\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000126-GPOS-00066 '\n tag gid: 'V-238212 '\n tag rid: 'SV-238212r858521_rule '\n tag stig_id: 'UBTU-20-010036 '\n tag fix_id: 'F-41381r653810_fix '\n tag cci: ['CCI-000879']\n tag nist: ['MA-4 e']\n\n describe sshd_config do\n its('ClientAliveCountMax') { should cmp 1 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238212.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":3.7e-05,"start_time":"2022-12-07T14:54:21-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238213","title":"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic at the end of the session or after 10 minutes of inactivity. ","desc":"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session.","descriptions":[{"label":"default","data":"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session."},{"label":"check","data":"Verify that all network connections associated with SSH traffic are automatically\nterminated at the end of the session or after 10 minutes of inactivity.\n\nVerify the\n\"ClientAliveInterval\" variable is set to a value of \"600\" or less by performing the following\ncommand:\n\n$ sudo grep -ir clientalive /etc/ssh/sshd_config*\n\nClientAliveInterval\n600\n\nIf \"ClientAliveInterval\" does not exist, is not set to a value of \"600\" or less in\n\"/etc/ssh/sshd_config\", or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to automatically terminate all network connections\nassociated with SSH traffic at the end of a session or after a 10-minute period of inactivity.\n\n\nModify or append the following line in the \"/etc/ssh/sshd_config\" file replacing\n\"[Interval]\" with a value of \"600\" or less:\n\nClientAliveInterval 600\n\nRestart the SSH\ndaemon for the changes to take effect:\n\n$ sudo systemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000163-GPOS-00072 ","gid":"V-238213 ","rid":"SV-238213r858523_rule ","stig_id":"UBTU-20-010037 ","fix_id":"F-41382r653813_fix ","cci":["CCI-001133"],"nist":["SC-10"]},"code":"control 'SV-238213' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic at the end of the session or after 10 minutes of inactivity. \"\n desc \"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session. \"\n desc 'check', \"Verify that all network connections associated with SSH traffic are automatically\nterminated at the end of the session or after 10 minutes of inactivity.\n\nVerify the\n\\\"ClientAliveInterval\\\" variable is set to a value of \\\"600\\\" or less by performing the following\ncommand:\n\n$ sudo grep -ir clientalive /etc/ssh/sshd_config*\n\nClientAliveInterval\n600\n\nIf \\\"ClientAliveInterval\\\" does not exist, is not set to a value of \\\"600\\\" or less in\n\\\"/etc/ssh/sshd_config\\\", or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate all network connections\nassociated with SSH traffic at the end of a session or after a 10-minute period of inactivity.\n\n\nModify or append the following line in the \\\"/etc/ssh/sshd_config\\\" file replacing\n\\\"[Interval]\\\" with a value of \\\"600\\\" or less:\n\nClientAliveInterval 600\n\nRestart the SSH\ndaemon for the changes to take effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000163-GPOS-00072 '\n tag gid: 'V-238213 '\n tag rid: 'SV-238213r858523_rule '\n tag stig_id: 'UBTU-20-010037 '\n tag fix_id: 'F-41382r653813_fix '\n tag cci: ['CCI-001133']\n tag nist: ['SC-10']\n\n describe sshd_config do\n its('ClientAliveInterval') { should cmp 600 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238213.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":2.9e-05,"start_time":"2022-12-07T14:54:21-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238214","title":"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. ","desc":"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"","descriptions":[{"label":"default","data":"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\""},{"label":"check","data":"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding."},{"label":"fix","data":"Set the parameter Banner in \"/etc/ssh/sshd_config\" to point to the \"/etc/issue.net\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000228-GPOS-00088 ","satisfies":["SRG-OS-000228-GPOS-00088","SRG-OS-000023-GPOS-00006"],"gid":"V-238214 ","rid":"SV-238214r858525_rule ","stig_id":"UBTU-20-010038 ","fix_id":"F-41383r653816_fix ","cci":["CCI-000048","CCI-001384","CCI-001385","CCI-001386","CCI-001387","CCI-001388"],"nist":["AC-8 a","AC-8 c 1","AC-8 c 2","AC-8 c 3"]},"code":"control 'SV-238214' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. \"\n desc \"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\"\n\n \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\\\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Set the parameter Banner in \\\"/etc/ssh/sshd_config\\\" to point to the \\\"/etc/issue.net\\\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000228-GPOS-00088 '\n tag satisfies: %w(SRG-OS-000228-GPOS-00088 SRG-OS-000023-GPOS-00006)\n tag gid: 'V-238214 '\n tag rid: 'SV-238214r858525_rule '\n tag stig_id: 'UBTU-20-010038 '\n tag fix_id: 'F-41383r653816_fix '\n tag cci: %w(CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388)\n tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3']\n\n banner_text = input('banner_text')\n banner_files = [sshd_config.banner].flatten\n\n banner_files.each do |banner_file|\n if banner_file.nil?\n describe 'The SSHD Banner is not set' do\n subject { banner_file.nil? }\n it { should be false }\n end\n end\n if !banner_file.nil? && !banner_file.match(/none/i).nil?\n describe 'The SSHD Banner is disabled' do\n subject { banner_file.match(/none/i).nil? }\n it { should be true }\n end\n end\n if !banner_file.nil? && banner_file.match(/none/i).nil? && !file(banner_file).exist?\n describe 'The SSHD Banner is set, but, the file does not exist' do\n subject { file(banner_file).exist? }\n it { should be true }\n end\n end\n next unless !banner_file.nil? && banner_file.match(/none/i).nil? && file(banner_file).exist?\n\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n subject { file(banner_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238214.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238214.rb:1 ","run_time":0.000621,"start_time":"2022-12-07T14:54:21-05:00","message":"Can't find file: /etc/ssh/sshd_config","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238214.rb:1"}]},{"id":"SV-238215","title":"The Ubuntu operating system must use SSH to protect the confidentiality and integrity of\ntransmitted information. ","desc":"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.","descriptions":[{"label":"default","data":"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa."},{"label":"check","data":"Verify the SSH package is installed with the following command:\n\n$ sudo dpkg -l | grep openssh\n\nii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access\nto remote machines\nii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server,\nfor secure access from remote machines\nii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64\nsecure shell (SSH) sftp server module, for SFTP access from remote machines\n\nIf the\n\"openssh\" server package is not installed, this is a finding.\n\nVerify the \"sshd.service\" is\nloaded and active with the following command:\n\n$ sudo systemctl status sshd.service | egrep\n-i \"(active|loaded)\"\n Loaded: loaded (/lib/systemd/system/ssh.service; enabled;\nvendor preset: enabled)\n Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1\nweeks 3 days ago\n\nIf \"sshd.service\" is not active or loaded, this is a finding."},{"label":"fix","data":"Install the \"ssh\" meta-package on the system with the following command:\n\n$ sudo apt install\nssh\n\nEnable the \"ssh\" service to start automatically on reboot with the following command:\n\n\n$ sudo systemctl enable sshd.service\n\nensure the \"ssh\" service is running\n\n$ sudo\nsystemctl start sshd.service"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000423-GPOS-00187 ","satisfies":["SRG-OS-000423-GPOS-00187","SRG-OS-000425-GPOS-00189","SRG-OS-000426-GPOS-00190"],"gid":"V-238215 ","rid":"SV-238215r853406_rule ","stig_id":"UBTU-20-010042 ","fix_id":"F-41384r653819_fix ","cci":["CCI-002418","CCI-002420","CCI-002422"],"nist":["SC-8","SC-8 (2)"]},"code":"control 'SV-238215' do\n title \"The Ubuntu operating system must use SSH to protect the confidentiality and integrity of\ntransmitted information. \"\n desc \"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.\n\n \"\n desc 'check', \"Verify the SSH package is installed with the following command:\n\n$ sudo dpkg -l | grep openssh\n\nii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access\nto remote machines\nii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server,\nfor secure access from remote machines\nii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64\nsecure shell (SSH) sftp server module, for SFTP access from remote machines\n\nIf the\n\\\"openssh\\\" server package is not installed, this is a finding.\n\nVerify the \\\"sshd.service\\\" is\nloaded and active with the following command:\n\n$ sudo systemctl status sshd.service | egrep\n-i \\\"(active|loaded)\\\"\n Loaded: loaded (/lib/systemd/system/ssh.service; enabled;\nvendor preset: enabled)\n Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1\nweeks 3 days ago\n\nIf \\\"sshd.service\\\" is not active or loaded, this is a finding. \"\n desc 'fix', \"Install the \\\"ssh\\\" meta-package on the system with the following command:\n\n$ sudo apt install\nssh\n\nEnable the \\\"ssh\\\" service to start automatically on reboot with the following command:\n\n\n$ sudo systemctl enable sshd.service\n\nensure the \\\"ssh\\\" service is running\n\n$ sudo\nsystemctl start sshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000423-GPOS-00187 '\n tag satisfies: %w(SRG-OS-000423-GPOS-00187 SRG-OS-000425-GPOS-00189 SRG-OS-000426-GPOS-00190)\n tag gid: 'V-238215 '\n tag rid: 'SV-238215r853406_rule '\n tag stig_id: 'UBTU-20-010042 '\n tag fix_id: 'F-41384r653819_fix '\n tag cci: %w(CCI-002418 CCI-002420 CCI-002422)\n tag nist: ['SC-8', 'SC-8 (2)']\n\n describe package('openssh-client') do\n it { should be_installed }\n end\n\n describe package('openssh-server') do\n it { should be_installed }\n end\n\n describe package('openssh-sftp-server') do\n it { should be_installed }\n end\n\n describe service('sshd') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238215.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package openssh-client is expected to be installed","run_time":0.10416,"start_time":"2022-12-07T14:54:21-05:00","message":"expected that `System Package openssh-client` is installed","resource_class":"package","resource_params":"[\"openssh-client\"]","resource_id":"openssh-client"},{"status":"failed","code_desc":"System Package openssh-server is expected to be installed","run_time":0.061976,"start_time":"2022-12-07T14:54:21-05:00","message":"expected that `System Package openssh-server` is installed","resource_class":"package","resource_params":"[\"openssh-server\"]","resource_id":"openssh-server"},{"status":"failed","code_desc":"System Package openssh-sftp-server is expected to be installed","run_time":0.045854,"start_time":"2022-12-07T14:54:21-05:00","message":"expected that `System Package openssh-sftp-server` is installed","resource_class":"package","resource_params":"[\"openssh-sftp-server\"]","resource_id":"openssh-sftp-server"},{"status":"failed","code_desc":"Service sshd is expected to be enabled","run_time":0.041146,"start_time":"2022-12-07T14:54:22-05:00","message":"expected that `Service sshd` is enabled","resource_class":"service","resource_params":"[\"sshd\"]","resource_id":"sshd"},{"status":"failed","code_desc":"Service sshd is expected to be installed","run_time":0.001471,"start_time":"2022-12-07T14:54:22-05:00","message":"expected that `Service sshd` is installed","resource_class":"service","resource_params":"[\"sshd\"]","resource_id":"sshd"},{"status":"failed","code_desc":"Service sshd is expected to be running","run_time":0.000973,"start_time":"2022-12-07T14:54:22-05:00","message":"expected that `Service sshd` is running","resource_class":"service","resource_params":"[\"sshd\"]","resource_id":"sshd"}]},{"id":"SV-238216","title":"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. ","desc":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.","descriptions":[{"label":"default","data":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes."},{"label":"check","data":"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \"hmac-sha2-512\" or\n\"hmac-sha2-256\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000424-GPOS-00188 ","satisfies":["SRG-OS-000424-GPOS-00188","SRG-OS-000250-GPOS-00093","SRG-OS-000393-GPOS-00173"],"gid":"V-238216 ","rid":"SV-238216r860820_rule ","stig_id":"UBTU-20-010043 ","fix_id":"F-41385r653822_fix ","cci":["CCI-001453","CCI-002421","CCI-002890"],"nist":["AC-17 (2)","SC-8 (1)","MA-4 (6)"]},"code":"control 'SV-238216' do\n title \"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \\\"hmac-sha2-512\\\" or\n\\\"hmac-sha2-256\\\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173)\n tag gid: 'V-238216 '\n tag rid: 'SV-238216r860820_rule '\n tag stig_id: 'UBTU-20-010043 '\n tag fix_id: 'F-41385r653822_fix '\n tag cci: %w(CCI-001453 CCI-002421 CCI-002890)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n disable_fips = input('disable_fips')\n\n if disable_fips?\n impact 0.0\n describe \"Control not applicable\" do\n skip \"Control not applicable\"\n end\n elsif virtualization.system.eql?('docker')\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\n else\n @macs_array = inspec.sshd_config.params['macs']\n\n @macs_array = @macs_array.first.split(',') unless @macs_array.nil?\n\n describe @macs_array do\n it { should be_in %w(hmac-sha2-256 hmac-sha2-512) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238216.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238216.rb:1 ","run_time":0.011695,"start_time":"2022-12-07T14:54:22-05:00","message":"undefined method `disable_fips?' for #\"Without cryptographic integrity protections, information can be altered by unauthorized\\nusers without detection.\\n\\nRemote access (e.g., RDP) is access to DoD nonpublic information\\nsystems by an authorized user (or an information system) communicating through an external,\\nnon-organization-controlled network. Remote access methods include, for example,\\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\\nthose activities conducted by individuals communicating through a network, either an\\nexternal network (e.g., the internet) or an internal network.\\n\\nLocal maintenance and\\ndiagnostic activities are those activities carried out by individuals physically present\\nat the information system or information system component and not communicating across a\\nnetwork connection.\\n\\nEncrypting information for transmission protects information from\\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\\nprotect information integrity include, for example, cryptographic hash functions which\\nhave common application in digital signatures, checksums, and message authentication\\ncodes.\", :check=>\"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\\nwith the following command:\\n\\n$ grep -ir macs /etc/ssh/sshd_config*\\n\\nMACs\\nhmac-sha2-512,hmac-sha2-256\\n\\nIf any ciphers other than \\\"hmac-sha2-512\\\" or\\n\\\"hmac-sha2-256\\\" are listed, the order differs from the example above, or the returned line is\\ncommented out, this is a finding.\\nIf conflicting results are returned, this is a finding.\", :fix=>\"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\\n140-2 approved ciphers.\\n\\nAdd the following line (or modify the line to have the required\\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\\ndifferent location if using a version of SSH that is provided by a third-party vendor):\\n\\nMACs\\nhmac-sha2-512,hmac-sha2-256\\n\\nRestart the SSH daemon for the changes to take effect:\\n\\n$\\nsudo systemctl reload sshd.service\"}, @refs=[], @tags={:severity=>\"medium \", :gtitle=>\"SRG-OS-000424-GPOS-00188 \", :satisfies=>[\"SRG-OS-000424-GPOS-00188\", \"SRG-OS-000250-GPOS-00093\", \"SRG-OS-000393-GPOS-00173\"], :gid=>\"V-238216 \", :rid=>\"SV-238216r860820_rule \", :stig_id=>\"UBTU-20-010043 \", :fix_id=>\"F-41385r653822_fix \", :cci=>[\"CCI-001453\", \"CCI-002421\", \"CCI-002890\"], :nist=>[\"AC-17 (2)\", \"SC-8 (1)\", \"MA-4 (6)\"]}, @resource_dsl=#, @__code=nil, @__block=#, @__source_location={:ref=>\"./controls/SV-238216.rb\", :line=>1}, @__rule_id=\"SV-238216\", @__profile_id=\"Canonical_Ubuntu_20-04_LTS_STIG\", @__checks=[[\"describe\", [\"Control Source Code Error\"], #]], @__skip_rule={}, @__merge_count=0, @__merge_changes=[], @__skip_only_if_eval=false, @__file=\"./controls/SV-238216.rb\", @__group_title=nil>","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238216.rb:1"}]},{"id":"SV-238217","title":"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. ","desc":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \"strongest to\nweakest\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.","descriptions":[{"label":"default","data":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \"strongest to\nweakest\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections."},{"label":"check","data":"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \"aes256-ctr\",\n\"aes192-ctr\", or \"aes128-ctr\" are listed, the order differs from the example above, the\n\"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000424-GPOS-00188 ","satisfies":["SRG-OS-000424-GPOS-00188","SRG-OS-000033-GPOS-00014","SRG-OS-000394-GPOS-00174"],"gid":"V-238217 ","rid":"SV-238217r860821_rule ","stig_id":"UBTU-20-010044 ","fix_id":"F-41386r653825_fix ","cci":["CCI-000068","CCI-002421","CCI-003123"],"nist":["AC-17 (2)","SC-8 (1)","MA-4 (6)"]},"code":"control 'SV-238217' do\n title \"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \\\"strongest to\nweakest\\\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \\\"aes256-ctr\\\",\n\\\"aes192-ctr\\\", or \\\"aes128-ctr\\\" are listed, the order differs from the example above, the\n\\\"Ciphers\\\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000033-GPOS-00014 SRG-OS-000394-GPOS-00174)\n tag gid: 'V-238217 '\n tag rid: 'SV-238217r860821_rule '\n tag stig_id: 'UBTU-20-010044 '\n tag fix_id: 'F-41386r653825_fix '\n tag cci: %w(CCI-000068 CCI-002421 CCI-003123)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n disable_fips = input('disable_fips')\n\n if disable_fips?\n impact 0.0\n describe 'Control not applicable' do\n skip 'Control not applicable'\n end\n elsif virtualization.system.eql?('docker')\n describe 'Manual test' do\n skip 'This control must be reviewed manually'\n end\n else\n @ciphers_array = inspec.sshd_config.params['ciphers']\n\n @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil?\n\n describe @ciphers_array do\n it { should be_in %w( aes256-ctr aes192-ctr aes128-ctr ) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238217.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238217.rb:1 ","run_time":0.009444,"start_time":"2022-12-07T14:54:22-05:00","message":"undefined method `disable_fips?' for #\"Without cryptographic integrity protections, information can be altered by unauthorized\\nusers without detection.\\n\\nRemote access (e.g., RDP) is access to DoD nonpublic information\\nsystems by an authorized user (or an information system) communicating through an external,\\nnon-organization-controlled network. Remote access methods include, for example,\\ndial-up, broadband, and wireless.\\n\\nNonlocal maintenance and diagnostic activities are\\nthose activities conducted by individuals communicating through a network, either an\\nexternal network (e.g., the internet) or an internal network.\\n\\nLocal maintenance and\\ndiagnostic activities are those activities carried out by individuals physically present\\nat the information system or information system component and not communicating across a\\nnetwork connection.\\n\\nEncrypting information for transmission protects information from\\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\\nprotect information integrity include, for example, cryptographic hash functions which\\nhave common application in digital signatures, checksums, and message authentication\\ncodes.\\n\\nBy specifying a cipher list with the order of ciphers being in a \\\"strongest to\\nweakest\\\" orientation, the system will automatically attempt to use the strongest cipher for\\nsecuring SSH connections.\", :check=>\"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\\nthe following command:\\n\\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\\n\\nCiphers\\naes256-ctr,aes192-ctr,aes128-ctr\\n\\nIf any ciphers other than \\\"aes256-ctr\\\",\\n\\\"aes192-ctr\\\", or \\\"aes128-ctr\\\" are listed, the order differs from the example above, the\\n\\\"Ciphers\\\" keyword is missing, or the returned line is commented out, this is a finding.\\nIf\\nconflicting results are returned, this is a finding.\", :fix=>\"Configure the Ubuntu operating system to allow the SSH daemon to only implement\\nFIPS-approved algorithms.\\n\\nAdd the following line (or modify the line to have the required\\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\\ndifferent location if using a version of SSH that is provided by a third-party vendor):\\n\\n\\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\\n\\nRestart the SSH daemon for the changes to\\ntake effect:\\n\\n$ sudo systemctl restart sshd.service\"}, @refs=[], @tags={:severity=>\"medium \", :gtitle=>\"SRG-OS-000424-GPOS-00188 \", :satisfies=>[\"SRG-OS-000424-GPOS-00188\", \"SRG-OS-000033-GPOS-00014\", \"SRG-OS-000394-GPOS-00174\"], :gid=>\"V-238217 \", :rid=>\"SV-238217r860821_rule \", :stig_id=>\"UBTU-20-010044 \", :fix_id=>\"F-41386r653825_fix \", :cci=>[\"CCI-000068\", \"CCI-002421\", \"CCI-003123\"], :nist=>[\"AC-17 (2)\", \"SC-8 (1)\", \"MA-4 (6)\"]}, @resource_dsl=#, @__code=nil, @__block=#, @__source_location={:ref=>\"./controls/SV-238217.rb\", :line=>1}, @__rule_id=\"SV-238217\", @__profile_id=\"Canonical_Ubuntu_20-04_LTS_STIG\", @__checks=[[\"describe\", [\"Control Source Code Error\"], #]], @__skip_rule={}, @__merge_count=0, @__merge_changes=[], @__skip_only_if_eval=false, @__file=\"./controls/SV-238217.rb\", @__group_title=nil>","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238217.rb:1"}]},{"id":"SV-238218","title":"The Ubuntu operating system must not allow unattended or automatic login via SSH. ","desc":"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security.","descriptions":[{"label":"default","data":"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security."},{"label":"check","data":"Verify that unattended or automatic login via SSH is disabled with the following command:\n\n$\negrep -r '(Permit(.*?)(Passwords|Environment))'\n/etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf\n\"PermitEmptyPasswords\" or \"PermitUserEnvironment\" keywords are not set to \"no\", are\nmissing completely, or are commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or\nautomatic login to the system.\n\nAdd or edit the following lines in the\n\"/etc/ssh/sshd_config\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00229 ","gid":"V-238218 ","rid":"SV-238218r858531_rule ","stig_id":"UBTU-20-010047 ","fix_id":"F-41387r653828_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238218' do\n title 'The Ubuntu operating system must not allow unattended or automatic login via SSH. '\n desc \"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security. \"\n desc 'check', \"Verify that unattended or automatic login via SSH is disabled with the following command:\n\n$\negrep -r '(Permit(.*?)(Passwords|Environment))'\n/etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf\n\\\"PermitEmptyPasswords\\\" or \\\"PermitUserEnvironment\\\" keywords are not set to \\\"no\\\", are\nmissing completely, or are commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or\nautomatic login to the system.\n\nAdd or edit the following lines in the\n\\\"/etc/ssh/sshd_config\\\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00229 '\n tag gid: 'V-238218 '\n tag rid: 'SV-238218r858531_rule '\n tag stig_id: 'UBTU-20-010047 '\n tag fix_id: 'F-41387r653828_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('PermitEmptyPasswords') { should cmp 'no' }\n its('PermitUserEnvironment') { should cmp 'no' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238218.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":4.4e-05,"start_time":"2022-12-07T14:54:22-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238219","title":"The Ubuntu operating system must be configured so that remote X connections are disabled,\nunless to fulfill documented and validated mission requirements. ","desc":"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs.","descriptions":[{"label":"default","data":"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs."},{"label":"check","data":"Verify that X11Forwarding is disabled with the following command:\n\n$ grep -ir\nx11forwarding /etc/ssh/sshd_config* | grep -v \"^#\"\n\nX11Forwarding no\n\nIf the\n\"X11Forwarding\" keyword is set to \"yes\" and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement or is missing, this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\"\nkeyword and set its value to \"no\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding\nno\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238219 ","rid":"SV-238219r858533_rule ","stig_id":"UBTU-20-010048 ","fix_id":"F-41388r653831_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238219' do\n title \"The Ubuntu operating system must be configured so that remote X connections are disabled,\nunless to fulfill documented and validated mission requirements. \"\n desc \"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs. \"\n desc 'check', \"Verify that X11Forwarding is disabled with the following command:\n\n$ grep -ir\nx11forwarding /etc/ssh/sshd_config* | grep -v \\\"^#\\\"\n\nX11Forwarding no\n\nIf the\n\\\"X11Forwarding\\\" keyword is set to \\\"yes\\\" and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement or is missing, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11Forwarding\\\"\nkeyword and set its value to \\\"no\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding\nno\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238219 '\n tag rid: 'SV-238219r858533_rule '\n tag stig_id: 'UBTU-20-010048 '\n tag fix_id: 'F-41388r653831_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('X11Forwarding') { should cmp 'no' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238219.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":3.5e-05,"start_time":"2022-12-07T14:54:22-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238220","title":"The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy\ndisplay. ","desc":"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display.","descriptions":[{"label":"default","data":"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display."},{"label":"check","data":"Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the\nSSH X11UseLocalhost setting with the following command:\n\n$ sudo grep -ir x11uselocalhost\n/etc/ssh/sshd_config*\nX11UseLocalhost yes\n\nIf the \"X11UseLocalhost\" keyword is set to\n\"no\", is missing, or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding."},{"label":"fix","data":"Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit\nthe \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11UseLocalhost\"\nkeyword and set its value to \"yes\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\n\nX11UseLocalhost yes\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238220 ","rid":"SV-238220r858535_rule ","stig_id":"UBTU-20-010049 ","fix_id":"F-41389r653834_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238220' do\n title \"The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy\ndisplay. \"\n desc \"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display. \"\n desc 'check', \"Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the\nSSH X11UseLocalhost setting with the following command:\n\n$ sudo grep -ir x11uselocalhost\n/etc/ssh/sshd_config*\nX11UseLocalhost yes\n\nIf the \\\"X11UseLocalhost\\\" keyword is set to\n\\\"no\\\", is missing, or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit\nthe \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11UseLocalhost\\\"\nkeyword and set its value to \\\"yes\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\n\nX11UseLocalhost yes\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238220 '\n tag rid: 'SV-238220r858535_rule '\n tag stig_id: 'UBTU-20-010049 '\n tag fix_id: 'F-41389r653834_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('X11UseLocalhost') { should cmp 'yes' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238220.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":2.8e-05,"start_time":"2022-12-07T14:54:22-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238221","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nupper-case character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none upper-case character be used.\n\nDetermine if the field \"ucredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"ucredit\"\n/etc/security/pwquality.conf\nucredit=-1\n\nIf the \"ucredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Add or update the \"/etc/security/pwquality.conf\" file to contain the \"ucredit\" parameter:\n\n\nucredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000069-GPOS-00037 ","gid":"V-238221 ","rid":"SV-238221r653838_rule ","stig_id":"UBTU-20-010050 ","fix_id":"F-41390r653837_fix ","cci":["CCI-000192"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238221' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nupper-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none upper-case character be used.\n\nDetermine if the field \\\"ucredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"ucredit\\\"\n/etc/security/pwquality.conf\nucredit=-1\n\nIf the \\\"ucredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"ucredit\\\" parameter:\n\n\nucredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000069-GPOS-00037 '\n tag gid: 'V-238221 '\n tag rid: 'SV-238221r653838_rule '\n tag stig_id: 'UBTU-20-010050 '\n tag fix_id: 'F-41390r653837_fix '\n tag cci: ['CCI-000192']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ucredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238221.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.006084,"start_time":"2022-12-07T14:54:22-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238222","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nlower-case character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none lower-case character be used.\n\nDetermine if the field \"lcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"lcredit\"\n/etc/security/pwquality.conf\nlcredit=-1\n\nIf the \"lcredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Add or update the \"/etc/security/pwquality.conf\" file to contain the \"lcredit\" parameter:\n\n\nlcredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000070-GPOS-00038 ","gid":"V-238222 ","rid":"SV-238222r653841_rule ","stig_id":"UBTU-20-010051 ","fix_id":"F-41391r653840_fix ","cci":["CCI-000193"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238222' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nlower-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none lower-case character be used.\n\nDetermine if the field \\\"lcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"lcredit\\\"\n/etc/security/pwquality.conf\nlcredit=-1\n\nIf the \\\"lcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"lcredit\\\" parameter:\n\n\nlcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000070-GPOS-00038 '\n tag gid: 'V-238222 '\n tag rid: 'SV-238222r653841_rule '\n tag stig_id: 'UBTU-20-010051 '\n tag fix_id: 'F-41391r653840_fix '\n tag cci: ['CCI-000193']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('lcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238222.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.001141,"start_time":"2022-12-07T14:54:22-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238223","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \"dcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"dcredit\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \"dcredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \"/etc/security/pwquality.conf\"\nfile to contain the \"dcredit\" parameter:\n\ndcredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000071-GPOS-00039 ","gid":"V-238223 ","rid":"SV-238223r653844_rule ","stig_id":"UBTU-20-010052 ","fix_id":"F-41392r653843_fix ","cci":["CCI-000194"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238223' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \\\"dcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"dcredit\\\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \\\"dcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\"\nfile to contain the \\\"dcredit\\\" parameter:\n\ndcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000071-GPOS-00039 '\n tag gid: 'V-238223 '\n tag rid: 'SV-238223r653844_rule '\n tag stig_id: 'UBTU-20-010052 '\n tag fix_id: 'F-41392r653843_fix '\n tag cci: ['CCI-000194']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238223.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.001162,"start_time":"2022-12-07T14:54:22-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238224","title":"The Ubuntu operating system must require the change of at least 8 characters when passwords\nare changed. ","desc":"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters.","descriptions":[{"label":"default","data":"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters."},{"label":"check","data":"Verify the Ubuntu operating system requires the change of at least eight characters when\npasswords are changed.\n\nDetermine if the field \"difok\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"difok\"\n/etc/security/pwquality.conf\ndifok=8\n\nIf the \"difok\" parameter is less than \"8\" or is\ncommented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to require the change of at least eight characters when\npasswords are changed.\n\nAdd or update the \"/etc/security/pwquality.conf\" file to include\nthe \"difok=8\" parameter:\n\ndifok=8"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000072-GPOS-00040 ","gid":"V-238224 ","rid":"SV-238224r653847_rule ","stig_id":"UBTU-20-010053 ","fix_id":"F-41393r653846_fix ","cci":["CCI-000195"],"nist":["IA-5 (1) (b)"]},"code":"control 'SV-238224' do\n title \"The Ubuntu operating system must require the change of at least 8 characters when passwords\nare changed. \"\n desc \"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters. \"\n desc 'check', \"Verify the Ubuntu operating system requires the change of at least eight characters when\npasswords are changed.\n\nDetermine if the field \\\"difok\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"difok\\\"\n/etc/security/pwquality.conf\ndifok=8\n\nIf the \\\"difok\\\" parameter is less than \\\"8\\\" or is\ncommented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to require the change of at least eight characters when\npasswords are changed.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\" file to include\nthe \\\"difok=8\\\" parameter:\n\ndifok=8 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000072-GPOS-00040 '\n tag gid: 'V-238224 '\n tag rid: 'SV-238224r653847_rule '\n tag stig_id: 'UBTU-20-010053 '\n tag fix_id: 'F-41393r653846_fix '\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('difok') { should cmp >= '8' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238224.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.001027,"start_time":"2022-12-07T14:54:23-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238225","title":"The Ubuntu operating system must enforce a minimum 15-character password length. ","desc":"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password.","descriptions":[{"label":"default","data":"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password."},{"label":"check","data":"Verify the pwquality configuration file enforces a minimum 15-character password length by\nrunning the following command:\n\n$ grep -i minlen\n/etc/security/pwquality.conf\nminlen=15\n\nIf \"minlen\" parameter value is not \"15\" or\nhigher or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a minimum 15-character password length.\n\n\nAdd or modify the \"minlen\" parameter value to the \"/etc/security/pwquality.conf\" file:\n\n\nminlen=15"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000078-GPOS-00046 ","gid":"V-238225 ","rid":"SV-238225r832942_rule ","stig_id":"UBTU-20-010054 ","fix_id":"F-41394r653849_fix ","cci":["CCI-000205"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238225' do\n title 'The Ubuntu operating system must enforce a minimum 15-character password length. '\n desc \"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password. \"\n desc 'check', \"Verify the pwquality configuration file enforces a minimum 15-character password length by\nrunning the following command:\n\n$ grep -i minlen\n/etc/security/pwquality.conf\nminlen=15\n\nIf \\\"minlen\\\" parameter value is not \\\"15\\\" or\nhigher or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a minimum 15-character password length.\n\n\nAdd or modify the \\\"minlen\\\" parameter value to the \\\"/etc/security/pwquality.conf\\\" file:\n\n\nminlen=15 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000078-GPOS-00046 '\n tag gid: 'V-238225 '\n tag rid: 'SV-238225r832942_rule '\n tag stig_id: 'UBTU-20-010054 '\n tag fix_id: 'F-41394r653849_fix '\n tag cci: ['CCI-000205']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('minlen') { should cmp >= '15' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238225.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.000722,"start_time":"2022-12-07T14:54:23-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238226","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nspecial character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *."},{"label":"check","data":"Determine if the field \"ocredit\" is set in the \"/etc/security/pwquality.conf\" file with the\nfollowing command:\n\n$ grep -i \"ocredit\" /etc/security/pwquality.conf\nocredit=-1\n\nIf\nthe \"ocredit\" parameter is greater than \"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one special character be used.\n\nAdd or update the following line in the\n\"/etc/security/pwquality.conf\" file to include the \"ocredit=-1\" parameter:\n\n\nocredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000266-GPOS-00101 ","gid":"V-238226 ","rid":"SV-238226r653853_rule ","stig_id":"UBTU-20-010055 ","fix_id":"F-41395r653852_fix ","cci":["CCI-001619"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238226' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nspecial character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *. \"\n desc 'check', \"Determine if the field \\\"ocredit\\\" is set in the \\\"/etc/security/pwquality.conf\\\" file with the\nfollowing command:\n\n$ grep -i \\\"ocredit\\\" /etc/security/pwquality.conf\nocredit=-1\n\nIf\nthe \\\"ocredit\\\" parameter is greater than \\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one special character be used.\n\nAdd or update the following line in the\n\\\"/etc/security/pwquality.conf\\\" file to include the \\\"ocredit=-1\\\" parameter:\n\n\nocredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000266-GPOS-00101 '\n tag gid: 'V-238226 '\n tag rid: 'SV-238226r653853_rule '\n tag stig_id: 'UBTU-20-010055 '\n tag fix_id: 'F-41395r653852_fix '\n tag cci: ['CCI-001619']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ocredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238226.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.000941,"start_time":"2022-12-07T14:54:23-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238227","title":"The Ubuntu operating system must prevent the use of dictionary words for passwords. ","desc":"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks.","descriptions":[{"label":"default","data":"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks."},{"label":"check","data":"Verify the Ubuntu operating system uses the \"cracklib\" library to prevent the use of\ndictionary words with the following command:\n\n$ grep dictcheck\n/etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \"dictcheck\" parameter is not set to\n\"1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.\n\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file to include the\n\"dictcheck=1\" parameter:\n\ndictcheck=1"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00225 ","gid":"V-238227 ","rid":"SV-238227r653856_rule ","stig_id":"UBTU-20-010056 ","fix_id":"F-41396r653855_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238227' do\n title 'The Ubuntu operating system must prevent the use of dictionary words for passwords. '\n desc \"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks. \"\n desc 'check', \"Verify the Ubuntu operating system uses the \\\"cracklib\\\" library to prevent the use of\ndictionary words with the following command:\n\n$ grep dictcheck\n/etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \\\"dictcheck\\\" parameter is not set to\n\\\"1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.\n\n\nAdd or update the following line in the \\\"/etc/security/pwquality.conf\\\" file to include the\n\\\"dictcheck=1\\\" parameter:\n\ndictcheck=1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238227 '\n tag rid: 'SV-238227r653856_rule '\n tag stig_id: 'UBTU-20-010056 '\n tag fix_id: 'F-41396r653855_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dictcheck') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238227.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.003211,"start_time":"2022-12-07T14:54:23-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238228","title":"The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem."},{"label":"check","data":"Verify the Ubuntu operating system has the \"libpam-pwquality\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \"libpam-pwquality\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \"pwquality\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \"enforcing\" is not \"1\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \"pwquality\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\",\nthis is a finding."},{"label":"fix","data":"Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n\n\nInstall the \"pam_pwquality\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \"/etc/security/pwquality.conf\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\"/etc/pam.d/common-password\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \"retry\" should be between \"1\" and\n\"3\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00225 ","gid":"V-238228 ","rid":"SV-238228r653859_rule ","stig_id":"UBTU-20-010057 ","fix_id":"F-41397r653858_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238228' do\n title \"The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \\\"pwquality\\\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem. \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"libpam-pwquality\\\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \\\"libpam-pwquality\\\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \\\"pwquality\\\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \\\"enforcing\\\" is not \\\"1\\\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \\\"pwquality\\\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \\\"retry\\\" is set to \\\"0\\\" or greater than \\\"3\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the operating system to use \\\"pwquality\\\" to enforce password complexity rules.\n\n\nInstall the \\\"pam_pwquality\\\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \\\"/etc/security/pwquality.conf\\\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\\\"/etc/pam.d/common-password\\\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \\\"retry\\\" should be between \\\"1\\\" and\n\\\"3\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238228 '\n tag rid: 'SV-238228r653859_rule '\n tag stig_id: 'UBTU-20-010057 '\n tag fix_id: 'F-41397r653858_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pwquality') do\n it { should be_installed }\n end\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('enforcing') { should cmp 1 }\n end\n\n describe file('/etc/pam.d/common-password') do\n its('content') { should match '^password\\s+requisite\\s+pam_pwquality.so\\s+retry=3\\s+enforce_for_root$' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238228.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.9e-05,"start_time":"2022-12-07T14:54:23-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238229","title":"The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. ","desc":"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement.","descriptions":[{"label":"default","data":"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement."},{"label":"check","data":"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \"use_pkcs11_module\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\"\nand then ensure \"ca\" is enabled in \"cert_policy\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to \"ca\" or the line is commented out,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \"use_pkcs11_module\" in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" and ensure \"ca\" is enabled in \"cert_policy\".\n\nAdd or\nupdate the \"cert_policy\" to ensure \"ca\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \"/etc/pam_pkcs11/\" directory and an\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify\naccordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000066-GPOS-00034 ","gid":"V-238229 ","rid":"SV-238229r653862_rule ","stig_id":"UBTU-20-010060 ","fix_id":"F-41398r653861_fix ","cci":["CCI-000185"],"nist":["IA-5 (2) (b) (1)"]},"code":"control 'SV-238229' do\n title \"The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. \"\n desc \"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement. \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \\\"use_pkcs11_module\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\"\nand then ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to \\\"ca\\\" or the line is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \\\"use_pkcs11_module\\\" in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" and ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\".\n\nAdd or\nupdate the \\\"cert_policy\\\" to ensure \\\"ca\\\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000066-GPOS-00034 '\n tag gid: 'V-238229 '\n tag rid: 'SV-238229r653862_rule '\n tag stig_id: 'UBTU-20-010060 '\n tag fix_id: 'F-41398r653861_fix '\n tag cci: ['CCI-000185']\n tag nist: ['IA-5 (2) (b) (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('use_pkcs11_module') { should_not be_nil }\n its('cert_policy') { should include 'ca' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238229.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.6e-05,"start_time":"2022-12-07T14:54:23-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238230","title":"The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. ","desc":"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management).","descriptions":[{"label":"default","data":"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management)."},{"label":"check","data":"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\"libpam-pkcs11\" package is not installed, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \"libpam-pkcs11\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000375-GPOS-00160 ","gid":"V-238230 ","rid":"SV-238230r853410_rule ","stig_id":"UBTU-20-010063 ","fix_id":"F-41399r653864_fix ","cci":["CCI-001948"],"nist":["IA-2 (11)"]},"code":"control 'SV-238230' do\n title \"The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. \"\n desc \"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management). \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \\\"libpam-pkcs11\\\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000375-GPOS-00160 '\n tag gid: 'V-238230 '\n tag rid: 'SV-238230r853410_rule '\n tag stig_id: 'UBTU-20-010063 '\n tag fix_id: 'F-41399r653864_fix '\n tag cci: ['CCI-001948']\n tag nist: ['IA-2 (11)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238230.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.5e-05,"start_time":"2022-12-07T14:54:23-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238231","title":"The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. ","desc":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.","descriptions":[{"label":"default","data":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems."},{"label":"check","data":"Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \"opensc-pcks11\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \"opensc-pcks11\" package is not installed,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to accept PIV credentials.\n\nInstall the\n\"opensc-pkcs11\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000376-GPOS-00161 ","gid":"V-238231 ","rid":"SV-238231r853411_rule ","stig_id":"UBTU-20-010064 ","fix_id":"F-41400r653867_fix ","cci":["CCI-001953"],"nist":["IA-2 (12)"]},"code":"control 'SV-238231' do\n title 'The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. '\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \\\"opensc-pcks11\\\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \\\"opensc-pcks11\\\" package is not installed,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to accept PIV credentials.\n\nInstall the\n\\\"opensc-pkcs11\\\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000376-GPOS-00161 '\n tag gid: 'V-238231 '\n tag rid: 'SV-238231r853411_rule '\n tag stig_id: 'UBTU-20-010064 '\n tag fix_id: 'F-41400r653867_fix '\n tag cci: ['CCI-001953']\n tag nist: ['IA-2 (12)']\n\n describe package('opensc-pkcs11') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238231.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package opensc-pkcs11 is expected to be installed","run_time":0.08109,"start_time":"2022-12-07T14:54:23-05:00","message":"expected that `System Package opensc-pkcs11` is installed","resource_class":"package","resource_params":"[\"opensc-pkcs11\"]","resource_id":"opensc-pkcs11"}]},{"id":"SV-238232","title":"The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. ","desc":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.","descriptions":[{"label":"default","data":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems."},{"label":"check","data":"Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to\n\"ocsp_on\", or the line is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \"cert_policy\" lines in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000377-GPOS-00162 ","gid":"V-238232 ","rid":"SV-238232r853412_rule ","stig_id":"UBTU-20-010065 ","fix_id":"F-41401r653870_fix ","cci":["CCI-001954"],"nist":["IA-2 (12)"]},"code":"control 'SV-238232' do\n title \"The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. \"\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to\n\\\"ocsp_on\\\", or the line is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \\\"cert_policy\\\" lines in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" to include \\\"ocsp_on\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000377-GPOS-00162 '\n tag gid: 'V-238232 '\n tag rid: 'SV-238232r853412_rule '\n tag stig_id: 'UBTU-20-010065 '\n tag fix_id: 'F-41401r653870_fix '\n tag cci: ['CCI-001954']\n tag nist: ['IA-2 (12)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'ocsp_on' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238232.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.6e-05,"start_time":"2022-12-07T14:54:23-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238233","title":"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. ","desc":"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates).","descriptions":[{"label":"default","data":"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates)."},{"label":"check","data":"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \"crl_offline\" or \"crl_auto\" is\npart of the \"cert_policy\" definition in \"/etc/pam_pkcs11/pam_pkcs11.conf\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\"cert_policy\" is not set to include \"crl_auto\" or \"crl_offline\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\"cert_policy\" option in \"/etc/pam/_pkcs11/pam_pkcs11.conf\" to include \"crl_auto\" or\n\"crl_offline\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \"/etc/pam_pkcs11/\" directory and an \"/etc/pam_pkcs11/pam_pkcs11.conf\", find\nan example to copy into place and modify accordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000384-GPOS-00167 ","gid":"V-238233 ","rid":"SV-238233r853413_rule ","stig_id":"UBTU-20-010066 ","fix_id":"F-41402r653873_fix ","cci":["CCI-001991"],"nist":["IA-5 (2) (d)"]},"code":"control 'SV-238233' do\n title \"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. \"\n desc \"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates). \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \\\"crl_offline\\\" or \\\"crl_auto\\\" is\npart of the \\\"cert_policy\\\" definition in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\\\"cert_policy\\\" is not set to include \\\"crl_auto\\\" or \\\"crl_offline\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\\\"cert_policy\\\" option in \\\"/etc/pam/_pkcs11/pam_pkcs11.conf\\\" to include \\\"crl_auto\\\" or\n\\\"crl_offline\\\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \\\"/etc/pam_pkcs11/\\\" directory and an \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find\nan example to copy into place and modify accordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000384-GPOS-00167 '\n tag gid: 'V-238233 '\n tag rid: 'SV-238233r853413_rule '\n tag stig_id: 'UBTU-20-010066 '\n tag fix_id: 'F-41402r653873_fix '\n tag cci: ['CCI-001991']\n tag nist: ['IA-5 (2) (d)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe.one do\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_auto' }\n end\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_offline' }\n end\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238233.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.5e-05,"start_time":"2022-12-07T14:54:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238234","title":"The Ubuntu operating system must prohibit password reuse for a minimum of five generations. ","desc":"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.","descriptions":[{"label":"default","data":"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements."},{"label":"check","data":"Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \"remember\" parameter value is not greater\nthan or equal to \"5\", is commented out, or is not set at all, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \"remember\" parameter value to the following line in\n\"/etc/pam.d/common-password\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000077-GPOS-00045 ","satisfies":["SRG-OS-000077-GPOS-00045","SRG-OS-000073-GPOS-00041"],"gid":"V-238234 ","rid":"SV-238234r832945_rule ","stig_id":"UBTU-20-010070 ","fix_id":"F-41403r832944_fix ","cci":["CCI-000196","CCI-000200"],"nist":["IA-5 (1) (c)","IA-5 (1) (e)"]},"code":"control 'SV-238234' do\n title 'The Ubuntu operating system must prohibit password reuse for a minimum of five generations. '\n desc \"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \\\"remember\\\" parameter value is not greater\nthan or equal to \\\"5\\\", is commented out, or is not set at all, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \\\"remember\\\" parameter value to the following line in\n\\\"/etc/pam.d/common-password\\\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000077-GPOS-00045 '\n tag satisfies: %w(SRG-OS-000077-GPOS-00045 SRG-OS-000073-GPOS-00041)\n tag gid: 'V-238234 '\n tag rid: 'SV-238234r832945_rule '\n tag stig_id: 'UBTU-20-010070 '\n tag fix_id: 'F-41403r832944_fix '\n tag cci: %w(CCI-000196 CCI-000200)\n tag nist: ['IA-5 (1) (c)', 'IA-5 (1) (e)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-password') do\n it { should exist }\n end\n\n describe command(\"grep -i remember /etc/pam.d/common-password | sed 's/.*remember=\\\\([^ ]*\\\\).*/\\\\1/'\") do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should cmp >= 5 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238234.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.6e-05,"start_time":"2022-12-07T14:54:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238235","title":"The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. ","desc":"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.","descriptions":[{"label":"default","data":"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account."},{"label":"check","data":"Verify that the Ubuntu operating system utilizes the \"pam_faillock\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \"/etc/pam.d/common-auth\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \"silent\" keyword is missing or commented out, this is a finding.\nIf the \"audit\"\nkeyword is missing or commented out, this is a finding.\nIf the \"deny\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \"fail_interval\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\"unlock_time\" keyword is missing, commented out, or not set to 0, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to utilize the \"pam_faillock\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \"auth\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \"pam_faillock\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000329-GPOS-00128 ","satisfies":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"gid":"V-238235 ","rid":"SV-238235r853414_rule ","stig_id":"UBTU-20-010072 ","fix_id":"F-41404r802382_fix ","cci":["CCI-000044","CCI-002238"],"nist":["AC-7 a","AC-7 b"]},"code":"control 'SV-238235' do\n title \"The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. \"\n desc \"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.\n\n \"\n desc 'check', \"Verify that the Ubuntu operating system utilizes the \\\"pam_faillock\\\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \\\"/etc/pam.d/common-auth\\\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \\\"silent\\\" keyword is missing or commented out, this is a finding.\nIf the \\\"audit\\\"\nkeyword is missing or commented out, this is a finding.\nIf the \\\"deny\\\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \\\"fail_interval\\\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\\\"unlock_time\\\" keyword is missing, commented out, or not set to 0, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to utilize the \\\"pam_faillock\\\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \\\"auth\\\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \\\"pam_faillock\\\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000329-GPOS-00128 '\n tag satisfies: %w(SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005)\n tag gid: 'V-238235 '\n tag rid: 'SV-238235r853414_rule '\n tag stig_id: 'UBTU-20-010072 '\n tag fix_id: 'F-41404r802382_fix '\n tag cci: %w(CCI-000044 CCI-002238)\n tag nist: ['AC-7 a', 'AC-7 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_tally /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3($|\\s+.*$)/ }\n its('stdout.strip') { should_not match /^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3\\s+.*unlock_time.*$/ }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238235.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.6e-05,"start_time":"2022-12-07T14:54:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238236","title":"The Ubuntu operating system must be configured so that the script which runs each 30 days or\nless to check file integrity is the default one. ","desc":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.","descriptions":[{"label":"default","data":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality."},{"label":"check","data":"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to\ncheck file integrity each 30 days or less is unchanged.\n\nDownload the original aide-common\npackage in the /tmp directory:\n\n$ cd /tmp; apt download aide-common\n\nFetch the SHA1 of the\noriginal script file:\n\n$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO\n./usr/share/aide/config/cron.daily/aide | sha1sum\n\n32958374f18871e3f7dda27a58d721f471843e26 -\n\nCompare with the SHA1 of the file in the\ndaily or monthly cron directory:\n\n$ sha1sum /etc/cron.{daily,monthly}/aide\n2>/dev/null\n32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide\n\nIf\nthere is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the\ndaily or monthly cron directory does not match the SHA1 of the original, this is a finding."},{"label":"fix","data":"The cron file for AIDE is fairly complex as it creates the report. This file is installed with\nthe \"aide-common\" package, and the default can be restored by copying it from the package:\n\n\nDownload the original package to the /tmp dir:\n\n$ cd /tmp; apt download aide-common\n\n\nExtract the aide script to its original place:\n\n$ dpkg-deb --fsys-tarfile\n/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C /\n\n\nCopy it to the cron.daily directory:\n\n$ sudo cp -f\n/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000446-GPOS-00200 ","gid":"V-238236 ","rid":"SV-238236r853415_rule ","stig_id":"UBTU-20-010074 ","fix_id":"F-41405r653882_fix ","cci":["CCI-002699"],"nist":["SI-6 b"]},"code":"control 'SV-238236' do\n title \"The Ubuntu operating system must be configured so that the script which runs each 30 days or\nless to check file integrity is the default one. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality. \"\n desc 'check', \"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to\ncheck file integrity each 30 days or less is unchanged.\n\nDownload the original aide-common\npackage in the /tmp directory:\n\n$ cd /tmp; apt download aide-common\n\nFetch the SHA1 of the\noriginal script file:\n\n$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO\n./usr/share/aide/config/cron.daily/aide | sha1sum\n\n32958374f18871e3f7dda27a58d721f471843e26 -\n\nCompare with the SHA1 of the file in the\ndaily or monthly cron directory:\n\n$ sha1sum /etc/cron.{daily,monthly}/aide\n2>/dev/null\n32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide\n\nIf\nthere is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the\ndaily or monthly cron directory does not match the SHA1 of the original, this is a finding. \"\n desc 'fix', \"The cron file for AIDE is fairly complex as it creates the report. This file is installed with\nthe \\\"aide-common\\\" package, and the default can be restored by copying it from the package:\n\n\nDownload the original package to the /tmp dir:\n\n$ cd /tmp; apt download aide-common\n\n\nExtract the aide script to its original place:\n\n$ dpkg-deb --fsys-tarfile\n/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C /\n\n\nCopy it to the cron.daily directory:\n\n$ sudo cp -f\n/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000446-GPOS-00200 '\n tag gid: 'V-238236 '\n tag rid: 'SV-238236r853415_rule '\n tag stig_id: 'UBTU-20-010074 '\n tag fix_id: 'F-41405r653882_fix '\n tag cci: ['CCI-002699']\n tag nist: ['SI-6 b']\n\n describe('Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.') do\n skip('manual test')\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238236.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.","run_time":2.7e-05,"start_time":"2022-12-07T14:54:24-05:00","resource":"","skip_message":"manual test","resource_class":"Object","resource_params":"[]","resource_id":"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged."}]},{"id":"SV-238237","title":"The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. ","desc":"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account.","descriptions":[{"label":"default","data":"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account."},{"label":"check","data":"Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \"/etc/pam.d/common-auth\" and set\nthe parameter \"pam_faildelay\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000480-GPOS-00226 ","gid":"V-238237 ","rid":"SV-238237r653886_rule ","stig_id":"UBTU-20-010075 ","fix_id":"F-41406r653885_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238237' do\n title \"The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. \"\n desc \"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \\\"/etc/pam.d/common-auth\\\" and set\nthe parameter \\\"pam_faildelay\\\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00226 '\n tag gid: 'V-238237 '\n tag rid: 'SV-238237r653886_rule '\n tag stig_id: 'UBTU-20-010075 '\n tag fix_id: 'F-41406r653885_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_faildelay /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=([4-9][\\d]{6,}|[1-9][\\d]{7,}).*$/ }\n end\n\n file('/etc/pam.d/common-auth').content.to_s.scan(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=(\\d+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 4_000_000 }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238237.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.4e-05,"start_time":"2022-12-07T14:54:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238238","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000463-GPOS-00207","SRG-OS-000476-GPOS-00221"],"gid":"V-238238 ","rid":"SV-238238r853416_rule ","stig_id":"UBTU-20-010100 ","fix_id":"F-41407r653888_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238238' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000463-GPOS-00207 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238238 '\n tag rid: 'SV-238238r853416_rule '\n tag stig_id: 'UBTU-20-010100 '\n tag fix_id: 'F-41407r653888_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238238.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.5e-05,"start_time":"2022-12-07T14:54:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238239","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238239 ","rid":"SV-238239r853417_rule ","stig_id":"UBTU-20-010101 ","fix_id":"F-41408r653891_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238239' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238239 '\n tag rid: 'SV-238239r853417_rule '\n tag stig_id: 'UBTU-20-010101 '\n tag fix_id: 'F-41408r653891_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/group'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238239.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.4e-05,"start_time":"2022-12-07T14:54:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238240","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238240 ","rid":"SV-238240r853418_rule ","stig_id":"UBTU-20-010102 ","fix_id":"F-41409r653894_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238240' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238240 '\n tag rid: 'SV-238240r853418_rule '\n tag stig_id: 'UBTU-20-010102 '\n tag fix_id: 'F-41409r653894_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/shadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238240.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.5e-05,"start_time":"2022-12-07T14:54:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238241","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238241 ","rid":"SV-238241r853419_rule ","stig_id":"UBTU-20-010103 ","fix_id":"F-41410r653897_fix ","cci":["CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AU-12 c","AC-2 (4)"]},"code":"control 'SV-238241' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238241 '\n tag rid: 'SV-238241r853419_rule '\n tag stig_id: 'UBTU-20-010103 '\n tag fix_id: 'F-41410r653897_fix '\n tag cci: %w(CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AU-12 c', 'AC-2 (4)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/gshadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238241.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.2e-05,"start_time":"2022-12-07T14:54:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238242","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/security/opasswd\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/security/opasswd\".\n\n\nAdd or update the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238242 ","rid":"SV-238242r853420_rule ","stig_id":"UBTU-20-010104 ","fix_id":"F-41411r653900_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238242' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nAdd or update the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238242 '\n tag rid: 'SV-238242r853420_rule '\n tag stig_id: 'UBTU-20-010104 '\n tag fix_id: 'F-41411r653900_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/security/opasswd'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238242.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.6e-05,"start_time":"2022-12-07T14:54:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238243","title":"The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. ","desc":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth.","descriptions":[{"label":"default","data":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth."},{"label":"check","data":"Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \"action_mail_acct\" keyword is not set to an accounts for security personnel, the\n\"action_mail_acct\" keyword is missing, or the returned line is commented out, this is a\nfinding."},{"label":"fix","data":"Configure \"auditd\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \"/etc/audit/auditd.conf\" to ensure administrators\nare notified via email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \"administrator_account\" to an account for\nsecurity personnel.\n\nRestart the \"auditd\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000046-GPOS-00022 ","gid":"V-238243 ","rid":"SV-238243r653904_rule ","stig_id":"UBTU-20-010117 ","fix_id":"F-41412r653903_fix ","cci":["CCI-000139"],"nist":["AU-5 a"]},"code":"control 'SV-238243' do\n title \"The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. \"\n desc \"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth. \"\n desc 'check', \"Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \\\"action_mail_acct\\\" keyword is not set to an accounts for security personnel, the\n\\\"action_mail_acct\\\" keyword is missing, or the returned line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure \\\"auditd\\\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \\\"/etc/audit/auditd.conf\\\" to ensure administrators\nare notified via email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \\\"administrator_account\\\" to an account for\nsecurity personnel.\n\nRestart the \\\"auditd\\\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000046-GPOS-00022 '\n tag gid: 'V-238243 '\n tag rid: 'SV-238243r653904_rule '\n tag stig_id: 'UBTU-20-010117 '\n tag fix_id: 'F-41412r653903_fix '\n tag cci: ['CCI-000139']\n tag nist: ['AU-5 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n action_mail_acct = auditd_conf.action_mail_acct\n security_accounts = input('action_mail_acct')\n\n describe 'System Administrator (SA) and Information System Security Officer (ISSO) are notified in the event of an audit processing failure' do\n subject { security_accounts }\n it { should cmp action_mail_acct }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238243.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.9e-05,"start_time":"2022-12-07T14:54:25-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238244","title":"The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). ","desc":"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server.","descriptions":[{"label":"default","data":"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server."},{"label":"check","data":"Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\"disk_full_action\" option is not \"SYSLOG\", \"SINGLE\", or \"HALT\", or the line is commented\nout, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \"disk_full_action\" can be set to \"SYSLOG\", \"HALT\" or \"SINGLE\") in\n\"/etc/audit/auditd.conf\" file:\n\ndisk_full_action = HALT\n\nRestart the \"auditd\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000047-GPOS-00023 ","gid":"V-238244 ","rid":"SV-238244r653907_rule ","stig_id":"UBTU-20-010118 ","fix_id":"F-41413r653906_fix ","cci":["CCI-000140"],"nist":["AU-5 b"]},"code":"control 'SV-238244' do\n title \"The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). \"\n desc \"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server. \"\n desc 'check', \"Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\\\"disk_full_action\\\" option is not \\\"SYSLOG\\\", \\\"SINGLE\\\", or \\\"HALT\\\", or the line is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \\\"disk_full_action\\\" can be set to \\\"SYSLOG\\\", \\\"HALT\\\" or \\\"SINGLE\\\") in\n\\\"/etc/audit/auditd.conf\\\" file:\n\ndisk_full_action = HALT\n\nRestart the \\\"auditd\\\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000047-GPOS-00023 '\n tag gid: 'V-238244 '\n tag rid: 'SV-238244r653907_rule '\n tag stig_id: 'UBTU-20-010118 '\n tag fix_id: 'F-41413r653906_fix '\n tag cci: ['CCI-000140']\n tag nist: ['AU-5 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe auditd_conf do\n its('disk_full_action') { should_not be_empty }\n its('disk_full_action') { should cmp /(?:SYSLOG|SINGLE|HALT)/i }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238244.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.2e-05,"start_time":"2022-12-07T14:54:25-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238245","title":"The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. ","desc":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.","descriptions":[{"label":"default","data":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity."},{"label":"check","data":"Verify that the audit log files have a mode of \"0600\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \"0600\" or\nless by using the following command:\n\n$ sudo stat -c \"%n %a\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\"0600\", this is a finding."},{"label":"fix","data":"Configure the audit log files to have a mode of \"0600\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \"0600\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000057-GPOS-00027 ","satisfies":["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028"],"gid":"V-238245 ","rid":"SV-238245r653910_rule ","stig_id":"UBTU-20-010122 ","fix_id":"F-41414r653909_fix ","cci":["CCI-000162","CCI-000163"],"nist":["AU-9 a"]},"code":"control 'SV-238245' do\n title \"The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify that the audit log files have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \\\"0600\\\" or\nless by using the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\\\"0600\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log files to have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \\\"0600\\\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028)\n tag gid: 'V-238245 '\n tag rid: 'SV-238245r653910_rule '\n tag stig_id: 'UBTU-20-010122 '\n tag fix_id: 'F-41414r653909_fix '\n tag cci: %w(CCI-000162 CCI-000163)\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n it { should_not be_more_permissive_than('0600') }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238245.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-05,"start_time":"2022-12-07T14:54:25-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238246","title":"The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. ","desc":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.","descriptions":[{"label":"default","data":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity."},{"label":"check","data":"Verify the audit log files are owned by \"root\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \"root\" user by using the following\ncommand:\n\n$ sudo stat -c \"%n %U\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \"root\", this is a finding."},{"label":"fix","data":"Configure the audit log directory and its underlying files to be owned by \"root\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \"root\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000057-GPOS-00027 ","satisfies":["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028","SRG-OS-000059-GPOS-00029"],"gid":"V-238246 ","rid":"SV-238246r653913_rule ","stig_id":"UBTU-20-010123 ","fix_id":"F-41415r653912_fix ","cci":["CCI-000162"],"nist":["AU-9 a"]},"code":"control 'SV-238246' do\n title \"The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the audit log files are owned by \\\"root\\\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \\\"root\\\" user by using the following\ncommand:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \\\"root\\\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238246 '\n tag rid: 'SV-238246r653913_rule '\n tag stig_id: 'UBTU-20-010123 '\n tag fix_id: 'F-41415r653912_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('owner') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238246.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.3e-05,"start_time":"2022-12-07T14:54:25-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238247","title":"The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. ","desc":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.","descriptions":[{"label":"default","data":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity."},{"label":"check","data":"Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \"log_group\" parameter is other than \"root\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \"root\" group by using the following command:\n$ sudo stat -c \"%n %G\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\"root\", this is a finding."},{"label":"fix","data":"Configure the audit log directory and its underlying files to be owned by \"root\" group.\n\nSet\nthe \"log_group\" parameter of the audit configuration file to the \"root\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000057-GPOS-00027 ","satisfies":["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028","SRG-OS-000059-GPOS-00029"],"gid":"V-238247 ","rid":"SV-238247r832947_rule ","stig_id":"UBTU-20-010124 ","fix_id":"F-41416r832946_fix ","cci":["CCI-000162"],"nist":["AU-9 a"]},"code":"control 'SV-238247' do\n title \"The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \\\"log_group\\\" parameter is other than \\\"root\\\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \\\"root\\\" group by using the following command:\n$ sudo stat -c \\\"%n %G\\\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" group.\n\nSet\nthe \\\"log_group\\\" parameter of the audit configuration file to the \\\"root\\\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238247 '\n tag rid: 'SV-238247r832947_rule '\n tag stig_id: 'UBTU-20-010124 '\n tag fix_id: 'F-41416r832946_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('group') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238247.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.0e-05,"start_time":"2022-12-07T14:54:25-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238248","title":"The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. ","desc":"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity.","descriptions":[{"label":"default","data":"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity."},{"label":"check","data":"Verify that the audit log directory has a mode of \"0750\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \"0750\" or less by\nusing the following command:\n\n$ sudo stat -c \"%n %a\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \"0750\", this is a finding."},{"label":"fix","data":"Configure the audit log directory to have a mode of \"0750\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\"0750\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000059-GPOS-00029 ","gid":"V-238248 ","rid":"SV-238248r653919_rule ","stig_id":"UBTU-20-010128 ","fix_id":"F-41417r653918_fix ","cci":["CCI-000164"],"nist":["AU-9 a"]},"code":"control 'SV-238248' do\n title \"The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. \"\n desc \"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity. \"\n desc 'check', \"Verify that the audit log directory has a mode of \\\"0750\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \\\"0750\\\" or less by\nusing the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \\\"0750\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory to have a mode of \\\"0750\\\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\\\"0750\\\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000059-GPOS-00029 '\n tag gid: 'V-238248 '\n tag rid: 'SV-238248r653919_rule '\n tag stig_id: 'UBTU-20-010128 '\n tag fix_id: 'F-41417r653918_fix '\n tag cci: ['CCI-000164']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n if log_dir_exists\n describe directory(File.dirname(log_file)) do\n it { should_not be_more_permissive_than('0750') }\n end\n else\n describe('Audit directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238248.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.7e-05,"start_time":"2022-12-07T14:54:25-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238249","title":"The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. ","desc":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one."},{"label":"check","data":"Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files have a mode of \"0640\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\"/etc/audit/audit.rule\",\"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nhave a mode more permissive than \"0640\", this is a finding."},{"label":"fix","data":"Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files to have a mode of \"0640\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000063-GPOS-00032 ","gid":"V-238249 ","rid":"SV-238249r653922_rule ","stig_id":"UBTU-20-010133 ","fix_id":"F-41418r653921_fix ","cci":["CCI-000171"],"nist":["AU-12 b"]},"code":"control 'SV-238249' do\n title \"The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files have a mode of \\\"0640\\\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\\\"/etc/audit/audit.rule\\\",\\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nhave a mode more permissive than \\\"0640\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to have a mode of \\\"0640\\\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238249 '\n tag rid: 'SV-238249r653922_rule '\n tag stig_id: 'UBTU-20-010133 '\n tag fix_id: 'F-41418r653921_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n it { should_not be_more_permissive_than('0640') }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238249.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.0e-05,"start_time":"2022-12-07T14:54:25-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238250","title":"The Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. ","desc":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one."},{"label":"check","data":"Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and\n\"/etc/audit/auditd.conf\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nis owned by a user other than \"root\", this is a finding."},{"label":"fix","data":"Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and\n\"/etc/audit/auditd.conf\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000063-GPOS-00032 ","gid":"V-238250 ","rid":"SV-238250r653925_rule ","stig_id":"UBTU-20-010134 ","fix_id":"F-41419r653924_fix ","cci":["CCI-000171"],"nist":["AU-12 b"]},"code":"control 'SV-238250' do\n title \"The Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238250 '\n tag rid: 'SV-238250r653925_rule '\n tag stig_id: 'UBTU-20-010134 '\n tag fix_id: 'F-41419r653924_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238250.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.3e-05,"start_time":"2022-12-07T14:54:25-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238251","title":"The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. ","desc":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one."},{"label":"check","data":"Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nis owned by a group other than \"root\", this is a finding."},{"label":"fix","data":"Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000063-GPOS-00032 ","gid":"V-238251 ","rid":"SV-238251r653928_rule ","stig_id":"UBTU-20-010135 ","fix_id":"F-41420r653927_fix ","cci":["CCI-000171"],"nist":["AU-12 b"]},"code":"control 'SV-238251' do\n title \"The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a group other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238251 '\n tag rid: 'SV-238251r653928_rule '\n tag stig_id: 'UBTU-20-010135 '\n tag fix_id: 'F-41420r653927_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238251.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.7e-05,"start_time":"2022-12-07T14:54:25-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238252","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"su\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x -F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"su\" command occur.\n\nAdd or update the\nfollowing rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238252 ","rid":"SV-238252r653931_rule ","stig_id":"UBTU-20-010136 ","fix_id":"F-41421r653930_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238252' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"su\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x -F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \\\"su\\\" command occur.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238252 '\n tag rid: 'SV-238252r653931_rule '\n tag stig_id: 'UBTU-20-010136 '\n tag fix_id: 'F-41421r653930_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/su'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238252.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.7e-05,"start_time":"2022-12-07T14:54:26-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238253","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"chfn\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"chfn\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238253 ","rid":"SV-238253r653934_rule ","stig_id":"UBTU-20-010137 ","fix_id":"F-41422r653933_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238253' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"chfn\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chfn\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238253 '\n tag rid: 'SV-238253r653934_rule '\n tag stig_id: 'UBTU-20-010137 '\n tag fix_id: 'F-41422r653933_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chfn'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238253.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":6.0e-06,"start_time":"2022-12-07T14:54:26-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238254","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"mount\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"mount\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238254 ","rid":"SV-238254r653937_rule ","stig_id":"UBTU-20-010138 ","fix_id":"F-41423r653936_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238254' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"mount\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"mount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238254 '\n tag rid: 'SV-238254r653937_rule '\n tag stig_id: 'UBTU-20-010138 '\n tag fix_id: 'F-41423r653936_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/mount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238254.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-07T14:54:26-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238255","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \"umount\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"umount\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238255 ","rid":"SV-238255r653940_rule ","stig_id":"UBTU-20-010139 ","fix_id":"F-41424r653939_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238255' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \\\"umount\\\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"umount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238255 '\n tag rid: 'SV-238255r653940_rule '\n tag stig_id: 'UBTU-20-010139 '\n tag fix_id: 'F-41424r653939_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/umount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238255.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.9e-05,"start_time":"2022-12-07T14:54:26-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238256","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-agent command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"ssh-agent\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep '/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"ssh-agent\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238256 ","rid":"SV-238256r653943_rule ","stig_id":"UBTU-20-010140 ","fix_id":"F-41425r653942_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238256' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-agent command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-agent\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep '/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-agent\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238256 '\n tag rid: 'SV-238256r653943_rule '\n tag stig_id: 'UBTU-20-010140 '\n tag fix_id: 'F-41425r653942_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/ssh-agent'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238256.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.5e-05,"start_time":"2022-12-07T14:54:26-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238257","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"ssh-keysign\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"ssh-keysign\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238257 ","rid":"SV-238257r653946_rule ","stig_id":"UBTU-20-010141 ","fix_id":"F-41426r653945_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238257' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-keysign\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-keysign\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238257 '\n tag rid: 'SV-238257r653946_rule '\n tag stig_id: 'UBTU-20-010141 '\n tag fix_id: 'F-41426r653945_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/lib/openssh/ssh-keysign'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238257.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.5e-05,"start_time":"2022-12-07T14:54:26-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238258","title":"The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\",\n\"fremovexattr\", and \"lremovexattr\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \"setxattr\", \"fsetxattr\",\n\"lsetxattr\", \"removexattr\", \"fremovexattr\" and \"lremovexattr\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and\n\"lremovexattr\" system calls.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"],"gid":"V-238258 ","rid":"SV-238258r808474_rule ","stig_id":"UBTU-20-010142 ","fix_id":"F-41427r808473_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238258' do\n title \"The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\",\n\\\"fremovexattr\\\", and \\\"lremovexattr\\\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \\\"setxattr\\\", \\\"fsetxattr\\\",\n\\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\" and \\\"lremovexattr\\\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\", and\n\\\"lremovexattr\\\" system calls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238258 '\n tag rid: 'SV-238258r808474_rule '\n tag stig_id: 'UBTU-20-010142 '\n tag fix_id: 'F-41427r808473_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('setxattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('setxattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238258.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.4e-05,"start_time":"2022-12-07T14:54:26-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238264","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \"chown\",\n\"fchown\", \"fchownat\", and \"lchown\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nAdd or update the following\nrules in the \"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"],"gid":"V-238264 ","rid":"SV-238264r808477_rule ","stig_id":"UBTU-20-010148 ","fix_id":"F-41433r808476_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238264' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \\\"chown\\\",\n\\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nAdd or update the following\nrules in the \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238264 '\n tag rid: 'SV-238264r808477_rule '\n tag stig_id: 'UBTU-20-010148 '\n tag fix_id: 'F-41433r808476_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chown').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chown').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238264.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.7e-05,"start_time":"2022-12-07T14:54:26-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238268","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \"chmod\", \"fchmod\" and\n\"fchmodat\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nAdd or update the following rules in\nthe \"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"],"gid":"V-238268 ","rid":"SV-238268r808480_rule ","stig_id":"UBTU-20-010152 ","fix_id":"F-41437r808479_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238268' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \\\"chmod\\\", \\\"fchmod\\\" and\n\\\"fchmodat\\\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nAdd or update the following rules in\nthe \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238268 '\n tag rid: 'SV-238268r808480_rule '\n tag stig_id: 'UBTU-20-010152 '\n tag fix_id: 'F-41437r808479_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chmod').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chmod').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238268.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.4e-05,"start_time":"2022-12-07T14:54:26-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238271","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\|truncate\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \"-k\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove."},{"label":"fix","data":"Configure the audit system to generate an audit event for any unsuccessful use of the\"creat\",\n\"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" system calls.\n\nAdd\nor update the following rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000474-GPOS-00219"],"gid":"V-238271 ","rid":"SV-238271r808483_rule ","stig_id":"UBTU-20-010155 ","fix_id":"F-41440r808482_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238271' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\\\|truncate\\\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any unsuccessful use of the\\\"creat\\\",\n\\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" system calls.\n\nAdd\nor update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000474-GPOS-00219)\n tag gid: 'V-238271 '\n tag rid: 'SV-238271r808483_rule '\n tag stig_id: 'UBTU-20-010155 '\n tag fix_id: 'F-41440r808482_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238271.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.4e-05,"start_time":"2022-12-07T14:54:26-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238277","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"sudo\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"sudo\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238277 ","rid":"SV-238277r654006_rule ","stig_id":"UBTU-20-010161 ","fix_id":"F-41446r654005_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238277' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"sudo\\\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudo\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238277 '\n tag rid: 'SV-238277r654006_rule '\n tag stig_id: 'UBTU-20-010161 '\n tag fix_id: 'F-41446r654005_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudo'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238277.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-05,"start_time":"2022-12-07T14:54:27-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238278","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"sudoedit\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"sudoedit\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238278 ","rid":"SV-238278r654009_rule ","stig_id":"UBTU-20-010162 ","fix_id":"F-41447r654008_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238278' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"sudoedit\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudoedit\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238278 '\n tag rid: 'SV-238278r654009_rule '\n tag stig_id: 'UBTU-20-010162 '\n tag fix_id: 'F-41447r654008_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudoedit'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238278.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":7.7e-05,"start_time":"2022-12-07T14:54:27-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238279","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chsh\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chsh\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238279 ","rid":"SV-238279r654012_rule ","stig_id":"UBTU-20-010163 ","fix_id":"F-41448r654011_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238279' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chsh\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chsh\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238279 '\n tag rid: 'SV-238279r654012_rule '\n tag stig_id: 'UBTU-20-010163 '\n tag fix_id: 'F-41448r654011_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chsh'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238279.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.4e-05,"start_time":"2022-12-07T14:54:27-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238280","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"newgrp\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"newgrp\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238280 ","rid":"SV-238280r654015_rule ","stig_id":"UBTU-20-010164 ","fix_id":"F-41449r654014_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238280' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"newgrp\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"newgrp\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238280 '\n tag rid: 'SV-238280r654015_rule '\n tag stig_id: 'UBTU-20-010164 '\n tag fix_id: 'F-41449r654014_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/newgrp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238280.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.7e-05,"start_time":"2022-12-07T14:54:27-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238281","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chcon\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chcon\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238281 ","rid":"SV-238281r654018_rule ","stig_id":"UBTU-20-010165 ","fix_id":"F-41450r654017_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238281' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chcon\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chcon\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238281 '\n tag rid: 'SV-238281r654018_rule '\n tag stig_id: 'UBTU-20-010165 '\n tag fix_id: 'F-41450r654017_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chcon'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238281.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.4e-05,"start_time":"2022-12-07T14:54:27-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238282","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"apparmor_parser\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"apparmor_parser\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238282 ","rid":"SV-238282r654021_rule ","stig_id":"UBTU-20-010166 ","fix_id":"F-41451r654020_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238282' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"apparmor_parser\\\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"apparmor_parser\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238282 '\n tag rid: 'SV-238282r654021_rule '\n tag stig_id: 'UBTU-20-010166 '\n tag fix_id: 'F-41451r654020_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/apparmor_parser'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238282.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.8e-05,"start_time":"2022-12-07T14:54:27-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238283","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"setfacl\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"setfacl\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238283 ","rid":"SV-238283r654024_rule ","stig_id":"UBTU-20-010167 ","fix_id":"F-41452r654023_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238283' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setfacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setfacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238283 '\n tag rid: 'SV-238283r654024_rule '\n tag stig_id: 'UBTU-20-010167 '\n tag fix_id: 'F-41452r654023_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/setfacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238283.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.5e-05,"start_time":"2022-12-07T14:54:27-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238284","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chacl\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chacl\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238284 ","rid":"SV-238284r654027_rule ","stig_id":"UBTU-20-010168 ","fix_id":"F-41453r654026_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238284' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238284 '\n tag rid: 'SV-238284r654027_rule '\n tag stig_id: 'UBTU-20-010168 '\n tag fix_id: 'F-41453r654026_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238284.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.9e-05,"start_time":"2022-12-07T14:54:27-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238285","title":"The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \"tallylog\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"tallylog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"gid":"V-238285 ","rid":"SV-238285r654030_rule ","stig_id":"UBTU-20-010169 ","fix_id":"F-41454r654029_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238285' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238285 '\n tag rid: 'SV-238285r654030_rule '\n tag stig_id: 'UBTU-20-010169 '\n tag fix_id: 'F-41454r654029_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/tallylog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238285.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.0e-05,"start_time":"2022-12-07T14:54:27-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238286","title":"The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \"faillog\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"faillog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"gid":"V-238286 ","rid":"SV-238286r654033_rule ","stig_id":"UBTU-20-010170 ","fix_id":"F-41455r654032_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238286' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238286 '\n tag rid: 'SV-238286r654033_rule '\n tag stig_id: 'UBTU-20-010170 '\n tag fix_id: 'F-41455r654032_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/faillog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238286.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.8e-05,"start_time":"2022-12-07T14:54:27-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238287","title":"The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \"lastlog\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"lastlog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"gid":"V-238287 ","rid":"SV-238287r654036_rule ","stig_id":"UBTU-20-010171 ","fix_id":"F-41456r654035_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238287' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238287 '\n tag rid: 'SV-238287r654036_rule '\n tag stig_id: 'UBTU-20-010171 '\n tag fix_id: 'F-41456r654035_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/lastlog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238287.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.4e-05,"start_time":"2022-12-07T14:54:28-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238288","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"passwd\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"key\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"passwd\" command.\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238288 ","rid":"SV-238288r833012_rule ","stig_id":"UBTU-20-010172 ","fix_id":"F-41457r832949_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238288' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"passwd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"key\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"passwd\\\" command.\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238288 '\n tag rid: 'SV-238288r833012_rule '\n tag stig_id: 'UBTU-20-010172 '\n tag fix_id: 'F-41457r832949_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238288.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.3e-05,"start_time":"2022-12-07T14:54:28-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238289","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the unix_update command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the\n\"unix_update\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"unix_update\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238289 ","rid":"SV-238289r654042_rule ","stig_id":"UBTU-20-010173 ","fix_id":"F-41458r654041_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238289' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the unix_update command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"unix_update\\\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"unix_update\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238289 '\n tag rid: 'SV-238289r654042_rule '\n tag stig_id: 'UBTU-20-010173 '\n tag fix_id: 'F-41458r654041_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/unix_update'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238289.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":0.000304,"start_time":"2022-12-07T14:54:28-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238290","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"gpasswd\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"gpasswd\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238290 ","rid":"SV-238290r654045_rule ","stig_id":"UBTU-20-010174 ","fix_id":"F-41459r654044_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238290' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"gpasswd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"gpasswd\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238290 '\n tag rid: 'SV-238290r654045_rule '\n tag stig_id: 'UBTU-20-010174 '\n tag fix_id: 'F-41459r654044_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/gpasswd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238290.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-05,"start_time":"2022-12-07T14:54:28-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238291","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"chage\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"chage\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238291 ","rid":"SV-238291r654048_rule ","stig_id":"UBTU-20-010175 ","fix_id":"F-41460r654047_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238291' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"chage\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chage\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238291 '\n tag rid: 'SV-238291r654048_rule '\n tag stig_id: 'UBTU-20-010175 '\n tag fix_id: 'F-41460r654047_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chage'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238291.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.3e-05,"start_time":"2022-12-07T14:54:28-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238292","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"usermod\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"usermod\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238292 ","rid":"SV-238292r654051_rule ","stig_id":"UBTU-20-010176 ","fix_id":"F-41461r654050_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238292' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"usermod\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"usermod\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238292 '\n tag rid: 'SV-238292r654051_rule '\n tag stig_id: 'UBTU-20-010176 '\n tag fix_id: 'F-41461r654050_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/usermod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238292.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.7e-05,"start_time":"2022-12-07T14:54:28-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238293","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"crontab\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"crontab\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238293 ","rid":"SV-238293r654054_rule ","stig_id":"UBTU-20-010177 ","fix_id":"F-41462r654053_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238293' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"crontab\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"crontab\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238293 '\n tag rid: 'SV-238293r654054_rule '\n tag stig_id: 'UBTU-20-010177 '\n tag fix_id: 'F-41462r654053_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/crontab'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238293.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.2e-05,"start_time":"2022-12-07T14:54:28-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238294","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the\n\"pam_timestamp_check\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"pam_timestamp_check\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238294 ","rid":"SV-238294r654057_rule ","stig_id":"UBTU-20-010178 ","fix_id":"F-41463r654056_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238294' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"pam_timestamp_check\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"pam_timestamp_check\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238294 '\n tag rid: 'SV-238294r654057_rule '\n tag stig_id: 'UBTU-20-010178 '\n tag fix_id: 'F-41463r654056_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/pam_timestamp_check'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238294.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.1e-05,"start_time":"2022-12-07T14:54:28-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238295","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \"init_module\" and \"finit_module\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"init_module\" and \"finit_module\" syscalls.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000471-GPOS-00216"],"gid":"V-238295 ","rid":"SV-238295r808486_rule ","stig_id":"UBTU-20-010179 ","fix_id":"F-41464r808485_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238295' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \\\"init_module\\\" and \\\"finit_module\\\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000471-GPOS-00216)\n tag gid: 'V-238295 '\n tag rid: 'SV-238295r808486_rule '\n tag stig_id: 'UBTU-20-010179 '\n tag fix_id: 'F-41464r808485_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('init_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('init_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238295.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.3e-05,"start_time":"2022-12-07T14:54:28-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238297","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \"delete_module\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"delete_module\" syscall.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000477-GPOS-00222"],"gid":"V-238297 ","rid":"SV-238297r802387_rule ","stig_id":"UBTU-20-010181 ","fix_id":"F-41466r654065_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238297' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"delete_module\\\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"delete_module\\\" syscall.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: ['SRG-OS-000477-GPOS-00222']\n tag gid: 'V-238297 '\n tag rid: 'SV-238297r802387_rule '\n tag stig_id: 'UBTU-20-010181 '\n tag fix_id: 'F-41466r654065_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('delete_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('delete_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238297.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.7e-05,"start_time":"2022-12-07T14:54:28-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238298","title":"The Ubuntu operating system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. ","desc":"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.","descriptions":[{"label":"default","data":"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system."},{"label":"check","data":"Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \"auditd\" package is not installed, this is a finding.\n\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \"disabled\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \"inactive\",\nthis is a finding."},{"label":"fix","data":"Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000122-GPOS-00063 ","satisfies":["SRG-OS-000122-GPOS-00063","SRG-OS-000037-GPOS-00015","SRG-OS-000038-GPOS-00016","SRG-OS-000039-GPOS-00017","SRG-OS-000040-GPOS-00018","SRG-OS-000041-GPOS-00019","SRG-OS-000042-GPOS-00020","SRG-OS-000042-GPOS-00021","SRG-OS-000051-GPOS-00024","SRG-OS-000054-GPOS-00025","SRG-OS-000062-GPOS-00031","SRG-OS-000337-GPOS-00129","SRG-OS-000348-GPOS-00136","SRG-OS-000349-GPOS-00137","SRG-OS-000350-GPOS-00138","SRG-OS-000351-GPOS-00139","SRG-OS-000352-GPOS-00140","SRG-OS-000353-GPOS-00141","SRG-OS-000354-GPOS-00142","SRG-OS-000475-GPOS-00220"],"gid":"V-238298 ","rid":"SV-238298r853421_rule ","stig_id":"UBTU-20-010182 ","fix_id":"F-41467r654068_fix ","cci":["CCI-000130","CCI-000131","CCI-000132","CCI-000133","CCI-000134","CCI-000135","CCI-000154","CCI-000158","CCI-000169","CCI-000172","CCI-001875","CCI-001876","CCI-001877","CCI-001878","CCI-001879","CCI-001880","CCI-001881","CCI-001882","CCI-001914"],"nist":["AU-3 a","AU-3 b","AU-3 c","AU-3 d","AU-3 e","AU-3 (1)","AU-6 (4)","AU-7 (1)","AU-12 a","AU-12 c","AU-7 a","AU-7 b","AU-12 (3)"]},"code":"control 'SV-238298' do\n title \"The Ubuntu operating system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. \"\n desc \"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.\n\n \"\n desc 'check', \"Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \\\"auditd\\\" package is not installed, this is a finding.\n\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \\\"disabled\\\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \\\"inactive\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000122-GPOS-00063 '\n tag satisfies: %w(SRG-OS-000122-GPOS-00063 SRG-OS-000037-GPOS-00015 SRG-OS-000038-GPOS-00016 SRG-OS-000039-GPOS-00017 SRG-OS-000040-GPOS-00018 SRG-OS-000041-GPOS-00019 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000051-GPOS-00024 SRG-OS-000054-GPOS-00025 SRG-OS-000062-GPOS-00031 SRG-OS-000337-GPOS-00129 SRG-OS-000348-GPOS-00136 SRG-OS-000349-GPOS-00137 SRG-OS-000350-GPOS-00138 SRG-OS-000351-GPOS-00139 SRG-OS-000352-GPOS-00140 SRG-OS-000353-GPOS-00141 SRG-OS-000354-GPOS-00142 SRG-OS-000475-GPOS-00220)\n tag gid: 'V-238298 '\n tag rid: 'SV-238298r853421_rule '\n tag stig_id: 'UBTU-20-010182 '\n tag fix_id: 'F-41467r654068_fix '\n tag cci: %w(CCI-000130 CCI-000131 CCI-000132 CCI-000133 CCI-000134 CCI-000135 CCI-000154 CCI-000158 CCI-000169 CCI-000172 CCI-001875 CCI-001876 CCI-001877 CCI-001878 CCI-001879 CCI-001880 CCI-001881 CCI-001882 CCI-001914)\n tag nist: ['AU-3 a', 'AU-3 b', 'AU-3 c', 'AU-3 d', 'AU-3 e', 'AU-3 (1)', 'AU-6 (4)', 'AU-7 (1)', 'AU-12 a', 'AU-12 c', 'AU-7 a', 'AU-7 b', 'AU-12 (3)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('auditd') do\n it { should be_installed }\n end\n describe service('auditd') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238298.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.7e-05,"start_time":"2022-12-07T14:54:29-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238299","title":"The Ubuntu operating system must initiate session audits at system start-up. ","desc":"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created.","descriptions":[{"label":"default","data":"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created."},{"label":"check","data":"Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \"^\\s*linux\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \"audit=1\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\"/etc/default/grub\" file and add \"audit=1\" to the \"GRUB_CMDLINE_LINUX\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000254-GPOS-00095 ","gid":"V-238299 ","rid":"SV-238299r654072_rule ","stig_id":"UBTU-20-010198 ","fix_id":"F-41468r654071_fix ","cci":["CCI-001464"],"nist":["AU-14 (1)"]},"code":"control 'SV-238299' do\n title 'The Ubuntu operating system must initiate session audits at system start-up. '\n desc \"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created. \"\n desc 'check', \"Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \\\"^\\\\s*linux\\\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \\\"audit=1\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\\\"/etc/default/grub\\\" file and add \\\"audit=1\\\" to the \\\"GRUB_CMDLINE_LINUX\\\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000254-GPOS-00095 '\n tag gid: 'V-238299 '\n tag rid: 'SV-238299r654072_rule '\n tag stig_id: 'UBTU-20-010198 '\n tag fix_id: 'F-41468r654071_fix '\n tag cci: ['CCI-001464']\n tag nist: ['AU-14 (1)']\n\n grub_entries = command('grep \"^\\s*linux\" /boot/grub/grub.cfg').stdout.strip.split(\"\\n\").entries\n\n grub_entries.each do |entry|\n describe entry do\n it { should include 'audit=1' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238299.rb"},"waiver_data":{},"results":[]},{"id":"SV-238300","title":"The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the Ubuntu operating system configures the audit tools to have a file permission of\n0755 or less to prevent unauthorized access by running the following command:\n\n$ stat -c \"%n\n%a\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl 755\n/sbin/aureport 755\n\n/sbin/ausearch 755\n/sbin/autrace 755\n/sbin/auditd 755\n/sbin/audispd 755\n\n/sbin/augenrules 755\n\nIf any of the audit tools have a mode more permissive than 0755, this\nis a finding."},{"label":"fix","data":"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n$ sudo chmod\n0755 [audit_tool]\n\nReplace \"[audit_tool]\" with the audit tool that does not have the\ncorrect permissions."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000256-GPOS-00097 ","satisfies":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"],"gid":"V-238300 ","rid":"SV-238300r654075_rule ","stig_id":"UBTU-20-010199 ","fix_id":"F-41469r654074_fix ","cci":["CCI-001493","CCI-001494"],"nist":["AU-9 a","AU-9"]},"code":"control 'SV-238300' do\n title 'The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to have a file permission of\n0755 or less to prevent unauthorized access by running the following command:\n\n$ stat -c \\\"%n\n%a\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl 755\n/sbin/aureport 755\n\n/sbin/ausearch 755\n/sbin/autrace 755\n/sbin/auditd 755\n/sbin/audispd 755\n\n/sbin/augenrules 755\n\nIf any of the audit tools have a mode more permissive than 0755, this\nis a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n$ sudo chmod\n0755 [audit_tool]\n\nReplace \\\"[audit_tool]\\\" with the audit tool that does not have the\ncorrect permissions. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238300 '\n tag rid: 'SV-238300r654075_rule '\n tag stig_id: 'UBTU-20-010199 '\n tag fix_id: 'F-41469r654074_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238300.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.5e-05,"start_time":"2022-12-07T14:54:29-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238301","title":"The Ubuntu operating system must configure audit tools to be owned by root. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\"%n %U\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding."},{"label":"fix","data":"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not owned by root."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000256-GPOS-00097 ","satisfies":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"],"gid":"V-238301 ","rid":"SV-238301r654078_rule ","stig_id":"UBTU-20-010200 ","fix_id":"F-41470r654077_fix ","cci":["CCI-001493","CCI-001494"],"nist":["AU-9 a","AU-9"]},"code":"control 'SV-238301' do\n title 'The Ubuntu operating system must configure audit tools to be owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\\\"%n %U\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238301 '\n tag rid: 'SV-238301r654078_rule '\n tag stig_id: 'UBTU-20-010200 '\n tag fix_id: 'F-41470r654077_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238301.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.4e-05,"start_time":"2022-12-07T14:54:29-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238302","title":"The Ubuntu operating system must configure the audit tools to be group-owned by root. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \"%n %G\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding."},{"label":"fix","data":"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not group-owned by root."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000256-GPOS-00097 ","satisfies":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"],"gid":"V-238302 ","rid":"SV-238302r654081_rule ","stig_id":"UBTU-20-010201 ","fix_id":"F-41471r654080_fix ","cci":["CCI-001493","CCI-001494"],"nist":["AU-9 a","AU-9"]},"code":"control 'SV-238302' do\n title 'The Ubuntu operating system must configure the audit tools to be group-owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \\\"%n %G\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not group-owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238302 '\n tag rid: 'SV-238302r654081_rule '\n tag stig_id: 'UBTU-20-010201 '\n tag fix_id: 'F-41471r654080_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238302.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.2e-05,"start_time":"2022-12-07T14:54:29-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238303","title":"The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. ","desc":"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles.","descriptions":[{"label":"default","data":"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\/sbin\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding."},{"label":"fix","data":"Add or update the following selection lines for \"/etc/aide/aide.conf\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000278-GPOS-00108 ","gid":"V-238303 ","rid":"SV-238303r654084_rule ","stig_id":"UBTU-20-010205 ","fix_id":"F-41472r654083_fix ","cci":["CCI-001496"],"nist":["AU-9 (3)"]},"code":"control 'SV-238303' do\n title \"The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. \"\n desc \"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\\\/sbin\\\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding. \"\n desc 'fix', \"Add or update the following selection lines for \\\"/etc/aide/aide.conf\\\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000278-GPOS-00108 '\n tag gid: 'V-238303 '\n tag rid: 'SV-238303r654084_rule '\n tag stig_id: 'UBTU-20-010205 '\n tag fix_id: 'F-41472r654083_fix '\n tag cci: ['CCI-001496']\n tag nist: ['AU-9 (3)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n aide_conf = aide_conf input('aide_conf_path')\n\n aide_conf_exists = aide_conf.exist?\n\n if aide_conf_exists\n describe aide_conf.where { selection_line == '/sbin/auditctl' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/auditd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/ausearch' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/aureport' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/autrace' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/audispd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/augenrules' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n else\n describe 'aide.conf file exists' do\n subject { aide_conf_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238303.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.3e-05,"start_time":"2022-12-07T14:54:29-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238304","title":"The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. ","desc":"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.","descriptions":[{"label":"default","data":"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review."},{"label":"check","data":"Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \"execve\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000326-GPOS-00126 ","satisfies":["SRG-OS-000326-GPOS-00126","SRG-OS-000327-GPOS-00127"],"gid":"V-238304 ","rid":"SV-238304r853422_rule ","stig_id":"UBTU-20-010211 ","fix_id":"F-41473r654086_fix ","cci":["CCI-002233","CCI-002234"],"nist":["AC-6 (8)","AC-6 (9)"]},"code":"control 'SV-238304' do\n title \"The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. \"\n desc \"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \\\"execve\\\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000326-GPOS-00126 '\n tag satisfies: %w(SRG-OS-000326-GPOS-00126 SRG-OS-000327-GPOS-00127)\n tag gid: 'V-238304 '\n tag rid: 'SV-238304r853422_rule '\n tag stig_id: 'UBTU-20-010211 '\n tag fix_id: 'F-41473r654086_fix '\n tag cci: %w(CCI-002233 CCI-002234)\n tag nist: ['AC-6 (8)', 'AC-6 (9)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('execve').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('execve').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238304.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.2e-05,"start_time":"2022-12-07T14:54:29-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238305","title":"The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. ","desc":"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system.","descriptions":[{"label":"default","data":"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system."},{"label":"check","data":"Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \"/var/log/audit/\") with the following command:\n\n$\nsudo df –h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\"/var/log/audit\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du –sh [audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding."},{"label":"fix","data":"Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \"parted\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\s*=\\s*).*@\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint."}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000341-GPOS-00132 ","gid":"V-238305 ","rid":"SV-238305r853423_rule ","stig_id":"UBTU-20-010215 ","fix_id":"F-41474r654089_fix ","cci":["CCI-001849"],"nist":["AU-4"]},"code":"control 'SV-238305' do\n title \"The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. \"\n desc \"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system. \"\n desc 'check', \"Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \\\"/var/log/audit/\\\") with the following command:\n\n$\nsudo df –h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\\\"/var/log/audit\\\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du –sh [audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding. \"\n desc 'fix', \"Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \\\"parted\\\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\\\s*=\\\\s*).*@\\\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000341-GPOS-00132 '\n tag gid: 'V-238305 '\n tag rid: 'SV-238305r853423_rule '\n tag stig_id: 'UBTU-20-010215 '\n tag fix_id: 'F-41474r654089_fix '\n tag cci: ['CCI-001849']\n tag nist: ['AU-4']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n log_file_dir = File.dirname(log_file)\n available_storage = filesystem(log_file_dir).free_kb\n log_file_size = file(log_file).size\n standard_audit_log_size = input('standard_audit_log_size')\n describe('Current audit log file size is less than the specified standard of ' + standard_audit_log_size.to_s) do\n subject { log_file_size.to_i }\n it { should be <= standard_audit_log_size }\n end\n describe('Available storage for audit log should be more than the defined standard of ' + standard_audit_log_size.to_s) do\n subject { available_storage.to_i }\n it { should be > standard_audit_log_size }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238305.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.4e-05,"start_time":"2022-12-07T14:54:29-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238306","title":"The Ubuntu operating system audit event multiplexor must be configured to off-load audit\nlogs onto a different system or storage media from the system being audited. ","desc":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity.","descriptions":[{"label":"default","data":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity."},{"label":"check","data":"Verify the audit event multiplexor is configured to offload audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that audisp-remote plugin is\ninstalled:\n\n$ sudo dpkg -s audispd-plugins\n\nIf status is \"not installed\", this is a\nfinding.\n\nCheck that the records are being offloaded to a remote server with the following\ncommand:\n\n$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf\n\"active\" is not set to \"yes\", or the line is commented out, this is a finding.\n\nCheck that\naudisp-remote plugin is configured to send audit logs to a different system:\n\n$ sudo grep -i\n^remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 192.168.122.126\n\nIf\nthe \"remote_server\" parameter is not set, is set with a local address, or is set with an invalid\naddress, this is a finding."},{"label":"fix","data":"Configure the audit event multiplexor to offload audit records to a different system or\nstorage media from the system being audited.\n\nInstall the audisp-remote plugin:\n\n$ sudo\napt-get install audispd-plugins -y\n\nSet the audisp-remote plugin as active by editing the\n\"/etc/audisp/plugins.d/au-remote.conf\" file:\n\n$ sudo sed -i -E\n's/active\\s*=\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf\n\nSet the\naddress of the remote machine by editing the \"/etc/audisp/audisp-remote.conf\" file:\n\n$\nsudo sed -i -E 's/(remote_server\\s*=).*/\\1 <remote addr>/'\n/etc/audisp/audisp-remote.conf\n\nwhere <remote addr> must be substituted by the\naddress of the remote server receiving the audit log.\n\nMake the audit service reload its\nconfiguration files:\n\n$ sudo systemctl restart auditd.service"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000342-GPOS-00133 ","satisfies":["SRG-OS-000342-GPOS-00133","SRG-OS-000479-GPOS-00224"],"gid":"V-238306 ","rid":"SV-238306r853424_rule ","stig_id":"UBTU-20-010216 ","fix_id":"F-41475r654092_fix ","cci":["CCI-001851"],"nist":["AU-4 (1)"]},"code":"control 'SV-238306' do\n title \"The Ubuntu operating system audit event multiplexor must be configured to off-load audit\nlogs onto a different system or storage media from the system being audited. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity.\n\n \"\n desc 'check', \"Verify the audit event multiplexor is configured to offload audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that audisp-remote plugin is\ninstalled:\n\n$ sudo dpkg -s audispd-plugins\n\nIf status is \\\"not installed\\\", this is a\nfinding.\n\nCheck that the records are being offloaded to a remote server with the following\ncommand:\n\n$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf\n\\\"active\\\" is not set to \\\"yes\\\", or the line is commented out, this is a finding.\n\nCheck that\naudisp-remote plugin is configured to send audit logs to a different system:\n\n$ sudo grep -i\n^remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 192.168.122.126\n\nIf\nthe \\\"remote_server\\\" parameter is not set, is set with a local address, or is set with an invalid\naddress, this is a finding. \"\n desc 'fix', \"Configure the audit event multiplexor to offload audit records to a different system or\nstorage media from the system being audited.\n\nInstall the audisp-remote plugin:\n\n$ sudo\napt-get install audispd-plugins -y\n\nSet the audisp-remote plugin as active by editing the\n\\\"/etc/audisp/plugins.d/au-remote.conf\\\" file:\n\n$ sudo sed -i -E\n's/active\\\\s*=\\\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf\n\nSet the\naddress of the remote machine by editing the \\\"/etc/audisp/audisp-remote.conf\\\" file:\n\n$\nsudo sed -i -E 's/(remote_server\\\\s*=).*/\\\\1 <remote addr>/'\n/etc/audisp/audisp-remote.conf\n\nwhere <remote addr> must be substituted by the\naddress of the remote server receiving the audit log.\n\nMake the audit service reload its\nconfiguration files:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000342-GPOS-00133 '\n tag satisfies: %w(SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224)\n tag gid: 'V-238306 '\n tag rid: 'SV-238306r853424_rule '\n tag stig_id: 'UBTU-20-010216 '\n tag fix_id: 'F-41475r654092_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = input('audispremote_config_file')\n config_file_exists = file(config_file).exist?\n audit_sp_remote_server = input('audit_sp_remote_server')\n\n describe package('audispd-plugins') do\n it { should be_installed }\n end\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('active') { should cmp 'yes' }\n its('remote_server') { should cmp audit_sp_remote_server }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238306.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.1e-05,"start_time":"2022-12-07T14:54:29-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238307","title":"The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. ","desc":"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion.","descriptions":[{"label":"default","data":"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion."},{"label":"check","data":"Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \"space_left\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \"space_left_action\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \"space_left_action\" is set to \"syslog\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\"space_left_action\" is set to \"exec\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \"space_left_action\" is set\nto \"email\", check the value of the \"action_mail_acct\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \"action_mail_acct\" parameter, if missing, defaults to \"root\". If the\n\"action_mail_acct parameter\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available."},{"label":"fix","data":"Edit \"/etc/audit/auditd.conf\" and set the \"space_left_action\" parameter to \"exec\" or\n\"email\".\n\nIf the \"space_left_action\" parameter is set to \"email\", set the\n\"action_mail_acct\" parameter to an email address for the SA and ISSO.\n\nIf the\n\"space_left_action\" parameter is set to \"exec\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \"/etc/audit/auditd.conf\" and set the \"space_left\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity."}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000343-GPOS-00134 ","gid":"V-238307 ","rid":"SV-238307r853425_rule ","stig_id":"UBTU-20-010217 ","fix_id":"F-41476r654095_fix ","cci":["CCI-001855"],"nist":["AU-5 (1)"]},"code":"control 'SV-238307' do\n title \"The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. \"\n desc \"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion. \"\n desc 'check', \"Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \\\"space_left\\\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \\\"space_left_action\\\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \\\"space_left_action\\\" is set to \\\"syslog\\\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\\\"space_left_action\\\" is set to \\\"exec\\\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \\\"space_left_action\\\" is set\nto \\\"email\\\", check the value of the \\\"action_mail_acct\\\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \\\"action_mail_acct\\\" parameter, if missing, defaults to \\\"root\\\". If the\n\\\"action_mail_acct parameter\\\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available. \"\n desc 'fix', \"Edit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left_action\\\" parameter to \\\"exec\\\" or\n\\\"email\\\".\n\nIf the \\\"space_left_action\\\" parameter is set to \\\"email\\\", set the\n\\\"action_mail_acct\\\" parameter to an email address for the SA and ISSO.\n\nIf the\n\\\"space_left_action\\\" parameter is set to \\\"exec\\\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left\\\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000343-GPOS-00134 '\n tag gid: 'V-238307 '\n tag rid: 'SV-238307r853425_rule '\n tag stig_id: 'UBTU-20-010217 '\n tag fix_id: 'F-41476r654095_fix '\n tag cci: ['CCI-001855']\n tag nist: ['AU-5 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n email_to_notify = input('action_mail_acct')\n\n partition_threshold_mb = (filesystem(log_file).size_kb / 1024 * 0.25).to_i\n system_alert_configuration_mb = auditd_conf.space_left.to_i\n\n describe 'The space_left configuration' do\n subject { system_alert_configuration_mb }\n it { should >= partition_threshold_mb }\n end\n describe 'The space_left_action configuration' do\n subject { auditd_conf.space_left_action }\n it { should eq 'email' }\n end\n\n describe 'The action_mail_acct configuration' do\n subject { auditd_conf.action_mail_acct }\n it { should eq email_to_notify }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238307.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.6e-05,"start_time":"2022-12-07T14:54:29-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238308","title":"The Ubuntu operating system must record time stamps for audit records that can be mapped to\nCoordinated Universal Time (UTC) or Greenwich Mean Time (GMT). ","desc":"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.","descriptions":[{"label":"default","data":"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC."},{"label":"check","data":"To verify the time zone is configured to use UTC or GMT, run the following command.\n\n$\ntimedatectl status | grep -i \"time zone\"\nTimezone: UTC (UTC, +0000)\n\nIf \"Timezone\" is not\nset to UTC or GMT, this is a finding."},{"label":"fix","data":"To configure the system time zone to use UTC or GMT, run the following command, replacing\n[ZONE] with UTC or GMT:\n\n$ sudo timedatectl set-timezone [ZONE]"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000359-GPOS-00146 ","gid":"V-238308 ","rid":"SV-238308r853426_rule ","stig_id":"UBTU-20-010230 ","fix_id":"F-41477r654098_fix ","cci":["CCI-001890"],"nist":["AU-8 b"]},"code":"control 'SV-238308' do\n title \"The Ubuntu operating system must record time stamps for audit records that can be mapped to\nCoordinated Universal Time (UTC) or Greenwich Mean Time (GMT). \"\n desc \"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. \"\n desc 'check', \"To verify the time zone is configured to use UTC or GMT, run the following command.\n\n$\ntimedatectl status | grep -i \\\"time zone\\\"\nTimezone: UTC (UTC, +0000)\n\nIf \\\"Timezone\\\" is not\nset to UTC or GMT, this is a finding. \"\n desc 'fix', \"To configure the system time zone to use UTC or GMT, run the following command, replacing\n[ZONE] with UTC or GMT:\n\n$ sudo timedatectl set-timezone [ZONE] \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000359-GPOS-00146 '\n tag gid: 'V-238308 '\n tag rid: 'SV-238308r853426_rule '\n tag stig_id: 'UBTU-20-010230 '\n tag fix_id: 'F-41477r654098_fix '\n tag cci: ['CCI-001890']\n tag nist: ['AU-8 b']\n\n time_zone = command('timedatectl status | grep -i \"time zone\"').stdout.strip\n\n describe time_zone do\n it { should match 'UTC' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238308.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"is expected to match \"UTC\"","run_time":0.000488,"start_time":"2022-12-07T14:54:29-05:00","message":"expected \"\" to match \"UTC\"","resource_class":"Object","resource_params":"[]","resource_id":""}]},{"id":"SV-238309","title":"The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, diagnostic sessions and other system-level access. ","desc":"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.","descriptions":[{"label":"default","data":"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of\nan Ethernet switch."},{"label":"check","data":"Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000392-GPOS-00172 ","satisfies":["SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"gid":"V-238309 ","rid":"SV-238309r853427_rule ","stig_id":"UBTU-20-010244 ","fix_id":"F-41478r654101_fix ","cci":["CCI-000172","CCI-002884"],"nist":["AU-12 c","MA-4 (1) (a)"]},"code":"control 'SV-238309' do\n title \"The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, diagnostic sessions and other system-level access. \"\n desc \"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\\\"ping,\\\" \\\"ls,\\\" \\\"ipconfig,\\\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000392-GPOS-00172 '\n tag satisfies: %w(SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215)\n tag gid: 'V-238309 '\n tag rid: 'SV-238309r853427_rule '\n tag stig_id: 'UBTU-20-010244 '\n tag fix_id: 'F-41478r654101_fix '\n tag cci: %w(CCI-000172 CCI-002884)\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/sudo.log'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238309.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.5e-05,"start_time":"2022-12-07T14:54:30-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238310","title":"The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\|rename\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \"unlink\",\n\"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \"key\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events for any successful/unsuccessful use of\n\"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" system calls.\n\nAdd or update the\nfollowing rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000468-GPOS-00212 ","gid":"V-238310 ","rid":"SV-238310r832953_rule ","stig_id":"UBTU-20-010267 ","fix_id":"F-41479r832952_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238310' do\n title \"The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible. \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\\\|rename\\\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \\\"unlink\\\",\n\\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \\\"key\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events for any successful/unsuccessful use of\n\\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" system calls.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000468-GPOS-00212 '\n tag gid: 'V-238310 '\n tag rid: 'SV-238310r832953_rule '\n tag stig_id: 'UBTU-20-010267 '\n tag fix_id: 'F-41479r832952_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('unlink').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('unlink').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238310.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.4e-05,"start_time":"2022-12-07T14:54:30-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238315","title":"The Ubuntu operating system must generate audit records for the /var/log/wtmp file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/log/wtmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/log/wtmp\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000472-GPOS-00217 ","gid":"V-238315 ","rid":"SV-238315r654120_rule ","stig_id":"UBTU-20-010277 ","fix_id":"F-41484r654119_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238315' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238315 '\n tag rid: 'SV-238315r654120_rule '\n tag stig_id: 'UBTU-20-010277 '\n tag fix_id: 'F-41484r654119_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238315.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.2e-05,"start_time":"2022-12-07T14:54:30-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238316","title":"The Ubuntu operating system must generate audit records for the /var/run/wtmp file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/run/wtmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/run/wtmp\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000472-GPOS-00217 ","gid":"V-238316 ","rid":"SV-238316r654123_rule ","stig_id":"UBTU-20-010278 ","fix_id":"F-41485r654122_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238316' do\n title 'The Ubuntu operating system must generate audit records for the /var/run/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/run/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/run/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238316 '\n tag rid: 'SV-238316r654123_rule '\n tag stig_id: 'UBTU-20-010278 '\n tag fix_id: 'F-41485r654122_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/run/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238316.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.4e-05,"start_time":"2022-12-07T14:54:30-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238317","title":"The Ubuntu operating system must generate audit records for the /var/log/btmp file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/log/btmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/log/btmp file\".\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000472-GPOS-00217 ","gid":"V-238317 ","rid":"SV-238317r654126_rule ","stig_id":"UBTU-20-010279 ","fix_id":"F-41486r654125_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238317' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/btmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/btmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/btmp file\\\".\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238317 '\n tag rid: 'SV-238317r654126_rule '\n tag stig_id: 'UBTU-20-010279 '\n tag fix_id: 'F-41486r654125_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/btmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238317.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.8e-05,"start_time":"2022-12-07T14:54:30-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238318","title":"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \"modprobe\" by running the following command:\n\n$ sudo auditctl -l | grep\n\"/sbin/modprobe\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \"modprobe\".\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000477-GPOS-00222 ","gid":"V-238318 ","rid":"SV-238318r654129_rule ","stig_id":"UBTU-20-010296 ","fix_id":"F-41487r654128_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238318' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"modprobe\\\" by running the following command:\n\n$ sudo auditctl -l | grep\n\\\"/sbin/modprobe\\\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"modprobe\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238318 '\n tag rid: 'SV-238318r654129_rule '\n tag stig_id: 'UBTU-20-010296 '\n tag fix_id: 'F-41487r654128_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/modprobe'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238318.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.8e-05,"start_time":"2022-12-07T14:54:30-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238319","title":"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \"kmod\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \"kmod\".\n\nAdd or update the following rule in the \"/etc/audit/rules.d/stig.rules\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000477-GPOS-00222 ","gid":"V-238319 ","rid":"SV-238319r654132_rule ","stig_id":"UBTU-20-010297 ","fix_id":"F-41488r654131_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238319' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"kmod\\\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"kmod\\\".\n\nAdd or update the following rule in the \\\"/etc/audit/rules.d/stig.rules\\\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238319 '\n tag rid: 'SV-238319r654132_rule '\n tag stig_id: 'UBTU-20-010297 '\n tag fix_id: 'F-41488r654131_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/kmod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238319.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.1e-05,"start_time":"2022-12-07T14:54:30-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238320","title":"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \"fdisk\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \"fdisk\".\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000477-GPOS-00222 ","gid":"V-238320 ","rid":"SV-238320r832956_rule ","stig_id":"UBTU-20-010298 ","fix_id":"F-41489r832955_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238320' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \\\"fdisk\\\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \\\"fdisk\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238320 '\n tag rid: 'SV-238320r832956_rule '\n tag stig_id: 'UBTU-20-010298 '\n tag fix_id: 'F-41489r832955_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/fdisk'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238320.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.4e-05,"start_time":"2022-12-07T14:54:30-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238321","title":"The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. ","desc":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity.","descriptions":[{"label":"default","data":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity."},{"label":"check","data":"Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\"/etc/cron.weekly\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding."},{"label":"fix","data":"Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \"/etc/cron.weekly\" directory."}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000479-GPOS-00224 ","gid":"V-238321 ","rid":"SV-238321r853428_rule ","stig_id":"UBTU-20-010300 ","fix_id":"F-41490r654137_fix ","cci":["CCI-001851"],"nist":["AU-4 (1)"]},"code":"control 'SV-238321' do\n title \"The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity. \"\n desc 'check', \"Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\\\"/etc/cron.weekly\\\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding. \"\n desc 'fix', \"Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \\\"/etc/cron.weekly\\\" directory. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000479-GPOS-00224 '\n tag gid: 'V-238321 '\n tag rid: 'SV-238321r853428_rule '\n tag stig_id: 'UBTU-20-010300 '\n tag fix_id: 'F-41490r654137_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n\n cron_file = input('auditoffload_config_file')\n cron_file_exists = file(cron_file).exist?\n\n if cron_file_exists\n describe file(cron_file) do\n its('content') { should_not be_empty }\n end\n else\n describe cron_file + ' exists' do\n subject { cron_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238321.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/cron.weekly/audit-offload exists is expected to equal true","run_time":0.001096,"start_time":"2022-12-07T14:54:30-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/cron.weekly/audit-offload exists"}]},{"id":"SV-238323","title":"The Ubuntu operating system must limit the number of concurrent sessions to ten for all\naccounts and/or account types. ","desc":"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system.","descriptions":[{"label":"default","data":"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system."},{"label":"check","data":"Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all\naccounts and/or account types by running the following command:\n\n$ grep maxlogins\n/etc/security/limits.conf | grep -v '^* hard maxlogins'\n\nThe result must contain the\nfollowing line:\n\n* hard maxlogins 10\n\nIf the \"maxlogins\" item is missing or the value is not\nset to 10 or less or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all\naccounts and/or account types.\n\nAdd the following line to the top of the\n\"/etc/security/limits.conf\" file:\n\n* hard maxlogins 10"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000027-GPOS-00008 ","gid":"V-238323 ","rid":"SV-238323r654144_rule ","stig_id":"UBTU-20-010400 ","fix_id":"F-41492r654143_fix ","cci":["CCI-000054"],"nist":["AC-10"]},"code":"control 'SV-238323' do\n title \"The Ubuntu operating system must limit the number of concurrent sessions to ten for all\naccounts and/or account types. \"\n desc \"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system. \"\n desc 'check', \"Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all\naccounts and/or account types by running the following command:\n\n$ grep maxlogins\n/etc/security/limits.conf | grep -v '^* hard maxlogins'\n\nThe result must contain the\nfollowing line:\n\n* hard maxlogins 10\n\nIf the \\\"maxlogins\\\" item is missing or the value is not\nset to 10 or less or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all\naccounts and/or account types.\n\nAdd the following line to the top of the\n\\\"/etc/security/limits.conf\\\" file:\n\n* hard maxlogins 10 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000027-GPOS-00008 '\n tag gid: 'V-238323 '\n tag rid: 'SV-238323r654144_rule '\n tag stig_id: 'UBTU-20-010400 '\n tag fix_id: 'F-41492r654143_fix '\n tag cci: ['CCI-000054']\n tag nist: ['AC-10']\n\n describe limits_conf do\n its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238323.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"limits.conf * is expected to include [\"hard\", \"maxlogins\", \"10\"]","run_time":0.003115,"start_time":"2022-12-07T14:54:31-05:00","message":"expected nil to include [\"hard\", \"maxlogins\", \"10\"], but it does not respond to `include?`","resource_class":"limits_conf","resource_params":"[]","resource_id":"/etc/security/limits.conf"}]},{"id":"SV-238324","title":"The Ubuntu operating system must monitor remote access methods. ","desc":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets).","descriptions":[{"label":"default","data":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets)."},{"label":"check","data":"Verify that the Ubuntu operating system monitors all remote access methods.\n\nCheck that\nremote access methods are being logged by running the following command:\n\n$ grep -E -r\n'^(auth,authpriv\\.\\*|daemon\\.\\*)' /etc/rsyslog.*\n\n/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log\n\n/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages\n\nIf \"auth.*\",\n\"authpriv.*\", or \"daemon.*\" are not configured to be logged in at least one of the config\nfiles, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to monitor all remote access methods by adding the\nfollowing lines to the \"/etc/rsyslog.d/50-default.conf\" file:\n\nauth.*,authpriv.*\n/var/log/secure\ndaemon.* /var/log/messages\n\nFor the changes to take effect, restart the\n\"rsyslog\" service with the following command:\n\n$ sudo systemctl restart rsyslog.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000032-GPOS-00013 ","gid":"V-238324 ","rid":"SV-238324r832959_rule ","stig_id":"UBTU-20-010403 ","fix_id":"F-41493r832958_fix ","cci":["CCI-000067"],"nist":["AC-17 (1)"]},"code":"control 'SV-238324' do\n title 'The Ubuntu operating system must monitor remote access methods. '\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify that the Ubuntu operating system monitors all remote access methods.\n\nCheck that\nremote access methods are being logged by running the following command:\n\n$ grep -E -r\n'^(auth,authpriv\\\\.\\\\*|daemon\\\\.\\\\*)' /etc/rsyslog.*\n\n/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log\n\n/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages\n\nIf \\\"auth.*\\\",\n\\\"authpriv.*\\\", or \\\"daemon.*\\\" are not configured to be logged in at least one of the config\nfiles, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to monitor all remote access methods by adding the\nfollowing lines to the \\\"/etc/rsyslog.d/50-default.conf\\\" file:\n\nauth.*,authpriv.*\n/var/log/secure\ndaemon.* /var/log/messages\n\nFor the changes to take effect, restart the\n\\\"rsyslog\\\" service with the following command:\n\n$ sudo systemctl restart rsyslog.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000032-GPOS-00013 '\n tag gid: 'V-238324 '\n tag rid: 'SV-238324r832959_rule '\n tag stig_id: 'UBTU-20-010403 '\n tag fix_id: 'F-41493r832958_fix '\n tag cci: ['CCI-000067']\n tag nist: ['AC-17 (1)']\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*\\t\\s*(.*?)\\s*$/,\n }\n config_file = input('rsyslog_config_file')\n auth_setting = parse_config_file(config_file, options).params['auth,authpriv.*']\n daemon_setting = parse_config_file(config_file, options).params['daemon.notice']\n describe auth_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\n describe daemon_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238324.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"is expected not to be nil","run_time":0.000155,"start_time":"2022-12-07T14:54:31-05:00","message":"expected: not nil\n got: nil","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected not to be empty","run_time":0.003262,"start_time":"2022-12-07T14:54:31-05:00","message":"expected nil to respond to `empty?`","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected not to be nil","run_time":0.000165,"start_time":"2022-12-07T14:54:31-05:00","message":"expected: not nil\n got: nil","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected not to be empty","run_time":0.004608,"start_time":"2022-12-07T14:54:31-05:00","message":"expected nil to respond to `empty?`","resource_class":"Object","resource_params":"[]","resource_id":""}]},{"id":"SV-238325","title":"The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. ","desc":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.","descriptions":[{"label":"default","data":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised."},{"label":"check","data":"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \"ENCRYPT_METHOD\" does not equal SHA512 or\ngreater, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \"/etc/login.defs\" file and set \"ENCRYPT_METHOD\" to SHA512:\n\n\nENCRYPT_METHOD SHA512"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000120-GPOS-00061 ","gid":"V-238325 ","rid":"SV-238325r654150_rule ","stig_id":"UBTU-20-010404 ","fix_id":"F-41494r654149_fix ","cci":["CCI-000803"],"nist":["IA-7"]},"code":"control 'SV-238325' do\n title \"The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. \"\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \\\"ENCRYPT_METHOD\\\" does not equal SHA512 or\ngreater, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \\\"/etc/login.defs\\\" file and set \\\"ENCRYPT_METHOD\\\" to SHA512:\n\n\nENCRYPT_METHOD SHA512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000120-GPOS-00061 '\n tag gid: 'V-238325 '\n tag rid: 'SV-238325r654150_rule '\n tag stig_id: 'UBTU-20-010404 '\n tag fix_id: 'F-41494r654149_fix '\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n\n disable_fips = input('disable_fips')\n\n if disable_fips?\n impact 0.0\n describe 'Control not applicable' do\n skip 'Control not applicable'\n end\n elsif virtualization.system.eql?('docker')\n describe 'Manual test' do\n skip 'This control must be reviewed manually'\n end\n else\n describe login_defs do\n its('ENCRYPT_METHOD') { should eq 'SHA512' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238325.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238325.rb:1 ","run_time":0.004259,"start_time":"2022-12-07T14:54:31-05:00","message":"undefined method `disable_fips?' for #\"Passwords need to be protected at all times, and encryption is the standard method for\\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\\ntext) and easily compromised.\", :check=>\"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\\n140-2 approved cryptographic hashing algorithm.\\n\\nCheck the hashing algorithm that is\\nbeing used to hash passwords with the following command:\\n\\n$ cat /etc/login.defs | grep -i\\nencrypt_method\\n\\nENCRYPT_METHOD SHA512\\n\\nIf \\\"ENCRYPT_METHOD\\\" does not equal SHA512 or\\ngreater, this is a finding.\", :fix=>\"Configure the Ubuntu operating system to encrypt all stored passwords.\\n\\nEdit/modify the\\nfollowing line in the \\\"/etc/login.defs\\\" file and set \\\"ENCRYPT_METHOD\\\" to SHA512:\\n\\n\\nENCRYPT_METHOD SHA512\"}, @refs=[], @tags={:severity=>\"medium \", :gtitle=>\"SRG-OS-000120-GPOS-00061 \", :gid=>\"V-238325 \", :rid=>\"SV-238325r654150_rule \", :stig_id=>\"UBTU-20-010404 \", :fix_id=>\"F-41494r654149_fix \", :cci=>[\"CCI-000803\"], :nist=>[\"IA-7\"]}, @resource_dsl=#, @__code=nil, @__block=#, @__source_location={:ref=>\"./controls/SV-238325.rb\", :line=>1}, @__rule_id=\"SV-238325\", @__profile_id=\"Canonical_Ubuntu_20-04_LTS_STIG\", @__checks=[[\"describe\", [\"Control Source Code Error\"], #]], @__skip_rule={}, @__merge_count=0, @__merge_changes=[], @__skip_only_if_eval=false, @__file=\"./controls/SV-238325.rb\", @__group_title=nil>","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238325.rb:1"}]},{"id":"SV-238326","title":"The Ubuntu operating system must not have the telnet package installed. ","desc":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.","descriptions":[{"label":"default","data":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised."},{"label":"check","data":"Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding."},{"label":"fix","data":"Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000074-GPOS-00042 ","gid":"V-238326 ","rid":"SV-238326r654153_rule ","stig_id":"UBTU-20-010405 ","fix_id":"F-41495r654152_fix ","cci":["CCI-000197"],"nist":["IA-5 (1) (c)"]},"code":"control 'SV-238326' do\n title 'The Ubuntu operating system must not have the telnet package installed. '\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding. \"\n desc 'fix', \"Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000074-GPOS-00042 '\n tag gid: 'V-238326 '\n tag rid: 'SV-238326r654153_rule '\n tag stig_id: 'UBTU-20-010405 '\n tag fix_id: 'F-41495r654152_fix '\n tag cci: ['CCI-000197']\n tag nist: ['IA-5 (1) (c)']\n\n describe package('telnetd') do\n it { should_not be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238326.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"System Package telnetd is expected not to be installed","run_time":0.086291,"start_time":"2022-12-07T14:54:31-05:00","resource_class":"package","resource_params":"[\"telnetd\"]","resource_id":"telnetd"}]},{"id":"SV-238327","title":"The Ubuntu operating system must not have the rsh-server package installed. ","desc":"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.","descriptions":[{"label":"default","data":"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled."},{"label":"check","data":"Verify the rsh-server package is installed with the following command:\n\n$ dpkg -l | grep\nrsh-server\n\nIf the rsh-server package is installed, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to disable non-essential capabilities by removing\nthe rsh-server package from the system with the following command:\n\n$ sudo apt-get remove\nrsh-server"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000095-GPOS-00049 ","gid":"V-238327 ","rid":"SV-238327r654156_rule ","stig_id":"UBTU-20-010406 ","fix_id":"F-41496r654155_fix ","cci":["CCI-000381"],"nist":["CM-7 a"]},"code":"control 'SV-238327' do\n title 'The Ubuntu operating system must not have the rsh-server package installed. '\n desc \"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled. \"\n desc 'check', \"Verify the rsh-server package is installed with the following command:\n\n$ dpkg -l | grep\nrsh-server\n\nIf the rsh-server package is installed, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable non-essential capabilities by removing\nthe rsh-server package from the system with the following command:\n\n$ sudo apt-get remove\nrsh-server \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000095-GPOS-00049 '\n tag gid: 'V-238327 '\n tag rid: 'SV-238327r654156_rule '\n tag stig_id: 'UBTU-20-010406 '\n tag fix_id: 'F-41496r654155_fix '\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n\n describe package('rsh-server') do\n it { should_not be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238327.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"System Package rsh-server is expected not to be installed","run_time":0.068081,"start_time":"2022-12-07T14:54:31-05:00","resource_class":"package","resource_params":"[\"rsh-server\"]","resource_id":"rsh-server"}]},{"id":"SV-238328","title":"The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. ","desc":"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues.","descriptions":[{"label":"default","data":"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues."},{"label":"check","data":"Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding."},{"label":"fix","data":"Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \"in\" or \"out\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service>"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000096-GPOS-00050 ","gid":"V-238328 ","rid":"SV-238328r654159_rule ","stig_id":"UBTU-20-010407 ","fix_id":"F-41497r654158_fix ","cci":["CCI-000382"],"nist":["CM-7 b"]},"code":"control 'SV-238328' do\n title \"The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. \"\n desc \"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding. \"\n desc 'fix', \"Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \\\"in\\\" or \\\"out\\\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000096-GPOS-00050 '\n tag gid: 'V-238328 '\n tag rid: 'SV-238328r654159_rule '\n tag stig_id: 'UBTU-20-010407 '\n tag fix_id: 'F-41497r654158_fix '\n tag cci: ['CCI-000382']\n tag nist: ['CM-7 b']\n\n ufw_status = command('ufw status').stdout.strip.lines.first\n value = ufw_status.split(':')[1].strip\n\n describe 'UFW status' do\n subject { value }\n it { should cmp 'active' }\n end\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238328.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238328.rb:1 ","run_time":0.001869,"start_time":"2022-12-07T14:54:31-05:00","message":"undefined method `split' for nil:NilClass","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238328.rb:1"}]},{"id":"SV-238329","title":"The Ubuntu operating system must prevent direct login into the root account. ","desc":"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge.","descriptions":[{"label":"default","data":"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge."},{"label":"check","data":"Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \"L\" in the second field to indicate the account is locked, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000109-GPOS-00056 ","gid":"V-238329 ","rid":"SV-238329r654162_rule ","stig_id":"UBTU-20-010408 ","fix_id":"F-41498r654161_fix ","cci":["CCI-000770"],"nist":["IA-2 (5)"]},"code":"control 'SV-238329' do\n title 'The Ubuntu operating system must prevent direct login into the root account. '\n desc \"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\\\"root\\\" user account, the Windows \\\"Administrator\\\" account, the \\\"sa\\\" account, or a \\\"helpdesk\\\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge. \"\n desc 'check', \"Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \\\"L\\\" in the second field to indicate the account is locked, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000109-GPOS-00056 '\n tag gid: 'V-238329 '\n tag rid: 'SV-238329r654162_rule '\n tag stig_id: 'UBTU-20-010408 '\n tag fix_id: 'F-41498r654161_fix '\n tag cci: ['CCI-000770']\n tag nist: ['IA-2 (5)']\n\n describe.one do\n describe shadow.where(user: 'root') do\n its('passwords.uniq.first') { should eq '!*' }\n end\n end\n describe command('passwd -S root').stdout.strip do\n it { should match /^root\\s+L\\s+.*$/ }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238329.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/shadow with user == \"root\" passwords.uniq.first is expected to eq \"!*\"","run_time":0.000979,"start_time":"2022-12-07T14:54:31-05:00","message":"\nexpected: \"!*\"\n got: \"*\"\n\n(compared using ==)\n","exception":"RSpec::Core::MultipleExceptionError","resource_class":"FilterTable::Table","resource_params":"[]","resource_id":""},{"status":"passed","code_desc":"root L 10/18/2022 0 99999 7 -1 is expected to match /^root\\s+L\\s+.*$/","run_time":0.000305,"start_time":"2022-12-07T14:54:31-05:00","resource_class":"Object","resource_params":"[]","resource_id":"root L 10/18/2022 0 99999 7 -1"}]},{"id":"SV-238330","title":"The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. ","desc":"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity.","descriptions":[{"label":"default","data":"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity."},{"label":"check","data":"Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \"INACTIVE\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \"0\" will disable the account immediately after the\npassword expires."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000118-GPOS-00060 ","gid":"V-238330 ","rid":"SV-238330r654165_rule ","stig_id":"UBTU-20-010409 ","fix_id":"F-41499r654164_fix ","cci":["CCI-000795"],"nist":["IA-4 e"]},"code":"control 'SV-238330' do\n title \"The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. \"\n desc \"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity. \"\n desc 'check', \"Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \\\"INACTIVE\\\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \\\"0\\\" will disable the account immediately after the\npassword expires. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000118-GPOS-00060 '\n tag gid: 'V-238330 '\n tag rid: 'SV-238330r654165_rule '\n tag stig_id: 'UBTU-20-010409 '\n tag fix_id: 'F-41499r654164_fix '\n tag cci: ['CCI-000795']\n tag nist: ['IA-4 e']\n\n config_file = input('useradd_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('INACTIVE') { should cmp > '0' }\n its('INACTIVE') { should cmp <= 35 }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238330.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Parse Config File /etc/default/useradd INACTIVE is expected to cmp > \"0\"","run_time":0.001289,"start_time":"2022-12-07T14:54:31-05:00","message":"\nexpected it to be > \"0\"\n got: \n\n(compared using `cmp` matcher)\n","resource_class":"parse_config_file","resource_params":"[\"/etc/default/useradd\"]","resource_id":"/etc/default/useradd"},{"status":"failed","code_desc":"Parse Config File /etc/default/useradd INACTIVE is expected to cmp <= 35","run_time":0.001169,"start_time":"2022-12-07T14:54:32-05:00","message":"\nexpected it to be <= 35\n got: \n\n(compared using `cmp` matcher)\n","resource_class":"parse_config_file","resource_params":"[\"/etc/default/useradd\"]","resource_id":"/etc/default/useradd"}]},{"id":"SV-238331","title":"The Ubuntu operating system must automatically remove or disable emergency accounts after\n72 hours. ","desc":"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts.","descriptions":[{"label":"default","data":"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts."},{"label":"check","data":"Verify the Ubuntu operating system expires emergency accounts within 72 hours or less.\n\nFor\nevery emergency account, run the following command to obtain its account expiration\ninformation:\n\n$ sudo chage -l account_name | grep expires\n\nPassword expires : Aug 07, 2019\n\nAccount expires : Aug 07, 2019\n\nVerify each of these accounts has an expiration date set\nwithin 72 hours of account creation.\n\nIf any of these accounts do not expire within 72 hours of\nthat account's creation, this is a finding."},{"label":"fix","data":"If an emergency account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it. Substitute\n\"account_name\" with the account to be created.\n\n$ sudo chage -E $(date -d \"+3 days\" +%F)\naccount_name"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000123-GPOS-00064 ","gid":"V-238331 ","rid":"SV-238331r654168_rule ","stig_id":"UBTU-20-010410 ","fix_id":"F-41500r654167_fix ","cci":["CCI-001682"],"nist":["AC-2 (2)"]},"code":"control 'SV-238331' do\n title \"The Ubuntu operating system must automatically remove or disable emergency accounts after\n72 hours. \"\n desc \"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts. \"\n desc 'check', \"Verify the Ubuntu operating system expires emergency accounts within 72 hours or less.\n\nFor\nevery emergency account, run the following command to obtain its account expiration\ninformation:\n\n$ sudo chage -l account_name | grep expires\n\nPassword expires : Aug 07, 2019\n\nAccount expires : Aug 07, 2019\n\nVerify each of these accounts has an expiration date set\nwithin 72 hours of account creation.\n\nIf any of these accounts do not expire within 72 hours of\nthat account's creation, this is a finding. \"\n desc 'fix', \"If an emergency account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it. Substitute\n\\\"account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\" +%F)\naccount_name \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000123-GPOS-00064 '\n tag gid: 'V-238331 '\n tag rid: 'SV-238331r654168_rule '\n tag stig_id: 'UBTU-20-010410 '\n tag fix_id: 'F-41500r654167_fix '\n tag cci: ['CCI-001682']\n tag nist: ['AC-2 (2)']\n\n describe 'Manual verification required' do\n skip 'Manually verify if emergency account must be created\n the system must terminate the account after a 72 hour time period.'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238331.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Manual verification required","run_time":1.8e-05,"start_time":"2022-12-07T14:54:32-05:00","resource":"","skip_message":"Manually verify if emergency account must be created\n the system must terminate the account after a 72 hour time period.","resource_class":"Object","resource_params":"[]","resource_id":"Manual verification required"}]},{"id":"SV-238332","title":"The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. ","desc":"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components.","descriptions":[{"label":"default","data":"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components."},{"label":"check","data":"Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding."},{"label":"fix","data":"Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \"[Public Directory]\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000138-GPOS-00069 ","gid":"V-238332 ","rid":"SV-238332r654171_rule ","stig_id":"UBTU-20-010411 ","fix_id":"F-41501r654170_fix ","cci":["CCI-001090"],"nist":["SC-4"]},"code":"control 'SV-238332' do\n title \"The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. \"\n desc \"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components. \"\n desc 'check', \"Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding. \"\n desc 'fix', \"Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \\\"[Public Directory]\\\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000138-GPOS-00069 '\n tag gid: 'V-238332 '\n tag rid: 'SV-238332r654171_rule '\n tag stig_id: 'UBTU-20-010411 '\n tag fix_id: 'F-41501r654170_fix '\n tag cci: ['CCI-001090']\n tag nist: ['SC-4']\n\n lines = command('find / -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null').stdout.strip.split(\"\\n\").entries\n if lines.count > 0\n lines.each do |line|\n dir = line.strip\n describe directory(dir) do\n it { should be_sticky }\n end\n end\n else\n describe 'Sticky bit has been set on all world writable directories' do\n subject { lines }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238332.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Sticky bit has been set on all world writable directories count is expected to eq 0","run_time":0.001558,"start_time":"2022-12-07T14:54:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238333","title":"The Ubuntu operating system must be configured to use TCP syncookies. ","desc":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning.","descriptions":[{"label":"default","data":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning."},{"label":"check","data":"Verify the Ubuntu operating system is configured to use TCP syncookies.\n\nCheck the value of\nTCP syncookies with the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \"1\", this is a finding.\n\nCheck the saved\nvalue of TCP syncookies with the following command:\n\n$ sudo grep -i\nnet.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#'\n\nIf no output is\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to use TCP syncookies by running the following\ncommand:\n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \"1\" is not the system's default\nvalue, add or update the following line in \"/etc/sysctl.conf\":\n\nnet.ipv4.tcp_syncookies\n= 1"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000142-GPOS-00071 ","gid":"V-238333 ","rid":"SV-238333r654174_rule ","stig_id":"UBTU-20-010412 ","fix_id":"F-41502r654173_fix ","cci":["CCI-001095"],"nist":["SC-5 (2)"]},"code":"control 'SV-238333' do\n title 'The Ubuntu operating system must be configured to use TCP syncookies. '\n desc \"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use TCP syncookies.\n\nCheck the value of\nTCP syncookies with the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \\\"1\\\", this is a finding.\n\nCheck the saved\nvalue of TCP syncookies with the following command:\n\n$ sudo grep -i\nnet.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#'\n\nIf no output is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use TCP syncookies by running the following\ncommand:\n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \\\"1\\\" is not the system's default\nvalue, add or update the following line in \\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.tcp_syncookies\n= 1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000142-GPOS-00071 '\n tag gid: 'V-238333 '\n tag rid: 'SV-238333r654174_rule '\n tag stig_id: 'UBTU-20-010412 '\n tag fix_id: 'F-41502r654173_fix '\n tag cci: ['CCI-001095']\n tag nist: ['SC-5 (2)']\n\n describe kernel_parameter('net.ipv4.tcp_syncookies') do\n its('value') { should cmp 1 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238333.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Kernel Parameter net.ipv4.tcp_syncookies value is expected to cmp == 1","run_time":0.078525,"start_time":"2022-12-07T14:54:32-05:00","resource_class":"kernel_parameter","resource_params":"[\"net.ipv4.tcp_syncookies\"]","resource_id":"net.ipv4.tcp_syncookies"}]},{"id":"SV-238334","title":"The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state\nif system initialization fails, shutdown fails or aborts fail. ","desc":"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition.","descriptions":[{"label":"default","data":"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition."},{"label":"check","data":"Verify that kernel core dumps are disabled unless needed.\n\nCheck if \"kdump\" service is\nactive with the following command:\n\n$ systemctl is-active kdump.service\ninactive\n\nIf\nthe \"kdump\" service is active, ask the SA if the use of the service is required and documented\nwith the ISSO.\n\nIf the service is active and is not documented, this is a finding."},{"label":"fix","data":"If kernel core dumps are not required, disable the \"kdump\" service with the following\ncommand:\n\n$ sudo systemctl disable kdump.service\n\nIf kernel core dumps are required,\ndocument the need with the ISSO."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000184-GPOS-00078 ","gid":"V-238334 ","rid":"SV-238334r654177_rule ","stig_id":"UBTU-20-010413 ","fix_id":"F-41503r654176_fix ","cci":["CCI-001190"],"nist":["SC-24"]},"code":"control 'SV-238334' do\n title \"The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state\nif system initialization fails, shutdown fails or aborts fail. \"\n desc \"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition. \"\n desc 'check', \"Verify that kernel core dumps are disabled unless needed.\n\nCheck if \\\"kdump\\\" service is\nactive with the following command:\n\n$ systemctl is-active kdump.service\ninactive\n\nIf\nthe \\\"kdump\\\" service is active, ask the SA if the use of the service is required and documented\nwith the ISSO.\n\nIf the service is active and is not documented, this is a finding. \"\n desc 'fix', \"If kernel core dumps are not required, disable the \\\"kdump\\\" service with the following\ncommand:\n\n$ sudo systemctl disable kdump.service\n\nIf kernel core dumps are required,\ndocument the need with the ISSO. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000184-GPOS-00078 '\n tag gid: 'V-238334 '\n tag rid: 'SV-238334r654177_rule '\n tag stig_id: 'UBTU-20-010413 '\n tag fix_id: 'F-41503r654176_fix '\n tag cci: ['CCI-001190']\n tag nist: ['SC-24']\n\n is_kdump_required = input('is_kdump_required')\n if is_kdump_required\n describe service('kdump') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\n else\n describe service('kdump') do\n it { should_not be_enabled }\n it { should_not be_installed }\n it { should_not be_running }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238334.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Service kdump is expected not to be enabled","run_time":0.05643,"start_time":"2022-12-07T14:54:32-05:00","resource_class":"service","resource_params":"[\"kdump\"]","resource_id":"kdump"},{"status":"passed","code_desc":"Service kdump is expected not to be installed","run_time":0.000697,"start_time":"2022-12-07T14:54:32-05:00","resource_class":"service","resource_params":"[\"kdump\"]","resource_id":"kdump"},{"status":"passed","code_desc":"Service kdump is expected not to be running","run_time":0.000372,"start_time":"2022-12-07T14:54:32-05:00","resource_class":"service","resource_params":"[\"kdump\"]","resource_id":"kdump"}]},{"id":"SV-238335","title":"Ubuntu operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. ","desc":"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation.","descriptions":[{"label":"default","data":"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation."},{"label":"check","data":"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding."},{"label":"fix","data":"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000185-GPOS-00079 ","gid":"V-238335 ","rid":"SV-238335r654180_rule ","stig_id":"UBTU-20-010414 ","fix_id":"F-41504r654179_fix ","cci":["CCI-001199"],"nist":["SC-28"]},"code":"control 'SV-238335' do\n title \"Ubuntu operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. \"\n desc \"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation. \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000185-GPOS-00079 '\n tag gid: 'V-238335 '\n tag rid: 'SV-238335r654180_rule '\n tag stig_id: 'UBTU-20-010414 '\n tag fix_id: 'F-41504r654179_fix '\n tag cci: ['CCI-001199']\n tag nist: ['SC-28']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238335.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Not Applicable","run_time":1.2e-05,"start_time":"2022-12-07T14:54:32-05:00","resource":"","skip_message":"Encryption of data at rest is handled by the IaaS","resource_class":"Object","resource_params":"[]","resource_id":"Not Applicable"}]},{"id":"SV-238336","title":"The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention\n(ENSLTP). ","desc":"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement.","descriptions":[{"label":"default","data":"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement."},{"label":"check","data":"The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.\nHowever, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and\nrunning.\n\nCheck that the \"mcafeetp\" package has been installed:\n\n# dpkg -l | grep mcafeetp\n\n\nIf the \"mcafeetp\" package is not installed, this finding will remain as a CAT II.\n\nCheck that\nthe daemon is running:\n\n# /opt/McAfee/ens/tp/init/mfetpd-control.sh status\n\nIf the\ndaemon is not running, this finding will remain as a CAT II."},{"label":"fix","data":"The Ubuntu operating system is not compliant with this requirement; however, the severity\nlevel can be mitigated to a CAT III if the ENSLTP module is installed and running.\n\nConfigure\nthe Ubuntu operating system to use ENSLTP.\n\nInstall the \"mcafeetp\" package via the ePO\nserver."}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000191-GPOS-00080 ","gid":"V-238336 ","rid":"SV-238336r858538_rule ","stig_id":"UBTU-20-010415 ","fix_id":"F-41505r858537_fix ","cci":["CCI-001233"],"nist":["SI-2 (2)"]},"code":"control 'SV-238336' do\n title \"The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention\n(ENSLTP). \"\n desc \"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement. \"\n desc 'check', \"The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.\nHowever, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and\nrunning.\n\nCheck that the \\\"mcafeetp\\\" package has been installed:\n\n# dpkg -l | grep mcafeetp\n\n\nIf the \\\"mcafeetp\\\" package is not installed, this finding will remain as a CAT II.\n\nCheck that\nthe daemon is running:\n\n# /opt/McAfee/ens/tp/init/mfetpd-control.sh status\n\nIf the\ndaemon is not running, this finding will remain as a CAT II. \"\n desc 'fix', \"The Ubuntu operating system is not compliant with this requirement; however, the severity\nlevel can be mitigated to a CAT III if the ENSLTP module is installed and running.\n\nConfigure\nthe Ubuntu operating system to use ENSLTP.\n\nInstall the \\\"mcafeetp\\\" package via the ePO\nserver. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000191-GPOS-00080 '\n tag gid: 'V-238336 '\n tag rid: 'SV-238336r858538_rule '\n tag stig_id: 'UBTU-20-010415 '\n tag fix_id: 'F-41505r858537_fix '\n tag cci: ['CCI-001233']\n tag nist: ['SI-2 (2)']\n\n describe package('mfetp') do\n it { should be_installed }\n end\n\n describe command('/opt/McAfee/ens/tp/init/mfetpd-control.sh status') do\n its('exit_status') { should cmp 0 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238336.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package mfetp is expected to be installed","run_time":0.09734,"start_time":"2022-12-07T14:54:32-05:00","message":"expected that `System Package mfetp` is installed","resource_class":"package","resource_params":"[\"mfetp\"]","resource_id":"mfetp"},{"status":"failed","code_desc":"Command: `/opt/McAfee/ens/tp/init/mfetpd-control.sh status` exit_status is expected to cmp == 0","run_time":0.041653,"start_time":"2022-12-07T14:54:32-05:00","message":"\nexpected: 0\n got: 127\n\n(compared using `cmp` matcher)\n","resource_class":"command","resource_params":"[\"/opt/McAfee/ens/tp/init/mfetpd-control.sh status\"]","resource_id":"Command: `/opt/McAfee/ens/tp/init/mfetpd-control.sh status`"}]},{"id":"SV-238337","title":"The Ubuntu operating system must generate error messages that provide information\nnecessary for corrective actions without revealing information that could be exploited by\nadversaries. ","desc":"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers.","descriptions":[{"label":"default","data":"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers."},{"label":"check","data":"Verify the Ubuntu operating system has all system log files under the \"/var/log\" directory\nwith a permission set to 640 or less permissive by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;\n\nIf the command displays any output,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to set permissions of all log files under the\n\"/var/log\" directory to 640 or more restricted by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec chmod 640 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000205-GPOS-00083 ","gid":"V-238337 ","rid":"SV-238337r654186_rule ","stig_id":"UBTU-20-010416 ","fix_id":"F-41506r654185_fix ","cci":["CCI-001312"],"nist":["SI-11 a"]},"code":"control 'SV-238337' do\n title \"The Ubuntu operating system must generate error messages that provide information\nnecessary for corrective actions without revealing information that could be exploited by\nadversaries. \"\n desc \"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers. \"\n desc 'check', \"Verify the Ubuntu operating system has all system log files under the \\\"/var/log\\\" directory\nwith a permission set to 640 or less permissive by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec stat -c \\\"%n %a\\\" {} \\\\;\n\nIf the command displays any output,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to set permissions of all log files under the\n\\\"/var/log\\\" directory to 640 or more restricted by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec chmod 640 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000205-GPOS-00083 '\n tag gid: 'V-238337 '\n tag rid: 'SV-238337r654186_rule '\n tag stig_id: 'UBTU-20-010416 '\n tag fix_id: 'F-41506r654185_fix '\n tag cci: ['CCI-001312']\n tag nist: ['SI-11 a']\n\n log_files = command('find /var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;').stdout.strip.split(\"\\n\").entries\n\n describe 'Number of log files found with a permission NOT set to 640' do\n subject { log_files }\n its('count') { should eq 0 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238337.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Number of log files found with a permission NOT set to 640 count is expected to eq 0","run_time":0.000594,"start_time":"2022-12-07T14:54:32-05:00","message":"\nexpected: 0\n got: 9\n\n(compared using ==)\n","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238338","title":"The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \"%n %G\" /var/log\n/var/log\nsyslog\n\nIf the \"/var/log\" directory is not group-owned by syslog, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have syslog group-own the \"/var/log\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238338 ","rid":"SV-238338r654189_rule ","stig_id":"UBTU-20-010417 ","fix_id":"F-41507r654188_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238338' do\n title \"The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log\n/var/log\nsyslog\n\nIf the \\\"/var/log\\\" directory is not group-owned by syslog, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog group-own the \\\"/var/log\\\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238338 '\n tag rid: 'SV-238338r654189_rule '\n tag stig_id: 'UBTU-20-010417 '\n tag fix_id: 'F-41507r654188_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n its('group') { should cmp 'syslog' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238338.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Directory /var/log group is expected to cmp == \"syslog\"","run_time":0.084576,"start_time":"2022-12-07T14:54:33-05:00","message":"\nexpected: syslog\n got: root\n\n(compared using `cmp` matcher)\n","resource_class":"directory","resource_params":"[\"/var/log\"]","resource_id":"/var/log"}]},{"id":"SV-238339","title":"The Ubuntu operating system must configure the /var/log directory to be owned by root. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify the Ubuntu operating system configures the \"/var/log\" directory to be owned by root\nwith the following command:\n\n$ sudo stat -c \"%n %U\" /var/log\n/var/log root\n\nIf the\n\"/var/log\" directory is not owned by root, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have root own the \"/var/log\" directory by running\nthe following command:\n\n$ sudo chown root /var/log"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238339 ","rid":"SV-238339r654192_rule ","stig_id":"UBTU-20-010418 ","fix_id":"F-41508r654191_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238339' do\n title 'The Ubuntu operating system must configure the /var/log directory to be owned by root. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify the Ubuntu operating system configures the \\\"/var/log\\\" directory to be owned by root\nwith the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log\n/var/log root\n\nIf the\n\\\"/var/log\\\" directory is not owned by root, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have root own the \\\"/var/log\\\" directory by running\nthe following command:\n\n$ sudo chown root /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238339 '\n tag rid: 'SV-238339r654192_rule '\n tag stig_id: 'UBTU-20-010418 '\n tag fix_id: 'F-41508r654191_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n its('owner') { should cmp 'root' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238339.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /var/log owner is expected to cmp == \"root\"","run_time":0.000562,"start_time":"2022-12-07T14:54:33-05:00","resource_class":"directory","resource_params":"[\"/var/log\"]","resource_id":"/var/log"}]},{"id":"SV-238340","title":"The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less\npermissive. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log\" directory with a mode of\n750 or less permissive with the following command:\n\n$ stat -c \"%n %a\" /var/log\n\n/var/log 750\n\n\nIf a value of \"750\" or less permissive is not returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have permissions of 0750 for the \"/var/log\"\ndirectory by running the following command:\n\n$ sudo chmod 0750 /var/log"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238340 ","rid":"SV-238340r654195_rule ","stig_id":"UBTU-20-010419 ","fix_id":"F-41509r654194_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238340' do\n title \"The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory with a mode of\n750 or less permissive with the following command:\n\n$ stat -c \\\"%n %a\\\" /var/log\n\n/var/log 750\n\n\nIf a value of \\\"750\\\" or less permissive is not returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0750 for the \\\"/var/log\\\"\ndirectory by running the following command:\n\n$ sudo chmod 0750 /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238340 '\n tag rid: 'SV-238340r654195_rule '\n tag stig_id: 'UBTU-20-010419 '\n tag fix_id: 'F-41509r654194_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n it { should_not be_more_permissive_than('0750') }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238340.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Directory /var/log is expected not to be more permissive than \"0750\"","run_time":0.102363,"start_time":"2022-12-07T14:54:33-05:00","message":"expected `Directory /var/log.more_permissive_than?(\"0750\")` to be falsey, got true","resource_class":"directory","resource_params":"[\"/var/log\"]","resource_id":"/var/log"}]},{"id":"SV-238341","title":"The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by\nadm. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be\ngroup-owned by adm with the following command:\n\n$ sudo stat -c \"%n %G\" /var/log/syslog\n\n/var/log/syslog adm\n\nIf the \"/var/log/syslog\" file is not group-owned by adm, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to have adm group-own the \"/var/log/syslog\" file by\nrunning the following command:\n\n$ sudo chgrp adm /var/log/syslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238341 ","rid":"SV-238341r654198_rule ","stig_id":"UBTU-20-010420 ","fix_id":"F-41510r654197_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238341' do\n title \"The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by\nadm. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be\ngroup-owned by adm with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log/syslog\n\n/var/log/syslog adm\n\nIf the \\\"/var/log/syslog\\\" file is not group-owned by adm, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have adm group-own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chgrp adm /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238341 '\n tag rid: 'SV-238341r654198_rule '\n tag stig_id: 'UBTU-20-010420 '\n tag fix_id: 'F-41510r654197_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n its('group') { should cmp 'adm' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238341.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /var/log/syslog group is expected to cmp == \"adm\"","run_time":0.071662,"start_time":"2022-12-07T14:54:33-05:00","message":"\nexpected: adm\n got: \n\n(compared using `cmp` matcher)\n","resource_class":"file","resource_params":"[\"/var/log/syslog\"]","resource_id":"/var/log/syslog"}]},{"id":"SV-238342","title":"The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \"%n %U\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \"/var/log/syslog\" file is not owned by syslog, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to have syslog own the \"/var/log/syslog\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238342 ","rid":"SV-238342r654201_rule ","stig_id":"UBTU-20-010421 ","fix_id":"F-41511r654200_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238342' do\n title 'The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \\\"/var/log/syslog\\\" file is not owned by syslog, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238342 '\n tag rid: 'SV-238342r654201_rule '\n tag stig_id: 'UBTU-20-010421 '\n tag fix_id: 'F-41511r654200_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n its('owner') { should cmp 'syslog' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238342.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /var/log/syslog owner is expected to cmp == \"syslog\"","run_time":0.000831,"start_time":"2022-12-07T14:54:33-05:00","message":"\nexpected: syslog\n got: \n\n(compared using `cmp` matcher)\n","resource_class":"file","resource_params":"[\"/var/log/syslog\"]","resource_id":"/var/log/syslog"}]},{"id":"SV-238343","title":"The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less\npermissive. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file with mode\n0640 or less permissive by running the following command:\n\n$ sudo stat -c \"%n %a\"\n/var/log/syslog\n\n/var/log/syslog 640\n\nIf a value of \"640\" or less permissive is not\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have permissions of 0640 for the \"/var/log/syslog\"\nfile by running the following command:\n\n$ sudo chmod 0640 /var/log/syslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238343 ","rid":"SV-238343r654204_rule ","stig_id":"UBTU-20-010422 ","fix_id":"F-41512r654203_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238343' do\n title \"The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file with mode\n0640 or less permissive by running the following command:\n\n$ sudo stat -c \\\"%n %a\\\"\n/var/log/syslog\n\n/var/log/syslog 640\n\nIf a value of \\\"640\\\" or less permissive is not\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0640 for the \\\"/var/log/syslog\\\"\nfile by running the following command:\n\n$ sudo chmod 0640 /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238343 '\n tag rid: 'SV-238343r654204_rule '\n tag stig_id: 'UBTU-20-010422 '\n tag fix_id: 'F-41512r654203_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n it { should_not be_more_permissive_than('0640') }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238343.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"File /var/log/syslog is expected not to be more permissive than \"0640\"","run_time":0.097681,"start_time":"2022-12-07T14:54:33-05:00","resource_class":"file","resource_params":"[\"/var/log/syslog\"]","resource_id":"/var/log/syslog"}]},{"id":"SV-238344","title":"The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \"%n %a\"\n'{}' \\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding."},{"label":"fix","data":"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000258-GPOS-00099 ","gid":"V-238344 ","rid":"SV-238344r654207_rule ","stig_id":"UBTU-20-010423 ","fix_id":"F-41513r654206_fix ","cci":["CCI-001495"],"nist":["AU-9"]},"code":"control 'SV-238344' do\n title \"The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \\\"%n %a\\\"\n'{}' \\\\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238344 '\n tag rid: 'SV-238344r654207_rule '\n tag stig_id: 'UBTU-20-010423 '\n tag fix_id: 'F-41513r654206_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or\n /usr/local/sbin, that are less permissive than 0755\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238344.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or\n /usr/local/sbin, that are less permissive than 0755 count is expected to eq 0","run_time":0.000417,"start_time":"2022-12-07T14:54:33-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238345","title":"The Ubuntu operating system must have directories that contain system commands owned by\nroot. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system commands directories are returned, this is\na finding."},{"label":"fix","data":"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -user root -type d -exec chown root '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000258-GPOS-00099 ","gid":"V-238345 ","rid":"SV-238345r654210_rule ","stig_id":"UBTU-20-010424 ","fix_id":"F-41514r654209_fix ","cci":["CCI-001495"],"nist":["AU-9"]},"code":"control 'SV-238345' do\n title \"The Ubuntu operating system must have directories that contain system commands owned by\nroot. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system commands directories are returned, this is\na finding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -user root -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238345 '\n tag rid: 'SV-238345r654210_rule '\n tag stig_id: 'UBTU-20-010424 '\n tag fix_id: 'F-41514r654209_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238345.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT owned by root count is expected to eq 0","run_time":0.000935,"start_time":"2022-12-07T14:54:34-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238346","title":"The Ubuntu operating system must have directories that contain system commands group-owned\nby root. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \"%n %G\" '{}' \\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding."},{"label":"fix","data":"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000258-GPOS-00099 ","gid":"V-238346 ","rid":"SV-238346r654213_rule ","stig_id":"UBTU-20-010425 ","fix_id":"F-41515r654212_fix ","cci":["CCI-001495"],"nist":["AU-9"]},"code":"control 'SV-238346' do\n title \"The Ubuntu operating system must have directories that contain system commands group-owned\nby root. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238346 '\n tag rid: 'SV-238346r654213_rule '\n tag stig_id: 'UBTU-20-010425 '\n tag fix_id: 'F-41515r654212_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n # CHECK\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238346.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root count is expected to eq 0","run_time":0.000765,"start_time":"2022-12-07T14:54:34-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238347","title":"The Ubuntu operating system library files must have mode 0755 or less permissive. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\",\nand \"/usr/lib\" have mode 0755 or less permissive with the following command:\n\n$ sudo find\n/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \"%n %a\" '{}' \\;\n\n/usr/lib64/pkcs11-spy.so\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding."},{"label":"fix","data":"Configure the library files to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238347 ","rid":"SV-238347r654216_rule ","stig_id":"UBTU-20-010426 ","fix_id":"F-41516r654215_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238347' do\n title 'The Ubuntu operating system library files must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" have mode 0755 or less permissive with the following command:\n\n$ sudo find\n/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\n/usr/lib64/pkcs11-spy.so\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. \"\n desc 'fix', \"Configure the library files to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238347 '\n tag rid: 'SV-238347r654216_rule '\n tag stig_id: 'UBTU-20-010426 '\n tag fix_id: 'F-41516r654215_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are less permissive than 0755' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238347.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library files found that are less permissive than 0755 count is expected to eq 0","run_time":0.000468,"start_time":"2022-12-07T14:54:34-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238348","title":"The Ubuntu operating system library directories must have mode 0755 or less permissive. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib have\nmode 0755 or less permissive with the following command:\n\n$ sudo find /lib /lib64 /usr/lib\n-perm /022 -type d -exec stat -c \"%n %a\" '{}' \\;\n\nIf any of the aforementioned directories are\nfound to be group-writable or world-writable, this is a finding."},{"label":"fix","data":"Configure the shared library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}'\n\\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238348 ","rid":"SV-238348r654219_rule ","stig_id":"UBTU-20-010427 ","fix_id":"F-41517r654218_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238348' do\n title 'The Ubuntu operating system library directories must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib have\nmode 0755 or less permissive with the following command:\n\n$ sudo find /lib /lib64 /usr/lib\n-perm /022 -type d -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any of the aforementioned directories are\nfound to be group-writable or world-writable, this is a finding. \"\n desc 'fix', \"Configure the shared library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}'\n\\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238348 '\n tag rid: 'SV-238348r654219_rule '\n tag stig_id: 'UBTU-20-010427 '\n tag fix_id: 'F-41517r654218_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are less permissive than 0755' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238348.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library directories found that are less permissive than 0755 count is expected to eq 0","run_time":0.000605,"start_time":"2022-12-07T14:54:34-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238349","title":"The Ubuntu operating system library files must be owned by root. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\",\nand \"/usr/lib\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! -user root -type f -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide library file is\nreturned, this is a finding."},{"label":"fix","data":"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238349 ","rid":"SV-238349r654222_rule ","stig_id":"UBTU-20-010428 ","fix_id":"F-41518r654221_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238349' do\n title 'The Ubuntu operating system library files must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! -user root -type f -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library file is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238349 '\n tag rid: 'SV-238349r654222_rule '\n tag stig_id: 'UBTU-20-010428 '\n tag fix_id: 'F-41518r654221_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238349.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library files found that are NOT owned by root count is expected to eq 0","run_time":0.000804,"start_time":"2022-12-07T14:54:34-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238350","title":"The Ubuntu operating system library directories must be owned by root. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide library directory is returned, this is a\nfinding."},{"label":"fix","data":"Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238350 ","rid":"SV-238350r654225_rule ","stig_id":"UBTU-20-010429 ","fix_id":"F-41519r654224_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238350' do\n title 'The Ubuntu operating system library directories must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library directory is returned, this is a\nfinding. \"\n desc 'fix', \"Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238350 '\n tag rid: 'SV-238350r654225_rule '\n tag stig_id: 'UBTU-20-010429 '\n tag fix_id: 'F-41519r654224_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT owned by root' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238350.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library directories found that are NOT owned by root count is expected to eq 0","run_time":0.000497,"start_time":"2022-12-07T14:54:34-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238351","title":"The Ubuntu operating system library files must be group-owned by root or a system account. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide library files contained in the directories \"/lib\", \"/lib64\", and\n\"/usr/lib\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \"%n %G\" '{}' \\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding."},{"label":"fix","data":"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command, replacing \"[FILE]\" with any system command file not group-owned by\n\"root\" or a required system account:\n\n$ sudo chgrp root [FILE]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238351 ","rid":"SV-238351r832962_rule ","stig_id":"UBTU-20-010430 ","fix_id":"F-41520r832961_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238351' do\n title 'The Ubuntu operating system library files must be group-owned by root or a system account. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\", and\n\\\"/usr/lib\\\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command, replacing \\\"[FILE]\\\" with any system command file not group-owned by\n\\\"root\\\" or a required system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238351 '\n tag rid: 'SV-238351r832962_rule '\n tag stig_id: 'UBTU-20-010430 '\n tag fix_id: 'F-41520r832961_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT group-owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238351.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library files found that are NOT group-owned by root count is expected to eq 0","run_time":0.000502,"start_time":"2022-12-07T14:54:34-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238352","title":"The Ubuntu operating system library directories must be group-owned by root. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are\ngroup-owned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group\nroot -type d -exec stat -c \"%n %G\" '{}' \\;\n\nIf any system-wide shared library directory is\nreturned, this is a finding."},{"label":"fix","data":"Configure the system library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root\n'{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238352 ","rid":"SV-238352r654231_rule ","stig_id":"UBTU-20-010431 ","fix_id":"F-41521r654230_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238352' do\n title 'The Ubuntu operating system library directories must be group-owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\ngroup-owned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group\nroot -type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system-wide shared library directory is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238352 '\n tag rid: 'SV-238352r654231_rule '\n tag stig_id: 'UBTU-20-010431 '\n tag fix_id: 'F-41521r654230_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_directories = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_directories.count > 0\n library_directories.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT group-owned by root' do\n subject { library_directories }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238352.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library directories found that are NOT group-owned by root count is expected to eq 0","run_time":0.000401,"start_time":"2022-12-07T14:54:34-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238353","title":"The Ubuntu operating system must be configured to preserve log records from failure events. ","desc":"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes.","descriptions":[{"label":"default","data":"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes."},{"label":"check","data":"Verify the log service is configured to collect system failure events.\n\nCheck that the log\nservice is installed properly with the following command:\n\n$ dpkg -l | grep rsyslog\n\nii\nrsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon\n\nIf the \"rsyslog\"\npackage is not installed, this is a finding.\n\nCheck that the log service is enabled with the\nfollowing command:\n\n$ systemctl is-enabled rsyslog\n\nenabled\n\nIf the command above\nreturns \"disabled\", this is a finding.\n\nCheck that the log service is properly running and\nactive on the system with the following command:\n\n$ systemctl is-active rsyslog\n\nactive\n\n\nIf the command above returns \"inactive\", this is a finding."},{"label":"fix","data":"Configure the log service to collect failure events.\n\nInstall the log service (if the log\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nrsyslog\n\nEnable the log service with the following command:\n\n$ sudo systemctl enable --now\nrsyslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000269-GPOS-00103 ","gid":"V-238353 ","rid":"SV-238353r654234_rule ","stig_id":"UBTU-20-010432 ","fix_id":"F-41522r654233_fix ","cci":["CCI-001665"],"nist":["SC-24"]},"code":"control 'SV-238353' do\n title 'The Ubuntu operating system must be configured to preserve log records from failure events. '\n desc \"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes. \"\n desc 'check', \"Verify the log service is configured to collect system failure events.\n\nCheck that the log\nservice is installed properly with the following command:\n\n$ dpkg -l | grep rsyslog\n\nii\nrsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon\n\nIf the \\\"rsyslog\\\"\npackage is not installed, this is a finding.\n\nCheck that the log service is enabled with the\nfollowing command:\n\n$ systemctl is-enabled rsyslog\n\nenabled\n\nIf the command above\nreturns \\\"disabled\\\", this is a finding.\n\nCheck that the log service is properly running and\nactive on the system with the following command:\n\n$ systemctl is-active rsyslog\n\nactive\n\n\nIf the command above returns \\\"inactive\\\", this is a finding. \"\n desc 'fix', \"Configure the log service to collect failure events.\n\nInstall the log service (if the log\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nrsyslog\n\nEnable the log service with the following command:\n\n$ sudo systemctl enable --now\nrsyslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000269-GPOS-00103 '\n tag gid: 'V-238353 '\n tag rid: 'SV-238353r654234_rule '\n tag stig_id: 'UBTU-20-010432 '\n tag fix_id: 'F-41522r654233_fix '\n tag cci: ['CCI-001665']\n tag nist: ['SC-24']\n\n describe service('rsyslog') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238353.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service rsyslog is expected to be installed","run_time":0.088083,"start_time":"2022-12-07T14:54:34-05:00","message":"expected that `Service rsyslog` is installed","resource_class":"service","resource_params":"[\"rsyslog\"]","resource_id":"rsyslog"},{"status":"failed","code_desc":"Service rsyslog is expected to be enabled","run_time":0.003143,"start_time":"2022-12-07T14:54:35-05:00","message":"expected that `Service rsyslog` is enabled","resource_class":"service","resource_params":"[\"rsyslog\"]","resource_id":"rsyslog"},{"status":"failed","code_desc":"Service rsyslog is expected to be running","run_time":0.000273,"start_time":"2022-12-07T14:54:35-05:00","message":"expected that `Service rsyslog` is running","resource_class":"service","resource_params":"[\"rsyslog\"]","resource_id":"rsyslog"}]},{"id":"SV-238354","title":"The Ubuntu operating system must have an application firewall installed in order to control\nremote access methods. ","desc":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).","descriptions":[{"label":"default","data":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets)."},{"label":"check","data":"Verify that the Uncomplicated Firewall is installed with the following command:\n\n$ dpkg -l |\ngrep ufw\n\nii ufw 0.36-6\n\nIf the \"ufw\" package is not installed, ask the System Administrator\nif another application firewall is installed.\n\nIf no application firewall is installed,\nthis is a finding."},{"label":"fix","data":"Install the Uncomplicated Firewall by using the following command:\n\n$ sudo apt-get install\nufw"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000297-GPOS-00115 ","gid":"V-238354 ","rid":"SV-238354r853429_rule ","stig_id":"UBTU-20-010433 ","fix_id":"F-41523r654236_fix ","cci":["CCI-002314"],"nist":["AC-17 (1)"]},"code":"control 'SV-238354' do\n title \"The Ubuntu operating system must have an application firewall installed in order to control\nremote access methods. \"\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify that the Uncomplicated Firewall is installed with the following command:\n\n$ dpkg -l |\ngrep ufw\n\nii ufw 0.36-6\n\nIf the \\\"ufw\\\" package is not installed, ask the System Administrator\nif another application firewall is installed.\n\nIf no application firewall is installed,\nthis is a finding. \"\n desc 'fix', \"Install the Uncomplicated Firewall by using the following command:\n\n$ sudo apt-get install\nufw \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238354 '\n tag rid: 'SV-238354r853429_rule '\n tag stig_id: 'UBTU-20-010433 '\n tag fix_id: 'F-41523r654236_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n\n describe package('ufw') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238354.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package ufw is expected to be installed","run_time":0.077424,"start_time":"2022-12-07T14:54:35-05:00","message":"expected that `System Package ufw` is installed","resource_class":"package","resource_params":"[\"ufw\"]","resource_id":"ufw"}]},{"id":"SV-238355","title":"The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). ","desc":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).","descriptions":[{"label":"default","data":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets)."},{"label":"check","data":"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl is-enabled ufw\n\nIf the above command returns the status as \"disabled\", this is\na finding.\n\nVerify the Uncomplicated Firewall is active on the system by running the\nfollowing command:\n\n$ systemctl is-active ufw\n\nIf the above command returns \"inactive\" or\nany kind of error, this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the\nSystem Administrator if another application firewall is installed.\n\nIf no application\nfirewall is installed, this is a finding."},{"label":"fix","data":"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\n--now ufw.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000297-GPOS-00115 ","gid":"V-238355 ","rid":"SV-238355r853430_rule ","stig_id":"UBTU-20-010434 ","fix_id":"F-41524r654239_fix ","cci":["CCI-002314"],"nist":["AC-17 (1)"]},"code":"control 'SV-238355' do\n title 'The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). '\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl is-enabled ufw\n\nIf the above command returns the status as \\\"disabled\\\", this is\na finding.\n\nVerify the Uncomplicated Firewall is active on the system by running the\nfollowing command:\n\n$ systemctl is-active ufw\n\nIf the above command returns \\\"inactive\\\" or\nany kind of error, this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the\nSystem Administrator if another application firewall is installed.\n\nIf no application\nfirewall is installed, this is a finding. \"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\n--now ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238355 '\n tag rid: 'SV-238355r853430_rule '\n tag stig_id: 'UBTU-20-010434 '\n tag fix_id: 'F-41524r654239_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238355.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service ufw is expected to be installed","run_time":0.055247,"start_time":"2022-12-07T14:54:35-05:00","message":"expected that `Service ufw` is installed","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be enabled","run_time":0.000786,"start_time":"2022-12-07T14:54:35-05:00","message":"expected that `Service ufw` is enabled","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be running","run_time":0.000308,"start_time":"2022-12-07T14:54:35-05:00","message":"expected that `Service ufw` is running","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"}]},{"id":"SV-238356","title":"The Ubuntu operating system must, for networked systems, compare internal information\nsystem clocks at least every 24 hours with a server which is synchronized to one of the\nredundant United States Naval Observatory (USNO) time servers, or a time server designated\nfor the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System\n(GPS). ","desc":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints).","descriptions":[{"label":"default","data":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints)."},{"label":"check","data":"If the system is not networked, this requirement is Not Applicable.\n\nThe system clock must be\nconfigured to compare the system clock at least every 24 hours to the authoritative time\nsource.\n\nCheck the value of \"maxpoll\" in the \"/etc/chrony/chrony.conf\" file with the\nfollowing command:\n\n$ sudo grep maxpoll /etc/chrony/chrony.conf\nserver\ntick.usno.navy.mil iburst maxpoll 16\n\nIf the \"maxpoll\" option is set to a number greater\nthan 16 or the line is commented out, this is a finding.\n\nVerify that the \"chrony.conf\" file is\nconfigured to an authoritative DoD time source by running the following command:\n\n$ grep -i\nserver /etc/chrony/chrony.conf\nserver tick.usno.navy.mil iburst maxpoll 16\nserver\ntock.usno.navy.mil iburst maxpoll 16\nserver ntp2.usno.navy.mil iburst maxpoll 16\n\nIf\nthe parameter \"server\" is not set, is not set to an authoritative DoD time source, or is\ncommented out, this is a finding."},{"label":"fix","data":"If the system is not networked, this requirement is Not Applicable.\n\nTo configure the system\nclock to compare the system clock at least every 24 hours to the authoritative time source,\nedit the \"/etc/chrony/chrony.conf\" file. Add or correct the following lines, by replacing\n\"[source]\" in the following line with an authoritative DoD time source:\n\nserver [source]\niburst maxpoll = 16\n\nIf the \"chrony\" service was running and the value of \"maxpoll\" or\n\"server\" was updated, the service must be restarted using the following command:\n\n$ sudo\nsystemctl restart chrony.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000355-GPOS-00143 ","gid":"V-238356 ","rid":"SV-238356r853431_rule ","stig_id":"UBTU-20-010435 ","fix_id":"F-41525r808491_fix ","cci":["CCI-001891"],"nist":["AU-8 (1) (a)"]},"code":"control 'SV-238356' do\n title \"The Ubuntu operating system must, for networked systems, compare internal information\nsystem clocks at least every 24 hours with a server which is synchronized to one of the\nredundant United States Naval Observatory (USNO) time servers, or a time server designated\nfor the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System\n(GPS). \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints). \"\n desc 'check', \"If the system is not networked, this requirement is Not Applicable.\n\nThe system clock must be\nconfigured to compare the system clock at least every 24 hours to the authoritative time\nsource.\n\nCheck the value of \\\"maxpoll\\\" in the \\\"/etc/chrony/chrony.conf\\\" file with the\nfollowing command:\n\n$ sudo grep maxpoll /etc/chrony/chrony.conf\nserver\ntick.usno.navy.mil iburst maxpoll 16\n\nIf the \\\"maxpoll\\\" option is set to a number greater\nthan 16 or the line is commented out, this is a finding.\n\nVerify that the \\\"chrony.conf\\\" file is\nconfigured to an authoritative DoD time source by running the following command:\n\n$ grep -i\nserver /etc/chrony/chrony.conf\nserver tick.usno.navy.mil iburst maxpoll 16\nserver\ntock.usno.navy.mil iburst maxpoll 16\nserver ntp2.usno.navy.mil iburst maxpoll 16\n\nIf\nthe parameter \\\"server\\\" is not set, is not set to an authoritative DoD time source, or is\ncommented out, this is a finding. \"\n desc 'fix', \"If the system is not networked, this requirement is Not Applicable.\n\nTo configure the system\nclock to compare the system clock at least every 24 hours to the authoritative time source,\nedit the \\\"/etc/chrony/chrony.conf\\\" file. Add or correct the following lines, by replacing\n\\\"[source]\\\" in the following line with an authoritative DoD time source:\n\nserver [source]\niburst maxpoll = 16\n\nIf the \\\"chrony\\\" service was running and the value of \\\"maxpoll\\\" or\n\\\"server\\\" was updated, the service must be restarted using the following command:\n\n$ sudo\nsystemctl restart chrony.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000355-GPOS-00143 '\n tag gid: 'V-238356 '\n tag rid: 'SV-238356r853431_rule '\n tag stig_id: 'UBTU-20-010435 '\n tag fix_id: 'F-41525r808491_fix '\n tag cci: ['CCI-001891']\n tag nist: ['AU-8 (1) (a)']\n\n is_system_networked = input('is_system_networked')\n\n if is_system_networked\n\n chrony_conf = input('chrony_config_file')\n chrony_conf_exists = file(chrony_conf).exist?\n\n if chrony_conf_exists\n describe 'time sources' do\n server_entries = command('grep \"^server\" /etc/chrony/chrony.conf').stdout.strip.split(\"\\n\").entries\n\n server_entries.each do |entry|\n describe entry do\n it { should match \"^server\\s+.*\\s+iburst\\s+maxpoll\\s+=\\s+17$\" }\n end\n end\n end\n else\n describe chrony_conf + ' exists' do\n subject { chrony_conf_exists }\n it { should be true }\n end\n end\n else\n describe 'System is not networked' do\n skip 'This control is Not Applicable as the system is not networked'\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238356.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/chrony/chrony.conf exists is expected to equal true","run_time":0.000293,"start_time":"2022-12-07T14:54:35-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/chrony/chrony.conf exists"}]},{"id":"SV-238357","title":"The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. ","desc":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference.","descriptions":[{"label":"default","data":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference."},{"label":"check","data":"Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \"makestep\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \"1 -1\", this is a finding."},{"label":"fix","data":"Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\"/etc/chrony/chrony.conf\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000356-GPOS-00144 ","gid":"V-238357 ","rid":"SV-238357r853432_rule ","stig_id":"UBTU-20-010436 ","fix_id":"F-41526r654245_fix ","cci":["CCI-002046"],"nist":["AU-8 (1) (b)"]},"code":"control 'SV-238357' do\n title \"The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference. \"\n desc 'check', \"Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \\\"makestep\\\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \\\"1 -1\\\", this is a finding. \"\n desc 'fix', \"Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\\\"/etc/chrony/chrony.conf\\\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000356-GPOS-00144 '\n tag gid: 'V-238357 '\n tag rid: 'SV-238357r853432_rule '\n tag stig_id: 'UBTU-20-010436 '\n tag fix_id: 'F-41526r654245_fix '\n tag cci: ['CCI-002046']\n tag nist: ['AU-8 (1) (b)']\n\n chrony_file_path = input('chrony_config_file')\n chrony_file = file(chrony_file_path)\n\n if chrony_file.exist?\n describe chrony_file do\n subject { chrony_file }\n its('content') { should match /^makestep 1 -1/ }\n end\n else\n describe(chrony_file_path + ' exists') do\n subject { chrony_file.exist? }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238357.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/chrony/chrony.conf exists is expected to equal true","run_time":0.000891,"start_time":"2022-12-07T14:54:35-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/chrony/chrony.conf exists"}]},{"id":"SV-238358","title":"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the oper ","desc":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item.","descriptions":[{"label":"default","data":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ grep SILENTREPORTS /etc/default/aide\n\nSILENTREPORTS=no\n\n\nIf SILENTREPORTS is commented out, this is a finding.\n\nIf SILENTREPORTS is set to \"yes\",\nthis is a finding.\n\nIf SILENTREPORTS is not set to \"no\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \"SILENTREPORTS\"\nparameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000363-GPOS-00150 ","gid":"V-238358 ","rid":"SV-238358r853433_rule ","stig_id":"UBTU-20-010437 ","fix_id":"F-41527r654248_fix ","cci":["CCI-001744"],"nist":["CM-3 (5)"]},"code":"control 'SV-238358' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the oper \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ grep SILENTREPORTS /etc/default/aide\n\nSILENTREPORTS=no\n\n\nIf SILENTREPORTS is commented out, this is a finding.\n\nIf SILENTREPORTS is set to \\\"yes\\\",\nthis is a finding.\n\nIf SILENTREPORTS is not set to \\\"no\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000363-GPOS-00150 '\n tag gid: 'V-238358 '\n tag rid: 'SV-238358r853433_rule '\n tag stig_id: 'UBTU-20-010437 '\n tag fix_id: 'F-41527r654248_fix '\n tag cci: ['CCI-001744']\n tag nist: ['CM-3 (5)']\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238358.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /etc/default/aide is expected to exist","run_time":0.160071,"start_time":"2022-12-07T14:54:35-05:00","message":"expected File /etc/default/aide to exist","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"},{"status":"failed","code_desc":"File /etc/default/aide content is expected to match \"^SILENTREPORTS=no$\"","run_time":0.148687,"start_time":"2022-12-07T14:54:35-05:00","message":"expected nil to match \"^SILENTREPORTS=no$\"","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"}]},{"id":"SV-238359","title":"The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a certificate that is\nrecognized and approved by the organization. ","desc":"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA.","descriptions":[{"label":"default","data":"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA."},{"label":"check","data":"Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \"AllowUnauthenticated\" variable is not set at all or is set to \"false\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \"false\";\n\n\nIf any of the files returned from the command with \"AllowUnauthenticated\" are set to \"true\",\nthis is a finding."},{"label":"fix","data":"Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \"AllowUnauthenticated\" to \"false\",\nor remove \"AllowUnauthenticated\" entirely from each file. Below is an example of setting the\n\"AllowUnauthenticated\" variable to \"false\":\n\nAPT::Get::AllowUnauthenticated\n\"false\";"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000366-GPOS-00153 ","gid":"V-238359 ","rid":"SV-238359r853434_rule ","stig_id":"UBTU-20-010438 ","fix_id":"F-41528r654251_fix ","cci":["CCI-001749"],"nist":["CM-5 (3)"]},"code":"control 'SV-238359' do\n title \"The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a certificate that is\nrecognized and approved by the organization. \"\n desc \"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA. \"\n desc 'check', \"Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \\\"AllowUnauthenticated\\\" variable is not set at all or is set to \\\"false\\\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \\\"false\\\";\n\n\nIf any of the files returned from the command with \\\"AllowUnauthenticated\\\" are set to \\\"true\\\",\nthis is a finding. \"\n desc 'fix', \"Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \\\"AllowUnauthenticated\\\" to \\\"false\\\",\nor remove \\\"AllowUnauthenticated\\\" entirely from each file. Below is an example of setting the\n\\\"AllowUnauthenticated\\\" variable to \\\"false\\\":\n\nAPT::Get::AllowUnauthenticated\n\\\"false\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000366-GPOS-00153 '\n tag gid: 'V-238359 '\n tag rid: 'SV-238359r853434_rule '\n tag stig_id: 'UBTU-20-010438 '\n tag fix_id: 'F-41528r654251_fix '\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n apt_allowunauth = command('grep -i allowunauth /etc/apt/apt.conf.d/*').stdout.strip.split(\"\\n\")\n if apt_allowunauth.empty?\n describe 'apt conf files do not contain AllowUnauthenticated' do\n subject { apt_allowunauth.empty? }\n it { should be true }\n end\n else\n apt_allowunauth.each do |line|\n describe \"#{line} contains AllowUnauthenctication\" do\n subject { line }\n it { should_not match /.*false.*/ }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238359.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /etc/apt/apt.conf.d is expected to exist","run_time":0.084282,"start_time":"2022-12-07T14:54:36-05:00","resource_class":"directory","resource_params":"[\"/etc/apt/apt.conf.d\"]","resource_id":"/etc/apt/apt.conf.d"},{"status":"passed","code_desc":"apt conf files do not contain AllowUnauthenticated is expected to equal true","run_time":0.000111,"start_time":"2022-12-07T14:54:36-05:00","resource_class":"Object","resource_params":"[]","resource_id":"apt conf files do not contain AllowUnauthenticated"}]},{"id":"SV-238360","title":"The Ubuntu operating system must be configured to use AppArmor. ","desc":"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).","descriptions":[{"label":"default","data":"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles)."},{"label":"check","data":"Verify the operating system prevents program execution in accordance with local policies.\n\n\nCheck that AppArmor is installed and active by running the following command,\n\n$ dpkg -l |\ngrep apparmor\n\nIf the \"apparmor\" package is not installed, this is a finding.\n\n$ systemctl\nis-active apparmor.service\n\nactive\n\nIf \"active\" is not returned, this is a finding.\n\n$\nsystemctl is-enabled apparmor.service\n\nenabled\n\nIf \"enabled\" is not returned, this is a\nfinding."},{"label":"fix","data":"Install \"AppArmor\" (if it is not installed) with the following command:\n\n$ sudo apt-get\ninstall apparmor\n\n$ sudo systemctl enable apparmor.service\n\nStart \"apparmor\" with the\nfollowing command:\n\n$ sudo systemctl start apparmor.service\n\nNote: AppArmor must have\nproperly configured profiles for applications and home directories. All configurations\nwill be based on the actual system setup and organization and normally are on a per role basis.\nSee the AppArmor documentation for more information on configuring profiles."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000368-GPOS-00154 ","satisfies":["SRG-OS-000368-GPOS-00154","SRG-OS-000312-GPOS-00122","SRG-OS-000312-GPOS-00123","SRG-OS-000312-GPOS-00124","SRG-OS-000324-GPOS-00125","SRG-OS-000370-GPOS-00155"],"gid":"V-238360 ","rid":"SV-238360r853435_rule ","stig_id":"UBTU-20-010439 ","fix_id":"F-41529r654254_fix ","cci":["CCI-001764","CCI-001774","CCI-002165","CCI-002235"],"nist":["CM-7 (2)","CM-7 (5) (b)","AC-3 (4)","AC-6 (10)"]},"code":"control 'SV-238360' do\n title 'The Ubuntu operating system must be configured to use AppArmor. '\n desc \"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).\n\n \"\n desc 'check', \"Verify the operating system prevents program execution in accordance with local policies.\n\n\nCheck that AppArmor is installed and active by running the following command,\n\n$ dpkg -l |\ngrep apparmor\n\nIf the \\\"apparmor\\\" package is not installed, this is a finding.\n\n$ systemctl\nis-active apparmor.service\n\nactive\n\nIf \\\"active\\\" is not returned, this is a finding.\n\n$\nsystemctl is-enabled apparmor.service\n\nenabled\n\nIf \\\"enabled\\\" is not returned, this is a\nfinding. \"\n desc 'fix', \"Install \\\"AppArmor\\\" (if it is not installed) with the following command:\n\n$ sudo apt-get\ninstall apparmor\n\n$ sudo systemctl enable apparmor.service\n\nStart \\\"apparmor\\\" with the\nfollowing command:\n\n$ sudo systemctl start apparmor.service\n\nNote: AppArmor must have\nproperly configured profiles for applications and home directories. All configurations\nwill be based on the actual system setup and organization and normally are on a per role basis.\nSee the AppArmor documentation for more information on configuring profiles. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000368-GPOS-00154 '\n tag satisfies: %w(SRG-OS-000368-GPOS-00154 SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123 SRG-OS-000312-GPOS-00124 SRG-OS-000324-GPOS-00125 SRG-OS-000370-GPOS-00155)\n tag gid: 'V-238360 '\n tag rid: 'SV-238360r853435_rule '\n tag stig_id: 'UBTU-20-010439 '\n tag fix_id: 'F-41529r654254_fix '\n tag cci: %w(CCI-001764 CCI-001774 CCI-002165 CCI-002235)\n tag nist: ['CM-7 (2)', 'CM-7 (5) (b)', 'AC-3 (4)', 'AC-6 (10)']\n\n describe service('apparmor') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238360.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service apparmor is expected to be installed","run_time":0.056505,"start_time":"2022-12-07T14:54:36-05:00","message":"expected that `Service apparmor` is installed","resource_class":"service","resource_params":"[\"apparmor\"]","resource_id":"apparmor"},{"status":"failed","code_desc":"Service apparmor is expected to be enabled","run_time":0.000638,"start_time":"2022-12-07T14:54:36-05:00","message":"expected that `Service apparmor` is enabled","resource_class":"service","resource_params":"[\"apparmor\"]","resource_id":"apparmor"},{"status":"failed","code_desc":"Service apparmor is expected to be running","run_time":0.00022,"start_time":"2022-12-07T14:54:36-05:00","message":"expected that `Service apparmor` is running","resource_class":"service","resource_params":"[\"apparmor\"]","resource_id":"apparmor"}]},{"id":"SV-238361","title":"The Ubuntu operating system must allow the use of a temporary password for system logons with\nan immediate change to a permanent password. ","desc":"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated.","descriptions":[{"label":"default","data":"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated."},{"label":"check","data":"Verify a policy exists that ensures when a user account is created, it is created using a method\nthat forces a user to change their password upon their next login.\n\nIf a policy does not exist,\nthis is a finding."},{"label":"fix","data":"Create a policy that ensures when a user is created, it is created using a method that forces a\nuser to change their password upon their next login.\n\nBelow are two examples of how to create a\nuser account that requires the user to change their password upon their next login.\n\n$ sudo\nchage -d 0 [UserName]\n\nor\n\n$ sudo passwd -e [UserName]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000380-GPOS-00165 ","gid":"V-238361 ","rid":"SV-238361r853436_rule ","stig_id":"UBTU-20-010440 ","fix_id":"F-41530r654257_fix ","cci":["CCI-002041"],"nist":["IA-5 (1) (f)"]},"code":"control 'SV-238361' do\n title \"The Ubuntu operating system must allow the use of a temporary password for system logons with\nan immediate change to a permanent password. \"\n desc \"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated. \"\n desc 'check', \"Verify a policy exists that ensures when a user account is created, it is created using a method\nthat forces a user to change their password upon their next login.\n\nIf a policy does not exist,\nthis is a finding. \"\n desc 'fix', \"Create a policy that ensures when a user is created, it is created using a method that forces a\nuser to change their password upon their next login.\n\nBelow are two examples of how to create a\nuser account that requires the user to change their password upon their next login.\n\n$ sudo\nchage -d 0 [UserName]\n\nor\n\n$ sudo passwd -e [UserName] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000380-GPOS-00165 '\n tag gid: 'V-238361 '\n tag rid: 'SV-238361r853436_rule '\n tag stig_id: 'UBTU-20-010440 '\n tag fix_id: 'F-41530r654257_fix '\n tag cci: ['CCI-002041']\n tag nist: ['IA-5 (1) (f)']\n\n describe 'Manual verification required' do\n skip 'Manually verify if a policy exists to ensure that a method exists to force temporary\n users to change their password upon next login'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238361.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Manual verification required","run_time":2.3e-05,"start_time":"2022-12-07T14:54:36-05:00","resource":"","skip_message":"Manually verify if a policy exists to ensure that a method exists to force temporary\n users to change their password upon next login","resource_class":"Object","resource_params":"[]","resource_id":"Manual verification required"}]},{"id":"SV-238362","title":"The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. ","desc":"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable.","descriptions":[{"label":"default","data":"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable."},{"label":"check","data":"If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\"offline_credentials_expiration\" is not set to a value of \"1\" in \"/etc/sssd/sssd.conf\" or\nin a file with a name ending in .conf in the \"/etc/sssd/conf.d/\" directory, this is a finding."},{"label":"fix","data":"Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \"/etc/sssd/sssd.conf\" just below the line \"[pam]\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \".conf\" and does not begin with a \".\" in the \"/etc/sssd/conf.d/\"\ndirectory instead of the \"/etc/sssd/sssd.conf\" file."}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000383-GPOS-00166 ","gid":"V-238362 ","rid":"SV-238362r853437_rule ","stig_id":"UBTU-20-010441 ","fix_id":"F-41531r654260_fix ","cci":["CCI-002007"],"nist":["IA-5 (13)"]},"code":"control 'SV-238362' do\n title \"The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. \"\n desc \"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable. \"\n desc 'check', \"If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\\\"offline_credentials_expiration\\\" is not set to a value of \\\"1\\\" in \\\"/etc/sssd/sssd.conf\\\" or\nin a file with a name ending in .conf in the \\\"/etc/sssd/conf.d/\\\" directory, this is a finding. \"\n desc 'fix', \"Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \\\"/etc/sssd/sssd.conf\\\" just below the line \\\"[pam]\\\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \\\".conf\\\" and does not begin with a \\\".\\\" in the \\\"/etc/sssd/conf.d/\\\"\ndirectory instead of the \\\"/etc/sssd/sssd.conf\\\" file. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000383-GPOS-00166 '\n tag gid: 'V-238362 '\n tag rid: 'SV-238362r853437_rule '\n tag stig_id: 'UBTU-20-010441 '\n tag fix_id: 'F-41531r654260_fix '\n tag cci: ['CCI-002007']\n tag nist: ['IA-5 (13)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = input('sssd_conf_path')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('offline_credentials_expiration') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238362.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.9e-05,"start_time":"2022-12-07T14:54:36-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238363","title":"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. ","desc":"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.","descriptions":[{"label":"default","data":"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated."},{"label":"check","data":"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \"1\" is not returned, this is a finding."},{"label":"fix","data":"Configure the system to run in FIPS mode. Add \"fips=1\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \"Ubuntu\nAdvantage\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS."}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000396-GPOS-00176 ","satisfies":["SRG-OS-000396-GPOS-00176","SRG-OS-000478-GPOS-00223"],"gid":"V-238363 ","rid":"SV-238363r853438_rule ","stig_id":"UBTU-20-010442 ","fix_id":"F-41532r654263_fix ","cci":["CCI-002450"],"nist":["SC-13 b"]},"code":"control 'SV-238363' do\n title \"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. \"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.\n\n \"\n desc 'check', \"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \\\"1\\\" is not returned, this is a finding. \"\n desc 'fix', \"Configure the system to run in FIPS mode. Add \\\"fips=1\\\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \\\"Ubuntu\nAdvantage\\\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000396-GPOS-00176 '\n tag satisfies: %w(SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223)\n tag gid: 'V-238363 '\n tag rid: 'SV-238363r853438_rule '\n tag stig_id: 'UBTU-20-010442 '\n tag fix_id: 'F-41532r654263_fix '\n tag cci: ['CCI-002450']\n tag nist: ['SC-13 b']\n\n disable_fips = input('disable_fips')\n\n if disable_fips?\n impact 0.0\n describe \"Control not applicable\" do\n skip \"Control not applicable\"\n end\n elsif virtualization.system.eql?('docker')\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\n else\n config_file = input('fips_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe file(config_file) do\n its('content') { should match /\\A1\\Z/ }\n end\n else\n describe('FIPS is enabled') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238363.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238363.rb:1 ","run_time":0.007205,"start_time":"2022-12-07T14:54:36-05:00","message":"undefined method `disable_fips?' for #\"Use of weak or untested encryption algorithms undermines the purposes of utilizing\\nencryption to protect data. The operating system must implement cryptographic modules\\nadhering to the higher standards approved by the federal government since this provides\\nassurance they have been tested and validated.\", :check=>\"Verify the system is configured to run in FIPS mode with the following command:\\n\\n$ grep -i 1\\n/proc/sys/crypto/fips_enabled\\n1\\n\\nIf a value of \\\"1\\\" is not returned, this is a finding.\", :fix=>\"Configure the system to run in FIPS mode. Add \\\"fips=1\\\" to the kernel parameter during the\\nUbuntu operating systems install.\\n\\nEnabling a FIPS mode on a pre-existing system involves a\\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\\n140-2 security policy document for instructions.\\n\\nA subscription to the \\\"Ubuntu\\nAdvantage\\\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\\nenable FIPS.\"}, @refs=[], @tags={:severity=>\"high \", :gtitle=>\"SRG-OS-000396-GPOS-00176 \", :satisfies=>[\"SRG-OS-000396-GPOS-00176\", \"SRG-OS-000478-GPOS-00223\"], :gid=>\"V-238363 \", :rid=>\"SV-238363r853438_rule \", :stig_id=>\"UBTU-20-010442 \", :fix_id=>\"F-41532r654263_fix \", :cci=>[\"CCI-002450\"], :nist=>[\"SC-13 b\"]}, @resource_dsl=#, @__code=nil, @__block=#, @__source_location={:ref=>\"./controls/SV-238363.rb\", :line=>1}, @__rule_id=\"SV-238363\", @__profile_id=\"Canonical_Ubuntu_20-04_LTS_STIG\", @__checks=[[\"describe\", [\"Control Source Code Error\"], #]], @__skip_rule={}, @__merge_count=0, @__merge_changes=[], @__skip_only_if_eval=false, @__file=\"./controls/SV-238363.rb\", @__group_title=nil>","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238363.rb:1"}]},{"id":"SV-238364","title":"The Ubuntu operating system must only allow the use of DoD PKI-established certificate\nauthorities for verification of the establishment of protected sessions. ","desc":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates.","descriptions":[{"label":"default","data":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates."},{"label":"check","data":"Verify the directory containing the root certificates for the Ubuntu operating system\n(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate\nauthorities.\n\nDetermine if \"/etc/ssl/certs\" only contains certificate files whose\nsha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities\nwith the following command:\n\n$ for f in $(realpath /etc/ssl/certs/*); do openssl x509\n-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)';\ndone\n\nIf any entry is found, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to only allow the use of DoD PKI-established\ncertificate authorities for verification of the establishment of protected sessions.\n\n\nEdit the \"/etc/ca-certificates.conf\" file, adding the character \"!\" to the beginning of\nall uncommented lines that do not start with the \"!\" character with the following command:\n\n$\nsudo sed -i -E 's/^([^!#]+)/!\\1/' /etc/ca-certificates.conf\n\nAdd at least one DoD\ncertificate authority to the \"/usr/local/share/ca-certificates\" directory in the PEM\nformat.\n\nUpdate the \"/etc/ssl/certs\" directory with the following command:\n\n$ sudo\nupdate-ca-certificates"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000403-GPOS-00182 ","gid":"V-238364 ","rid":"SV-238364r860824_rule ","stig_id":"UBTU-20-010443 ","fix_id":"F-41533r860823_fix ","cci":["CCI-002470"],"nist":["SC-23 (5)"]},"code":"control 'SV-238364' do\n title \"The Ubuntu operating system must only allow the use of DoD PKI-established certificate\nauthorities for verification of the establishment of protected sessions. \"\n desc \"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates. \"\n desc 'check', \"Verify the directory containing the root certificates for the Ubuntu operating system\n(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate\nauthorities.\n\nDetermine if \\\"/etc/ssl/certs\\\" only contains certificate files whose\nsha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities\nwith the following command:\n\n$ for f in $(realpath /etc/ssl/certs/*); do openssl x509\n-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)';\ndone\n\nIf any entry is found, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to only allow the use of DoD PKI-established\ncertificate authorities for verification of the establishment of protected sessions.\n\n\nEdit the \\\"/etc/ca-certificates.conf\\\" file, adding the character \\\"!\\\" to the beginning of\nall uncommented lines that do not start with the \\\"!\\\" character with the following command:\n\n$\nsudo sed -i -E 's/^([^!#]+)/!\\\\1/' /etc/ca-certificates.conf\n\nAdd at least one DoD\ncertificate authority to the \\\"/usr/local/share/ca-certificates\\\" directory in the PEM\nformat.\n\nUpdate the \\\"/etc/ssl/certs\\\" directory with the following command:\n\n$ sudo\nupdate-ca-certificates \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000403-GPOS-00182 '\n tag gid: 'V-238364 '\n tag rid: 'SV-238364r860824_rule '\n tag stig_id: 'UBTU-20-010443 '\n tag fix_id: 'F-41533r860823_fix '\n tag cci: ['CCI-002470']\n tag nist: ['SC-23 (5)']\n\n allowed_ca_fingerprints_regex = input('allowed_ca_fingerprints_regex')\n find_command = ''\"\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '#{allowed_ca_fingerprints_regex}'\n done\n \"''\n describe command(find_command) do\n its('stdout') { should cmp '' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238364.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Command: `\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'\n done\n ` stdout is expected to cmp == \"\"","run_time":0.08347,"start_time":"2022-12-07T14:54:36-05:00","resource_class":"command","resource_params":"[\"\\n for f in $(find -L /etc/ssl/certs -type f); do\\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'\\n done\\n \"]","resource_id":"Command: `\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'\n done\n `"}]},{"id":"SV-238365","title":"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\nmodification of all information at rest. ","desc":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).","descriptions":[{"label":"default","data":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields)."},{"label":"check","data":"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n$\nsudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding."},{"label":"fix","data":"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000404-GPOS-00183 ","gid":"V-238365 ","rid":"SV-238365r853442_rule ","stig_id":"UBTU-20-010444 ","fix_id":"F-41534r654269_fix ","cci":["CCI-002475"],"nist":["SC-28 (1)"]},"code":"control 'SV-238365' do\n title \"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\nmodification of all information at rest. \"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n$\nsudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000404-GPOS-00183 '\n tag gid: 'V-238365 '\n tag rid: 'SV-238365r853442_rule '\n tag stig_id: 'UBTU-20-010444 '\n tag fix_id: 'F-41534r654269_fix '\n tag cci: ['CCI-002475']\n tag nist: ['SC-28 (1)']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238365.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Not Applicable","run_time":1.4e-05,"start_time":"2022-12-07T14:54:36-05:00","resource":"","skip_message":"Encryption of data at rest is handled by the IaaS","resource_class":"Object","resource_params":"[]","resource_id":"Not Applicable"}]},{"id":"SV-238366","title":"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\ndisclosure of all information at rest. ","desc":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).","descriptions":[{"label":"default","data":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields)."},{"label":"check","data":"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n$sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding."},{"label":"fix","data":"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000405-GPOS-00184 ","gid":"V-238366 ","rid":"SV-238366r853443_rule ","stig_id":"UBTU-20-010445 ","fix_id":"F-41535r654272_fix ","cci":["CCI-002476"],"nist":["SC-28 (1)"]},"code":"control 'SV-238366' do\n title \"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\ndisclosure of all information at rest. \"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n$sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000405-GPOS-00184 '\n tag gid: 'V-238366 '\n tag rid: 'SV-238366r853443_rule '\n tag stig_id: 'UBTU-20-010445 '\n tag fix_id: 'F-41535r654272_fix '\n tag cci: ['CCI-002476']\n tag nist: ['SC-28 (1)']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238366.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Not Applicable","run_time":2.3e-05,"start_time":"2022-12-07T14:54:37-05:00","resource":"","skip_message":"Encryption of data at rest is handled by the IaaS","resource_class":"Object","resource_params":"[]","resource_id":"Not Applicable"}]},{"id":"SV-238367","title":"The Ubuntu operating system must configure the uncomplicated firewall to rate-limit\nimpacted network interfaces. ","desc":"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks.","descriptions":[{"label":"default","data":"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks."},{"label":"check","data":"Verify an application firewall is configured to rate limit any connection to the system.\n\n\nCheck all the services listening to the ports with the following command:\n\n$ sudo ss -l46ut\n\n\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128\n[::]:ssh [::]:*\n\nFor each entry, verify that the Uncomplicated Firewall is configured to\nrate limit the service ports with the following command:\n\n$ sudo ufw status\n\nStatus: active\n\n\nTo Action From\n-- ------ ----\n22/tcp LIMIT Anywhere\n22/tcp (v6) LIMIT Anywhere (v6)\n\nIf\nany port with a state of \"LISTEN\" is not marked with the \"LIMIT\" action, this is a finding."},{"label":"fix","data":"Configure the application firewall to protect against or limit the effects of DoS attacks by\nensuring the Ubuntu operating system is implementing rate-limiting measures on impacted\nnetwork interfaces.\n\nCheck all the services listening to the ports with the following\ncommand:\n\n$ sudo ss -l46ut\n\nNetid State Recv-Q Send-Q Local Address:Port Peer\nAddress:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*\n\nFor each service with a port\nlistening to connections, run the following command, replacing \"[service]\" with the\nservice that needs to be rate limited.\n\n$ sudo ufw limit [service]\n\nRate-limiting can also\nbe done on an interface. An example of adding a rate-limit on the eth0 interface follows:\n\n$\nsudo ufw limit in on eth0"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000420-GPOS-00186 ","gid":"V-238367 ","rid":"SV-238367r853444_rule ","stig_id":"UBTU-20-010446 ","fix_id":"F-41536r654275_fix ","cci":["CCI-002385"],"nist":["SC-5 a"]},"code":"control 'SV-238367' do\n title \"The Ubuntu operating system must configure the uncomplicated firewall to rate-limit\nimpacted network interfaces. \"\n desc \"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks. \"\n desc 'check', \"Verify an application firewall is configured to rate limit any connection to the system.\n\n\nCheck all the services listening to the ports with the following command:\n\n$ sudo ss -l46ut\n\n\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128\n[::]:ssh [::]:*\n\nFor each entry, verify that the Uncomplicated Firewall is configured to\nrate limit the service ports with the following command:\n\n$ sudo ufw status\n\nStatus: active\n\n\nTo Action From\n-- ------ ----\n22/tcp LIMIT Anywhere\n22/tcp (v6) LIMIT Anywhere (v6)\n\nIf\nany port with a state of \\\"LISTEN\\\" is not marked with the \\\"LIMIT\\\" action, this is a finding. \"\n desc 'fix', \"Configure the application firewall to protect against or limit the effects of DoS attacks by\nensuring the Ubuntu operating system is implementing rate-limiting measures on impacted\nnetwork interfaces.\n\nCheck all the services listening to the ports with the following\ncommand:\n\n$ sudo ss -l46ut\n\nNetid State Recv-Q Send-Q Local Address:Port Peer\nAddress:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*\n\nFor each service with a port\nlistening to connections, run the following command, replacing \\\"[service]\\\" with the\nservice that needs to be rate limited.\n\n$ sudo ufw limit [service]\n\nRate-limiting can also\nbe done on an interface. An example of adding a rate-limit on the eth0 interface follows:\n\n$\nsudo ufw limit in on eth0 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000420-GPOS-00186 '\n tag gid: 'V-238367 '\n tag rid: 'SV-238367r853444_rule '\n tag stig_id: 'UBTU-20-010446 '\n tag fix_id: 'F-41536r654275_fix '\n tag cci: ['CCI-002385']\n tag nist: ['SC-5 a']\n\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238367.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Status listings for any allowed services, ports, or applications must be documented with the organization","run_time":1.5e-05,"start_time":"2022-12-07T14:54:37-05:00","resource":"","skip_message":"Status listings checks must be preformed manually","resource_class":"Object","resource_params":"[]","resource_id":"Status listings for any allowed services, ports, or applications must be documented with the organization"}]},{"id":"SV-238368","title":"The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. ","desc":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks.","descriptions":[{"label":"default","data":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks."},{"label":"check","data":"Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \"execute disable\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\"dmesg\" does not show \"NX (Execute Disable) protection: active\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \"flags\" does not contain the \"nx\" flag, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to enable NX.\n\nIf \"nx\" is not showing up in\n\"/proc/cpuinfo\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \"enable\"."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000433-GPOS-00192 ","gid":"V-238368 ","rid":"SV-238368r853445_rule ","stig_id":"UBTU-20-010447 ","fix_id":"F-41537r654278_fix ","cci":["CCI-002824"],"nist":["SI-16"]},"code":"control 'SV-238368' do\n title \"The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \\\"execute disable\\\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\\\"dmesg\\\" does not show \\\"NX (Execute Disable) protection: active\\\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \\\"flags\\\" does not contain the \\\"nx\\\" flag, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enable NX.\n\nIf \\\"nx\\\" is not showing up in\n\\\"/proc/cpuinfo\\\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \\\"enable\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00192 '\n tag gid: 'V-238368 '\n tag rid: 'SV-238368r853445_rule '\n tag stig_id: 'UBTU-20-010447 '\n tag fix_id: 'F-41537r654278_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/,\n }\n describe.one do\n describe command('dmesg | grep NX').stdout.strip do\n it { should match /.+(NX \\(Execute Disable\\) protection: active)/ }\n end\n describe parse_config_file('/proc/cpuinfo', options).flags.split(' ') do\n it { should include 'nx' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238368.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238368.rb:1 ","run_time":0.001713,"start_time":"2022-12-07T14:54:37-05:00","message":"undefined method `split' for nil:NilClass","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238368.rb:1"}]},{"id":"SV-238369","title":"The Ubuntu operating system must implement address space layout randomization to protect\nits memory from unauthorized code execution. ","desc":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks.","descriptions":[{"label":"default","data":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks."},{"label":"check","data":"Verify the Ubuntu operating system implements address space layout randomization (ASLR)\nwith the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\n\nkernel.randomize_va_space = 2\n\nIf nothing is returned, verify the kernel parameter\n\"randomize_va_space\" is set to \"2\" with the following command:\n\n$ cat\n/proc/sys/kernel/randomize_va_space\n\n2\n\nIf \"kernel.randomize_va_space\" is not set to\n\"2\", this is a finding.\n\nVerify that a saved value of the \"kernel.randomize_va_space\"\nvariable is not defined.\n\n$ sudo egrep -R \"^kernel.randomize_va_space=[^2]\"\n/etc/sysctl.conf /etc/sysctl.d\n\nIf this returns a result, this is a finding."},{"label":"fix","data":"Remove the \"kernel.randomize_va_space\" entry found in the \"/etc/sysctl.conf\" file or any\nfile located in the \"/etc/sysctl.d/\" directory.\n\nAfter the line has been removed, the\nkernel settings from all system configuration files must be reloaded before any of the\nchanges will take effect. Run the following command to reload all of the kernel system\nconfiguration files:\n\n$ sudo sysctl --system"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000433-GPOS-00193 ","gid":"V-238369 ","rid":"SV-238369r853446_rule ","stig_id":"UBTU-20-010448 ","fix_id":"F-41538r654281_fix ","cci":["CCI-002824"],"nist":["SI-16"]},"code":"control 'SV-238369' do\n title \"The Ubuntu operating system must implement address space layout randomization to protect\nits memory from unauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the Ubuntu operating system implements address space layout randomization (ASLR)\nwith the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\n\nkernel.randomize_va_space = 2\n\nIf nothing is returned, verify the kernel parameter\n\\\"randomize_va_space\\\" is set to \\\"2\\\" with the following command:\n\n$ cat\n/proc/sys/kernel/randomize_va_space\n\n2\n\nIf \\\"kernel.randomize_va_space\\\" is not set to\n\\\"2\\\", this is a finding.\n\nVerify that a saved value of the \\\"kernel.randomize_va_space\\\"\nvariable is not defined.\n\n$ sudo egrep -R \\\"^kernel.randomize_va_space=[^2]\\\"\n/etc/sysctl.conf /etc/sysctl.d\n\nIf this returns a result, this is a finding. \"\n desc 'fix', \"Remove the \\\"kernel.randomize_va_space\\\" entry found in the \\\"/etc/sysctl.conf\\\" file or any\nfile located in the \\\"/etc/sysctl.d/\\\" directory.\n\nAfter the line has been removed, the\nkernel settings from all system configuration files must be reloaded before any of the\nchanges will take effect. Run the following command to reload all of the kernel system\nconfiguration files:\n\n$ sudo sysctl --system \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00193 '\n tag gid: 'V-238369 '\n tag rid: 'SV-238369r853446_rule '\n tag stig_id: 'UBTU-20-010448 '\n tag fix_id: 'F-41538r654281_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n\n describe kernel_parameter('kernel.randomize_va_space') do\n its('value') { should cmp 2 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238369.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Kernel Parameter kernel.randomize_va_space value is expected to cmp == 2","run_time":0.113521,"start_time":"2022-12-07T14:54:37-05:00","resource_class":"kernel_parameter","resource_params":"[\"kernel.randomize_va_space\"]","resource_id":"kernel.randomize_va_space"}]},{"id":"SV-238370","title":"The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. ","desc":"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system.","descriptions":[{"label":"default","data":"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system."},{"label":"check","data":"Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";\n\nIf the\n\"::Remove-Unused-Dependencies\" and \"::Remove-Unused-Kernel-Packages\" parameters are\nnot set to \"true\" or are missing or commented out, this is a finding."},{"label":"fix","data":"Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\"/etc/apt/apt.conf.d/50unattended-upgrades\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000437-GPOS-00194 ","gid":"V-238370 ","rid":"SV-238370r853447_rule ","stig_id":"UBTU-20-010449 ","fix_id":"F-41539r654284_fix ","cci":["CCI-002617"],"nist":["SI-2 (6)"]},"code":"control 'SV-238370' do\n title \"The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. \"\n desc \"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system. \"\n desc 'check', \"Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\";\n\nIf the\n\\\"::Remove-Unused-Dependencies\\\" and \\\"::Remove-Unused-Kernel-Packages\\\" parameters are\nnot set to \\\"true\\\" or are missing or commented out, this is a finding. \"\n desc 'fix', \"Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\\\"/etc/apt/apt.conf.d/50unattended-upgrades\\\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000437-GPOS-00194 '\n tag gid: 'V-238370 '\n tag rid: 'SV-238370r853447_rule '\n tag stig_id: 'UBTU-20-010449 '\n tag fix_id: 'F-41539r654284_fix '\n tag cci: ['CCI-002617']\n tag nist: ['SI-2 (6)']\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n describe command('grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades').stdout.strip do\n it { should match /^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/ }\n it { should match /^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/ }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238370.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /etc/apt/apt.conf.d is expected to exist","run_time":0.000297,"start_time":"2022-12-07T14:54:37-05:00","resource_class":"directory","resource_params":"[\"/etc/apt/apt.conf.d\"]","resource_id":"/etc/apt/apt.conf.d"},{"status":"failed","code_desc":"is expected to match /^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/","run_time":0.000794,"start_time":"2022-12-07T14:54:37-05:00","message":"expected \"\" to match /^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/\nDiff:\n@@ -1 +1 @@\n-/^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/\n+\"\"\n","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected to match /^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/","run_time":0.007542,"start_time":"2022-12-07T14:54:37-05:00","message":"expected \"\" to match /^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/\nDiff:\n@@ -1 +1 @@\n-/^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/\n+\"\"\n","resource_class":"Object","resource_params":"[]","resource_id":""}]},{"id":"SV-238371","title":"The Ubuntu operating system must use a file integrity tool to verify correct operation of all\nsecurity functions. ","desc":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality.","descriptions":[{"label":"default","data":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the\ncorrect operation of all security functions.\n\nCheck that the AIDE package is installed with\nthe following command:\n\n$ sudo dpkg -l | grep aide\nii aide 0.16.1-1build2 amd64 Advanced\nIntrusion Detection Environment - static binary\n\nIf AIDE is not installed, ask the System\nAdministrator how file integrity checks are performed on the system.\n\nIf no application is\ninstalled to perform integrity checks, this is a finding."},{"label":"fix","data":"Install the AIDE package by running the following command:\n\n$ sudo apt-get install aide"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000445-GPOS-00199 ","gid":"V-238371 ","rid":"SV-238371r853448_rule ","stig_id":"UBTU-20-010450 ","fix_id":"F-41540r654287_fix ","cci":["CCI-002696"],"nist":["SI-6 a"]},"code":"control 'SV-238371' do\n title \"The Ubuntu operating system must use a file integrity tool to verify correct operation of all\nsecurity functions. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the\ncorrect operation of all security functions.\n\nCheck that the AIDE package is installed with\nthe following command:\n\n$ sudo dpkg -l | grep aide\nii aide 0.16.1-1build2 amd64 Advanced\nIntrusion Detection Environment - static binary\n\nIf AIDE is not installed, ask the System\nAdministrator how file integrity checks are performed on the system.\n\nIf no application is\ninstalled to perform integrity checks, this is a finding. \"\n desc 'fix', \"Install the AIDE package by running the following command:\n\n$ sudo apt-get install aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000445-GPOS-00199 '\n tag gid: 'V-238371 '\n tag rid: 'SV-238371r853448_rule '\n tag stig_id: 'UBTU-20-010450 '\n tag fix_id: 'F-41540r654287_fix '\n tag cci: ['CCI-002696']\n tag nist: ['SI-6 a']\n\n describe package('aide') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238371.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package aide is expected to be installed","run_time":0.087498,"start_time":"2022-12-07T14:54:37-05:00","message":"expected that `System Package aide` is installed","resource_class":"package","resource_params":"[\"aide\"]","resource_id":"aide"}]},{"id":"SV-238372","title":"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. ","desc":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item.","descriptions":[{"label":"default","data":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \"yes\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \"SILENTREPORTS\"\nparameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000447-GPOS-00201 ","gid":"V-238372 ","rid":"SV-238372r853449_rule ","stig_id":"UBTU-20-010451 ","fix_id":"F-41541r654290_fix ","cci":["CCI-002702"],"nist":["SI-6 d"]},"code":"control 'SV-238372' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \\\"yes\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000447-GPOS-00201 '\n tag gid: 'V-238372 '\n tag rid: 'SV-238372r853449_rule '\n tag stig_id: 'UBTU-20-010451 '\n tag fix_id: 'F-41541r654290_fix '\n tag cci: ['CCI-002702']\n tag nist: ['SI-6 d']\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238372.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /etc/default/aide is expected to exist","run_time":0.000972,"start_time":"2022-12-07T14:54:37-05:00","message":"expected File /etc/default/aide to exist","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"},{"status":"failed","code_desc":"File /etc/default/aide content is expected to match \"^SILENTREPORTS=no$\"","run_time":0.00133,"start_time":"2022-12-07T14:54:37-05:00","message":"expected nil to match \"^SILENTREPORTS=no$\"","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"}]},{"id":"SV-238373","title":"The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. ","desc":"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections.","descriptions":[{"label":"default","data":"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections."},{"label":"check","data":"Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\"pam_lastlog\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \"pam_lastlog\" is\nmissing from \"/etc/pam.d/login\" file, is not \"required\", or the \"silent\" option is present,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\"/etc/pam.d/login\".\n\nAdd the following line to the top of \"/etc/pam.d/login\":\n\nsession\nrequired pam_lastlog.so showfailed"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238373 ","rid":"SV-238373r858539_rule ","stig_id":"UBTU-20-010453 ","fix_id":"F-41542r654293_fix ","cci":["CCI-000052"],"nist":["AC-9"]},"code":"control 'SV-238373' do\n title \"The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. \"\n desc \"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections. \"\n desc 'check', \"Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\\\"pam_lastlog\\\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \\\"pam_lastlog\\\" is\nmissing from \\\"/etc/pam.d/login\\\" file, is not \\\"required\\\", or the \\\"silent\\\" option is present,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\\\"/etc/pam.d/login\\\".\n\nAdd the following line to the top of \\\"/etc/pam.d/login\\\":\n\nsession\nrequired pam_lastlog.so showfailed \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238373 '\n tag rid: 'SV-238373r858539_rule '\n tag stig_id: 'UBTU-20-010453 '\n tag fix_id: 'F-41542r654293_fix '\n tag cci: ['CCI-000052']\n tag nist: ['AC-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep pam_lastlog /etc/pam.d/login') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*session\\s+required\\s+pam_lastlog.so/ }\n its('stdout.strip') { should_not match /^\\s*session\\s+required\\s+pam_lastlog.so[\\s\\w\\d\\=]+.*silent/ }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238373.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.9e-05,"start_time":"2022-12-07T14:54:37-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238374","title":"The Ubuntu operating system must have an application firewall enabled. ","desc":"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network.","descriptions":[{"label":"default","data":"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network."},{"label":"check","data":"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl status ufw.service | grep -i \"active:\"\n\nActive: active (exited) since Mon\n2016-10-17 12:30:29 CDT; 1s ago\n\nIf the above command returns the status as \"inactive\", this\nis a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator\nif another application firewall is installed. If no application firewall is installed, this\nis a finding."},{"label":"fix","data":"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\nufw.service\n\nIf the Uncomplicated Firewall is not currently running on the system, start it\nwith the following command:\n\n$ sudo systemctl start ufw.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00232 ","gid":"V-238374 ","rid":"SV-238374r654297_rule ","stig_id":"UBTU-20-010454 ","fix_id":"F-41543r654296_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238374' do\n title 'The Ubuntu operating system must have an application firewall enabled. '\n desc \"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network. \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl status ufw.service | grep -i \\\"active:\\\"\n\nActive: active (exited) since Mon\n2016-10-17 12:30:29 CDT; 1s ago\n\nIf the above command returns the status as \\\"inactive\\\", this\nis a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator\nif another application firewall is installed. If no application firewall is installed, this\nis a finding. \"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\nufw.service\n\nIf the Uncomplicated Firewall is not currently running on the system, start it\nwith the following command:\n\n$ sudo systemctl start ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00232 '\n tag gid: 'V-238374 '\n tag rid: 'SV-238374r654297_rule '\n tag stig_id: 'UBTU-20-010454 '\n tag fix_id: 'F-41543r654296_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238374.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service ufw is expected to be installed","run_time":0.001391,"start_time":"2022-12-07T14:54:38-05:00","message":"expected that `Service ufw` is installed","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be enabled","run_time":0.002503,"start_time":"2022-12-07T14:54:38-05:00","message":"expected that `Service ufw` is enabled","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be running","run_time":0.001172,"start_time":"2022-12-07T14:54:38-05:00","message":"expected that `Service ufw` is running","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"}]},{"id":"SV-238376","title":"The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. ","desc":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system commands contained in the following directories have mode 0755 or less\npermissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\n\nCheck that the system command files have mode 0755 or less permissive with the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec stat -c \"%n %a\" '{}' \\;\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding."},{"label":"fix","data":"Configure the system commands to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec chmod 755 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238376 ","rid":"SV-238376r654303_rule ","stig_id":"UBTU-20-010456 ","fix_id":"F-41545r654302_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238376' do\n title 'The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. '\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories have mode 0755 or less\npermissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\n\nCheck that the system command files have mode 0755 or less permissive with the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. \"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238376 '\n tag rid: 'SV-238376r654303_rule '\n tag stig_id: 'UBTU-20-010456 '\n tag fix_id: 'F-41545r654302_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238376.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755 count is expected to eq 0","run_time":0.001242,"start_time":"2022-12-07T14:54:38-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238377","title":"The Ubuntu operating system must have system commands owned by root or a system account. ","desc":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system commands contained in the following directories are owned by root, or a\nrequired system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nUse the following command for the check:\n\n$ sudo find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \"%n %U\"\n'{}' \\;\n\nIf any system commands are returned and are not owned by a required system account,\nthis is a finding."},{"label":"fix","data":"Configure the system commands and their respective parent directories to be protected from\nunauthorized access. Run the following command, replacing \"[FILE]\" with any system command\nfile not owned by \"root\" or a required system account:\n\n$ sudo chown root [FILE]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238377 ","rid":"SV-238377r832968_rule ","stig_id":"UBTU-20-010457 ","fix_id":"F-41546r832967_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238377' do\n title 'The Ubuntu operating system must have system commands owned by root or a system account. '\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories are owned by root, or a\nrequired system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nUse the following command for the check:\n\n$ sudo find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \\\"%n %U\\\"\n'{}' \\\\;\n\nIf any system commands are returned and are not owned by a required system account,\nthis is a finding. \"\n desc 'fix', \"Configure the system commands and their respective parent directories to be protected from\nunauthorized access. Run the following command, replacing \\\"[FILE]\\\" with any system command\nfile not owned by \\\"root\\\" or a required system account:\n\n$ sudo chown root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238377 '\n tag rid: 'SV-238377r832968_rule '\n tag stig_id: 'UBTU-20-010457 '\n tag fix_id: 'F-41546r832967_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238377.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root count is expected to eq 0","run_time":0.00013,"start_time":"2022-12-07T14:54:38-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238378","title":"The Ubuntu operating system must have system commands group-owned by root or a system\naccount. ","desc":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system commands contained in the following directories are group-owned by root or\na required system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nRun the check with the following command:\n\n$ sudo find -L /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec\nstat -c \"%n %G\" '{}' \\;\n\nIf any system commands are returned that are not Set Group ID upon\nexecution (SGID) files and group-owned by a required system account, this is a finding."},{"label":"fix","data":"Configure the system commands to be protected from unauthorized access. Run the following\ncommand, replacing \"[FILE]\" with any system command file not group-owned by \"root\" or a\nrequired system account:\n\n$ sudo chgrp root [FILE]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238378 ","rid":"SV-238378r832971_rule ","stig_id":"UBTU-20-010458 ","fix_id":"F-41547r832970_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238378' do\n title \"The Ubuntu operating system must have system commands group-owned by root or a system\naccount. \"\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories are group-owned by root or\na required system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nRun the check with the following command:\n\n$ sudo find -L /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec\nstat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands are returned that are not Set Group ID upon\nexecution (SGID) files and group-owned by a required system account, this is a finding. \"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. Run the following\ncommand, replacing \\\"[FILE]\\\" with any system command file not group-owned by \\\"root\\\" or a\nrequired system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238378 '\n tag rid: 'SV-238378r832971_rule '\n tag stig_id: 'UBTU-20-010458 '\n tag fix_id: 'F-41547r832970_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -perm /2000 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are not Set Group ID up on execution (SGID) files and owned by a privileged account' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238378.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"File /bin/wall is expected not to be more permissive than \"0755\"","run_time":0.086797,"start_time":"2022-12-07T14:54:38-05:00","resource_class":"file","resource_params":"[\"/bin/wall\"]","resource_id":"/bin/wall"},{"status":"passed","code_desc":"File /bin/chage is expected not to be more permissive than \"0755\"","run_time":0.054039,"start_time":"2022-12-07T14:54:38-05:00","resource_class":"file","resource_params":"[\"/bin/chage\"]","resource_id":"/bin/chage"},{"status":"passed","code_desc":"File /bin/expiry is expected not to be more permissive than \"0755\"","run_time":0.058401,"start_time":"2022-12-07T14:54:38-05:00","resource_class":"file","resource_params":"[\"/bin/expiry\"]","resource_id":"/bin/expiry"},{"status":"passed","code_desc":"File /sbin/pam_extrausers_chkpwd is expected not to be more permissive than \"0755\"","run_time":0.068712,"start_time":"2022-12-07T14:54:38-05:00","resource_class":"file","resource_params":"[\"/sbin/pam_extrausers_chkpwd\"]","resource_id":"/sbin/pam_extrausers_chkpwd"},{"status":"passed","code_desc":"File /sbin/unix_chkpwd is expected not to be more permissive than \"0755\"","run_time":0.071113,"start_time":"2022-12-07T14:54:38-05:00","resource_class":"file","resource_params":"[\"/sbin/unix_chkpwd\"]","resource_id":"/sbin/unix_chkpwd"},{"status":"passed","code_desc":"File /usr/bin/wall is expected not to be more permissive than \"0755\"","run_time":0.05648,"start_time":"2022-12-07T14:54:38-05:00","resource_class":"file","resource_params":"[\"/usr/bin/wall\"]","resource_id":"/usr/bin/wall"},{"status":"passed","code_desc":"File /usr/bin/chage is expected not to be more permissive than \"0755\"","run_time":0.049994,"start_time":"2022-12-07T14:54:38-05:00","resource_class":"file","resource_params":"[\"/usr/bin/chage\"]","resource_id":"/usr/bin/chage"},{"status":"passed","code_desc":"File /usr/bin/expiry is expected not to be more permissive than \"0755\"","run_time":0.069141,"start_time":"2022-12-07T14:54:38-05:00","resource_class":"file","resource_params":"[\"/usr/bin/expiry\"]","resource_id":"/usr/bin/expiry"},{"status":"passed","code_desc":"File /usr/sbin/pam_extrausers_chkpwd is expected not to be more permissive than \"0755\"","run_time":0.054755,"start_time":"2022-12-07T14:54:38-05:00","resource_class":"file","resource_params":"[\"/usr/sbin/pam_extrausers_chkpwd\"]","resource_id":"/usr/sbin/pam_extrausers_chkpwd"},{"status":"passed","code_desc":"File /usr/sbin/unix_chkpwd is expected not to be more permissive than \"0755\"","run_time":0.049479,"start_time":"2022-12-07T14:54:38-05:00","resource_class":"file","resource_params":"[\"/usr/sbin/unix_chkpwd\"]","resource_id":"/usr/sbin/unix_chkpwd"}]},{"id":"SV-238379","title":"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. ","desc":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken.","descriptions":[{"label":"default","data":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken."},{"label":"check","data":"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \"logout\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \"logout\" key is bound to an action, is\ncommented out, or is missing, this is a finding."},{"label":"fix","data":"Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238379 ","rid":"SV-238379r654312_rule ","stig_id":"UBTU-20-010459 ","fix_id":"F-41548r654311_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238379' do\n title \"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. \"\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \\\"logout\\\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \\\"logout\\\" key is bound to an action, is\ncommented out, or is missing, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238379 '\n tag rid: 'SV-238379r654312_rule '\n tag stig_id: 'UBTU-20-010459 '\n tag fix_id: 'F-41548r654311_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe command(\"grep -R logout='' /etc/dconf/db/local.d/\").stdout.strip.split(\"\\n\").entries do\n its('count') { should_not eq 0 }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238379.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"1","run_time":1.9e-05,"start_time":"2022-12-07T14:54:39-05:00","resource":"1","skip_message":"GUI not installed.\nwhich Xorg exit_status: 1","resource_class":"Numeric","resource_params":"[]","resource_id":""}]},{"id":"SV-238380","title":"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. ","desc":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot.","descriptions":[{"label":"default","data":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot."},{"label":"check","data":"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\nCheck that the \"ctrl-alt-del.target\" (otherwise also known\nas reboot.target) is not active with the following command:\n\n$ sudo systemctl status\nctrl-alt-del.target\nctrl-alt-del.target\nLoaded: masked (Reason: Unit\nctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \"ctrl-alt-del.target\"\nis not masked, this is a finding."},{"label":"fix","data":"Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the\nfollowing commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl\nmask ctrl-alt-del.target\n\nReload the daemon to take effect:\n\n$ sudo systemctl\ndaemon-reload"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238380 ","rid":"SV-238380r832974_rule ","stig_id":"UBTU-20-010460 ","fix_id":"F-41549r832973_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238380' do\n title 'The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. '\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\nCheck that the \\\"ctrl-alt-del.target\\\" (otherwise also known\nas reboot.target) is not active with the following command:\n\n$ sudo systemctl status\nctrl-alt-del.target\nctrl-alt-del.target\nLoaded: masked (Reason: Unit\nctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \\\"ctrl-alt-del.target\\\"\nis not masked, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the\nfollowing commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl\nmask ctrl-alt-del.target\n\nReload the daemon to take effect:\n\n$ sudo systemctl\ndaemon-reload \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238380 '\n tag rid: 'SV-238380r832974_rule '\n tag stig_id: 'UBTU-20-010460 '\n tag fix_id: 'F-41549r832973_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe service('ctrl-alt-del.target') do\n it { should_not be_running }\n it { should_not be_enabled }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238380.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Service ctrl-alt-del.target is expected not to be running","run_time":0.085026,"start_time":"2022-12-07T14:54:39-05:00","resource_class":"service","resource_params":"[\"ctrl-alt-del.target\"]","resource_id":"ctrl-alt-del.target"},{"status":"passed","code_desc":"Service ctrl-alt-del.target is expected not to be enabled","run_time":0.00073,"start_time":"2022-12-07T14:54:39-05:00","resource_class":"service","resource_params":"[\"ctrl-alt-del.target\"]","resource_id":"ctrl-alt-del.target"}]},{"id":"SV-251503","title":"The Ubuntu operating system must not have accounts configured with blank or null passwords. ","desc":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.","descriptions":[{"label":"default","data":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments."},{"label":"check","data":"Check the \"/etc/shadow\" file for blank passwords with the following command:\n\n$ sudo awk -F:\n'!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding."},{"label":"fix","data":"Configure all accounts on the system to have a password or lock the account with the following\ncommands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo\npasswd -l [username]"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-251503 ","rid":"SV-251503r808506_rule ","stig_id":"UBTU-20-010462 ","fix_id":"F-54892r808505_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-251503' do\n title 'The Ubuntu operating system must not have accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"Check the \\\"/etc/shadow\\\" file for blank passwords with the following command:\n\n$ sudo awk -F:\n'!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding. \"\n desc 'fix', \"Configure all accounts on the system to have a password or lock the account with the following\ncommands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo\npasswd -l [username] \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251503 '\n tag rid: 'SV-251503r808506_rule '\n tag stig_id: 'UBTU-20-010462 '\n tag fix_id: 'F-54892r808505_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe command(\"sudo awk -F: '!$2 {print $1}' /etc/shadow\") do\n its('stdout') { should be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-251503.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Command: `sudo awk -F: '!$2 {print $1}' /etc/shadow` stdout is expected to be empty","run_time":0.081518,"start_time":"2022-12-07T14:54:39-05:00","resource_class":"command","resource_params":"[\"sudo awk -F: '!$2 {print $1}' /etc/shadow\"]","resource_id":"Command: `sudo awk -F: '!$2 {print $1}' /etc/shadow`"}]},{"id":"SV-251504","title":"The Ubuntu operating system must not allow accounts configured with blank or null passwords. ","desc":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.","descriptions":[{"label":"default","data":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments."},{"label":"check","data":"To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding."},{"label":"fix","data":"If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \"nullok\" option in \"/etc/pam.d/common-password\" to prevent logons with\nempty passwords."}],"impact":0.0,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-251504 ","rid":"SV-251504r832977_rule ","stig_id":"UBTU-20-010463 ","fix_id":"F-54893r832976_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-251504' do\n title 'The Ubuntu operating system must not allow accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding. \"\n desc 'fix', \"If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \\\"nullok\\\" option in \\\"/etc/pam.d/common-password\\\" to prevent logons with\nempty passwords. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251504 '\n tag rid: 'SV-251504r832977_rule '\n tag stig_id: 'UBTU-20-010463 '\n tag fix_id: 'F-54893r832976_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep nullok /etc/pam.d/common-password') do\n its('stdout') { should be_empty }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-251504.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-05,"start_time":"2022-12-07T14:54:39-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-251505","title":"The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB)\nmass storage driver. ","desc":"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers.","descriptions":[{"label":"default","data":"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers."},{"label":"check","data":"Verify that Ubuntu operating system disables ability to load the USB storage kernel\nmodule.\n\n# grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\"\n\ninstall usb-storage\n/bin/true\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding.\n\nVerify the operating system disables the ability to use USB mass storage\ndevice.\n\n# grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"\n\nblacklist\nusb-storage\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to disable using the USB storage kernel module.\n\n\nCreate a file under \"/etc/modprobe.d\" to contain the following:\n\n# sudo su -c \"echo\ninstall usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\"\n\nConfigure the\noperating system to disable the ability to use USB mass storage devices.\n\n# sudo su -c \"echo\nblacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\""}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000378-GPOS-00163 ","gid":"V-251505 ","rid":"SV-251505r853450_rule ","stig_id":"UBTU-20-010461 ","fix_id":"F-54894r808511_fix ","cci":["CCI-001958"],"nist":["IA-3"]},"code":"control 'SV-251505' do\n title \"The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB)\nmass storage driver. \"\n desc \"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers. \"\n desc 'check', \"Verify that Ubuntu operating system disables ability to load the USB storage kernel\nmodule.\n\n# grep usb-storage /etc/modprobe.d/* | grep \\\"/bin/true\\\"\n\ninstall usb-storage\n/bin/true\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding.\n\nVerify the operating system disables the ability to use USB mass storage\ndevice.\n\n# grep usb-storage /etc/modprobe.d/* | grep -i \\\"blacklist\\\"\n\nblacklist\nusb-storage\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable using the USB storage kernel module.\n\n\nCreate a file under \\\"/etc/modprobe.d\\\" to contain the following:\n\n# sudo su -c \\\"echo\ninstall usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\\\"\n\nConfigure the\noperating system to disable the ability to use USB mass storage devices.\n\n# sudo su -c \\\"echo\nblacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\\\" \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000378-GPOS-00163 '\n tag gid: 'V-251505 '\n tag rid: 'SV-251505r853450_rule '\n tag stig_id: 'UBTU-20-010461 '\n tag fix_id: 'F-54894r808511_fix '\n tag cci: ['CCI-001958']\n tag nist: ['IA-3']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\"') do\n its('stdout') { should_not be_empty }\n end\n\n describe command('grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"') do\n its('stdout') { should_not be_empty }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-251505.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":0.00026,"start_time":"2022-12-07T14:54:39-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-252704","title":"The Ubuntu operating system must disable all wireless network adapters. ","desc":"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required.","descriptions":[{"label":"default","data":"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required."},{"label":"check","data":"Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding."},{"label":"fix","data":"List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \"/etc/modprobe.d\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name>"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000481-GPOS-00481 ","gid":"V-252704 ","rid":"SV-252704r854182_rule ","stig_id":"UBTU-20-010455 ","fix_id":"F-56110r819056_fix ","cci":["CCI-002418"],"nist":["SC-8"]},"code":"control 'SV-252704' do\n title 'The Ubuntu operating system must disable all wireless network adapters. '\n desc \"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required. \"\n desc 'check', \"Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding. \"\n desc 'fix', \"List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \\\"/etc/modprobe.d\\\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000481-GPOS-00481 '\n tag gid: 'V-252704 '\n tag rid: 'SV-252704r854182_rule '\n tag stig_id: 'UBTU-20-010455 '\n tag fix_id: 'F-56110r819056_fix '\n tag cci: ['CCI-002418']\n tag nist: ['SC-8']\n\n describe command('ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename') do\n its('stdout') { should be_in input('approved_wireless_interfaces') }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-252704.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Command: `ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename` stdout is expected to be in","run_time":0.089551,"start_time":"2022-12-07T14:54:39-05:00","message":"expected `` to be in the list: `[]`","resource_class":"command","resource_params":"[\"ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename\"]","resource_id":"Command: `ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename`"}]}],"status":"loaded","status_message":""}],"statistics":{"duration":20.41749},"version":"5.18.14"} \ No newline at end of file From 4ff1f2627e497eb29a755b786cc0207bd5e462d8 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Wed, 7 Dec 2022 14:59:54 -0500 Subject: [PATCH 062/100] typo Signed-off-by: Aaron Lippold --- .github/workflows/verify-container.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index 25056c4..09b726a 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -16,10 +16,8 @@ jobs: LC_ALL: "en_US.UTF-8" VANILLA_IMAGE: "public.ecr.aws/lts/ubuntu:focal" HARDENED_IMAGE: "canonical/ubuntu-pro-stig-20.04:latest" - # strategy: - # matrix: - # suite: ['vanilla','hardened'] - # fail-fast: false + strategy: + fail-fast: false steps: - name: add needed packages run: sudo apt-get install -y jq @@ -40,8 +38,7 @@ jobs: - name: Lint the Inspec profile run: bundle exec inspec check . -name: Build the Hardened Container - run: docker build https://repo1.dso.mil/dsop/canonical/ubuntu/ubuntu-pro-cis-stig-20.04.git\#development \ - --tag $HARDENED_IMAGE + run: docker build https://repo1.dso.mil/dsop/canonical/ubuntu/ubuntu-pro-cis-stig-20.04.git\#development --tag $HARDENED_IMAGE - name: Start the Vanilla Container run: docker run -itd --rm --name vanilla-ubuntu $VANILLA_IMAGE - name: Start the Hardened Container From ce016ea3218d12903e902f6ec84d879eecf485d8 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Wed, 7 Dec 2022 15:02:06 -0500 Subject: [PATCH 063/100] typo2 Signed-off-by: Aaron Lippold --- .github/workflows/verify-container.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index 09b726a..b6136bf 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -8,7 +8,7 @@ on: jobs: validate: - name: Validate my profile + name: Validate my Profile on Containers runs-on: ubuntu-latest env: CHEF_LICENSE: accept-silent @@ -31,7 +31,8 @@ jobs: ruby-version: '2.7' - name: Disable ri and rdoc run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc' - - run: bundle install + - name: Bundle install + run: bundle install # - name: Regenerate current `profile.json` # run: | # bundle exec inspec json . | jq . > profile.json From 9a53dabe89eeb9994add3a363d61b287df2eb7f9 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Wed, 7 Dec 2022 15:04:11 -0500 Subject: [PATCH 064/100] typo3 Signed-off-by: Aaron Lippold --- .github/workflows/verify-container.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index b6136bf..48d3191 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -16,8 +16,6 @@ jobs: LC_ALL: "en_US.UTF-8" VANILLA_IMAGE: "public.ecr.aws/lts/ubuntu:focal" HARDENED_IMAGE: "canonical/ubuntu-pro-stig-20.04:latest" - strategy: - fail-fast: false steps: - name: add needed packages run: sudo apt-get install -y jq From 838ecf95a1ad731dbc8a0094b6f1661206bdd65c Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Wed, 7 Dec 2022 15:21:55 -0500 Subject: [PATCH 065/100] syntax fix Signed-off-by: Aaron Lippold --- .github/workflows/verify-container.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index 48d3191..8e42498 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -2,9 +2,9 @@ name: Container Testing Matrix on: push: - branches: [ main ] + branches: [main] pull_request: - branches: [ main ] + branches: [main] jobs: validate: @@ -26,7 +26,7 @@ jobs: - name: Setup Ruby uses: ruby/setup-ruby@v1 with: - ruby-version: '2.7' + ruby-version: "2.7" - name: Disable ri and rdoc run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc' - name: Bundle install @@ -36,7 +36,7 @@ jobs: # bundle exec inspec json . | jq . > profile.json - name: Lint the Inspec profile run: bundle exec inspec check . - -name: Build the Hardened Container + - name: Build the Hardened Container run: docker build https://repo1.dso.mil/dsop/canonical/ubuntu/ubuntu-pro-cis-stig-20.04.git\#development --tag $HARDENED_IMAGE - name: Start the Vanilla Container run: docker run -itd --rm --name vanilla-ubuntu $VANILLA_IMAGE From a31da951bdb3612af164cb39b0344d8cf0eb73bd Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Wed, 7 Dec 2022 15:34:21 -0500 Subject: [PATCH 066/100] added the rest of the workflow Signed-off-by: Aaron Lippold --- .github/workflows/verify-container.yml | 49 ++++++++++++++------------ 1 file changed, 27 insertions(+), 22 deletions(-) diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index 8e42498..265c49d 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -11,8 +11,6 @@ jobs: name: Validate my Profile on Containers runs-on: ubuntu-latest env: - CHEF_LICENSE: accept-silent - KITCHEN_LOCAL_YAML: kitchen.container.yml LC_ALL: "en_US.UTF-8" VANILLA_IMAGE: "public.ecr.aws/lts/ubuntu:focal" HARDENED_IMAGE: "canonical/ubuntu-pro-stig-20.04:latest" @@ -31,9 +29,6 @@ jobs: run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc' - name: Bundle install run: bundle install - # - name: Regenerate current `profile.json` - # run: | - # bundle exec inspec json . | jq . > profile.json - name: Lint the Inspec profile run: bundle exec inspec check . - name: Build the Hardened Container @@ -44,20 +39,30 @@ jobs: run: docker run -itd --rm --name hardened-ubuntu $HARDENED_IMAGE - name: Verify both our containers are running run: docker ps -f name=-ubuntu - - name: Test $VANILLA_IMAGE - run: inspec exec . --input-file=container.inputs.yml -t docker://vanilla-ubuntu --reporter json:vanilla.json progress-bar - # # - name: Run kitchen test - # # run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-2004 || true - # - name: Display our ${{ matrix.suite }} results summary - # uses: mitre/saf_action@v1 - # with: - # command_string: 'view summary -i spec/results/container_ubuntu-2004_${{ matrix.suite }}.json' - # - name: Ensure the scan meets our ${{ matrix.suite }} results threshold - # uses: mitre/saf_action@v1 - # with: - # command_string: 'validate threshold -i spec/results/container_ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' - # - name: Save Test Result JSONs - # if: ${{ always() }} - # uses: actions/upload-artifact@v2 - # with: - # path: spec/results/ + - name: Test Vanilla Container + run: inspec exec . --input-file=container.inputs.yml -t docker://vanilla-ubuntu --reporter cli json:vanilla.json || true + - name: Test Hardened Container + run: inspec exec . --input-file=container.inputs.yml -t docker://hardened-ubuntu --reporter cli json:hardened.json || true + - name: Display our Vanilla Summary + uses: mitre/saf_action@v1 + with: + command_string: "view summary -i vanilla.json" + - name: Display our Hardened Summary + uses: mitre/saf_action@v1 + with: + command_string: "view summary -i hardened.json" + - name: Ensure the scan meets our Vanilla results threshold + uses: mitre/saf_action@v1 + with: + command_string: "validate threshold -i vanilla.json -F vanilla.threshold.yml" + - name: Ensure the scan meets our Hardened results threshold + uses: mitre/saf_action@v1 + with: + command_string: "validate threshold -i hardened.json -F hardened.threshold.yml" + - name: Save Test Result JSONs + if: ${{ always() }} + uses: actions/upload-artifact@v2 + with: + path: + - hardened.json + - vanilla.json From 9af7e5e9c0e5bf88f78573b1c6f0e6f0eab64d58 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Wed, 7 Dec 2022 15:39:44 -0500 Subject: [PATCH 067/100] fixed missing item in workflow task Signed-off-by: Aaron Lippold --- .github/workflows/verify-container.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index 265c49d..5965c9a 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -61,8 +61,8 @@ jobs: command_string: "validate threshold -i hardened.json -F hardened.threshold.yml" - name: Save Test Result JSONs if: ${{ always() }} - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: - path: - - hardened.json - - vanilla.json + path: | + vanilla.json + hardened.json From b114d0500f70a32a000767de6eb0e1e5263ba666 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Wed, 7 Dec 2022 15:41:36 -0500 Subject: [PATCH 068/100] readded chef license accept Signed-off-by: Aaron Lippold --- .github/workflows/verify-container.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index 5965c9a..5dc8351 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -14,6 +14,7 @@ jobs: LC_ALL: "en_US.UTF-8" VANILLA_IMAGE: "public.ecr.aws/lts/ubuntu:focal" HARDENED_IMAGE: "canonical/ubuntu-pro-stig-20.04:latest" + CHEF_LICENSE: "accpet-silent" steps: - name: add needed packages run: sudo apt-get install -y jq From 086e10ceff4938f74a5c138c1bfa0e2d1e497530 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Wed, 7 Dec 2022 15:43:47 -0500 Subject: [PATCH 069/100] fixed spelling on Chef License env var Signed-off-by: Aaron Lippold --- .github/workflows/verify-container.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index 5dc8351..e37dc21 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -14,7 +14,7 @@ jobs: LC_ALL: "en_US.UTF-8" VANILLA_IMAGE: "public.ecr.aws/lts/ubuntu:focal" HARDENED_IMAGE: "canonical/ubuntu-pro-stig-20.04:latest" - CHEF_LICENSE: "accpet-silent" + CHEF_LICENSE: "accept-silent" steps: - name: add needed packages run: sudo apt-get install -y jq From 1434479519f135f318543f0371df82c863722eb2 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Wed, 7 Dec 2022 15:57:17 -0500 Subject: [PATCH 070/100] fixed thresholds for containers and broke things out a bit Signed-off-by: Aaron Lippold --- .github/workflows/verify-container.yml | 4 ++-- container.hardened.threshold.yml | 3 +++ container.threshold.yml | 0 container.vanilla.threshold.yml | 3 +++ 4 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 container.hardened.threshold.yml delete mode 100644 container.threshold.yml create mode 100644 container.vanilla.threshold.yml diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index e37dc21..d29239b 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -55,11 +55,11 @@ jobs: - name: Ensure the scan meets our Vanilla results threshold uses: mitre/saf_action@v1 with: - command_string: "validate threshold -i vanilla.json -F vanilla.threshold.yml" + command_string: "validate threshold -i vanilla.json -F container.vanilla.threshold.yml" - name: Ensure the scan meets our Hardened results threshold uses: mitre/saf_action@v1 with: - command_string: "validate threshold -i hardened.json -F hardened.threshold.yml" + command_string: "validate threshold -i hardened.json -F container.hardened.threshold.yml" - name: Save Test Result JSONs if: ${{ always() }} uses: actions/upload-artifact@v3 diff --git a/container.hardened.threshold.yml b/container.hardened.threshold.yml new file mode 100644 index 0000000..098ef33 --- /dev/null +++ b/container.hardened.threshold.yml @@ -0,0 +1,3 @@ +--- +compliance.min: 40 +error.total.max: 8 diff --git a/container.threshold.yml b/container.threshold.yml deleted file mode 100644 index e69de29..0000000 diff --git a/container.vanilla.threshold.yml b/container.vanilla.threshold.yml new file mode 100644 index 0000000..c14e7c7 --- /dev/null +++ b/container.vanilla.threshold.yml @@ -0,0 +1,3 @@ +--- +compliance.min: 30 +error.total.max: 8 From 3c1c6d60d15413cc18011f0bcba8f1a5185c7e5d Mon Sep 17 00:00:00 2001 From: Will Dower Date: Wed, 7 Dec 2022 16:28:58 -0500 Subject: [PATCH 071/100] adding python3-pip dependency outside of kitchen files Signed-off-by: Will Dower --- .github/workflows/verify-ec2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index b2692cc..f78a735 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -21,7 +21,7 @@ jobs: fail-fast: false steps: - name: add needed packages - run: sudo apt-get install -y jq + run: sudo apt-get install -y jq python3-pip - name: Configure AWS credentials env: AWS_SG_ID: ${{ secrets.SAF_AWS_SG_ID }} From e8a103e806d112623292e9a0c07413654100e329 Mon Sep 17 00:00:00 2001 From: Will Dower Date: Wed, 7 Dec 2022 16:47:48 -0500 Subject: [PATCH 072/100] switching from apt to apt-get Signed-off-by: Will Dower --- .github/workflows/verify-ec2.yml | 2 +- kitchen.ec2.yml | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index f78a735..b2692cc 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -21,7 +21,7 @@ jobs: fail-fast: false steps: - name: add needed packages - run: sudo apt-get install -y jq python3-pip + run: sudo apt-get install -y jq - name: Configure AWS credentials env: AWS_SG_ID: ${{ secrets.SAF_AWS_SG_ID }} diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index 6c92320..44831e6 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -21,12 +21,12 @@ verifier: lifecycle: pre_converge: - remote: | - echo "prepping apt" - sudo apt -f install - sudo apt update -y - sudo apt dist-upgrade -y + echo "prepping apt-get to install dependencies" + sudo apt-get -f install + sudo apt-get update -y + sudo apt-get dist-upgrade -y echo "installing pip3" - sudo apt install python3-pip -y + sudo apt-get install python3-pip -y transport: name: ssh # username: <%= ENV['SAF_AWS_EC2_USER'] %> From a26e8a6fe157207665d43be323d276992c24ecf4 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Wed, 7 Dec 2022 18:33:34 -0500 Subject: [PATCH 073/100] working on ec2 testings Signed-off-by: Aaron Lippold --- kitchen.ec2.yml | 18 ++++-------------- 1 file changed, 4 insertions(+), 14 deletions(-) diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index 44831e6..14869fe 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -1,13 +1,8 @@ --- driver: name: ec2 - # aws_ssh_key_id: <%= ENV['SAF_AWS_SSH_KEY_ID'] %> - # user_data: ./user_data.sh tags: - POC: 'SAF Github Actions' - # security_group_ids: <%= ENV['SAF_AWS_SG_ID'] %> - #region: <%= ENV['SAF_AWS_REGION'] %> - # subnet_id: <%= ENV['SAF_AWS_SUBNET_ID'] %> + POC: "SAF Github Actions" instance_type: t2.large associate_public_ip: true @@ -21,15 +16,10 @@ verifier: lifecycle: pre_converge: - remote: | - echo "prepping apt-get to install dependencies" - sudo apt-get -f install - sudo apt-get update -y - sudo apt-get dist-upgrade -y - echo "installing pip3" - sudo apt-get install python3-pip -y + sudo add-apt-repository universe + sudo apt-get -y update + sudo apt-get -y install build-essential python3-pip transport: name: ssh - # username: <%= ENV['SAF_AWS_EC2_USER'] %> - # ssh_key: <%= ENV['SAF_AWS_EC2_SSH_KEY'] %> connection_timeout: 10 connection_retries: 5 From ebfe00da602ce20ae24114d8af2b5b768c639432 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Wed, 7 Dec 2022 18:46:16 -0500 Subject: [PATCH 074/100] removing build-essentials from the list Signed-off-by: Aaron Lippold --- kitchen.ec2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index 14869fe..35962c2 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -18,7 +18,7 @@ lifecycle: - remote: | sudo add-apt-repository universe sudo apt-get -y update - sudo apt-get -y install build-essential python3-pip + sudo apt-get -y install python3-pip transport: name: ssh connection_timeout: 10 From d73aea103392dbeef66405c367c9313ced95d3ea Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Wed, 7 Dec 2022 18:57:14 -0500 Subject: [PATCH 075/100] trying another method Signed-off-by: Aaron Lippold --- kitchen.ec2.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index 35962c2..b0eec72 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -16,8 +16,11 @@ verifier: lifecycle: pre_converge: - remote: | + sudo add-apt-repository universe + sudo apt -f install sudo apt-get -y update + sudo apt-get -y dist-upgrade sudo apt-get -y install python3-pip transport: name: ssh From 4102a213f22c30b812062d5193f4282a5cf59465 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Wed, 7 Dec 2022 19:07:24 -0500 Subject: [PATCH 076/100] removed undeed newlines, updated profile errors for now Signed-off-by: Aaron Lippold --- hardened.threshold.yml | 2 +- kitchen.ec2.yml | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/hardened.threshold.yml b/hardened.threshold.yml index 043ddab..6b5ede1 100644 --- a/hardened.threshold.yml +++ b/hardened.threshold.yml @@ -1,3 +1,3 @@ --- compliance.min: 75 -error.total.max: 0 +error.total.max: 8 diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index b0eec72..91b50bd 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -16,7 +16,6 @@ verifier: lifecycle: pre_converge: - remote: | - sudo add-apt-repository universe sudo apt -f install sudo apt-get -y update From 18d8cf9196f8543ac0e6b1897e46fb21994ef5ba Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Thu, 8 Dec 2022 11:47:20 -0500 Subject: [PATCH 077/100] trying with apt vs apt-get Signed-off-by: Aaron Lippold --- kitchen.ec2.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index 91b50bd..438842f 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -13,14 +13,14 @@ verifier: - cli - json:spec/results/ec2_ubuntu-2004_%{suite}.json -lifecycle: +lifecycle:s pre_converge: - remote: | sudo add-apt-repository universe sudo apt -f install - sudo apt-get -y update - sudo apt-get -y dist-upgrade - sudo apt-get -y install python3-pip + sudo apt -y update + sudo apt -y full-upgrade + sudo apt -y install python3-pip transport: name: ssh connection_timeout: 10 From 99156c1124061ad8feaf43f7cae71bb583a3b41d Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Thu, 8 Dec 2022 11:51:22 -0500 Subject: [PATCH 078/100] typo Signed-off-by: Aaron Lippold --- kitchen.ec2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index 438842f..c07f24d 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -13,7 +13,7 @@ verifier: - cli - json:spec/results/ec2_ubuntu-2004_%{suite}.json -lifecycle:s +lifecycle: pre_converge: - remote: | sudo add-apt-repository universe From 908ddcb3cb618d7a7556d0ef016eca1100134ea7 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Thu, 8 Dec 2022 11:54:39 -0500 Subject: [PATCH 079/100] tying without the pip3 requirement Signed-off-by: Aaron Lippold --- kitchen.ec2.yml | 2 +- kitchen.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index c07f24d..44e92e0 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -20,7 +20,7 @@ lifecycle: sudo apt -f install sudo apt -y update sudo apt -y full-upgrade - sudo apt -y install python3-pip +# sudo apt -y install python3-pip transport: name: ssh connection_timeout: 10 diff --git a/kitchen.yml b/kitchen.yml index b3e35a1..c4c51f1 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -4,7 +4,7 @@ provisioner: hosts: all require_chef_for_busser: false require_ruby_for_busser: false - require_pip3: true + require_pip3: false ansible_binary_path: /usr/local/bin ansible_verbose: true roles_path: spec/ansible/roles/ From 6c73fc5cf76e29f163be9e5c7cae221fe8dc6192 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Thu, 8 Dec 2022 12:10:01 -0500 Subject: [PATCH 080/100] moving away from pip to repo install Signed-off-by: Aaron Lippold --- kitchen.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kitchen.yml b/kitchen.yml index c4c51f1..c5c9030 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -4,9 +4,9 @@ provisioner: hosts: all require_chef_for_busser: false require_ruby_for_busser: false - require_pip3: false - ansible_binary_path: /usr/local/bin + require_ansible_repo: true ansible_verbose: true + ansible_version: latest roles_path: spec/ansible/roles/ galaxy_ignore_certs: true env_vars: From dbdf5c3d2416426dacd4d163adc495f8a39a3f7f Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Thu, 8 Dec 2022 13:06:54 -0500 Subject: [PATCH 081/100] upddated playbook for bug in conditional, added missing variable, moved off pip3 ansible install Signed-off-by: Aaron Lippold --- kitchen.ec2.yml | 1 - kitchen.yml | 3 +- .../stig-hardening/tasks/common-sysctl.yml | 62 +++++++-------- .../roles/stig-hardening/vars/main.yml | 75 ++++++++++--------- 4 files changed, 71 insertions(+), 70 deletions(-) diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index 44e92e0..995a83c 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -20,7 +20,6 @@ lifecycle: sudo apt -f install sudo apt -y update sudo apt -y full-upgrade -# sudo apt -y install python3-pip transport: name: ssh connection_timeout: 10 diff --git a/kitchen.yml b/kitchen.yml index c5c9030..db9ac9e 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -6,9 +6,10 @@ provisioner: require_ruby_for_busser: false require_ansible_repo: true ansible_verbose: true + ansible_verbosity: 3 ansible_version: latest - roles_path: spec/ansible/roles/ galaxy_ignore_certs: true + roles_path: spec/ansible/roles/ env_vars: - ANSIBLE_LOCAL_TEMP=$HOME/.ansible/tmp - ANSIBLE_REMOTE_TEMP=$HOME/.ansible/tmp diff --git a/spec/ansible/roles/stig-hardening/tasks/common-sysctl.yml b/spec/ansible/roles/stig-hardening/tasks/common-sysctl.yml index 75e14a1..ca17084 100644 --- a/spec/ansible/roles/stig-hardening/tasks/common-sysctl.yml +++ b/spec/ansible/roles/stig-hardening/tasks/common-sysctl.yml @@ -3,30 +3,30 @@ name: "{{ item.name }}" value: "{{ item.value }}" reload: yes - with_items: - - name: net.ipv4.conf.all.accept_source_route - value: 0 - - name: net.ipv4.conf.default.accept_source_route - value: 0 - - name: net.ipv4.icmp_echo_ignore_broadcasts - value: 1 - - name: net.ipv4.conf.all.send_redirects - value: 0 - - name: net.ipv4.conf.default.send_redirects - value: 0 - - name: net.ipv6.conf.all.accept_source_route - value: 0 - - name: net.ipv4.conf.default.accept_redirects - value: 0 - - name: kernel.randomize_va_space - value: 2 - - name: net.ipv6.conf.all.disable_ipv6 - value: 0 - - name: net.ipv4.tcp_syncookies - value: 1 + with_items: + - name: net.ipv4.conf.all.accept_source_route + value: 0 + - name: net.ipv4.conf.default.accept_source_route + value: 0 + - name: net.ipv4.icmp_echo_ignore_broadcasts + value: 1 + - name: net.ipv4.conf.all.send_redirects + value: 0 + - name: net.ipv4.conf.default.send_redirects + value: 0 + - name: net.ipv6.conf.all.accept_source_route + value: 0 + - name: net.ipv4.conf.default.accept_redirects + value: 0 + - name: kernel.randomize_va_space + value: 2 + - name: net.ipv6.conf.all.disable_ipv6 + value: 0 + - name: net.ipv4.tcp_syncookies + value: 1 tags: - - V-219330 - - V-219342 + - V-219330 + - V-219342 - name: "sysctl: --protect-kernel-defaults" sysctl: @@ -34,16 +34,16 @@ value: "{{ item.value }}" reload: yes with_items: - - name: vm.overcommit_memory - value: 1 - - name: kernel.panic - value: 10 - - name: kernel.panic_on_oops - value: 1 + - name: vm.overcommit_memory + value: 1 + - name: kernel.panic + value: 10 + - name: kernel.panic_on_oops + value: 1 when: - install_protect_kernel_defaults: true + - install_protect_kernel_defaults -- name: "sysctl: fs.suid_dumpable " +- name: "sysctl: fs.suid_dumpable" blockinfile: dest: /etc/systemd/coredump.conf block: | diff --git a/spec/ansible/roles/stig-hardening/vars/main.yml b/spec/ansible/roles/stig-hardening/vars/main.yml index 77f4010..28d2b3d 100644 --- a/spec/ansible/roles/stig-hardening/vars/main.yml +++ b/spec/ansible/roles/stig-hardening/vars/main.yml @@ -1,5 +1,6 @@ install_fips: no install_aide: yes +install_protect_kernel_defaults: true install_chrony: yes install_audispd_plugins: yes remove_existing_ca_certs: no @@ -7,34 +8,34 @@ UBUNTU_ADVANTAGE_PASSWORD: "{{ lookup('env','UBUNTU_ADVANTAGE_PASSWORD') }}" UBUNTU_ADVANTAGE_PASSWORD_UPDATES: "{{ lookup('env','UBUNTU_ADVANTAGE_PASSWORD_UPDATES') }}" UBUNTU_FIPS_SUBSCRIPTION_ID: "{{ lookup('env','UBUNTU_FIPS_SUBSCRIPTION_ID') }}" install_packages: -- apparmor -- apparmor-profiles -- apparmor-utils -- auditd -- ca-certificates -- libpam-pkcs11 -- libpam-pwquality -- libpwquality-common -- opensc-pkcs11 -- openssh-client -- openssh-server -- ufw -- unattended-upgrades -- vlock + - apparmor + - apparmor-profiles + - apparmor-utils + - auditd + - ca-certificates + - libpam-pkcs11 + - libpam-pwquality + - libpwquality-common + - opensc-pkcs11 + - openssh-client + - openssh-server + - ufw + - unattended-upgrades + - vlock remove_packages: -- rsh-server -- telnetd -- tftpd -- nis -- at -- landscape-client -- landscape-common -- mlocate -- pollinate -- postfix -- screen -- byobu -- os-prober + - rsh-server + - telnetd + - tftpd + - nis + - at + - landscape-client + - landscape-common + - mlocate + - pollinate + - postfix + - screen + - byobu + - os-prober login_banner: | You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. @@ -60,15 +61,15 @@ limits_maxlogins: 10 autologout_timeout: 600 pam_fail_delay: 4 sudo_users: -- ubuntu + - ubuntu audit_tools: -- /sbin/audispd -- /sbin/auditctl -- /sbin/auditd -- /sbin/augenrules -- /sbin/aureport -- /sbin/ausearch -- /sbin/autrace + - /sbin/audispd + - /sbin/auditctl + - /sbin/auditd + - /sbin/augenrules + - /sbin/aureport + - /sbin/ausearch + - /sbin/autrace chrony_time_sources: -- 169.254.169.123 -audit_sp_remote_server: 192.0.0.1 \ No newline at end of file + - 169.254.169.123 +audit_sp_remote_server: 192.0.0.1 From 1a5a5fc44402b33b77d197018c2035f8a543e010 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Thu, 8 Dec 2022 13:13:15 -0500 Subject: [PATCH 082/100] updated the ansible verbosity to be less detailed Signed-off-by: Aaron Lippold --- kitchen.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kitchen.yml b/kitchen.yml index db9ac9e..0782194 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -6,7 +6,7 @@ provisioner: require_ruby_for_busser: false require_ansible_repo: true ansible_verbose: true - ansible_verbosity: 3 + ansible_verbosity: 2 ansible_version: latest galaxy_ignore_certs: true roles_path: spec/ansible/roles/ From 26a47c2952604a2020d334f037f194dfa652bc15 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Thu, 8 Dec 2022 14:24:03 -0500 Subject: [PATCH 083/100] updated vanilla threshold to account for current errors Signed-off-by: Aaron Lippold --- vanilla.threshold.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vanilla.threshold.yml b/vanilla.threshold.yml index 5996b0e..8b7b120 100644 --- a/vanilla.threshold.yml +++ b/vanilla.threshold.yml @@ -1,3 +1,3 @@ --- compliance.min: 5 -error.total.max: 0 +error.total.max: 8 From 1b88b7453999261605ab19243f9e148742aec3cd Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Thu, 8 Dec 2022 14:45:41 -0500 Subject: [PATCH 084/100] updated vagrant testing to only run on release Signed-off-by: Aaron Lippold --- .github/workflows/verify-vagrant.yml | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/.github/workflows/verify-vagrant.yml b/.github/workflows/verify-vagrant.yml index cefc71a..129a6d4 100644 --- a/.github/workflows/verify-vagrant.yml +++ b/.github/workflows/verify-vagrant.yml @@ -1,22 +1,18 @@ name: Vagrant Testing Matrix - on: - push: - branches: [ main ] - pull_request: - branches: [ main ] + release: + types: [published] jobs: validate: name: Validate my profile - # macos-latest no longer has Vagrant. Must use the specified version per documentation. runs-on: macos-12 env: CHEF_LICENSE: accept-silent KITCHEN_LOCAL_YAML: kitchen.vagrant.yml strategy: matrix: - suite: ['hardened'] + suite: ["hardened"] fail-fast: false steps: - name: Add jq for output formatting @@ -26,7 +22,7 @@ jobs: - name: Setup Ruby uses: ruby/setup-ruby@v1 with: - ruby-version: '2.7' + ruby-version: "2.7" - name: Disable ri and rdoc run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc' - name: ensure bundler up-to-date @@ -42,13 +38,13 @@ jobs: - name: Display our ${{ matrix.suite }} results summary uses: mitre/saf_action@v1 with: - command_string: 'view summary -i spec/results/ubuntu-2004_${{ matrix.suite }}.json' + command_string: "view summary -i spec/results/ubuntu-2004_${{ matrix.suite }}.json" - name: Ensure the scan meets our ${{ matrix.suite }} results threshold uses: mitre/saf_action@v1 with: - command_string: 'validate threshold -i spec/results/ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' + command_string: "validate threshold -i spec/results/ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml" - name: Save Test Result JSONs if: ${{ always() }} uses: actions/upload-artifact@v2 with: - path: spec/results/ \ No newline at end of file + path: spec/results/ From b921f197629769efbcc3c3400ef1a8ffefb9c0d0 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Thu, 8 Dec 2022 15:35:22 -0500 Subject: [PATCH 085/100] ensured that all the kictchen files run as sudo, updated the FIPS controls to better use inputs. Signed-off-by: Aaron Lippold --- controls/SV-238216.rb | 18 ++++++++---------- controls/SV-238217.rb | 18 ++++++++---------- controls/SV-238325.rb | 12 +++++++----- controls/SV-238363.rb | 16 +++++++--------- ec2.inputs.yml | 3 ++- kitchen.container.yml | 12 ++++++------ kitchen.ec2.yml | 1 + kitchen.vagrant.yml | 1 + 8 files changed, 40 insertions(+), 41 deletions(-) diff --git a/controls/SV-238216.rb b/controls/SV-238216.rb index 85b4878..8a45817 100644 --- a/controls/SV-238216.rb +++ b/controls/SV-238216.rb @@ -54,24 +54,22 @@ impact 0.5 tag severity: 'medium ' tag gtitle: 'SRG-OS-000424-GPOS-00188 ' - tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173) + tag satisfies: %w[SRG-OS-000424-GPOS-00188 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173] tag gid: 'V-238216 ' tag rid: 'SV-238216r860820_rule ' tag stig_id: 'UBTU-20-010043 ' tag fix_id: 'F-41385r653822_fix ' - tag cci: %w(CCI-001453 CCI-002421 CCI-002890) + tag cci: %w[CCI-001453 CCI-002421 CCI-002890] tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)'] - disable_fips = input('disable_fips') - - if disable_fips? + if input('disable_fips') impact 0.0 - describe "Control not applicable" do - skip "Control not applicable" + describe 'FIPS testing has been disabled' do + skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input' end elsif virtualization.system.eql?('docker') - describe "Manual test" do - skip "This control must be reviewed manually" + describe 'FIPS validation in a container must be reviewed manually' do + skip 'FIPS validation in a container must be reviewed manually' end else @macs_array = inspec.sshd_config.params['macs'] @@ -79,7 +77,7 @@ @macs_array = @macs_array.first.split(',') unless @macs_array.nil? describe @macs_array do - it { should be_in %w(hmac-sha2-256 hmac-sha2-512) } + it { should be_in %w[hmac-sha2-256 hmac-sha2-512] } end end end diff --git a/controls/SV-238217.rb b/controls/SV-238217.rb index a3442f9..f9f6ab7 100644 --- a/controls/SV-238217.rb +++ b/controls/SV-238217.rb @@ -60,24 +60,22 @@ impact 0.5 tag severity: 'medium ' tag gtitle: 'SRG-OS-000424-GPOS-00188 ' - tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000033-GPOS-00014 SRG-OS-000394-GPOS-00174) + tag satisfies: %w[SRG-OS-000424-GPOS-00188 SRG-OS-000033-GPOS-00014 SRG-OS-000394-GPOS-00174] tag gid: 'V-238217 ' tag rid: 'SV-238217r860821_rule ' tag stig_id: 'UBTU-20-010044 ' tag fix_id: 'F-41386r653825_fix ' - tag cci: %w(CCI-000068 CCI-002421 CCI-003123) + tag cci: %w[CCI-000068 CCI-002421 CCI-003123] tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)'] - disable_fips = input('disable_fips') - - if disable_fips? + if input('disable_fips') impact 0.0 - describe 'Control not applicable' do - skip 'Control not applicable' + describe 'FIPS testing has been disabled' do + skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input' end elsif virtualization.system.eql?('docker') - describe 'Manual test' do - skip 'This control must be reviewed manually' + describe 'FIPS validation in a container must be reviewed manually' do + skip 'FIPS validation in a container must be reviewed manually' end else @ciphers_array = inspec.sshd_config.params['ciphers'] @@ -85,7 +83,7 @@ @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil? describe @ciphers_array do - it { should be_in %w( aes256-ctr aes192-ctr aes128-ctr ) } + it { should be_in %w[aes256-ctr aes192-ctr aes128-ctr] } end end end diff --git a/controls/SV-238325.rb b/controls/SV-238325.rb index 44422c6..474f815 100644 --- a/controls/SV-238325.rb +++ b/controls/SV-238325.rb @@ -34,12 +34,14 @@ tag cci: ['CCI-000803'] tag nist: ['IA-7'] - disable_fips = input('disable_fips') - - if disable_fips? + if input('disable_fips') impact 0.0 - describe 'Control not applicable' do - skip 'Control not applicable' + describe 'FIPS testing has been disabled' do + skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input' + end + elsif virtualization.system.eql?('docker') + describe 'FIPS validation in a container must be reviewed manually' do + skip 'FIPS validation in a container must be reviewed manually' end elsif virtualization.system.eql?('docker') describe 'Manual test' do diff --git a/controls/SV-238363.rb b/controls/SV-238363.rb index c55e93e..96cf6c8 100644 --- a/controls/SV-238363.rb +++ b/controls/SV-238363.rb @@ -30,7 +30,7 @@ impact 0.7 tag severity: 'high ' tag gtitle: 'SRG-OS-000396-GPOS-00176 ' - tag satisfies: %w(SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223) + tag satisfies: %w[SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223] tag gid: 'V-238363 ' tag rid: 'SV-238363r853438_rule ' tag stig_id: 'UBTU-20-010442 ' @@ -38,16 +38,14 @@ tag cci: ['CCI-002450'] tag nist: ['SC-13 b'] - disable_fips = input('disable_fips') - - if disable_fips? + if input('disable_fips') impact 0.0 - describe "Control not applicable" do - skip "Control not applicable" + describe 'FIPS testing has been disabled' do + skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input' end elsif virtualization.system.eql?('docker') - describe "Manual test" do - skip "This control must be reviewed manually" + describe 'FIPS validation in a container must be reviewed manually' do + skip 'FIPS validation in a container must be reviewed manually' end else config_file = input('fips_config_file') @@ -55,7 +53,7 @@ if config_file_exists describe file(config_file) do - its('content') { should match /\A1\Z/ } + its('content') { should match(/\A1\Z/) } end else describe('FIPS is enabled') do diff --git a/ec2.inputs.yml b/ec2.inputs.yml index bc7a16b..0214a81 100644 --- a/ec2.inputs.yml +++ b/ec2.inputs.yml @@ -1 +1,2 @@ -is_system_networked: true \ No newline at end of file +is_system_networked: true +disable_fips: false diff --git a/kitchen.container.yml b/kitchen.container.yml index ae67e09..ef08f8d 100644 --- a/kitchen.container.yml +++ b/kitchen.container.yml @@ -8,6 +8,7 @@ provisioner: name: dummy verifier: + sudo: true input_files: - container.inputs.yml reporter: @@ -17,11 +18,11 @@ verifier: suites: - name: vanilla platforms: - - name: ubuntu-20.04 - driver_config: - image: public.ecr.aws/lts/ubuntu:focal - platform: ubuntu - + - name: ubuntu-20.04 + driver_config: + image: public.ecr.aws/lts/ubuntu:focal + platform: ubuntu + - name: hardened platforms: - name: ubuntu-20.04 @@ -31,4 +32,3 @@ suites: lifecycle: pre_create: | docker build https://repo1.dso.mil/dsop/canonical/ubuntu/ubuntu-pro-cis-stig-20.04.git\#development --tag canonical/ubuntu-pro-stig-20.04:latest - \ No newline at end of file diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index 995a83c..8a8dc79 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -7,6 +7,7 @@ driver: associate_public_ip: true verifier: + sudo: true input_files: - ec2.inputs.yml reporter: diff --git a/kitchen.vagrant.yml b/kitchen.vagrant.yml index 49a8e94..1b4397a 100644 --- a/kitchen.vagrant.yml +++ b/kitchen.vagrant.yml @@ -3,6 +3,7 @@ driver: name: vagrant verifier: + sudo: true input_files: - vagrant.inputs.yml From 75fb0209b0f824ac15110e3723eaf0aee0b1d47a Mon Sep 17 00:00:00 2001 From: aaronlippold Date: Thu, 8 Dec 2022 20:36:26 +0000 Subject: [PATCH 086/100] Updating profile.json in the repository --- profile.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/profile.json b/profile.json index 48cafc5..5342bf8 100644 --- a/profile.json +++ b/profile.json @@ -385,7 +385,7 @@ "MA-4 (6)" ] }, - "code": "control 'SV-238217' do\n title \"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \\\"strongest to\nweakest\\\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \\\"aes256-ctr\\\",\n\\\"aes192-ctr\\\", or \\\"aes128-ctr\\\" are listed, the order differs from the example above, the\n\\\"Ciphers\\\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000033-GPOS-00014 SRG-OS-000394-GPOS-00174)\n tag gid: 'V-238217 '\n tag rid: 'SV-238217r860821_rule '\n tag stig_id: 'UBTU-20-010044 '\n tag fix_id: 'F-41386r653825_fix '\n tag cci: %w(CCI-000068 CCI-002421 CCI-003123)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n disable_fips = input('disable_fips')\n\n if disable_fips?\n impact 0.0\n describe 'Control not applicable' do\n skip 'Control not applicable'\n end\n elsif virtualization.system.eql?('docker')\n describe 'Manual test' do\n skip 'This control must be reviewed manually'\n end\n else\n @ciphers_array = inspec.sshd_config.params['ciphers']\n\n @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil?\n\n describe @ciphers_array do\n it { should be_in %w( aes256-ctr aes192-ctr aes128-ctr ) }\n end\n end\nend\n", + "code": "control 'SV-238217' do\n title \"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \\\"strongest to\nweakest\\\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \\\"aes256-ctr\\\",\n\\\"aes192-ctr\\\", or \\\"aes128-ctr\\\" are listed, the order differs from the example above, the\n\\\"Ciphers\\\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w[SRG-OS-000424-GPOS-00188 SRG-OS-000033-GPOS-00014 SRG-OS-000394-GPOS-00174]\n tag gid: 'V-238217 '\n tag rid: 'SV-238217r860821_rule '\n tag stig_id: 'UBTU-20-010044 '\n tag fix_id: 'F-41386r653825_fix '\n tag cci: %w[CCI-000068 CCI-002421 CCI-003123]\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n @ciphers_array = inspec.sshd_config.params['ciphers']\n\n @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil?\n\n describe @ciphers_array do\n it { should be_in %w[aes256-ctr aes192-ctr aes128-ctr] }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238217.rb", "line": 1 @@ -425,7 +425,7 @@ "MA-4 (6)" ] }, - "code": "control 'SV-238216' do\n title \"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \\\"hmac-sha2-512\\\" or\n\\\"hmac-sha2-256\\\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173)\n tag gid: 'V-238216 '\n tag rid: 'SV-238216r860820_rule '\n tag stig_id: 'UBTU-20-010043 '\n tag fix_id: 'F-41385r653822_fix '\n tag cci: %w(CCI-001453 CCI-002421 CCI-002890)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n disable_fips = input('disable_fips')\n\n if disable_fips?\n impact 0.0\n describe \"Control not applicable\" do\n skip \"Control not applicable\"\n end\n elsif virtualization.system.eql?('docker')\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\n else\n @macs_array = inspec.sshd_config.params['macs']\n\n @macs_array = @macs_array.first.split(',') unless @macs_array.nil?\n\n describe @macs_array do\n it { should be_in %w(hmac-sha2-256 hmac-sha2-512) }\n end\n end\nend\n", + "code": "control 'SV-238216' do\n title \"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \\\"hmac-sha2-512\\\" or\n\\\"hmac-sha2-256\\\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w[SRG-OS-000424-GPOS-00188 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173]\n tag gid: 'V-238216 '\n tag rid: 'SV-238216r860820_rule '\n tag stig_id: 'UBTU-20-010043 '\n tag fix_id: 'F-41385r653822_fix '\n tag cci: %w[CCI-001453 CCI-002421 CCI-002890]\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n @macs_array = inspec.sshd_config.params['macs']\n\n @macs_array = @macs_array.first.split(',') unless @macs_array.nil?\n\n describe @macs_array do\n it { should be_in %w[hmac-sha2-256 hmac-sha2-512] }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238216.rb", "line": 1 @@ -1995,7 +1995,7 @@ "IA-7" ] }, - "code": "control 'SV-238325' do\n title \"The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. \"\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \\\"ENCRYPT_METHOD\\\" does not equal SHA512 or\ngreater, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \\\"/etc/login.defs\\\" file and set \\\"ENCRYPT_METHOD\\\" to SHA512:\n\n\nENCRYPT_METHOD SHA512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000120-GPOS-00061 '\n tag gid: 'V-238325 '\n tag rid: 'SV-238325r654150_rule '\n tag stig_id: 'UBTU-20-010404 '\n tag fix_id: 'F-41494r654149_fix '\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n\n disable_fips = input('disable_fips')\n\n if disable_fips?\n impact 0.0\n describe 'Control not applicable' do\n skip 'Control not applicable'\n end\n elsif virtualization.system.eql?('docker')\n describe 'Manual test' do\n skip 'This control must be reviewed manually'\n end\n else\n describe login_defs do\n its('ENCRYPT_METHOD') { should eq 'SHA512' }\n end\n end\nend\n", + "code": "control 'SV-238325' do\n title \"The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. \"\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \\\"ENCRYPT_METHOD\\\" does not equal SHA512 or\ngreater, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \\\"/etc/login.defs\\\" file and set \\\"ENCRYPT_METHOD\\\" to SHA512:\n\n\nENCRYPT_METHOD SHA512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000120-GPOS-00061 '\n tag gid: 'V-238325 '\n tag rid: 'SV-238325r654150_rule '\n tag stig_id: 'UBTU-20-010404 '\n tag fix_id: 'F-41494r654149_fix '\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n elsif virtualization.system.eql?('docker')\n describe 'Manual test' do\n skip 'This control must be reviewed manually'\n end\n else\n describe login_defs do\n its('ENCRYPT_METHOD') { should eq 'SHA512' }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238325.rb", "line": 1 @@ -3133,7 +3133,7 @@ "SC-13 b" ] }, - "code": "control 'SV-238363' do\n title \"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. \"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.\n\n \"\n desc 'check', \"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \\\"1\\\" is not returned, this is a finding. \"\n desc 'fix', \"Configure the system to run in FIPS mode. Add \\\"fips=1\\\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \\\"Ubuntu\nAdvantage\\\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000396-GPOS-00176 '\n tag satisfies: %w(SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223)\n tag gid: 'V-238363 '\n tag rid: 'SV-238363r853438_rule '\n tag stig_id: 'UBTU-20-010442 '\n tag fix_id: 'F-41532r654263_fix '\n tag cci: ['CCI-002450']\n tag nist: ['SC-13 b']\n\n disable_fips = input('disable_fips')\n\n if disable_fips?\n impact 0.0\n describe \"Control not applicable\" do\n skip \"Control not applicable\"\n end\n elsif virtualization.system.eql?('docker')\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\n else\n config_file = input('fips_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe file(config_file) do\n its('content') { should match /\\A1\\Z/ }\n end\n else\n describe('FIPS is enabled') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238363' do\n title \"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. \"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.\n\n \"\n desc 'check', \"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \\\"1\\\" is not returned, this is a finding. \"\n desc 'fix', \"Configure the system to run in FIPS mode. Add \\\"fips=1\\\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \\\"Ubuntu\nAdvantage\\\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000396-GPOS-00176 '\n tag satisfies: %w[SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223]\n tag gid: 'V-238363 '\n tag rid: 'SV-238363r853438_rule '\n tag stig_id: 'UBTU-20-010442 '\n tag fix_id: 'F-41532r654263_fix '\n tag cci: ['CCI-002450']\n tag nist: ['SC-13 b']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n config_file = input('fips_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe file(config_file) do\n its('content') { should match(/\\A1\\Z/) }\n end\n else\n describe('FIPS is enabled') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238363.rb", "line": 1 @@ -6862,7 +6862,7 @@ "id": "controls/SV-238293.rb" } ], - "sha256": "790ca193566f32b338bd5838db799358bbbbea2c1dabc843bc17f7ddfee74682", + "sha256": "157f0c4d0e7c7d7e280aa4923b3e24c29ff1c61320f1fed00829180aadc7fdaf", "status_message": "", "status": "loaded", "generator": { From 5cd74e669047f404824e08145167486154bee6c3 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Thu, 8 Dec 2022 16:40:03 -0500 Subject: [PATCH 087/100] resolved all profile errors for ec2 and container, excluded a couple more controls in the container context, fixed a few control style issues, updated all thresholds for current values Signed-off-by: Aaron Lippold --- container.hardened.threshold.yml | 4 +-- container.vanilla.threshold.yml | 4 +-- controls/SV-238214.rb | 61 +++++++++++++++++++------------- controls/SV-238299.rb | 15 +++++--- controls/SV-238328.rb | 25 ++++++++----- controls/SV-238368.rb | 23 +++++++----- controls/SV-238379.rb | 3 +- controls/SV-252704.rb | 2 +- hardened.json | 1 - hardened.threshold.yml | 4 +-- inspec-test-docker.sh | 8 ++--- kitchen.container.yml | 1 - vanilla.json | 1 - vanilla.threshold.yml | 2 +- 14 files changed, 92 insertions(+), 62 deletions(-) delete mode 100644 hardened.json delete mode 100644 vanilla.json diff --git a/container.hardened.threshold.yml b/container.hardened.threshold.yml index 098ef33..d466ffe 100644 --- a/container.hardened.threshold.yml +++ b/container.hardened.threshold.yml @@ -1,3 +1,3 @@ --- -compliance.min: 40 -error.total.max: 8 +compliance.min: 48 +error.total.max: 0 diff --git a/container.vanilla.threshold.yml b/container.vanilla.threshold.yml index c14e7c7..91a159d 100644 --- a/container.vanilla.threshold.yml +++ b/container.vanilla.threshold.yml @@ -1,3 +1,3 @@ --- -compliance.min: 30 -error.total.max: 8 +compliance.min: 33 +error.total.max: 0 diff --git a/controls/SV-238214.rb b/controls/SV-238214.rb index 98f5766..6e90087 100644 --- a/controls/SV-238214.rb +++ b/controls/SV-238214.rb @@ -149,42 +149,53 @@ impact 0.5 tag severity: 'medium ' tag gtitle: 'SRG-OS-000228-GPOS-00088 ' - tag satisfies: %w(SRG-OS-000228-GPOS-00088 SRG-OS-000023-GPOS-00006) + tag satisfies: %w[SRG-OS-000228-GPOS-00088 SRG-OS-000023-GPOS-00006] tag gid: 'V-238214 ' tag rid: 'SV-238214r858525_rule ' tag stig_id: 'UBTU-20-010038 ' tag fix_id: 'F-41383r653816_fix ' - tag cci: %w(CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388) + tag cci: %w[CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388] tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3'] - banner_text = input('banner_text') - banner_files = [sshd_config.banner].flatten - - banner_files.each do |banner_file| - if banner_file.nil? - describe 'The SSHD Banner is not set' do - subject { banner_file.nil? } - it { should be false } + if !service('sshd').enabled? or !package('sshd-server').installed? or virtualization.system.eql?('docker') + impact 0.0 + describe 'This control is Not Applicable' do + if virtualization.system.eql?('docker') + skip 'This control is Not Applicable in a container and/or the SSHD server is not enabled' + else + skip 'This control is Not Applicable since the SSHD server is not enabled and/or installed' end end - if !banner_file.nil? && !banner_file.match(/none/i).nil? - describe 'The SSHD Banner is disabled' do - subject { banner_file.match(/none/i).nil? } - it { should be true } + else + banner_text = input('banner_text') + banner_files = [sshd_config.banner].flatten + + banner_files.each do |banner_file| + if banner_file.nil? + describe 'The SSHD Banner is not set' do + subject { banner_file.nil? } + it { should be false } + end end - end - if !banner_file.nil? && banner_file.match(/none/i).nil? && !file(banner_file).exist? - describe 'The SSHD Banner is set, but, the file does not exist' do - subject { file(banner_file).exist? } - it { should be true } + if !banner_file.nil? && !banner_file.match(/none/i).nil? + describe 'The SSHD Banner is disabled' do + subject { banner_file.match(/none/i).nil? } + it { should be true } + end end - end - next unless !banner_file.nil? && banner_file.match(/none/i).nil? && file(banner_file).exist? + if !banner_file.nil? && banner_file.match(/none/i).nil? && !file(banner_file).exist? + describe 'The SSHD Banner is set, but, the file does not exist' do + subject { file(banner_file).exist? } + it { should be true } + end + end + next unless !banner_file.nil? && banner_file.match(/none/i).nil? && file(banner_file).exist? - describe 'The SSHD Banner is set to the standard banner and has the correct text' do - clean_banner = banner_text.gsub(/[\r\n\s]/, '') - subject { file(banner_file).content.gsub(/[\r\n\s]/, '') } - it { should cmp clean_banner } + describe 'The SSHD Banner is set to the standard banner and has the correct text' do + clean_banner = banner_text.gsub(/[\r\n\s]/, '') + subject { file(banner_file).content.gsub(/[\r\n\s]/, '') } + it { should cmp clean_banner } + end end end end diff --git a/controls/SV-238299.rb b/controls/SV-238299.rb index f990ba3..56a88b5 100644 --- a/controls/SV-238299.rb +++ b/controls/SV-238299.rb @@ -37,11 +37,18 @@ tag cci: ['CCI-001464'] tag nist: ['AU-14 (1)'] - grub_entries = command('grep "^\s*linux" /boot/grub/grub.cfg').stdout.strip.split("\n").entries + if virtualization.system.eql?('docker') + impact 0.0 + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' + end + else + grub_entries = command('grep "^\s*linux" /boot/grub/grub.cfg').stdout.strip.split("\n").entries - grub_entries.each do |entry| - describe entry do - it { should include 'audit=1' } + grub_entries.each do |entry| + describe entry do + it { should include 'audit=1' } + end end end end diff --git a/controls/SV-238328.rb b/controls/SV-238328.rb index dd45d0e..d2ad226 100644 --- a/controls/SV-238328.rb +++ b/controls/SV-238328.rb @@ -78,14 +78,21 @@ tag cci: ['CCI-000382'] tag nist: ['CM-7 b'] - ufw_status = command('ufw status').stdout.strip.lines.first - value = ufw_status.split(':')[1].strip - - describe 'UFW status' do - subject { value } - it { should cmp 'active' } - end - describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do - skip 'Status listings checks must be preformed manually' + if virtualization.system.eql?('docker') + impact 0.0 + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' + end + else + ufw_status = command('ufw status').stdout.strip.lines.first + value = ufw_status.split(':')[1].strip + + describe 'UFW status' do + subject { value } + it { should cmp 'active' } + end + describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do + skip 'Status listings checks must be preformed manually' + end end end diff --git a/controls/SV-238368.rb b/controls/SV-238368.rb index 8e49e32..f0a117e 100644 --- a/controls/SV-238368.rb +++ b/controls/SV-238368.rb @@ -40,15 +40,22 @@ tag cci: ['CCI-002824'] tag nist: ['SI-16'] - options = { - assignment_regex: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/, - } - describe.one do - describe command('dmesg | grep NX').stdout.strip do - it { should match /.+(NX \(Execute Disable\) protection: active)/ } + if virtualization.system.eql?('docker') + impact 0.0 + describe 'Control not applicable to a container' do + skip 'Control not applicable to a container' end - describe parse_config_file('/proc/cpuinfo', options).flags.split(' ') do - it { should include 'nx' } + else + options = { + assignment_regex: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/ + } + describe.one do + describe command('dmesg | grep NX').stdout.strip do + it { should match(/.+(NX \(Execute Disable\) protection: active)/) } + end + describe parse_config_file('/proc/cpuinfo', options).flags.split(' ') do + it { should include 'nx' } + end end end end diff --git a/controls/SV-238379.rb b/controls/SV-238379.rb index c0c31f3..b5d5117 100644 --- a/controls/SV-238379.rb +++ b/controls/SV-238379.rb @@ -50,8 +50,9 @@ its('count') { should_not eq 0 } end else + impact 0.0 describe command('which Xorg').exit_status do - skip("GUI not installed.\nwhich Xorg exit_status: " + command('which Xorg').exit_status.to_s) + skip('This control is Not Applicable since a GUI not installed.') end end end diff --git a/controls/SV-252704.rb b/controls/SV-252704.rb index 79d7e36..aad1d9b 100644 --- a/controls/SV-252704.rb +++ b/controls/SV-252704.rb @@ -74,6 +74,6 @@ module with the following command: tag nist: ['SC-8'] describe command('ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename') do - its('stdout') { should be_in input('approved_wireless_interfaces') } + its('stdout.lines') { should be_in input('approved_wireless_interfaces') } end end diff --git a/hardened.json b/hardened.json deleted file mode 100644 index f70f7cd..0000000 --- a/hardened.json +++ /dev/null @@ -1 +0,0 @@ -{"platform":{"name":"ubuntu","release":"20.04","target_id":"da39a3ee-5e6b-5b0d-b255-bfef95601890"},"profiles":[{"name":"Canonical_Ubuntu_20-04_LTS_STIG","version":"0.1.0","sha256":"790ca193566f32b338bd5838db799358bbbbea2c1dabc843bc17f7ddfee74682","title":"Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide","maintainer":"Nitin Ravindran","summary":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.","license":"Apache-2.0","copyright":"Nitin Ravindran","copyright_email":"nravindran@vmware.com","supports":[{"platform-name":"ubuntu","release":"20.04"}],"attributes":[{"name":"temporary_accounts","options":{"type":"Array","value":[]}},{"name":"banner_text","options":{"type":"String","value":"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."}},{"name":"sudo_accounts","options":{"type":"Array","value":["ubuntu"]}},{"name":"tmout","options":{"type":"Numeric","value":600}},{"name":"action_mail_acct","options":{"type":"String","value":"root"}},{"name":"audit_tools","options":{"type":"Array","value":["/sbin/auditctl","/sbin/aureport","/sbin/ausearch","/sbin/autrace","/sbin/auditd","/sbin/audispd","/sbin/augenrules"]}},{"name":"standard_audit_log_size","options":{"type":"Numeric","value":8894028}},{"name":"aide_conf_path","options":{"type":"String","value":"/etc/aide/aide.conf"}},{"name":"maxlogins","options":{"type":"Numeric","value":10}},{"name":"is_kdump_required","options":{"type":"Boolean","value":false}},{"name":"is_system_networked","options":{"type":"Boolean","value":true}},{"name":"sssd_conf_path","options":{"type":"String","value":"/etc/sssd/sssd.conf"}},{"name":"allowed_ca_fingerprints_regex","options":{"type":"String","value":"(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)"}},{"name":"allowed_network_interfaces","options":{"type":"Array","value":["lo","eth0"]}},{"name":"audit_sp_remote_server","options":{"type":"String","value":"192.0.0.1"}},{"name":"approved_wireless_interfaces","options":{"type":"Array","value":[]}},{"name":"fips_config_file","options":{"type":"String","value":"/proc/sys/crypto/fips_enabled"}},{"name":"chrony_config_file","options":{"type":"String","value":"/etc/chrony/chrony.conf"}},{"name":"useradd_config_file","options":{"type":"String","value":"/etc/default/useradd"}},{"name":"rsyslog_config_file","options":{"type":"String","value":"/etc/rsyslog.d/50-default.conf"}},{"name":"auditoffload_config_file","options":{"type":"String","value":"/etc/cron.weekly/audit-offload"}},{"name":"audispremote_config_file","options":{"type":"String","value":"/etc/audisp/plugins.d/au-remote.conf"}},{"name":"gdm3_config_file","options":{"type":"String","value":"/etc/gdm3/greeter.dconf-defaults"}},{"name":"disable_fips","options":{"type":"Boolean","value":false}}],"groups":[{"id":"controls/SV-238196.rb","controls":["SV-238196"]},{"id":"controls/SV-238197.rb","controls":["SV-238197"]},{"id":"controls/SV-238198.rb","controls":["SV-238198"]},{"id":"controls/SV-238199.rb","controls":["SV-238199"]},{"id":"controls/SV-238200.rb","controls":["SV-238200"]},{"id":"controls/SV-238201.rb","controls":["SV-238201"]},{"id":"controls/SV-238202.rb","controls":["SV-238202"]},{"id":"controls/SV-238203.rb","controls":["SV-238203"]},{"id":"controls/SV-238204.rb","controls":["SV-238204"]},{"id":"controls/SV-238205.rb","controls":["SV-238205"]},{"id":"controls/SV-238206.rb","controls":["SV-238206"]},{"id":"controls/SV-238207.rb","controls":["SV-238207"]},{"id":"controls/SV-238208.rb","controls":["SV-238208"]},{"id":"controls/SV-238209.rb","controls":["SV-238209"]},{"id":"controls/SV-238210.rb","controls":["SV-238210"]},{"id":"controls/SV-238211.rb","controls":["SV-238211"]},{"id":"controls/SV-238212.rb","controls":["SV-238212"]},{"id":"controls/SV-238213.rb","controls":["SV-238213"]},{"id":"controls/SV-238214.rb","controls":["SV-238214"]},{"id":"controls/SV-238215.rb","controls":["SV-238215"]},{"id":"controls/SV-238216.rb","controls":["SV-238216"]},{"id":"controls/SV-238217.rb","controls":["SV-238217"]},{"id":"controls/SV-238218.rb","controls":["SV-238218"]},{"id":"controls/SV-238219.rb","controls":["SV-238219"]},{"id":"controls/SV-238220.rb","controls":["SV-238220"]},{"id":"controls/SV-238221.rb","controls":["SV-238221"]},{"id":"controls/SV-238222.rb","controls":["SV-238222"]},{"id":"controls/SV-238223.rb","controls":["SV-238223"]},{"id":"controls/SV-238224.rb","controls":["SV-238224"]},{"id":"controls/SV-238225.rb","controls":["SV-238225"]},{"id":"controls/SV-238226.rb","controls":["SV-238226"]},{"id":"controls/SV-238227.rb","controls":["SV-238227"]},{"id":"controls/SV-238228.rb","controls":["SV-238228"]},{"id":"controls/SV-238229.rb","controls":["SV-238229"]},{"id":"controls/SV-238230.rb","controls":["SV-238230"]},{"id":"controls/SV-238231.rb","controls":["SV-238231"]},{"id":"controls/SV-238232.rb","controls":["SV-238232"]},{"id":"controls/SV-238233.rb","controls":["SV-238233"]},{"id":"controls/SV-238234.rb","controls":["SV-238234"]},{"id":"controls/SV-238235.rb","controls":["SV-238235"]},{"id":"controls/SV-238236.rb","controls":["SV-238236"]},{"id":"controls/SV-238237.rb","controls":["SV-238237"]},{"id":"controls/SV-238238.rb","controls":["SV-238238"]},{"id":"controls/SV-238239.rb","controls":["SV-238239"]},{"id":"controls/SV-238240.rb","controls":["SV-238240"]},{"id":"controls/SV-238241.rb","controls":["SV-238241"]},{"id":"controls/SV-238242.rb","controls":["SV-238242"]},{"id":"controls/SV-238243.rb","controls":["SV-238243"]},{"id":"controls/SV-238244.rb","controls":["SV-238244"]},{"id":"controls/SV-238245.rb","controls":["SV-238245"]},{"id":"controls/SV-238246.rb","controls":["SV-238246"]},{"id":"controls/SV-238247.rb","controls":["SV-238247"]},{"id":"controls/SV-238248.rb","controls":["SV-238248"]},{"id":"controls/SV-238249.rb","controls":["SV-238249"]},{"id":"controls/SV-238250.rb","controls":["SV-238250"]},{"id":"controls/SV-238251.rb","controls":["SV-238251"]},{"id":"controls/SV-238252.rb","controls":["SV-238252"]},{"id":"controls/SV-238253.rb","controls":["SV-238253"]},{"id":"controls/SV-238254.rb","controls":["SV-238254"]},{"id":"controls/SV-238255.rb","controls":["SV-238255"]},{"id":"controls/SV-238256.rb","controls":["SV-238256"]},{"id":"controls/SV-238257.rb","controls":["SV-238257"]},{"id":"controls/SV-238258.rb","controls":["SV-238258"]},{"id":"controls/SV-238264.rb","controls":["SV-238264"]},{"id":"controls/SV-238268.rb","controls":["SV-238268"]},{"id":"controls/SV-238271.rb","controls":["SV-238271"]},{"id":"controls/SV-238277.rb","controls":["SV-238277"]},{"id":"controls/SV-238278.rb","controls":["SV-238278"]},{"id":"controls/SV-238279.rb","controls":["SV-238279"]},{"id":"controls/SV-238280.rb","controls":["SV-238280"]},{"id":"controls/SV-238281.rb","controls":["SV-238281"]},{"id":"controls/SV-238282.rb","controls":["SV-238282"]},{"id":"controls/SV-238283.rb","controls":["SV-238283"]},{"id":"controls/SV-238284.rb","controls":["SV-238284"]},{"id":"controls/SV-238285.rb","controls":["SV-238285"]},{"id":"controls/SV-238286.rb","controls":["SV-238286"]},{"id":"controls/SV-238287.rb","controls":["SV-238287"]},{"id":"controls/SV-238288.rb","controls":["SV-238288"]},{"id":"controls/SV-238289.rb","controls":["SV-238289"]},{"id":"controls/SV-238290.rb","controls":["SV-238290"]},{"id":"controls/SV-238291.rb","controls":["SV-238291"]},{"id":"controls/SV-238292.rb","controls":["SV-238292"]},{"id":"controls/SV-238293.rb","controls":["SV-238293"]},{"id":"controls/SV-238294.rb","controls":["SV-238294"]},{"id":"controls/SV-238295.rb","controls":["SV-238295"]},{"id":"controls/SV-238297.rb","controls":["SV-238297"]},{"id":"controls/SV-238298.rb","controls":["SV-238298"]},{"id":"controls/SV-238299.rb","controls":["SV-238299"]},{"id":"controls/SV-238300.rb","controls":["SV-238300"]},{"id":"controls/SV-238301.rb","controls":["SV-238301"]},{"id":"controls/SV-238302.rb","controls":["SV-238302"]},{"id":"controls/SV-238303.rb","controls":["SV-238303"]},{"id":"controls/SV-238304.rb","controls":["SV-238304"]},{"id":"controls/SV-238305.rb","controls":["SV-238305"]},{"id":"controls/SV-238306.rb","controls":["SV-238306"]},{"id":"controls/SV-238307.rb","controls":["SV-238307"]},{"id":"controls/SV-238308.rb","controls":["SV-238308"]},{"id":"controls/SV-238309.rb","controls":["SV-238309"]},{"id":"controls/SV-238310.rb","controls":["SV-238310"]},{"id":"controls/SV-238315.rb","controls":["SV-238315"]},{"id":"controls/SV-238316.rb","controls":["SV-238316"]},{"id":"controls/SV-238317.rb","controls":["SV-238317"]},{"id":"controls/SV-238318.rb","controls":["SV-238318"]},{"id":"controls/SV-238319.rb","controls":["SV-238319"]},{"id":"controls/SV-238320.rb","controls":["SV-238320"]},{"id":"controls/SV-238321.rb","controls":["SV-238321"]},{"id":"controls/SV-238323.rb","controls":["SV-238323"]},{"id":"controls/SV-238324.rb","controls":["SV-238324"]},{"id":"controls/SV-238325.rb","controls":["SV-238325"]},{"id":"controls/SV-238326.rb","controls":["SV-238326"]},{"id":"controls/SV-238327.rb","controls":["SV-238327"]},{"id":"controls/SV-238328.rb","controls":["SV-238328"]},{"id":"controls/SV-238329.rb","controls":["SV-238329"]},{"id":"controls/SV-238330.rb","controls":["SV-238330"]},{"id":"controls/SV-238331.rb","controls":["SV-238331"]},{"id":"controls/SV-238332.rb","controls":["SV-238332"]},{"id":"controls/SV-238333.rb","controls":["SV-238333"]},{"id":"controls/SV-238334.rb","controls":["SV-238334"]},{"id":"controls/SV-238335.rb","controls":["SV-238335"]},{"id":"controls/SV-238336.rb","controls":["SV-238336"]},{"id":"controls/SV-238337.rb","controls":["SV-238337"]},{"id":"controls/SV-238338.rb","controls":["SV-238338"]},{"id":"controls/SV-238339.rb","controls":["SV-238339"]},{"id":"controls/SV-238340.rb","controls":["SV-238340"]},{"id":"controls/SV-238341.rb","controls":["SV-238341"]},{"id":"controls/SV-238342.rb","controls":["SV-238342"]},{"id":"controls/SV-238343.rb","controls":["SV-238343"]},{"id":"controls/SV-238344.rb","controls":["SV-238344"]},{"id":"controls/SV-238345.rb","controls":["SV-238345"]},{"id":"controls/SV-238346.rb","controls":["SV-238346"]},{"id":"controls/SV-238347.rb","controls":["SV-238347"]},{"id":"controls/SV-238348.rb","controls":["SV-238348"]},{"id":"controls/SV-238349.rb","controls":["SV-238349"]},{"id":"controls/SV-238350.rb","controls":["SV-238350"]},{"id":"controls/SV-238351.rb","controls":["SV-238351"]},{"id":"controls/SV-238352.rb","controls":["SV-238352"]},{"id":"controls/SV-238353.rb","controls":["SV-238353"]},{"id":"controls/SV-238354.rb","controls":["SV-238354"]},{"id":"controls/SV-238355.rb","controls":["SV-238355"]},{"id":"controls/SV-238356.rb","controls":["SV-238356"]},{"id":"controls/SV-238357.rb","controls":["SV-238357"]},{"id":"controls/SV-238358.rb","controls":["SV-238358"]},{"id":"controls/SV-238359.rb","controls":["SV-238359"]},{"id":"controls/SV-238360.rb","controls":["SV-238360"]},{"id":"controls/SV-238361.rb","controls":["SV-238361"]},{"id":"controls/SV-238362.rb","controls":["SV-238362"]},{"id":"controls/SV-238363.rb","controls":["SV-238363"]},{"id":"controls/SV-238364.rb","controls":["SV-238364"]},{"id":"controls/SV-238365.rb","controls":["SV-238365"]},{"id":"controls/SV-238366.rb","controls":["SV-238366"]},{"id":"controls/SV-238367.rb","controls":["SV-238367"]},{"id":"controls/SV-238368.rb","controls":["SV-238368"]},{"id":"controls/SV-238369.rb","controls":["SV-238369"]},{"id":"controls/SV-238370.rb","controls":["SV-238370"]},{"id":"controls/SV-238371.rb","controls":["SV-238371"]},{"id":"controls/SV-238372.rb","controls":["SV-238372"]},{"id":"controls/SV-238373.rb","controls":["SV-238373"]},{"id":"controls/SV-238374.rb","controls":["SV-238374"]},{"id":"controls/SV-238376.rb","controls":["SV-238376"]},{"id":"controls/SV-238377.rb","controls":["SV-238377"]},{"id":"controls/SV-238378.rb","controls":["SV-238378"]},{"id":"controls/SV-238379.rb","controls":["SV-238379"]},{"id":"controls/SV-238380.rb","controls":["SV-238380"]},{"id":"controls/SV-251503.rb","controls":["SV-251503"]},{"id":"controls/SV-251504.rb","controls":["SV-251504"]},{"id":"controls/SV-251505.rb","controls":["SV-251505"]},{"id":"controls/SV-252704.rb","controls":["SV-252704"]}],"controls":[{"id":"SV-238196","title":"The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. ","desc":"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements.","descriptions":[{"label":"default","data":"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements."},{"label":"check","data":"Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding."},{"label":"fix","data":"If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\"system_account_name\" with the account to be created.\n\n$ sudo chage -E $(date -d \"+3 days\"\n+%F) system_account_name"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000002-GPOS-00002 ","gid":"V-238196 ","rid":"SV-238196r653763_rule ","stig_id":"UBTU-20-010000 ","fix_id":"F-41365r653762_fix ","cci":["CCI-000016"],"nist":["AC-2 (2)"]},"code":"control 'SV-238196' do\n title \"The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. \"\n desc \"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding. \"\n desc 'fix', \"If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\\\"system_account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\"\n+%F) system_account_name \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000002-GPOS-00002 '\n tag gid: 'V-238196 '\n tag rid: 'SV-238196r653763_rule '\n tag stig_id: 'UBTU-20-010000 '\n tag fix_id: 'F-41365r653762_fix '\n tag cci: ['CCI-000016']\n tag nist: ['AC-2 (2)']\n\n temporary_accounts = input('temporary_accounts')\n\n if temporary_accounts.empty?\n describe 'Temporary accounts' do\n subject { temporary_accounts }\n it { should be_empty }\n end\n else\n temporary_accounts.each do |acct|\n describe command(\"chage -l #{acct} | grep 'Account expires'\") do\n its('stdout.strip') { should_not match /:\\s*never/ }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238196.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Temporary accounts is expected to be empty","run_time":0.005834,"start_time":"2022-12-07T14:54:47-05:00","resource_class":"Object","resource_params":"[]","resource_id":"Temporary accounts"}]},{"id":"SV-238197","title":"The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. ","desc":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"","descriptions":[{"label":"default","data":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\""},{"label":"check","data":"Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \"false\", this is a finding."},{"label":"fix","data":"Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.\n\nLook for the\n\"banner-message-enable\" parameter under the \"[org/gnome/login-screen]\" section and\nuncomment it (remove the leading \"#\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000023-GPOS-00006 ","gid":"V-238197 ","rid":"SV-238197r653766_rule ","stig_id":"UBTU-20-010002 ","fix_id":"F-41366r653765_fix ","cci":["CCI-000048"],"nist":["AC-8 a"]},"code":"control 'SV-238197' do\n title \"The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \\\"false\\\", this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nLook for the\n\\\"banner-message-enable\\\" parameter under the \\\"[org/gnome/login-screen]\\\" section and\nuncomment it (remove the leading \\\"#\\\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238197 '\n tag rid: 'SV-238197r653766_rule '\n tag stig_id: 'UBTU-20-010002 '\n tag fix_id: 'F-41366r653765_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe 'banner-message-enable must be set to true' do\n subject { command('grep banner-message-enable /etc/dconf/db/local.d/*') }\n its('stdout') { should match /(banner-message-enable).+=.+(true)/ }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238197.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"1","run_time":1.3e-05,"start_time":"2022-12-07T14:54:47-05:00","resource":"1","skip_message":"GUI not installed.\nwhich Xorg exit_status: 1","resource_class":"Numeric","resource_params":"[]","resource_id":""}]},{"id":"SV-238198","title":"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local access to the system via a graphical user logon. ","desc":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"","descriptions":[{"label":"default","data":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\""},{"label":"check","data":"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the operating system via a graphical user logon.\n\nNote: If\nthe system does not have a graphical user interface installed, this requirement is Not\nApplicable.\n\nVerify the operating system displays the exact approved Standard Mandatory\nDoD Notice and Consent Banner text with the command:\n\n$ grep ^banner-message-text\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-text=\"You are accessing a U.S.\nGovernment \\(USG\\) Information System \\(IS\\) that is provided for USG-authorized use\nonly.\\s+By using this IS \\(which includes any device attached to this IS\\), you consent to the\nfollowing conditions:\\s+-The USG routinely intercepts and monitors communications on\nthis IS for purposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct \\(PM\\), law enforcement \\(LE\\), and\ncounterintelligence \\(CI\\) investigations.\\s+-At any time, the USG may inspect and seize\ndata stored on this IS.\\s+-Communications using, or data stored on, this IS are not private,\nare subject to routine monitoring, interception, and search, and may be disclosed or used for\nany USG-authorized purpose.\\s+-This IS includes security measures \\(e.g.,\nauthentication and access controls\\) to protect USG interests--not for your personal\nbenefit or privacy.\\s+-Notwithstanding the above, using this IS does not constitute\nconsent to PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nIf the\nbanner-message-text is missing, commented out, or does not match the Standard Mandatory DoD\nNotice and Consent Banner exactly, this is a finding."},{"label":"fix","data":"Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.\n\nSet the \"banner-message-text\" line\nto contain the appropriate banner message text as shown below:\n\nbanner-message-text='You\nare accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this\nIS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and\nmonitors communications on this IS for purposes including, but not limited to, penetration\ntesting, COMSEC monitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the\nUSG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored\non, this IS are not private, are subject to routine monitoring, interception, and search, and\nmay be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security\nmeasures (e.g., authentication and access controls) to protect USG interests--not for your\npersonal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not\nconstitute consent to PM, LE or CI investigative searching or monitoring of the content of\nprivileged communications, or work product, related to personal representation or\nservices by attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User Agreement for\ndetails.'\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf update\n$ sudo\nsystemctl restart gdm3"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000023-GPOS-00006 ","gid":"V-238198 ","rid":"SV-238198r653769_rule ","stig_id":"UBTU-20-010003 ","fix_id":"F-41367r653768_fix ","cci":["CCI-000048"],"nist":["AC-8 a"]},"code":"control 'SV-238198' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local access to the system via a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the operating system via a graphical user logon.\n\nNote: If\nthe system does not have a graphical user interface installed, this requirement is Not\nApplicable.\n\nVerify the operating system displays the exact approved Standard Mandatory\nDoD Notice and Consent Banner text with the command:\n\n$ grep ^banner-message-text\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-text=\\\"You are accessing a U.S.\nGovernment \\\\(USG\\\\) Information System \\\\(IS\\\\) that is provided for USG-authorized use\nonly.\\\\s+By using this IS \\\\(which includes any device attached to this IS\\\\), you consent to the\nfollowing conditions:\\\\s+-The USG routinely intercepts and monitors communications on\nthis IS for purposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct \\\\(PM\\\\), law enforcement \\\\(LE\\\\), and\ncounterintelligence \\\\(CI\\\\) investigations.\\\\s+-At any time, the USG may inspect and seize\ndata stored on this IS.\\\\s+-Communications using, or data stored on, this IS are not private,\nare subject to routine monitoring, interception, and search, and may be disclosed or used for\nany USG-authorized purpose.\\\\s+-This IS includes security measures \\\\(e.g.,\nauthentication and access controls\\\\) to protect USG interests--not for your personal\nbenefit or privacy.\\\\s+-Notwithstanding the above, using this IS does not constitute\nconsent to PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nIf the\nbanner-message-text is missing, commented out, or does not match the Standard Mandatory DoD\nNotice and Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nSet the \\\"banner-message-text\\\" line\nto contain the appropriate banner message text as shown below:\n\nbanner-message-text='You\nare accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\\\\n\\\\nBy using this IS (which includes any device attached to this\nIS), you consent to the following conditions:\\\\n\\\\n-The USG routinely intercepts and\nmonitors communications on this IS for purposes including, but not limited to, penetration\ntesting, COMSEC monitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations.\\\\n\\\\n-At any time, the\nUSG may inspect and seize data stored on this IS.\\\\n\\\\n-Communications using, or data stored\non, this IS are not private, are subject to routine monitoring, interception, and search, and\nmay be disclosed or used for any USG-authorized purpose.\\\\n\\\\n-This IS includes security\nmeasures (e.g., authentication and access controls) to protect USG interests--not for your\npersonal benefit or privacy.\\\\n\\\\n-Notwithstanding the above, using this IS does not\nconstitute consent to PM, LE or CI investigative searching or monitoring of the content of\nprivileged communications, or work product, related to personal representation or\nservices by attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User Agreement for\ndetails.'\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf update\n$ sudo\nsystemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238198 '\n tag rid: 'SV-238198r653769_rule '\n tag stig_id: 'UBTU-20-010003 '\n tag fix_id: 'F-41367r653768_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n\n banner_text = input('banner_text')\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n gdm3_defaults_file = input('gdm3_config_file')\n\n if package('gdm3').installed?\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n subject { file(gdm3_defaults_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n else\n impact 0.0\n describe 'Package gdm3 not installed' do\n skip 'Package gdm3 not installed, this control Not Applicable'\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238198.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Package gdm3 not installed","run_time":2.4e-05,"start_time":"2022-12-07T14:54:47-05:00","resource":"","skip_message":"Package gdm3 not installed, this control Not Applicable","resource_class":"Object","resource_params":"[]","resource_id":"Package gdm3 not installed"}]},{"id":"SV-238199","title":"The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. ","desc":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.","descriptions":[{"label":"default","data":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system."},{"label":"check","data":"Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \"lock-enabled\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \"lock-enabled\" is\nnot set to \"true\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \"lock-enabled\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000028-GPOS-00009 ","satisfies":["SRG-OS-000028-GPOS-00009","SRG-OS-000029-GPOS-00010"],"gid":"V-238199 ","rid":"SV-238199r653772_rule ","stig_id":"UBTU-20-010004 ","fix_id":"F-41368r653771_fix ","cci":["CCI-000056","CCI-000057"],"nist":["AC-11 b","AC-11 a"]},"code":"control 'SV-238199' do\n title \"The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.\n\n \"\n desc 'check', \"Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \\\"lock-enabled\\\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \\\"lock-enabled\\\" is\nnot set to \\\"true\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \\\"lock-enabled\\\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000028-GPOS-00009 '\n tag satisfies: %w(SRG-OS-000028-GPOS-00009 SRG-OS-000029-GPOS-00010)\n tag gid: 'V-238199 '\n tag rid: 'SV-238199r653772_rule '\n tag stig_id: 'UBTU-20-010004 '\n tag fix_id: 'F-41368r653771_fix '\n tag cci: %w(CCI-000056 CCI-000057)\n tag nist: ['AC-11 b', 'AC-11 a']\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe command('gsettings get org.gnome.desktop.screensaver lock-enabled') do\n its('stdout') { should cmp 'true' }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238199.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"1","run_time":4.0e-05,"start_time":"2022-12-07T14:54:47-05:00","resource":"1","skip_message":"GUI not installed.\nwhich Xorg exit_status: 1","resource_class":"Numeric","resource_params":"[]","resource_id":""}]},{"id":"SV-238200","title":"The Ubuntu operating system must allow users to directly initiate a session lock for all\nconnection types. ","desc":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.","descriptions":[{"label":"default","data":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity."},{"label":"check","data":"Verify the Ubuntu operating system has the \"vlock\" package installed by running the\nfollowing command:\n\n$ dpkg -l | grep vlock\n\nIf \"vlock\" is not installed, this is a finding."},{"label":"fix","data":"Install the \"vlock\" package (if it is not already installed) by running the following\ncommand:\n\n$ sudo apt-get install vlock"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000030-GPOS-00011 ","satisfies":["SRG-OS-000030-GPOS-00011","SRG-OS-000031-GPOS-00012"],"gid":"V-238200 ","rid":"SV-238200r653775_rule ","stig_id":"UBTU-20-010005 ","fix_id":"F-41369r653774_fix ","cci":["CCI-000058","CCI-000060"],"nist":["AC-11 a","AC-11 (1)"]},"code":"control 'SV-238200' do\n title \"The Ubuntu operating system must allow users to directly initiate a session lock for all\nconnection types. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"vlock\\\" package installed by running the\nfollowing command:\n\n$ dpkg -l | grep vlock\n\nIf \\\"vlock\\\" is not installed, this is a finding. \"\n desc 'fix', \"Install the \\\"vlock\\\" package (if it is not already installed) by running the following\ncommand:\n\n$ sudo apt-get install vlock \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000030-GPOS-00011 '\n tag satisfies: %w(SRG-OS-000030-GPOS-00011 SRG-OS-000031-GPOS-00012)\n tag gid: 'V-238200 '\n tag rid: 'SV-238200r653775_rule '\n tag stig_id: 'UBTU-20-010005 '\n tag fix_id: 'F-41369r653774_fix '\n tag cci: %w(CCI-000058 CCI-000060)\n tag nist: ['AC-11 a', 'AC-11 (1)']\n\n describe package('vlock') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238200.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package vlock is expected to be installed","run_time":0.104608,"start_time":"2022-12-07T14:54:47-05:00","message":"expected that `System Package vlock` is installed","resource_class":"package","resource_params":"[\"vlock\"]","resource_id":"vlock"}]},{"id":"SV-238201","title":"The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. ","desc":"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis.","descriptions":[{"label":"default","data":"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis."},{"label":"check","data":"Verify that \"use_mappers\" is set to \"pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\"use_mappers\" is not found or the list does not contain \"pwent\" this is a finding."},{"label":"fix","data":"Set \"use_mappers=pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \"/etc/pam_pkcs11/\" directory and an\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify\naccordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."}],"impact":0.0,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000068-GPOS-00036 ","gid":"V-238201 ","rid":"SV-238201r832933_rule ","stig_id":"UBTU-20-010006 ","fix_id":"F-41370r653777_fix ","cci":["CCI-000187"],"nist":["IA-5 (2) (a) (2)"]},"code":"control 'SV-238201' do\n title \"The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. \"\n desc \"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis. \"\n desc 'check', \"Verify that \\\"use_mappers\\\" is set to \\\"pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\\\"use_mappers\\\" is not found or the list does not contain \\\"pwent\\\" this is a finding. \"\n desc 'fix', \"Set \\\"use_mappers=pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000068-GPOS-00036 '\n tag gid: 'V-238201 '\n tag rid: 'SV-238201r832933_rule '\n tag stig_id: 'UBTU-20-010006 '\n tag fix_id: 'F-41370r653777_fix '\n tag cci: ['CCI-000187']\n tag nist: ['IA-5 (2) (a) (2)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = '/etc/pam_pkcs11/pam_pkcs11.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('use_mappers') { should cmp 'pwent' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238201.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.8e-05,"start_time":"2022-12-07T14:54:47-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238202","title":"The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day minimum password lifetime restriction. ","desc":"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse.","descriptions":[{"label":"default","data":"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse."},{"label":"check","data":"Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \"PASS_MIN_DAYS\" parameter value is less than\n\"1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MIN_DAYS 1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000075-GPOS-00043 ","gid":"V-238202 ","rid":"SV-238202r653781_rule ","stig_id":"UBTU-20-010007 ","fix_id":"F-41371r653780_fix ","cci":["CCI-000198"],"nist":["IA-5 (1) (d)"]},"code":"control 'SV-238202' do\n title \"The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day minimum password lifetime restriction. \"\n desc \"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \\\"PASS_MIN_DAYS\\\" parameter value is less than\n\\\"1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MIN_DAYS 1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000075-GPOS-00043 '\n tag gid: 'V-238202 '\n tag rid: 'SV-238202r653781_rule '\n tag stig_id: 'UBTU-20-010007 '\n tag fix_id: 'F-41371r653780_fix '\n tag cci: ['CCI-000198']\n tag nist: ['IA-5 (1) (d)']\n\n describe login_defs do\n its('PASS_MIN_DAYS') { should >= '1' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238202.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"login.defs PASS_MIN_DAYS is expected to >= \"1\"","run_time":0.012389,"start_time":"2022-12-07T14:54:47-05:00","resource_class":"login_defs","resource_params":"[]","resource_id":"/etc/login.defs"}]},{"id":"SV-238203","title":"The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction.\nPasswords for new users must have a 60-day maximum password lifetime restriction. ","desc":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised.","descriptions":[{"label":"default","data":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n$ grep -i ^pass_max_days /etc/login.defs\n\nPASS_MAX_DAYS 60\n\nIf the \"PASS_MAX_DAYS\" parameter value is less than \"60\" or is commented\nout, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.\n\nAdd\nor modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MAX_DAYS 60"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000076-GPOS-00044 ","gid":"V-238203 ","rid":"SV-238203r653784_rule ","stig_id":"UBTU-20-010008 ","fix_id":"F-41372r653783_fix ","cci":["CCI-000199"],"nist":["IA-5 (1) (d)"]},"code":"control 'SV-238203' do\n title \"The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction.\nPasswords for new users must have a 60-day maximum password lifetime restriction. \"\n desc \"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n$ grep -i ^pass_max_days /etc/login.defs\n\nPASS_MAX_DAYS 60\n\nIf the \\\"PASS_MAX_DAYS\\\" parameter value is less than \\\"60\\\" or is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.\n\nAdd\nor modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MAX_DAYS 60 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000076-GPOS-00044 '\n tag gid: 'V-238203 '\n tag rid: 'SV-238203r653784_rule '\n tag stig_id: 'UBTU-20-010008 '\n tag fix_id: 'F-41372r653783_fix '\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)']\n\n describe login_defs do\n its('PASS_MAX_DAYS') { should cmp <= 60 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238203.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"login.defs PASS_MAX_DAYS is expected to cmp <= 60","run_time":0.004365,"start_time":"2022-12-07T14:54:47-05:00","resource_class":"login_defs","resource_params":"[]","resource_id":"/etc/login.defs"}]},{"id":"SV-238204","title":"Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. ","desc":"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system.","descriptions":[{"label":"default","data":"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system."},{"label":"check","data":"Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \"password_pbkdf2\", this is a finding."},{"label":"fix","data":"Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \"/etc/grub.d/40_custom\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\"root\\\"\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \"grub.conf\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000080-GPOS-00048 ","gid":"V-238204 ","rid":"SV-238204r832936_rule ","stig_id":"UBTU-20-010009 ","fix_id":"F-41373r832935_fix ","cci":["CCI-000213"],"nist":["AC-3"]},"code":"control 'SV-238204' do\n title \"Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. \"\n desc \"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system. \"\n desc 'check', \"Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \\\"password_pbkdf2\\\", this is a finding. \"\n desc 'fix', \"Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \\\"/etc/grub.d/40_custom\\\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\\\\\"root\\\\\\\"\\\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \\\"grub.conf\\\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000080-GPOS-00048 '\n tag gid: 'V-238204 '\n tag rid: 'SV-238204r832936_rule '\n tag stig_id: 'UBTU-20-010009 '\n tag fix_id: 'F-41373r832935_fix '\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n describe grub_conf('/boot/grub/grub.cfg') do\n its('password') { should match '^password_pbkdf2' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238204.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Grub Config","run_time":4.1e-05,"start_time":"2022-12-07T14:54:47-05:00","resource":"Grub Config","skip_message":"Can't find file: /boot/grub/grub.cfg","resource_class":"grub_conf","resource_params":"[\"/boot/grub/grub.cfg\"]","resource_id":"/boot/grub/grub.cfg"}]},{"id":"SV-238205","title":"The Ubuntu operating system must uniquely identify interactive users. ","desc":"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.","descriptions":[{"label":"default","data":"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity."},{"label":"check","data":"Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive\nusers with the following command:\n\n$ awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf\noutput is produced and the accounts listed are interactive user accounts, this is a finding."},{"label":"fix","data":"Edit the file \"/etc/passwd\" and provide each interactive user account that has a duplicate\nUID with a unique UID."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000104-GPOS-00051 ","satisfies":["SRG-OS-000104-GPOS-00051","SRG-OS-000121-GPOS-00062"],"gid":"V-238205 ","rid":"SV-238205r653790_rule ","stig_id":"UBTU-20-010010 ","fix_id":"F-41374r653789_fix ","cci":["CCI-000764","CCI-000804"],"nist":["IA-2","IA-8"]},"code":"control 'SV-238205' do\n title 'The Ubuntu operating system must uniquely identify interactive users. '\n desc \"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive\nusers with the following command:\n\n$ awk -F \\\":\\\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf\noutput is produced and the accounts listed are interactive user accounts, this is a finding. \"\n desc 'fix', \"Edit the file \\\"/etc/passwd\\\" and provide each interactive user account that has a duplicate\nUID with a unique UID. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000104-GPOS-00051 '\n tag satisfies: %w(SRG-OS-000104-GPOS-00051 SRG-OS-000121-GPOS-00062)\n tag gid: 'V-238205 '\n tag rid: 'SV-238205r653790_rule '\n tag stig_id: 'UBTU-20-010010 '\n tag fix_id: 'F-41374r653789_fix '\n tag cci: %w(CCI-000764 CCI-000804)\n tag nist: %w(IA-2 IA-8)\n\n user_list = command(\"awk -F \\\":\\\" 'list[$3]++{print $1}' /etc/passwd\").stdout.split(\"\\n\")\n findings = Set[]\n\n user_list.each do |user_name|\n findings = findings << user_name\n end\n describe 'Duplicate User IDs (UIDs) must not exist for interactive users' do\n subject { findings.to_a }\n it { should be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238205.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Duplicate User IDs (UIDs) must not exist for interactive users is expected to be empty","run_time":0.018871,"start_time":"2022-12-07T14:54:48-05:00","resource_class":"Object","resource_params":"[]","resource_id":"Duplicate User IDs (UIDs) must not exist for interactive users"}]},{"id":"SV-238206","title":"The Ubuntu operating system must ensure only users who need access to security functions are\npart of sudo group. ","desc":"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities.","descriptions":[{"label":"default","data":"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities."},{"label":"check","data":"Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding."},{"label":"fix","data":"Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000134-GPOS-00068 ","gid":"V-238206 ","rid":"SV-238206r653793_rule ","stig_id":"UBTU-20-010012 ","fix_id":"F-41375r653792_fix ","cci":["CCI-001084"],"nist":["SC-3"]},"code":"control 'SV-238206' do\n title \"The Ubuntu operating system must ensure only users who need access to security functions are\npart of sudo group. \"\n desc \"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities. \"\n desc 'check', \"Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding. \"\n desc 'fix', \"Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000134-GPOS-00068 '\n tag gid: 'V-238206 '\n tag rid: 'SV-238206r653793_rule '\n tag stig_id: 'UBTU-20-010012 '\n tag fix_id: 'F-41375r653792_fix '\n tag cci: ['CCI-001084']\n tag nist: ['SC-3']\n\n sudo_accounts = input('sudo_accounts')\n\n if sudo_accounts.count > 0\n sudo_accounts.each do |account|\n describe group('sudo') do\n its('members') { should include account }\n end\n end\n else\n describe.one do\n describe group('sudo') do\n its('members') { should be_nil }\n end\n describe group('sudo') do\n its('members') { should be_empty }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238206.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Group sudo members is expected to include \"ubuntu\"","run_time":0.165249,"start_time":"2022-12-07T14:54:48-05:00","message":"expected \"\" to include \"ubuntu\"","resource_class":"group","resource_params":"[\"sudo\"]","resource_id":"sudo-27"}]},{"id":"SV-238207","title":"The Ubuntu operating system must automatically terminate a user session after inactivity\ntimeouts have expired. ","desc":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance.","descriptions":[{"label":"default","data":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance."},{"label":"check","data":"Verify the operating system automatically terminates a user session after inactivity\ntimeouts have expired.\n\nCheck that \"TMOUT\" environment variable is set in the\n\"/etc/bash.bashrc\" file or in any file inside the \"/etc/profile.d/\" directory by\nperforming the following command:\n\n$ grep -E \"\\bTMOUT=[0-9]+\" /etc/bash.bashrc\n/etc/profile.d/*\n\nTMOUT=600\n\nIf \"TMOUT\" is not set, or if the value is \"0\" or is commented\nout, this is a finding."},{"label":"fix","data":"Configure the operating system to automatically terminate a user session after inactivity\ntimeouts have expired or at shutdown.\n\nCreate the file\n\"/etc/profile.d/99-terminal_tmout.sh\" file if it does not exist.\n\nModify or append the\nfollowing line in the \"/etc/profile.d/99-terminal_tmout.sh \" file:\n\nTMOUT=600\n\nThis\nwill set a timeout value of 10 minutes for all future sessions.\n\nTo set the timeout for the\ncurrent sessions, execute the following command over the terminal session:\n\n$ export\nTMOUT=600"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000279-GPOS-00109 ","gid":"V-238207 ","rid":"SV-238207r853404_rule ","stig_id":"UBTU-20-010013 ","fix_id":"F-41376r653795_fix ","cci":["CCI-002361"],"nist":["AC-12"]},"code":"control 'SV-238207' do\n title \"The Ubuntu operating system must automatically terminate a user session after inactivity\ntimeouts have expired. \"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance. \"\n desc 'check', \"Verify the operating system automatically terminates a user session after inactivity\ntimeouts have expired.\n\nCheck that \\\"TMOUT\\\" environment variable is set in the\n\\\"/etc/bash.bashrc\\\" file or in any file inside the \\\"/etc/profile.d/\\\" directory by\nperforming the following command:\n\n$ grep -E \\\"\\\\bTMOUT=[0-9]+\\\" /etc/bash.bashrc\n/etc/profile.d/*\n\nTMOUT=600\n\nIf \\\"TMOUT\\\" is not set, or if the value is \\\"0\\\" or is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the operating system to automatically terminate a user session after inactivity\ntimeouts have expired or at shutdown.\n\nCreate the file\n\\\"/etc/profile.d/99-terminal_tmout.sh\\\" file if it does not exist.\n\nModify or append the\nfollowing line in the \\\"/etc/profile.d/99-terminal_tmout.sh \\\" file:\n\nTMOUT=600\n\nThis\nwill set a timeout value of 10 minutes for all future sessions.\n\nTo set the timeout for the\ncurrent sessions, execute the following command over the terminal session:\n\n$ export\nTMOUT=600 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000279-GPOS-00109 '\n tag gid: 'V-238207 '\n tag rid: 'SV-238207r853404_rule '\n tag stig_id: 'UBTU-20-010013 '\n tag fix_id: 'F-41376r653795_fix '\n tag cci: ['CCI-002361']\n tag nist: ['AC-12']\n\n profile_files = command('find /etc/profile.d/ /etc/bash.bashrc -type f').stdout.strip.split(\"\\n\").entries\n timeout = input('tmout').to_s\n\n describe.one do\n profile_files.each do |pf|\n describe file(pf.strip) do\n its('content') { should match \"^TMOUT=#{timeout}$\" }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238207.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /etc/profile.d/01-locale-fix.sh content is expected to match \"^TMOUT=600$\"","run_time":0.001279,"start_time":"2022-12-07T14:54:48-05:00","message":"expected \"# Make sure the locale variables are set to valid values.\\neval $(/usr/bin/locale-check C.UTF-8)\\n\" to match \"^TMOUT=600$\"\nDiff:\n@@ -1,2 +1,3 @@\n-^TMOUT=600$\n+# Make sure the locale variables are set to valid values.\n+eval $(/usr/bin/locale-check C.UTF-8)\n","exception":"RSpec::Core::MultipleExceptionError","resource_class":"file","resource_params":"[\"/etc/profile.d/01-locale-fix.sh\"]","resource_id":"/etc/profile.d/01-locale-fix.sh"},{"status":"failed","code_desc":"File /etc/bash.bashrc content is expected to match \"^TMOUT=600$\"","run_time":0.003601,"start_time":"2022-12-07T14:54:48-05:00","message":"expected \"# System-wide .bashrc file for interactive bash(1) shells.\\n\\n# To enable the settings / commands in...\\telse\\n\\t\\t printf \\\"%s: command not found\\\\n\\\" \\\"$1\\\" >&2\\n\\t\\t return 127\\n\\t\\tfi\\n\\t}\\nfi\\n\" to match \"^TMOUT=600$\"\nDiff:\n@@ -1,71 +1,141 @@\n-^TMOUT=600$\n+# System-wide .bashrc file for interactive bash(1) shells.\n+\n+# To enable the settings / commands in this file for login shells as well,\n+# this file has to be sourced in /etc/profile.\n+\n+# If not running interactively, don't do anything\n+[ -z \"$PS1\" ] && return\n+\n+# check the window size after each command and, if necessary,\n+# update the values of LINES and COLUMNS.\n+shopt -s checkwinsize\n+\n+# set variable identifying the chroot you work in (used in the prompt below)\n+if [ -z \"${debian_chroot:-}\" ] && [ -r /etc/debian_chroot ]; then\n+ debian_chroot=$(cat /etc/debian_chroot)\n+fi\n+\n+# set a fancy prompt (non-color, overwrite the one in /etc/profile)\n+# but only if not SUDOing and have SUDO_PS1 set; then assume smart user.\n+if ! [ -n \"${SUDO_USER}\" -a -n \"${SUDO_PS1}\" ]; then\n+ PS1='${debian_chroot:+($debian_chroot)}\\u@\\h:\\w\\$ '\n+fi\n+\n+# Commented out, don't overwrite xterm -T \"title\" -n \"icontitle\" by default.\n+# If this is an xterm set the title to user@host:dir\n+#case \"$TERM\" in\n+#xterm*|rxvt*)\n+# PROMPT_COMMAND='echo -ne \"\\033]0;${USER}@${HOSTNAME}: ${PWD}\\007\"'\n+# ;;\n+#*)\n+# ;;\n+#esac\n+\n+# enable bash completion in interactive shells\n+#if ! shopt -oq posix; then\n+# if [ -f /usr/share/bash-completion/bash_completion ]; then\n+# . /usr/share/bash-completion/bash_completion\n+# elif [ -f /etc/bash_completion ]; then\n+# . /etc/bash_completion\n+# fi\n+#fi\n+\n+# sudo hint\n+if [ ! -e \"$HOME/.sudo_as_admin_successful\" ] && [ ! -e \"$HOME/.hushlogin\" ] ; then\n+ case \" $(groups) \" in *\\ admin\\ *|*\\ sudo\\ *)\n+ if [ -x /usr/bin/sudo ]; then\n+\tcat <<-EOF\n+\tTo run a command as administrator (user \"root\"), use \"sudo \".\n+\tSee \"man sudo_root\" for details.\n+\t\n+\tEOF\n+ fi\n+ esac\n+fi\n+\n+# if the command-not-found package is installed, use it\n+if [ -x /usr/lib/command-not-found -o -x /usr/share/command-not-found/command-not-found ]; then\n+\tfunction command_not_found_handle {\n+\t # check because c-n-f could've been removed in the meantime\n+ if [ -x /usr/lib/command-not-found ]; then\n+\t\t /usr/lib/command-not-found -- \"$1\"\n+ return $?\n+ elif [ -x /usr/share/command-not-found/command-not-found ]; then\n+\t\t /usr/share/command-not-found/command-not-found -- \"$1\"\n+ return $?\n+\t\telse\n+\t\t printf \"%s: command not found\\n\" \"$1\" >&2\n+\t\t return 127\n+\t\tfi\n+\t}\n+fi\n","exception":"RSpec::Core::MultipleExceptionError","resource_class":"file","resource_params":"[\"/etc/bash.bashrc\"]","resource_id":"/etc/bash.bashrc"}]},{"id":"SV-238208","title":"The Ubuntu operating system must require users to reauthenticate for privilege escalation\nor when changing roles. ","desc":"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.","descriptions":[{"label":"default","data":"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate."},{"label":"check","data":"Verify the \"/etc/sudoers\" file has no occurrences of \"NOPASSWD\" or \"!authenticate\" by\nrunning the following command:\n\n$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers\n/etc/sudoers.d/*\n\nIf any occurrences of \"NOPASSWD\" or \"!authenticate\" return from the\ncommand, this is a finding."},{"label":"fix","data":"Remove any occurrence of \"NOPASSWD\" or \"!authenticate\" found in \"/etc/sudoers\" file or\nfiles in the \"/etc/sudoers.d\" directory."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000373-GPOS-00156 ","satisfies":["SRG-OS-000373-GPOS-00156","SRG-OS-000373-GPOS-00157"],"gid":"V-238208 ","rid":"SV-238208r853405_rule ","stig_id":"UBTU-20-010014 ","fix_id":"F-41377r653798_fix ","cci":["CCI-002038"],"nist":["IA-11"]},"code":"control 'SV-238208' do\n title \"The Ubuntu operating system must require users to reauthenticate for privilege escalation\nor when changing roles. \"\n desc \"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.\n\n \"\n desc 'check', \"Verify the \\\"/etc/sudoers\\\" file has no occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" by\nrunning the following command:\n\n$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers\n/etc/sudoers.d/*\n\nIf any occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" return from the\ncommand, this is a finding. \"\n desc 'fix', \"Remove any occurrence of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" found in \\\"/etc/sudoers\\\" file or\nfiles in the \\\"/etc/sudoers.d\\\" directory. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000373-GPOS-00156 '\n tag satisfies: %w(SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157)\n tag gid: 'V-238208 '\n tag rid: 'SV-238208r853405_rule '\n tag stig_id: 'UBTU-20-010014 '\n tag fix_id: 'F-41377r653798_fix '\n tag cci: ['CCI-002038']\n tag nist: ['IA-11']\n\n describe command(\"egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers\") do\n its('stdout.strip') { should be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238208.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Command: `egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers` stdout.strip is expected to be empty","run_time":0.104292,"start_time":"2022-12-07T14:54:48-05:00","resource_class":"command","resource_params":"[\"egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers\"]","resource_id":"Command: `egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers`"}]},{"id":"SV-238209","title":"The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. ","desc":"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access.","descriptions":[{"label":"default","data":"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access."},{"label":"check","data":"Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \"umask\" /etc/login.defs\n\nUMASK 077\n\nIf the \"UMASK\"\nvariable is set to \"000\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\"UMASK\" is not set to \"077\", is commented out, or is missing completely, this is a finding."},{"label":"fix","data":"Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \"UMASK\" parameter in the\n\"/etc/login.defs\" file to match the example below:\n\nUMASK 077"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00228 ","gid":"V-238209 ","rid":"SV-238209r653802_rule ","stig_id":"UBTU-20-010016 ","fix_id":"F-41378r653801_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238209' do\n title \"The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. \"\n desc \"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access. \"\n desc 'check', \"Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \\\"umask\\\" /etc/login.defs\n\nUMASK 077\n\nIf the \\\"UMASK\\\"\nvariable is set to \\\"000\\\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\\\"UMASK\\\" is not set to \\\"077\\\", is commented out, or is missing completely, this is a finding. \"\n desc 'fix', \"Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \\\"UMASK\\\" parameter in the\n\\\"/etc/login.defs\\\" file to match the example below:\n\nUMASK 077 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00228 '\n tag gid: 'V-238209 '\n tag rid: 'SV-238209r653802_rule '\n tag stig_id: 'UBTU-20-010016 '\n tag fix_id: 'F-41378r653801_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe login_defs do\n its('UMASK') { should eq '077' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238209.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"login.defs UMASK is expected to eq \"077\"","run_time":0.004705,"start_time":"2022-12-07T14:54:48-05:00","resource_class":"login_defs","resource_params":"[]","resource_id":"/etc/login.defs"}]},{"id":"SV-238210","title":"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. ","desc":"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.","descriptions":[{"label":"default","data":"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication."},{"label":"check","data":"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\"libpam-pkcs11\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \"no\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \"pam_pkcs11.so\" in \"/etc/pam.d/common-auth\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\"PubkeyAuthentication yes\" in the \"/etc/ssh/sshd_config\" file."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000105-GPOS-00052 ","satisfies":["SRG-OS-000105-GPOS-00052","SRG-OS-000106-GPOS-00053","SRG-OS-000107-GPOS-00054","SRG-OS-000108-GPOS-00055"],"gid":"V-238210 ","rid":"SV-238210r858517_rule ","stig_id":"UBTU-20-010033 ","fix_id":"F-41379r653804_fix ","cci":["CCI-000765","CCI-000766","CCI-000767","CCI-000768"],"nist":["IA-2 (1)","IA-2 (2)","IA-2 (3)","IA-2 (4)"]},"code":"control 'SV-238210' do\n title \"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. \"\n desc \"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \\\"no\\\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \\\"pam_pkcs11.so\\\" in \\\"/etc/pam.d/common-auth\\\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\\\"PubkeyAuthentication yes\\\" in the \\\"/etc/ssh/sshd_config\\\" file. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000105-GPOS-00052 '\n tag satisfies: %w(SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055)\n tag gid: 'V-238210 '\n tag rid: 'SV-238210r858517_rule '\n tag stig_id: 'UBTU-20-010033 '\n tag fix_id: 'F-41379r653804_fix '\n tag cci: %w(CCI-000765 CCI-000766 CCI-000767 CCI-000768)\n tag nist: ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n\n describe sshd_config do\n its('PubkeyAuthentication') { should cmp 'yes' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238210.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":6.5e-05,"start_time":"2022-12-07T14:54:48-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238211","title":"The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. ","desc":"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric.","descriptions":[{"label":"default","data":"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric."},{"label":"check","data":"Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \"UsePAM\"\nis set to \"yes\" in \"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \"UsePAM\" is not set to \"yes\", this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000125-GPOS-00065 ","gid":"V-238211 ","rid":"SV-238211r858519_rule ","stig_id":"UBTU-20-010035 ","fix_id":"F-41380r653807_fix ","cci":["CCI-000877"],"nist":["MA-4 c"]},"code":"control 'SV-238211' do\n title \"The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. \"\n desc \"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \\\"UsePAM\\\"\nis set to \\\"yes\\\" in \\\"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \\\"UsePAM\\\" is not set to \\\"yes\\\", this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000125-GPOS-00065 '\n tag gid: 'V-238211 '\n tag rid: 'SV-238211r858519_rule '\n tag stig_id: 'UBTU-20-010035 '\n tag fix_id: 'F-41380r653807_fix '\n tag cci: ['CCI-000877']\n tag nist: ['MA-4 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe sshd_config do\n its('UsePAM') { should cmp 'yes' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238211.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.4e-05,"start_time":"2022-12-07T14:54:49-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238212","title":"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic after a period of inactivity. ","desc":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance.","descriptions":[{"label":"default","data":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance."},{"label":"check","data":"Verify that all network connections associated with SSH traffic automatically terminate\nafter a period of inactivity.\n\nVerify the \"ClientAliveCountMax\" variable is set in the\n\"/etc/ssh/sshd_config\" file by performing the following command:\n\n$ sudo grep -ir\nclientalivecountmax /etc/ssh/sshd_config*\n\nClientAliveCountMax 1\n\nIf\n\"ClientAliveCountMax\" is not set, is not set to \"1\", or is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to automatically terminate inactive SSH sessions\nafter a period of inactivity.\n\nModify or append the following line in the\n\"/etc/ssh/sshd_config\" file, replacing \"[Count]\" with a value of 1:\n\n\nClientAliveCountMax 1\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000126-GPOS-00066 ","gid":"V-238212 ","rid":"SV-238212r858521_rule ","stig_id":"UBTU-20-010036 ","fix_id":"F-41381r653810_fix ","cci":["CCI-000879"],"nist":["MA-4 e"]},"code":"control 'SV-238212' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic after a period of inactivity. \"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance. \"\n desc 'check', \"Verify that all network connections associated with SSH traffic automatically terminate\nafter a period of inactivity.\n\nVerify the \\\"ClientAliveCountMax\\\" variable is set in the\n\\\"/etc/ssh/sshd_config\\\" file by performing the following command:\n\n$ sudo grep -ir\nclientalivecountmax /etc/ssh/sshd_config*\n\nClientAliveCountMax 1\n\nIf\n\\\"ClientAliveCountMax\\\" is not set, is not set to \\\"1\\\", or is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate inactive SSH sessions\nafter a period of inactivity.\n\nModify or append the following line in the\n\\\"/etc/ssh/sshd_config\\\" file, replacing \\\"[Count]\\\" with a value of 1:\n\n\nClientAliveCountMax 1\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000126-GPOS-00066 '\n tag gid: 'V-238212 '\n tag rid: 'SV-238212r858521_rule '\n tag stig_id: 'UBTU-20-010036 '\n tag fix_id: 'F-41381r653810_fix '\n tag cci: ['CCI-000879']\n tag nist: ['MA-4 e']\n\n describe sshd_config do\n its('ClientAliveCountMax') { should cmp 1 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238212.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":3.9e-05,"start_time":"2022-12-07T14:54:49-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238213","title":"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic at the end of the session or after 10 minutes of inactivity. ","desc":"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session.","descriptions":[{"label":"default","data":"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session."},{"label":"check","data":"Verify that all network connections associated with SSH traffic are automatically\nterminated at the end of the session or after 10 minutes of inactivity.\n\nVerify the\n\"ClientAliveInterval\" variable is set to a value of \"600\" or less by performing the following\ncommand:\n\n$ sudo grep -ir clientalive /etc/ssh/sshd_config*\n\nClientAliveInterval\n600\n\nIf \"ClientAliveInterval\" does not exist, is not set to a value of \"600\" or less in\n\"/etc/ssh/sshd_config\", or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to automatically terminate all network connections\nassociated with SSH traffic at the end of a session or after a 10-minute period of inactivity.\n\n\nModify or append the following line in the \"/etc/ssh/sshd_config\" file replacing\n\"[Interval]\" with a value of \"600\" or less:\n\nClientAliveInterval 600\n\nRestart the SSH\ndaemon for the changes to take effect:\n\n$ sudo systemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000163-GPOS-00072 ","gid":"V-238213 ","rid":"SV-238213r858523_rule ","stig_id":"UBTU-20-010037 ","fix_id":"F-41382r653813_fix ","cci":["CCI-001133"],"nist":["SC-10"]},"code":"control 'SV-238213' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic at the end of the session or after 10 minutes of inactivity. \"\n desc \"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session. \"\n desc 'check', \"Verify that all network connections associated with SSH traffic are automatically\nterminated at the end of the session or after 10 minutes of inactivity.\n\nVerify the\n\\\"ClientAliveInterval\\\" variable is set to a value of \\\"600\\\" or less by performing the following\ncommand:\n\n$ sudo grep -ir clientalive /etc/ssh/sshd_config*\n\nClientAliveInterval\n600\n\nIf \\\"ClientAliveInterval\\\" does not exist, is not set to a value of \\\"600\\\" or less in\n\\\"/etc/ssh/sshd_config\\\", or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate all network connections\nassociated with SSH traffic at the end of a session or after a 10-minute period of inactivity.\n\n\nModify or append the following line in the \\\"/etc/ssh/sshd_config\\\" file replacing\n\\\"[Interval]\\\" with a value of \\\"600\\\" or less:\n\nClientAliveInterval 600\n\nRestart the SSH\ndaemon for the changes to take effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000163-GPOS-00072 '\n tag gid: 'V-238213 '\n tag rid: 'SV-238213r858523_rule '\n tag stig_id: 'UBTU-20-010037 '\n tag fix_id: 'F-41382r653813_fix '\n tag cci: ['CCI-001133']\n tag nist: ['SC-10']\n\n describe sshd_config do\n its('ClientAliveInterval') { should cmp 600 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238213.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":2.2e-05,"start_time":"2022-12-07T14:54:49-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238214","title":"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. ","desc":"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"","descriptions":[{"label":"default","data":"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\""},{"label":"check","data":"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding."},{"label":"fix","data":"Set the parameter Banner in \"/etc/ssh/sshd_config\" to point to the \"/etc/issue.net\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000228-GPOS-00088 ","satisfies":["SRG-OS-000228-GPOS-00088","SRG-OS-000023-GPOS-00006"],"gid":"V-238214 ","rid":"SV-238214r858525_rule ","stig_id":"UBTU-20-010038 ","fix_id":"F-41383r653816_fix ","cci":["CCI-000048","CCI-001384","CCI-001385","CCI-001386","CCI-001387","CCI-001388"],"nist":["AC-8 a","AC-8 c 1","AC-8 c 2","AC-8 c 3"]},"code":"control 'SV-238214' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. \"\n desc \"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\"\n\n \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\\\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Set the parameter Banner in \\\"/etc/ssh/sshd_config\\\" to point to the \\\"/etc/issue.net\\\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000228-GPOS-00088 '\n tag satisfies: %w(SRG-OS-000228-GPOS-00088 SRG-OS-000023-GPOS-00006)\n tag gid: 'V-238214 '\n tag rid: 'SV-238214r858525_rule '\n tag stig_id: 'UBTU-20-010038 '\n tag fix_id: 'F-41383r653816_fix '\n tag cci: %w(CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388)\n tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3']\n\n banner_text = input('banner_text')\n banner_files = [sshd_config.banner].flatten\n\n banner_files.each do |banner_file|\n if banner_file.nil?\n describe 'The SSHD Banner is not set' do\n subject { banner_file.nil? }\n it { should be false }\n end\n end\n if !banner_file.nil? && !banner_file.match(/none/i).nil?\n describe 'The SSHD Banner is disabled' do\n subject { banner_file.match(/none/i).nil? }\n it { should be true }\n end\n end\n if !banner_file.nil? && banner_file.match(/none/i).nil? && !file(banner_file).exist?\n describe 'The SSHD Banner is set, but, the file does not exist' do\n subject { file(banner_file).exist? }\n it { should be true }\n end\n end\n next unless !banner_file.nil? && banner_file.match(/none/i).nil? && file(banner_file).exist?\n\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n subject { file(banner_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238214.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238214.rb:1 ","run_time":0.000737,"start_time":"2022-12-07T14:54:49-05:00","message":"Can't find file: /etc/ssh/sshd_config","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238214.rb:1"}]},{"id":"SV-238215","title":"The Ubuntu operating system must use SSH to protect the confidentiality and integrity of\ntransmitted information. ","desc":"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.","descriptions":[{"label":"default","data":"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa."},{"label":"check","data":"Verify the SSH package is installed with the following command:\n\n$ sudo dpkg -l | grep openssh\n\nii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access\nto remote machines\nii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server,\nfor secure access from remote machines\nii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64\nsecure shell (SSH) sftp server module, for SFTP access from remote machines\n\nIf the\n\"openssh\" server package is not installed, this is a finding.\n\nVerify the \"sshd.service\" is\nloaded and active with the following command:\n\n$ sudo systemctl status sshd.service | egrep\n-i \"(active|loaded)\"\n Loaded: loaded (/lib/systemd/system/ssh.service; enabled;\nvendor preset: enabled)\n Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1\nweeks 3 days ago\n\nIf \"sshd.service\" is not active or loaded, this is a finding."},{"label":"fix","data":"Install the \"ssh\" meta-package on the system with the following command:\n\n$ sudo apt install\nssh\n\nEnable the \"ssh\" service to start automatically on reboot with the following command:\n\n\n$ sudo systemctl enable sshd.service\n\nensure the \"ssh\" service is running\n\n$ sudo\nsystemctl start sshd.service"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000423-GPOS-00187 ","satisfies":["SRG-OS-000423-GPOS-00187","SRG-OS-000425-GPOS-00189","SRG-OS-000426-GPOS-00190"],"gid":"V-238215 ","rid":"SV-238215r853406_rule ","stig_id":"UBTU-20-010042 ","fix_id":"F-41384r653819_fix ","cci":["CCI-002418","CCI-002420","CCI-002422"],"nist":["SC-8","SC-8 (2)"]},"code":"control 'SV-238215' do\n title \"The Ubuntu operating system must use SSH to protect the confidentiality and integrity of\ntransmitted information. \"\n desc \"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.\n\n \"\n desc 'check', \"Verify the SSH package is installed with the following command:\n\n$ sudo dpkg -l | grep openssh\n\nii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access\nto remote machines\nii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server,\nfor secure access from remote machines\nii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64\nsecure shell (SSH) sftp server module, for SFTP access from remote machines\n\nIf the\n\\\"openssh\\\" server package is not installed, this is a finding.\n\nVerify the \\\"sshd.service\\\" is\nloaded and active with the following command:\n\n$ sudo systemctl status sshd.service | egrep\n-i \\\"(active|loaded)\\\"\n Loaded: loaded (/lib/systemd/system/ssh.service; enabled;\nvendor preset: enabled)\n Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1\nweeks 3 days ago\n\nIf \\\"sshd.service\\\" is not active or loaded, this is a finding. \"\n desc 'fix', \"Install the \\\"ssh\\\" meta-package on the system with the following command:\n\n$ sudo apt install\nssh\n\nEnable the \\\"ssh\\\" service to start automatically on reboot with the following command:\n\n\n$ sudo systemctl enable sshd.service\n\nensure the \\\"ssh\\\" service is running\n\n$ sudo\nsystemctl start sshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000423-GPOS-00187 '\n tag satisfies: %w(SRG-OS-000423-GPOS-00187 SRG-OS-000425-GPOS-00189 SRG-OS-000426-GPOS-00190)\n tag gid: 'V-238215 '\n tag rid: 'SV-238215r853406_rule '\n tag stig_id: 'UBTU-20-010042 '\n tag fix_id: 'F-41384r653819_fix '\n tag cci: %w(CCI-002418 CCI-002420 CCI-002422)\n tag nist: ['SC-8', 'SC-8 (2)']\n\n describe package('openssh-client') do\n it { should be_installed }\n end\n\n describe package('openssh-server') do\n it { should be_installed }\n end\n\n describe package('openssh-sftp-server') do\n it { should be_installed }\n end\n\n describe service('sshd') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238215.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package openssh-client is expected to be installed","run_time":0.063386,"start_time":"2022-12-07T14:54:49-05:00","message":"expected that `System Package openssh-client` is installed","resource_class":"package","resource_params":"[\"openssh-client\"]","resource_id":"openssh-client"},{"status":"failed","code_desc":"System Package openssh-server is expected to be installed","run_time":0.046596,"start_time":"2022-12-07T14:54:49-05:00","message":"expected that `System Package openssh-server` is installed","resource_class":"package","resource_params":"[\"openssh-server\"]","resource_id":"openssh-server"},{"status":"failed","code_desc":"System Package openssh-sftp-server is expected to be installed","run_time":0.048454,"start_time":"2022-12-07T14:54:49-05:00","message":"expected that `System Package openssh-sftp-server` is installed","resource_class":"package","resource_params":"[\"openssh-sftp-server\"]","resource_id":"openssh-sftp-server"},{"status":"failed","code_desc":"Service sshd is expected to be enabled","run_time":0.038749,"start_time":"2022-12-07T14:54:49-05:00","message":"expected that `Service sshd` is enabled","resource_class":"service","resource_params":"[\"sshd\"]","resource_id":"sshd"},{"status":"failed","code_desc":"Service sshd is expected to be installed","run_time":0.000626,"start_time":"2022-12-07T14:54:49-05:00","message":"expected that `Service sshd` is installed","resource_class":"service","resource_params":"[\"sshd\"]","resource_id":"sshd"},{"status":"failed","code_desc":"Service sshd is expected to be running","run_time":0.000642,"start_time":"2022-12-07T14:54:49-05:00","message":"expected that `Service sshd` is running","resource_class":"service","resource_params":"[\"sshd\"]","resource_id":"sshd"}]},{"id":"SV-238216","title":"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. ","desc":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.","descriptions":[{"label":"default","data":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes."},{"label":"check","data":"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \"hmac-sha2-512\" or\n\"hmac-sha2-256\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000424-GPOS-00188 ","satisfies":["SRG-OS-000424-GPOS-00188","SRG-OS-000250-GPOS-00093","SRG-OS-000393-GPOS-00173"],"gid":"V-238216 ","rid":"SV-238216r860820_rule ","stig_id":"UBTU-20-010043 ","fix_id":"F-41385r653822_fix ","cci":["CCI-001453","CCI-002421","CCI-002890"],"nist":["AC-17 (2)","SC-8 (1)","MA-4 (6)"]},"code":"control 'SV-238216' do\n title \"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \\\"hmac-sha2-512\\\" or\n\\\"hmac-sha2-256\\\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173)\n tag gid: 'V-238216 '\n tag rid: 'SV-238216r860820_rule '\n tag stig_id: 'UBTU-20-010043 '\n tag fix_id: 'F-41385r653822_fix '\n tag cci: %w(CCI-001453 CCI-002421 CCI-002890)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n disable_fips = input('disable_fips')\n\n if disable_fips?\n impact 0.0\n describe \"Control not applicable\" do\n skip \"Control not applicable\"\n end\n elsif virtualization.system.eql?('docker')\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\n else\n @macs_array = inspec.sshd_config.params['macs']\n\n @macs_array = @macs_array.first.split(',') unless @macs_array.nil?\n\n describe @macs_array do\n it { should be_in %w(hmac-sha2-256 hmac-sha2-512) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238216.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238216.rb:1 ","run_time":0.013508,"start_time":"2022-12-07T14:54:49-05:00","message":"undefined method `disable_fips?' for #\"Without cryptographic integrity protections, information can be altered by unauthorized\\nusers without detection.\\n\\nRemote access (e.g., RDP) is access to DoD nonpublic information\\nsystems by an authorized user (or an information system) communicating through an external,\\nnon-organization-controlled network. Remote access methods include, for example,\\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\\nthose activities conducted by individuals communicating through a network, either an\\nexternal network (e.g., the internet) or an internal network.\\n\\nLocal maintenance and\\ndiagnostic activities are those activities carried out by individuals physically present\\nat the information system or information system component and not communicating across a\\nnetwork connection.\\n\\nEncrypting information for transmission protects information from\\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\\nprotect information integrity include, for example, cryptographic hash functions which\\nhave common application in digital signatures, checksums, and message authentication\\ncodes.\", :check=>\"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\\nwith the following command:\\n\\n$ grep -ir macs /etc/ssh/sshd_config*\\n\\nMACs\\nhmac-sha2-512,hmac-sha2-256\\n\\nIf any ciphers other than \\\"hmac-sha2-512\\\" or\\n\\\"hmac-sha2-256\\\" are listed, the order differs from the example above, or the returned line is\\ncommented out, this is a finding.\\nIf conflicting results are returned, this is a finding.\", :fix=>\"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\\n140-2 approved ciphers.\\n\\nAdd the following line (or modify the line to have the required\\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\\ndifferent location if using a version of SSH that is provided by a third-party vendor):\\n\\nMACs\\nhmac-sha2-512,hmac-sha2-256\\n\\nRestart the SSH daemon for the changes to take effect:\\n\\n$\\nsudo systemctl reload sshd.service\"}, @refs=[], @tags={:severity=>\"medium \", :gtitle=>\"SRG-OS-000424-GPOS-00188 \", :satisfies=>[\"SRG-OS-000424-GPOS-00188\", \"SRG-OS-000250-GPOS-00093\", \"SRG-OS-000393-GPOS-00173\"], :gid=>\"V-238216 \", :rid=>\"SV-238216r860820_rule \", :stig_id=>\"UBTU-20-010043 \", :fix_id=>\"F-41385r653822_fix \", :cci=>[\"CCI-001453\", \"CCI-002421\", \"CCI-002890\"], :nist=>[\"AC-17 (2)\", \"SC-8 (1)\", \"MA-4 (6)\"]}, @resource_dsl=#, @__code=nil, @__block=#, @__source_location={:ref=>\"./controls/SV-238216.rb\", :line=>1}, @__rule_id=\"SV-238216\", @__profile_id=\"Canonical_Ubuntu_20-04_LTS_STIG\", @__checks=[[\"describe\", [\"Control Source Code Error\"], #]], @__skip_rule={}, @__merge_count=0, @__merge_changes=[], @__skip_only_if_eval=false, @__file=\"./controls/SV-238216.rb\", @__group_title=nil>","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238216.rb:1"}]},{"id":"SV-238217","title":"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. ","desc":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \"strongest to\nweakest\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.","descriptions":[{"label":"default","data":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \"strongest to\nweakest\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections."},{"label":"check","data":"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \"aes256-ctr\",\n\"aes192-ctr\", or \"aes128-ctr\" are listed, the order differs from the example above, the\n\"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000424-GPOS-00188 ","satisfies":["SRG-OS-000424-GPOS-00188","SRG-OS-000033-GPOS-00014","SRG-OS-000394-GPOS-00174"],"gid":"V-238217 ","rid":"SV-238217r860821_rule ","stig_id":"UBTU-20-010044 ","fix_id":"F-41386r653825_fix ","cci":["CCI-000068","CCI-002421","CCI-003123"],"nist":["AC-17 (2)","SC-8 (1)","MA-4 (6)"]},"code":"control 'SV-238217' do\n title \"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \\\"strongest to\nweakest\\\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \\\"aes256-ctr\\\",\n\\\"aes192-ctr\\\", or \\\"aes128-ctr\\\" are listed, the order differs from the example above, the\n\\\"Ciphers\\\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000033-GPOS-00014 SRG-OS-000394-GPOS-00174)\n tag gid: 'V-238217 '\n tag rid: 'SV-238217r860821_rule '\n tag stig_id: 'UBTU-20-010044 '\n tag fix_id: 'F-41386r653825_fix '\n tag cci: %w(CCI-000068 CCI-002421 CCI-003123)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n disable_fips = input('disable_fips')\n\n if disable_fips?\n impact 0.0\n describe 'Control not applicable' do\n skip 'Control not applicable'\n end\n elsif virtualization.system.eql?('docker')\n describe 'Manual test' do\n skip 'This control must be reviewed manually'\n end\n else\n @ciphers_array = inspec.sshd_config.params['ciphers']\n\n @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil?\n\n describe @ciphers_array do\n it { should be_in %w( aes256-ctr aes192-ctr aes128-ctr ) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238217.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238217.rb:1 ","run_time":0.008953,"start_time":"2022-12-07T14:54:49-05:00","message":"undefined method `disable_fips?' for #\"Without cryptographic integrity protections, information can be altered by unauthorized\\nusers without detection.\\n\\nRemote access (e.g., RDP) is access to DoD nonpublic information\\nsystems by an authorized user (or an information system) communicating through an external,\\nnon-organization-controlled network. Remote access methods include, for example,\\ndial-up, broadband, and wireless.\\n\\nNonlocal maintenance and diagnostic activities are\\nthose activities conducted by individuals communicating through a network, either an\\nexternal network (e.g., the internet) or an internal network.\\n\\nLocal maintenance and\\ndiagnostic activities are those activities carried out by individuals physically present\\nat the information system or information system component and not communicating across a\\nnetwork connection.\\n\\nEncrypting information for transmission protects information from\\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\\nprotect information integrity include, for example, cryptographic hash functions which\\nhave common application in digital signatures, checksums, and message authentication\\ncodes.\\n\\nBy specifying a cipher list with the order of ciphers being in a \\\"strongest to\\nweakest\\\" orientation, the system will automatically attempt to use the strongest cipher for\\nsecuring SSH connections.\", :check=>\"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\\nthe following command:\\n\\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\\n\\nCiphers\\naes256-ctr,aes192-ctr,aes128-ctr\\n\\nIf any ciphers other than \\\"aes256-ctr\\\",\\n\\\"aes192-ctr\\\", or \\\"aes128-ctr\\\" are listed, the order differs from the example above, the\\n\\\"Ciphers\\\" keyword is missing, or the returned line is commented out, this is a finding.\\nIf\\nconflicting results are returned, this is a finding.\", :fix=>\"Configure the Ubuntu operating system to allow the SSH daemon to only implement\\nFIPS-approved algorithms.\\n\\nAdd the following line (or modify the line to have the required\\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\\ndifferent location if using a version of SSH that is provided by a third-party vendor):\\n\\n\\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\\n\\nRestart the SSH daemon for the changes to\\ntake effect:\\n\\n$ sudo systemctl restart sshd.service\"}, @refs=[], @tags={:severity=>\"medium \", :gtitle=>\"SRG-OS-000424-GPOS-00188 \", :satisfies=>[\"SRG-OS-000424-GPOS-00188\", \"SRG-OS-000033-GPOS-00014\", \"SRG-OS-000394-GPOS-00174\"], :gid=>\"V-238217 \", :rid=>\"SV-238217r860821_rule \", :stig_id=>\"UBTU-20-010044 \", :fix_id=>\"F-41386r653825_fix \", :cci=>[\"CCI-000068\", \"CCI-002421\", \"CCI-003123\"], :nist=>[\"AC-17 (2)\", \"SC-8 (1)\", \"MA-4 (6)\"]}, @resource_dsl=#, @__code=nil, @__block=#, @__source_location={:ref=>\"./controls/SV-238217.rb\", :line=>1}, @__rule_id=\"SV-238217\", @__profile_id=\"Canonical_Ubuntu_20-04_LTS_STIG\", @__checks=[[\"describe\", [\"Control Source Code Error\"], #]], @__skip_rule={}, @__merge_count=0, @__merge_changes=[], @__skip_only_if_eval=false, @__file=\"./controls/SV-238217.rb\", @__group_title=nil>","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238217.rb:1"}]},{"id":"SV-238218","title":"The Ubuntu operating system must not allow unattended or automatic login via SSH. ","desc":"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security.","descriptions":[{"label":"default","data":"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security."},{"label":"check","data":"Verify that unattended or automatic login via SSH is disabled with the following command:\n\n$\negrep -r '(Permit(.*?)(Passwords|Environment))'\n/etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf\n\"PermitEmptyPasswords\" or \"PermitUserEnvironment\" keywords are not set to \"no\", are\nmissing completely, or are commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or\nautomatic login to the system.\n\nAdd or edit the following lines in the\n\"/etc/ssh/sshd_config\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00229 ","gid":"V-238218 ","rid":"SV-238218r858531_rule ","stig_id":"UBTU-20-010047 ","fix_id":"F-41387r653828_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238218' do\n title 'The Ubuntu operating system must not allow unattended or automatic login via SSH. '\n desc \"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security. \"\n desc 'check', \"Verify that unattended or automatic login via SSH is disabled with the following command:\n\n$\negrep -r '(Permit(.*?)(Passwords|Environment))'\n/etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf\n\\\"PermitEmptyPasswords\\\" or \\\"PermitUserEnvironment\\\" keywords are not set to \\\"no\\\", are\nmissing completely, or are commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or\nautomatic login to the system.\n\nAdd or edit the following lines in the\n\\\"/etc/ssh/sshd_config\\\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00229 '\n tag gid: 'V-238218 '\n tag rid: 'SV-238218r858531_rule '\n tag stig_id: 'UBTU-20-010047 '\n tag fix_id: 'F-41387r653828_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('PermitEmptyPasswords') { should cmp 'no' }\n its('PermitUserEnvironment') { should cmp 'no' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238218.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":5.2e-05,"start_time":"2022-12-07T14:54:49-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238219","title":"The Ubuntu operating system must be configured so that remote X connections are disabled,\nunless to fulfill documented and validated mission requirements. ","desc":"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs.","descriptions":[{"label":"default","data":"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs."},{"label":"check","data":"Verify that X11Forwarding is disabled with the following command:\n\n$ grep -ir\nx11forwarding /etc/ssh/sshd_config* | grep -v \"^#\"\n\nX11Forwarding no\n\nIf the\n\"X11Forwarding\" keyword is set to \"yes\" and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement or is missing, this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\"\nkeyword and set its value to \"no\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding\nno\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238219 ","rid":"SV-238219r858533_rule ","stig_id":"UBTU-20-010048 ","fix_id":"F-41388r653831_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238219' do\n title \"The Ubuntu operating system must be configured so that remote X connections are disabled,\nunless to fulfill documented and validated mission requirements. \"\n desc \"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs. \"\n desc 'check', \"Verify that X11Forwarding is disabled with the following command:\n\n$ grep -ir\nx11forwarding /etc/ssh/sshd_config* | grep -v \\\"^#\\\"\n\nX11Forwarding no\n\nIf the\n\\\"X11Forwarding\\\" keyword is set to \\\"yes\\\" and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement or is missing, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11Forwarding\\\"\nkeyword and set its value to \\\"no\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding\nno\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238219 '\n tag rid: 'SV-238219r858533_rule '\n tag stig_id: 'UBTU-20-010048 '\n tag fix_id: 'F-41388r653831_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('X11Forwarding') { should cmp 'no' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238219.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":1.9e-05,"start_time":"2022-12-07T14:54:50-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238220","title":"The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy\ndisplay. ","desc":"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display.","descriptions":[{"label":"default","data":"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display."},{"label":"check","data":"Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the\nSSH X11UseLocalhost setting with the following command:\n\n$ sudo grep -ir x11uselocalhost\n/etc/ssh/sshd_config*\nX11UseLocalhost yes\n\nIf the \"X11UseLocalhost\" keyword is set to\n\"no\", is missing, or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding."},{"label":"fix","data":"Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit\nthe \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11UseLocalhost\"\nkeyword and set its value to \"yes\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\n\nX11UseLocalhost yes\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238220 ","rid":"SV-238220r858535_rule ","stig_id":"UBTU-20-010049 ","fix_id":"F-41389r653834_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238220' do\n title \"The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy\ndisplay. \"\n desc \"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display. \"\n desc 'check', \"Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the\nSSH X11UseLocalhost setting with the following command:\n\n$ sudo grep -ir x11uselocalhost\n/etc/ssh/sshd_config*\nX11UseLocalhost yes\n\nIf the \\\"X11UseLocalhost\\\" keyword is set to\n\\\"no\\\", is missing, or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit\nthe \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11UseLocalhost\\\"\nkeyword and set its value to \\\"yes\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\n\nX11UseLocalhost yes\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238220 '\n tag rid: 'SV-238220r858535_rule '\n tag stig_id: 'UBTU-20-010049 '\n tag fix_id: 'F-41389r653834_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('X11UseLocalhost') { should cmp 'yes' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238220.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":3.3e-05,"start_time":"2022-12-07T14:54:50-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238221","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nupper-case character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none upper-case character be used.\n\nDetermine if the field \"ucredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"ucredit\"\n/etc/security/pwquality.conf\nucredit=-1\n\nIf the \"ucredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Add or update the \"/etc/security/pwquality.conf\" file to contain the \"ucredit\" parameter:\n\n\nucredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000069-GPOS-00037 ","gid":"V-238221 ","rid":"SV-238221r653838_rule ","stig_id":"UBTU-20-010050 ","fix_id":"F-41390r653837_fix ","cci":["CCI-000192"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238221' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nupper-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none upper-case character be used.\n\nDetermine if the field \\\"ucredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"ucredit\\\"\n/etc/security/pwquality.conf\nucredit=-1\n\nIf the \\\"ucredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"ucredit\\\" parameter:\n\n\nucredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000069-GPOS-00037 '\n tag gid: 'V-238221 '\n tag rid: 'SV-238221r653838_rule '\n tag stig_id: 'UBTU-20-010050 '\n tag fix_id: 'F-41390r653837_fix '\n tag cci: ['CCI-000192']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ucredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238221.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf ucredit is expected to cmp == \"-1\"","run_time":0.00084,"start_time":"2022-12-07T14:54:50-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238222","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nlower-case character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none lower-case character be used.\n\nDetermine if the field \"lcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"lcredit\"\n/etc/security/pwquality.conf\nlcredit=-1\n\nIf the \"lcredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Add or update the \"/etc/security/pwquality.conf\" file to contain the \"lcredit\" parameter:\n\n\nlcredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000070-GPOS-00038 ","gid":"V-238222 ","rid":"SV-238222r653841_rule ","stig_id":"UBTU-20-010051 ","fix_id":"F-41391r653840_fix ","cci":["CCI-000193"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238222' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nlower-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none lower-case character be used.\n\nDetermine if the field \\\"lcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"lcredit\\\"\n/etc/security/pwquality.conf\nlcredit=-1\n\nIf the \\\"lcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"lcredit\\\" parameter:\n\n\nlcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000070-GPOS-00038 '\n tag gid: 'V-238222 '\n tag rid: 'SV-238222r653841_rule '\n tag stig_id: 'UBTU-20-010051 '\n tag fix_id: 'F-41391r653840_fix '\n tag cci: ['CCI-000193']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('lcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238222.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf lcredit is expected to cmp == \"-1\"","run_time":0.000652,"start_time":"2022-12-07T14:54:50-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238223","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \"dcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"dcredit\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \"dcredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \"/etc/security/pwquality.conf\"\nfile to contain the \"dcredit\" parameter:\n\ndcredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000071-GPOS-00039 ","gid":"V-238223 ","rid":"SV-238223r653844_rule ","stig_id":"UBTU-20-010052 ","fix_id":"F-41392r653843_fix ","cci":["CCI-000194"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238223' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \\\"dcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"dcredit\\\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \\\"dcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\"\nfile to contain the \\\"dcredit\\\" parameter:\n\ndcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000071-GPOS-00039 '\n tag gid: 'V-238223 '\n tag rid: 'SV-238223r653844_rule '\n tag stig_id: 'UBTU-20-010052 '\n tag fix_id: 'F-41392r653843_fix '\n tag cci: ['CCI-000194']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238223.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf dcredit is expected to cmp == \"-1\"","run_time":0.000933,"start_time":"2022-12-07T14:54:50-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238224","title":"The Ubuntu operating system must require the change of at least 8 characters when passwords\nare changed. ","desc":"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters.","descriptions":[{"label":"default","data":"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters."},{"label":"check","data":"Verify the Ubuntu operating system requires the change of at least eight characters when\npasswords are changed.\n\nDetermine if the field \"difok\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"difok\"\n/etc/security/pwquality.conf\ndifok=8\n\nIf the \"difok\" parameter is less than \"8\" or is\ncommented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to require the change of at least eight characters when\npasswords are changed.\n\nAdd or update the \"/etc/security/pwquality.conf\" file to include\nthe \"difok=8\" parameter:\n\ndifok=8"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000072-GPOS-00040 ","gid":"V-238224 ","rid":"SV-238224r653847_rule ","stig_id":"UBTU-20-010053 ","fix_id":"F-41393r653846_fix ","cci":["CCI-000195"],"nist":["IA-5 (1) (b)"]},"code":"control 'SV-238224' do\n title \"The Ubuntu operating system must require the change of at least 8 characters when passwords\nare changed. \"\n desc \"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters. \"\n desc 'check', \"Verify the Ubuntu operating system requires the change of at least eight characters when\npasswords are changed.\n\nDetermine if the field \\\"difok\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"difok\\\"\n/etc/security/pwquality.conf\ndifok=8\n\nIf the \\\"difok\\\" parameter is less than \\\"8\\\" or is\ncommented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to require the change of at least eight characters when\npasswords are changed.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\" file to include\nthe \\\"difok=8\\\" parameter:\n\ndifok=8 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000072-GPOS-00040 '\n tag gid: 'V-238224 '\n tag rid: 'SV-238224r653847_rule '\n tag stig_id: 'UBTU-20-010053 '\n tag fix_id: 'F-41393r653846_fix '\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('difok') { should cmp >= '8' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238224.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf difok is expected to cmp >= \"8\"","run_time":0.005165,"start_time":"2022-12-07T14:54:50-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238225","title":"The Ubuntu operating system must enforce a minimum 15-character password length. ","desc":"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password.","descriptions":[{"label":"default","data":"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password."},{"label":"check","data":"Verify the pwquality configuration file enforces a minimum 15-character password length by\nrunning the following command:\n\n$ grep -i minlen\n/etc/security/pwquality.conf\nminlen=15\n\nIf \"minlen\" parameter value is not \"15\" or\nhigher or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a minimum 15-character password length.\n\n\nAdd or modify the \"minlen\" parameter value to the \"/etc/security/pwquality.conf\" file:\n\n\nminlen=15"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000078-GPOS-00046 ","gid":"V-238225 ","rid":"SV-238225r832942_rule ","stig_id":"UBTU-20-010054 ","fix_id":"F-41394r653849_fix ","cci":["CCI-000205"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238225' do\n title 'The Ubuntu operating system must enforce a minimum 15-character password length. '\n desc \"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password. \"\n desc 'check', \"Verify the pwquality configuration file enforces a minimum 15-character password length by\nrunning the following command:\n\n$ grep -i minlen\n/etc/security/pwquality.conf\nminlen=15\n\nIf \\\"minlen\\\" parameter value is not \\\"15\\\" or\nhigher or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a minimum 15-character password length.\n\n\nAdd or modify the \\\"minlen\\\" parameter value to the \\\"/etc/security/pwquality.conf\\\" file:\n\n\nminlen=15 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000078-GPOS-00046 '\n tag gid: 'V-238225 '\n tag rid: 'SV-238225r832942_rule '\n tag stig_id: 'UBTU-20-010054 '\n tag fix_id: 'F-41394r653849_fix '\n tag cci: ['CCI-000205']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('minlen') { should cmp >= '15' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238225.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf minlen is expected to cmp >= \"15\"","run_time":0.000739,"start_time":"2022-12-07T14:54:50-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238226","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nspecial character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *."},{"label":"check","data":"Determine if the field \"ocredit\" is set in the \"/etc/security/pwquality.conf\" file with the\nfollowing command:\n\n$ grep -i \"ocredit\" /etc/security/pwquality.conf\nocredit=-1\n\nIf\nthe \"ocredit\" parameter is greater than \"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one special character be used.\n\nAdd or update the following line in the\n\"/etc/security/pwquality.conf\" file to include the \"ocredit=-1\" parameter:\n\n\nocredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000266-GPOS-00101 ","gid":"V-238226 ","rid":"SV-238226r653853_rule ","stig_id":"UBTU-20-010055 ","fix_id":"F-41395r653852_fix ","cci":["CCI-001619"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238226' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nspecial character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *. \"\n desc 'check', \"Determine if the field \\\"ocredit\\\" is set in the \\\"/etc/security/pwquality.conf\\\" file with the\nfollowing command:\n\n$ grep -i \\\"ocredit\\\" /etc/security/pwquality.conf\nocredit=-1\n\nIf\nthe \\\"ocredit\\\" parameter is greater than \\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one special character be used.\n\nAdd or update the following line in the\n\\\"/etc/security/pwquality.conf\\\" file to include the \\\"ocredit=-1\\\" parameter:\n\n\nocredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000266-GPOS-00101 '\n tag gid: 'V-238226 '\n tag rid: 'SV-238226r653853_rule '\n tag stig_id: 'UBTU-20-010055 '\n tag fix_id: 'F-41395r653852_fix '\n tag cci: ['CCI-001619']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ocredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238226.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf ocredit is expected to cmp == \"-1\"","run_time":0.001004,"start_time":"2022-12-07T14:54:50-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238227","title":"The Ubuntu operating system must prevent the use of dictionary words for passwords. ","desc":"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks.","descriptions":[{"label":"default","data":"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks."},{"label":"check","data":"Verify the Ubuntu operating system uses the \"cracklib\" library to prevent the use of\ndictionary words with the following command:\n\n$ grep dictcheck\n/etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \"dictcheck\" parameter is not set to\n\"1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.\n\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file to include the\n\"dictcheck=1\" parameter:\n\ndictcheck=1"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00225 ","gid":"V-238227 ","rid":"SV-238227r653856_rule ","stig_id":"UBTU-20-010056 ","fix_id":"F-41396r653855_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238227' do\n title 'The Ubuntu operating system must prevent the use of dictionary words for passwords. '\n desc \"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks. \"\n desc 'check', \"Verify the Ubuntu operating system uses the \\\"cracklib\\\" library to prevent the use of\ndictionary words with the following command:\n\n$ grep dictcheck\n/etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \\\"dictcheck\\\" parameter is not set to\n\\\"1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.\n\n\nAdd or update the following line in the \\\"/etc/security/pwquality.conf\\\" file to include the\n\\\"dictcheck=1\\\" parameter:\n\ndictcheck=1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238227 '\n tag rid: 'SV-238227r653856_rule '\n tag stig_id: 'UBTU-20-010056 '\n tag fix_id: 'F-41396r653855_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dictcheck') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238227.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf dictcheck is expected to cmp == \"1\"","run_time":0.000859,"start_time":"2022-12-07T14:54:50-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238228","title":"The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem."},{"label":"check","data":"Verify the Ubuntu operating system has the \"libpam-pwquality\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \"libpam-pwquality\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \"pwquality\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \"enforcing\" is not \"1\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \"pwquality\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\",\nthis is a finding."},{"label":"fix","data":"Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n\n\nInstall the \"pam_pwquality\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \"/etc/security/pwquality.conf\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\"/etc/pam.d/common-password\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \"retry\" should be between \"1\" and\n\"3\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00225 ","gid":"V-238228 ","rid":"SV-238228r653859_rule ","stig_id":"UBTU-20-010057 ","fix_id":"F-41397r653858_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238228' do\n title \"The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \\\"pwquality\\\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem. \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"libpam-pwquality\\\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \\\"libpam-pwquality\\\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \\\"pwquality\\\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \\\"enforcing\\\" is not \\\"1\\\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \\\"pwquality\\\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \\\"retry\\\" is set to \\\"0\\\" or greater than \\\"3\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the operating system to use \\\"pwquality\\\" to enforce password complexity rules.\n\n\nInstall the \\\"pam_pwquality\\\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \\\"/etc/security/pwquality.conf\\\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\\\"/etc/pam.d/common-password\\\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \\\"retry\\\" should be between \\\"1\\\" and\n\\\"3\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238228 '\n tag rid: 'SV-238228r653859_rule '\n tag stig_id: 'UBTU-20-010057 '\n tag fix_id: 'F-41397r653858_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pwquality') do\n it { should be_installed }\n end\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('enforcing') { should cmp 1 }\n end\n\n describe file('/etc/pam.d/common-password') do\n its('content') { should match '^password\\s+requisite\\s+pam_pwquality.so\\s+retry=3\\s+enforce_for_root$' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238228.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.3e-05,"start_time":"2022-12-07T14:54:51-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238229","title":"The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. ","desc":"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement.","descriptions":[{"label":"default","data":"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement."},{"label":"check","data":"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \"use_pkcs11_module\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\"\nand then ensure \"ca\" is enabled in \"cert_policy\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to \"ca\" or the line is commented out,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \"use_pkcs11_module\" in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" and ensure \"ca\" is enabled in \"cert_policy\".\n\nAdd or\nupdate the \"cert_policy\" to ensure \"ca\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \"/etc/pam_pkcs11/\" directory and an\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify\naccordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000066-GPOS-00034 ","gid":"V-238229 ","rid":"SV-238229r653862_rule ","stig_id":"UBTU-20-010060 ","fix_id":"F-41398r653861_fix ","cci":["CCI-000185"],"nist":["IA-5 (2) (b) (1)"]},"code":"control 'SV-238229' do\n title \"The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. \"\n desc \"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement. \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \\\"use_pkcs11_module\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\"\nand then ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to \\\"ca\\\" or the line is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \\\"use_pkcs11_module\\\" in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" and ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\".\n\nAdd or\nupdate the \\\"cert_policy\\\" to ensure \\\"ca\\\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000066-GPOS-00034 '\n tag gid: 'V-238229 '\n tag rid: 'SV-238229r653862_rule '\n tag stig_id: 'UBTU-20-010060 '\n tag fix_id: 'F-41398r653861_fix '\n tag cci: ['CCI-000185']\n tag nist: ['IA-5 (2) (b) (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('use_pkcs11_module') { should_not be_nil }\n its('cert_policy') { should include 'ca' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238229.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":6.0e-06,"start_time":"2022-12-07T14:54:51-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238230","title":"The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. ","desc":"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management).","descriptions":[{"label":"default","data":"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management)."},{"label":"check","data":"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\"libpam-pkcs11\" package is not installed, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \"libpam-pkcs11\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000375-GPOS-00160 ","gid":"V-238230 ","rid":"SV-238230r853410_rule ","stig_id":"UBTU-20-010063 ","fix_id":"F-41399r653864_fix ","cci":["CCI-001948"],"nist":["IA-2 (11)"]},"code":"control 'SV-238230' do\n title \"The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. \"\n desc \"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management). \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \\\"libpam-pkcs11\\\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000375-GPOS-00160 '\n tag gid: 'V-238230 '\n tag rid: 'SV-238230r853410_rule '\n tag stig_id: 'UBTU-20-010063 '\n tag fix_id: 'F-41399r653864_fix '\n tag cci: ['CCI-001948']\n tag nist: ['IA-2 (11)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238230.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":8.0e-06,"start_time":"2022-12-07T14:54:51-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238231","title":"The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. ","desc":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.","descriptions":[{"label":"default","data":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems."},{"label":"check","data":"Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \"opensc-pcks11\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \"opensc-pcks11\" package is not installed,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to accept PIV credentials.\n\nInstall the\n\"opensc-pkcs11\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000376-GPOS-00161 ","gid":"V-238231 ","rid":"SV-238231r853411_rule ","stig_id":"UBTU-20-010064 ","fix_id":"F-41400r653867_fix ","cci":["CCI-001953"],"nist":["IA-2 (12)"]},"code":"control 'SV-238231' do\n title 'The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. '\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \\\"opensc-pcks11\\\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \\\"opensc-pcks11\\\" package is not installed,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to accept PIV credentials.\n\nInstall the\n\\\"opensc-pkcs11\\\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000376-GPOS-00161 '\n tag gid: 'V-238231 '\n tag rid: 'SV-238231r853411_rule '\n tag stig_id: 'UBTU-20-010064 '\n tag fix_id: 'F-41400r653867_fix '\n tag cci: ['CCI-001953']\n tag nist: ['IA-2 (12)']\n\n describe package('opensc-pkcs11') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238231.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package opensc-pkcs11 is expected to be installed","run_time":0.066131,"start_time":"2022-12-07T14:54:51-05:00","message":"expected that `System Package opensc-pkcs11` is installed","resource_class":"package","resource_params":"[\"opensc-pkcs11\"]","resource_id":"opensc-pkcs11"}]},{"id":"SV-238232","title":"The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. ","desc":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.","descriptions":[{"label":"default","data":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems."},{"label":"check","data":"Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to\n\"ocsp_on\", or the line is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \"cert_policy\" lines in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000377-GPOS-00162 ","gid":"V-238232 ","rid":"SV-238232r853412_rule ","stig_id":"UBTU-20-010065 ","fix_id":"F-41401r653870_fix ","cci":["CCI-001954"],"nist":["IA-2 (12)"]},"code":"control 'SV-238232' do\n title \"The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. \"\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to\n\\\"ocsp_on\\\", or the line is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \\\"cert_policy\\\" lines in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" to include \\\"ocsp_on\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000377-GPOS-00162 '\n tag gid: 'V-238232 '\n tag rid: 'SV-238232r853412_rule '\n tag stig_id: 'UBTU-20-010065 '\n tag fix_id: 'F-41401r653870_fix '\n tag cci: ['CCI-001954']\n tag nist: ['IA-2 (12)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'ocsp_on' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238232.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.3e-05,"start_time":"2022-12-07T14:54:51-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238233","title":"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. ","desc":"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates).","descriptions":[{"label":"default","data":"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates)."},{"label":"check","data":"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \"crl_offline\" or \"crl_auto\" is\npart of the \"cert_policy\" definition in \"/etc/pam_pkcs11/pam_pkcs11.conf\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\"cert_policy\" is not set to include \"crl_auto\" or \"crl_offline\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\"cert_policy\" option in \"/etc/pam/_pkcs11/pam_pkcs11.conf\" to include \"crl_auto\" or\n\"crl_offline\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \"/etc/pam_pkcs11/\" directory and an \"/etc/pam_pkcs11/pam_pkcs11.conf\", find\nan example to copy into place and modify accordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000384-GPOS-00167 ","gid":"V-238233 ","rid":"SV-238233r853413_rule ","stig_id":"UBTU-20-010066 ","fix_id":"F-41402r653873_fix ","cci":["CCI-001991"],"nist":["IA-5 (2) (d)"]},"code":"control 'SV-238233' do\n title \"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. \"\n desc \"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates). \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \\\"crl_offline\\\" or \\\"crl_auto\\\" is\npart of the \\\"cert_policy\\\" definition in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\\\"cert_policy\\\" is not set to include \\\"crl_auto\\\" or \\\"crl_offline\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\\\"cert_policy\\\" option in \\\"/etc/pam/_pkcs11/pam_pkcs11.conf\\\" to include \\\"crl_auto\\\" or\n\\\"crl_offline\\\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \\\"/etc/pam_pkcs11/\\\" directory and an \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find\nan example to copy into place and modify accordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000384-GPOS-00167 '\n tag gid: 'V-238233 '\n tag rid: 'SV-238233r853413_rule '\n tag stig_id: 'UBTU-20-010066 '\n tag fix_id: 'F-41402r653873_fix '\n tag cci: ['CCI-001991']\n tag nist: ['IA-5 (2) (d)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe.one do\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_auto' }\n end\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_offline' }\n end\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238233.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.7e-05,"start_time":"2022-12-07T14:54:51-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238234","title":"The Ubuntu operating system must prohibit password reuse for a minimum of five generations. ","desc":"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.","descriptions":[{"label":"default","data":"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements."},{"label":"check","data":"Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \"remember\" parameter value is not greater\nthan or equal to \"5\", is commented out, or is not set at all, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \"remember\" parameter value to the following line in\n\"/etc/pam.d/common-password\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000077-GPOS-00045 ","satisfies":["SRG-OS-000077-GPOS-00045","SRG-OS-000073-GPOS-00041"],"gid":"V-238234 ","rid":"SV-238234r832945_rule ","stig_id":"UBTU-20-010070 ","fix_id":"F-41403r832944_fix ","cci":["CCI-000196","CCI-000200"],"nist":["IA-5 (1) (c)","IA-5 (1) (e)"]},"code":"control 'SV-238234' do\n title 'The Ubuntu operating system must prohibit password reuse for a minimum of five generations. '\n desc \"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \\\"remember\\\" parameter value is not greater\nthan or equal to \\\"5\\\", is commented out, or is not set at all, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \\\"remember\\\" parameter value to the following line in\n\\\"/etc/pam.d/common-password\\\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000077-GPOS-00045 '\n tag satisfies: %w(SRG-OS-000077-GPOS-00045 SRG-OS-000073-GPOS-00041)\n tag gid: 'V-238234 '\n tag rid: 'SV-238234r832945_rule '\n tag stig_id: 'UBTU-20-010070 '\n tag fix_id: 'F-41403r832944_fix '\n tag cci: %w(CCI-000196 CCI-000200)\n tag nist: ['IA-5 (1) (c)', 'IA-5 (1) (e)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-password') do\n it { should exist }\n end\n\n describe command(\"grep -i remember /etc/pam.d/common-password | sed 's/.*remember=\\\\([^ ]*\\\\).*/\\\\1/'\") do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should cmp >= 5 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238234.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.7e-05,"start_time":"2022-12-07T14:54:51-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238235","title":"The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. ","desc":"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.","descriptions":[{"label":"default","data":"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account."},{"label":"check","data":"Verify that the Ubuntu operating system utilizes the \"pam_faillock\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \"/etc/pam.d/common-auth\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \"silent\" keyword is missing or commented out, this is a finding.\nIf the \"audit\"\nkeyword is missing or commented out, this is a finding.\nIf the \"deny\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \"fail_interval\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\"unlock_time\" keyword is missing, commented out, or not set to 0, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to utilize the \"pam_faillock\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \"auth\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \"pam_faillock\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000329-GPOS-00128 ","satisfies":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"gid":"V-238235 ","rid":"SV-238235r853414_rule ","stig_id":"UBTU-20-010072 ","fix_id":"F-41404r802382_fix ","cci":["CCI-000044","CCI-002238"],"nist":["AC-7 a","AC-7 b"]},"code":"control 'SV-238235' do\n title \"The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. \"\n desc \"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.\n\n \"\n desc 'check', \"Verify that the Ubuntu operating system utilizes the \\\"pam_faillock\\\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \\\"/etc/pam.d/common-auth\\\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \\\"silent\\\" keyword is missing or commented out, this is a finding.\nIf the \\\"audit\\\"\nkeyword is missing or commented out, this is a finding.\nIf the \\\"deny\\\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \\\"fail_interval\\\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\\\"unlock_time\\\" keyword is missing, commented out, or not set to 0, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to utilize the \\\"pam_faillock\\\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \\\"auth\\\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \\\"pam_faillock\\\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000329-GPOS-00128 '\n tag satisfies: %w(SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005)\n tag gid: 'V-238235 '\n tag rid: 'SV-238235r853414_rule '\n tag stig_id: 'UBTU-20-010072 '\n tag fix_id: 'F-41404r802382_fix '\n tag cci: %w(CCI-000044 CCI-002238)\n tag nist: ['AC-7 a', 'AC-7 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_tally /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3($|\\s+.*$)/ }\n its('stdout.strip') { should_not match /^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3\\s+.*unlock_time.*$/ }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238235.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.4e-05,"start_time":"2022-12-07T14:54:51-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238236","title":"The Ubuntu operating system must be configured so that the script which runs each 30 days or\nless to check file integrity is the default one. ","desc":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.","descriptions":[{"label":"default","data":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality."},{"label":"check","data":"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to\ncheck file integrity each 30 days or less is unchanged.\n\nDownload the original aide-common\npackage in the /tmp directory:\n\n$ cd /tmp; apt download aide-common\n\nFetch the SHA1 of the\noriginal script file:\n\n$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO\n./usr/share/aide/config/cron.daily/aide | sha1sum\n\n32958374f18871e3f7dda27a58d721f471843e26 -\n\nCompare with the SHA1 of the file in the\ndaily or monthly cron directory:\n\n$ sha1sum /etc/cron.{daily,monthly}/aide\n2>/dev/null\n32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide\n\nIf\nthere is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the\ndaily or monthly cron directory does not match the SHA1 of the original, this is a finding."},{"label":"fix","data":"The cron file for AIDE is fairly complex as it creates the report. This file is installed with\nthe \"aide-common\" package, and the default can be restored by copying it from the package:\n\n\nDownload the original package to the /tmp dir:\n\n$ cd /tmp; apt download aide-common\n\n\nExtract the aide script to its original place:\n\n$ dpkg-deb --fsys-tarfile\n/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C /\n\n\nCopy it to the cron.daily directory:\n\n$ sudo cp -f\n/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000446-GPOS-00200 ","gid":"V-238236 ","rid":"SV-238236r853415_rule ","stig_id":"UBTU-20-010074 ","fix_id":"F-41405r653882_fix ","cci":["CCI-002699"],"nist":["SI-6 b"]},"code":"control 'SV-238236' do\n title \"The Ubuntu operating system must be configured so that the script which runs each 30 days or\nless to check file integrity is the default one. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality. \"\n desc 'check', \"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to\ncheck file integrity each 30 days or less is unchanged.\n\nDownload the original aide-common\npackage in the /tmp directory:\n\n$ cd /tmp; apt download aide-common\n\nFetch the SHA1 of the\noriginal script file:\n\n$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO\n./usr/share/aide/config/cron.daily/aide | sha1sum\n\n32958374f18871e3f7dda27a58d721f471843e26 -\n\nCompare with the SHA1 of the file in the\ndaily or monthly cron directory:\n\n$ sha1sum /etc/cron.{daily,monthly}/aide\n2>/dev/null\n32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide\n\nIf\nthere is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the\ndaily or monthly cron directory does not match the SHA1 of the original, this is a finding. \"\n desc 'fix', \"The cron file for AIDE is fairly complex as it creates the report. This file is installed with\nthe \\\"aide-common\\\" package, and the default can be restored by copying it from the package:\n\n\nDownload the original package to the /tmp dir:\n\n$ cd /tmp; apt download aide-common\n\n\nExtract the aide script to its original place:\n\n$ dpkg-deb --fsys-tarfile\n/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C /\n\n\nCopy it to the cron.daily directory:\n\n$ sudo cp -f\n/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000446-GPOS-00200 '\n tag gid: 'V-238236 '\n tag rid: 'SV-238236r853415_rule '\n tag stig_id: 'UBTU-20-010074 '\n tag fix_id: 'F-41405r653882_fix '\n tag cci: ['CCI-002699']\n tag nist: ['SI-6 b']\n\n describe('Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.') do\n skip('manual test')\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238236.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.","run_time":2.9e-05,"start_time":"2022-12-07T14:54:51-05:00","resource":"","skip_message":"manual test","resource_class":"Object","resource_params":"[]","resource_id":"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged."}]},{"id":"SV-238237","title":"The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. ","desc":"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account.","descriptions":[{"label":"default","data":"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account."},{"label":"check","data":"Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \"/etc/pam.d/common-auth\" and set\nthe parameter \"pam_faildelay\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000480-GPOS-00226 ","gid":"V-238237 ","rid":"SV-238237r653886_rule ","stig_id":"UBTU-20-010075 ","fix_id":"F-41406r653885_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238237' do\n title \"The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. \"\n desc \"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \\\"/etc/pam.d/common-auth\\\" and set\nthe parameter \\\"pam_faildelay\\\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00226 '\n tag gid: 'V-238237 '\n tag rid: 'SV-238237r653886_rule '\n tag stig_id: 'UBTU-20-010075 '\n tag fix_id: 'F-41406r653885_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_faildelay /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=([4-9][\\d]{6,}|[1-9][\\d]{7,}).*$/ }\n end\n\n file('/etc/pam.d/common-auth').content.to_s.scan(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=(\\d+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 4_000_000 }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238237.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.4e-05,"start_time":"2022-12-07T14:54:51-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238238","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000463-GPOS-00207","SRG-OS-000476-GPOS-00221"],"gid":"V-238238 ","rid":"SV-238238r853416_rule ","stig_id":"UBTU-20-010100 ","fix_id":"F-41407r653888_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238238' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000463-GPOS-00207 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238238 '\n tag rid: 'SV-238238r853416_rule '\n tag stig_id: 'UBTU-20-010100 '\n tag fix_id: 'F-41407r653888_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238238.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.8e-05,"start_time":"2022-12-07T14:54:52-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238239","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238239 ","rid":"SV-238239r853417_rule ","stig_id":"UBTU-20-010101 ","fix_id":"F-41408r653891_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238239' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238239 '\n tag rid: 'SV-238239r853417_rule '\n tag stig_id: 'UBTU-20-010101 '\n tag fix_id: 'F-41408r653891_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/group'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238239.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.9e-05,"start_time":"2022-12-07T14:54:52-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238240","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238240 ","rid":"SV-238240r853418_rule ","stig_id":"UBTU-20-010102 ","fix_id":"F-41409r653894_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238240' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238240 '\n tag rid: 'SV-238240r853418_rule '\n tag stig_id: 'UBTU-20-010102 '\n tag fix_id: 'F-41409r653894_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/shadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238240.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.7e-05,"start_time":"2022-12-07T14:54:52-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238241","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238241 ","rid":"SV-238241r853419_rule ","stig_id":"UBTU-20-010103 ","fix_id":"F-41410r653897_fix ","cci":["CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AU-12 c","AC-2 (4)"]},"code":"control 'SV-238241' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238241 '\n tag rid: 'SV-238241r853419_rule '\n tag stig_id: 'UBTU-20-010103 '\n tag fix_id: 'F-41410r653897_fix '\n tag cci: %w(CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AU-12 c', 'AC-2 (4)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/gshadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238241.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.2e-05,"start_time":"2022-12-07T14:54:52-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238242","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/security/opasswd\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/security/opasswd\".\n\n\nAdd or update the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238242 ","rid":"SV-238242r853420_rule ","stig_id":"UBTU-20-010104 ","fix_id":"F-41411r653900_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238242' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nAdd or update the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238242 '\n tag rid: 'SV-238242r853420_rule '\n tag stig_id: 'UBTU-20-010104 '\n tag fix_id: 'F-41411r653900_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/security/opasswd'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238242.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.4e-05,"start_time":"2022-12-07T14:54:52-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238243","title":"The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. ","desc":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth.","descriptions":[{"label":"default","data":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth."},{"label":"check","data":"Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \"action_mail_acct\" keyword is not set to an accounts for security personnel, the\n\"action_mail_acct\" keyword is missing, or the returned line is commented out, this is a\nfinding."},{"label":"fix","data":"Configure \"auditd\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \"/etc/audit/auditd.conf\" to ensure administrators\nare notified via email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \"administrator_account\" to an account for\nsecurity personnel.\n\nRestart the \"auditd\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000046-GPOS-00022 ","gid":"V-238243 ","rid":"SV-238243r653904_rule ","stig_id":"UBTU-20-010117 ","fix_id":"F-41412r653903_fix ","cci":["CCI-000139"],"nist":["AU-5 a"]},"code":"control 'SV-238243' do\n title \"The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. \"\n desc \"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth. \"\n desc 'check', \"Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \\\"action_mail_acct\\\" keyword is not set to an accounts for security personnel, the\n\\\"action_mail_acct\\\" keyword is missing, or the returned line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure \\\"auditd\\\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \\\"/etc/audit/auditd.conf\\\" to ensure administrators\nare notified via email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \\\"administrator_account\\\" to an account for\nsecurity personnel.\n\nRestart the \\\"auditd\\\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000046-GPOS-00022 '\n tag gid: 'V-238243 '\n tag rid: 'SV-238243r653904_rule '\n tag stig_id: 'UBTU-20-010117 '\n tag fix_id: 'F-41412r653903_fix '\n tag cci: ['CCI-000139']\n tag nist: ['AU-5 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n action_mail_acct = auditd_conf.action_mail_acct\n security_accounts = input('action_mail_acct')\n\n describe 'System Administrator (SA) and Information System Security Officer (ISSO) are notified in the event of an audit processing failure' do\n subject { security_accounts }\n it { should cmp action_mail_acct }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238243.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.1e-05,"start_time":"2022-12-07T14:54:52-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238244","title":"The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). ","desc":"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server.","descriptions":[{"label":"default","data":"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server."},{"label":"check","data":"Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\"disk_full_action\" option is not \"SYSLOG\", \"SINGLE\", or \"HALT\", or the line is commented\nout, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \"disk_full_action\" can be set to \"SYSLOG\", \"HALT\" or \"SINGLE\") in\n\"/etc/audit/auditd.conf\" file:\n\ndisk_full_action = HALT\n\nRestart the \"auditd\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000047-GPOS-00023 ","gid":"V-238244 ","rid":"SV-238244r653907_rule ","stig_id":"UBTU-20-010118 ","fix_id":"F-41413r653906_fix ","cci":["CCI-000140"],"nist":["AU-5 b"]},"code":"control 'SV-238244' do\n title \"The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). \"\n desc \"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server. \"\n desc 'check', \"Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\\\"disk_full_action\\\" option is not \\\"SYSLOG\\\", \\\"SINGLE\\\", or \\\"HALT\\\", or the line is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \\\"disk_full_action\\\" can be set to \\\"SYSLOG\\\", \\\"HALT\\\" or \\\"SINGLE\\\") in\n\\\"/etc/audit/auditd.conf\\\" file:\n\ndisk_full_action = HALT\n\nRestart the \\\"auditd\\\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000047-GPOS-00023 '\n tag gid: 'V-238244 '\n tag rid: 'SV-238244r653907_rule '\n tag stig_id: 'UBTU-20-010118 '\n tag fix_id: 'F-41413r653906_fix '\n tag cci: ['CCI-000140']\n tag nist: ['AU-5 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe auditd_conf do\n its('disk_full_action') { should_not be_empty }\n its('disk_full_action') { should cmp /(?:SYSLOG|SINGLE|HALT)/i }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238244.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.3e-05,"start_time":"2022-12-07T14:54:52-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238245","title":"The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. ","desc":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.","descriptions":[{"label":"default","data":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity."},{"label":"check","data":"Verify that the audit log files have a mode of \"0600\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \"0600\" or\nless by using the following command:\n\n$ sudo stat -c \"%n %a\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\"0600\", this is a finding."},{"label":"fix","data":"Configure the audit log files to have a mode of \"0600\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \"0600\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000057-GPOS-00027 ","satisfies":["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028"],"gid":"V-238245 ","rid":"SV-238245r653910_rule ","stig_id":"UBTU-20-010122 ","fix_id":"F-41414r653909_fix ","cci":["CCI-000162","CCI-000163"],"nist":["AU-9 a"]},"code":"control 'SV-238245' do\n title \"The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify that the audit log files have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \\\"0600\\\" or\nless by using the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\\\"0600\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log files to have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \\\"0600\\\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028)\n tag gid: 'V-238245 '\n tag rid: 'SV-238245r653910_rule '\n tag stig_id: 'UBTU-20-010122 '\n tag fix_id: 'F-41414r653909_fix '\n tag cci: %w(CCI-000162 CCI-000163)\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n it { should_not be_more_permissive_than('0600') }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238245.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-05,"start_time":"2022-12-07T14:54:52-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238246","title":"The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. ","desc":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.","descriptions":[{"label":"default","data":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity."},{"label":"check","data":"Verify the audit log files are owned by \"root\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \"root\" user by using the following\ncommand:\n\n$ sudo stat -c \"%n %U\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \"root\", this is a finding."},{"label":"fix","data":"Configure the audit log directory and its underlying files to be owned by \"root\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \"root\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000057-GPOS-00027 ","satisfies":["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028","SRG-OS-000059-GPOS-00029"],"gid":"V-238246 ","rid":"SV-238246r653913_rule ","stig_id":"UBTU-20-010123 ","fix_id":"F-41415r653912_fix ","cci":["CCI-000162"],"nist":["AU-9 a"]},"code":"control 'SV-238246' do\n title \"The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the audit log files are owned by \\\"root\\\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \\\"root\\\" user by using the following\ncommand:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \\\"root\\\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238246 '\n tag rid: 'SV-238246r653913_rule '\n tag stig_id: 'UBTU-20-010123 '\n tag fix_id: 'F-41415r653912_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('owner') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238246.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.9e-05,"start_time":"2022-12-07T14:54:52-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238247","title":"The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. ","desc":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.","descriptions":[{"label":"default","data":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity."},{"label":"check","data":"Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \"log_group\" parameter is other than \"root\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \"root\" group by using the following command:\n$ sudo stat -c \"%n %G\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\"root\", this is a finding."},{"label":"fix","data":"Configure the audit log directory and its underlying files to be owned by \"root\" group.\n\nSet\nthe \"log_group\" parameter of the audit configuration file to the \"root\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000057-GPOS-00027 ","satisfies":["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028","SRG-OS-000059-GPOS-00029"],"gid":"V-238247 ","rid":"SV-238247r832947_rule ","stig_id":"UBTU-20-010124 ","fix_id":"F-41416r832946_fix ","cci":["CCI-000162"],"nist":["AU-9 a"]},"code":"control 'SV-238247' do\n title \"The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \\\"log_group\\\" parameter is other than \\\"root\\\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \\\"root\\\" group by using the following command:\n$ sudo stat -c \\\"%n %G\\\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" group.\n\nSet\nthe \\\"log_group\\\" parameter of the audit configuration file to the \\\"root\\\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238247 '\n tag rid: 'SV-238247r832947_rule '\n tag stig_id: 'UBTU-20-010124 '\n tag fix_id: 'F-41416r832946_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('group') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238247.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.8e-05,"start_time":"2022-12-07T14:54:53-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238248","title":"The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. ","desc":"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity.","descriptions":[{"label":"default","data":"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity."},{"label":"check","data":"Verify that the audit log directory has a mode of \"0750\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \"0750\" or less by\nusing the following command:\n\n$ sudo stat -c \"%n %a\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \"0750\", this is a finding."},{"label":"fix","data":"Configure the audit log directory to have a mode of \"0750\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\"0750\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000059-GPOS-00029 ","gid":"V-238248 ","rid":"SV-238248r653919_rule ","stig_id":"UBTU-20-010128 ","fix_id":"F-41417r653918_fix ","cci":["CCI-000164"],"nist":["AU-9 a"]},"code":"control 'SV-238248' do\n title \"The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. \"\n desc \"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity. \"\n desc 'check', \"Verify that the audit log directory has a mode of \\\"0750\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \\\"0750\\\" or less by\nusing the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \\\"0750\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory to have a mode of \\\"0750\\\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\\\"0750\\\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000059-GPOS-00029 '\n tag gid: 'V-238248 '\n tag rid: 'SV-238248r653919_rule '\n tag stig_id: 'UBTU-20-010128 '\n tag fix_id: 'F-41417r653918_fix '\n tag cci: ['CCI-000164']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n if log_dir_exists\n describe directory(File.dirname(log_file)) do\n it { should_not be_more_permissive_than('0750') }\n end\n else\n describe('Audit directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238248.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.8e-05,"start_time":"2022-12-07T14:54:53-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238249","title":"The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. ","desc":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one."},{"label":"check","data":"Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files have a mode of \"0640\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\"/etc/audit/audit.rule\",\"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nhave a mode more permissive than \"0640\", this is a finding."},{"label":"fix","data":"Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files to have a mode of \"0640\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000063-GPOS-00032 ","gid":"V-238249 ","rid":"SV-238249r653922_rule ","stig_id":"UBTU-20-010133 ","fix_id":"F-41418r653921_fix ","cci":["CCI-000171"],"nist":["AU-12 b"]},"code":"control 'SV-238249' do\n title \"The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files have a mode of \\\"0640\\\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\\\"/etc/audit/audit.rule\\\",\\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nhave a mode more permissive than \\\"0640\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to have a mode of \\\"0640\\\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238249 '\n tag rid: 'SV-238249r653922_rule '\n tag stig_id: 'UBTU-20-010133 '\n tag fix_id: 'F-41418r653921_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n it { should_not be_more_permissive_than('0640') }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238249.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":7.0e-06,"start_time":"2022-12-07T14:54:53-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238250","title":"The Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. ","desc":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one."},{"label":"check","data":"Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and\n\"/etc/audit/auditd.conf\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nis owned by a user other than \"root\", this is a finding."},{"label":"fix","data":"Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and\n\"/etc/audit/auditd.conf\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000063-GPOS-00032 ","gid":"V-238250 ","rid":"SV-238250r653925_rule ","stig_id":"UBTU-20-010134 ","fix_id":"F-41419r653924_fix ","cci":["CCI-000171"],"nist":["AU-12 b"]},"code":"control 'SV-238250' do\n title \"The Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238250 '\n tag rid: 'SV-238250r653925_rule '\n tag stig_id: 'UBTU-20-010134 '\n tag fix_id: 'F-41419r653924_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238250.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.2e-05,"start_time":"2022-12-07T14:54:53-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238251","title":"The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. ","desc":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one."},{"label":"check","data":"Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nis owned by a group other than \"root\", this is a finding."},{"label":"fix","data":"Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000063-GPOS-00032 ","gid":"V-238251 ","rid":"SV-238251r653928_rule ","stig_id":"UBTU-20-010135 ","fix_id":"F-41420r653927_fix ","cci":["CCI-000171"],"nist":["AU-12 b"]},"code":"control 'SV-238251' do\n title \"The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a group other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238251 '\n tag rid: 'SV-238251r653928_rule '\n tag stig_id: 'UBTU-20-010135 '\n tag fix_id: 'F-41420r653927_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238251.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.7e-05,"start_time":"2022-12-07T14:54:53-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238252","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"su\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x -F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"su\" command occur.\n\nAdd or update the\nfollowing rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238252 ","rid":"SV-238252r653931_rule ","stig_id":"UBTU-20-010136 ","fix_id":"F-41421r653930_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238252' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"su\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x -F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \\\"su\\\" command occur.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238252 '\n tag rid: 'SV-238252r653931_rule '\n tag stig_id: 'UBTU-20-010136 '\n tag fix_id: 'F-41421r653930_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/su'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238252.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.2e-05,"start_time":"2022-12-07T14:54:53-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238253","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"chfn\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"chfn\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238253 ","rid":"SV-238253r653934_rule ","stig_id":"UBTU-20-010137 ","fix_id":"F-41422r653933_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238253' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"chfn\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chfn\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238253 '\n tag rid: 'SV-238253r653934_rule '\n tag stig_id: 'UBTU-20-010137 '\n tag fix_id: 'F-41422r653933_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chfn'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238253.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.5e-05,"start_time":"2022-12-07T14:54:53-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238254","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"mount\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"mount\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238254 ","rid":"SV-238254r653937_rule ","stig_id":"UBTU-20-010138 ","fix_id":"F-41423r653936_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238254' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"mount\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"mount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238254 '\n tag rid: 'SV-238254r653937_rule '\n tag stig_id: 'UBTU-20-010138 '\n tag fix_id: 'F-41423r653936_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/mount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238254.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.1e-05,"start_time":"2022-12-07T14:54:53-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238255","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \"umount\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"umount\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238255 ","rid":"SV-238255r653940_rule ","stig_id":"UBTU-20-010139 ","fix_id":"F-41424r653939_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238255' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \\\"umount\\\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"umount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238255 '\n tag rid: 'SV-238255r653940_rule '\n tag stig_id: 'UBTU-20-010139 '\n tag fix_id: 'F-41424r653939_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/umount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238255.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.1e-05,"start_time":"2022-12-07T14:54:53-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238256","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-agent command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"ssh-agent\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep '/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"ssh-agent\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238256 ","rid":"SV-238256r653943_rule ","stig_id":"UBTU-20-010140 ","fix_id":"F-41425r653942_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238256' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-agent command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-agent\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep '/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-agent\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238256 '\n tag rid: 'SV-238256r653943_rule '\n tag stig_id: 'UBTU-20-010140 '\n tag fix_id: 'F-41425r653942_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/ssh-agent'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238256.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.8e-05,"start_time":"2022-12-07T14:54:53-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238257","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"ssh-keysign\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"ssh-keysign\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238257 ","rid":"SV-238257r653946_rule ","stig_id":"UBTU-20-010141 ","fix_id":"F-41426r653945_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238257' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-keysign\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-keysign\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238257 '\n tag rid: 'SV-238257r653946_rule '\n tag stig_id: 'UBTU-20-010141 '\n tag fix_id: 'F-41426r653945_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/lib/openssh/ssh-keysign'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238257.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.7e-05,"start_time":"2022-12-07T14:54:54-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238258","title":"The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\",\n\"fremovexattr\", and \"lremovexattr\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \"setxattr\", \"fsetxattr\",\n\"lsetxattr\", \"removexattr\", \"fremovexattr\" and \"lremovexattr\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and\n\"lremovexattr\" system calls.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"],"gid":"V-238258 ","rid":"SV-238258r808474_rule ","stig_id":"UBTU-20-010142 ","fix_id":"F-41427r808473_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238258' do\n title \"The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\",\n\\\"fremovexattr\\\", and \\\"lremovexattr\\\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \\\"setxattr\\\", \\\"fsetxattr\\\",\n\\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\" and \\\"lremovexattr\\\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\", and\n\\\"lremovexattr\\\" system calls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238258 '\n tag rid: 'SV-238258r808474_rule '\n tag stig_id: 'UBTU-20-010142 '\n tag fix_id: 'F-41427r808473_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('setxattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('setxattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238258.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.7e-05,"start_time":"2022-12-07T14:54:54-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238264","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \"chown\",\n\"fchown\", \"fchownat\", and \"lchown\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nAdd or update the following\nrules in the \"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"],"gid":"V-238264 ","rid":"SV-238264r808477_rule ","stig_id":"UBTU-20-010148 ","fix_id":"F-41433r808476_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238264' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \\\"chown\\\",\n\\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nAdd or update the following\nrules in the \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238264 '\n tag rid: 'SV-238264r808477_rule '\n tag stig_id: 'UBTU-20-010148 '\n tag fix_id: 'F-41433r808476_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chown').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chown').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238264.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.7e-05,"start_time":"2022-12-07T14:54:54-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238268","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \"chmod\", \"fchmod\" and\n\"fchmodat\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nAdd or update the following rules in\nthe \"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"],"gid":"V-238268 ","rid":"SV-238268r808480_rule ","stig_id":"UBTU-20-010152 ","fix_id":"F-41437r808479_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238268' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \\\"chmod\\\", \\\"fchmod\\\" and\n\\\"fchmodat\\\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nAdd or update the following rules in\nthe \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238268 '\n tag rid: 'SV-238268r808480_rule '\n tag stig_id: 'UBTU-20-010152 '\n tag fix_id: 'F-41437r808479_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chmod').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chmod').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238268.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.4e-05,"start_time":"2022-12-07T14:54:54-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238271","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\|truncate\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \"-k\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove."},{"label":"fix","data":"Configure the audit system to generate an audit event for any unsuccessful use of the\"creat\",\n\"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" system calls.\n\nAdd\nor update the following rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000474-GPOS-00219"],"gid":"V-238271 ","rid":"SV-238271r808483_rule ","stig_id":"UBTU-20-010155 ","fix_id":"F-41440r808482_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238271' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\\\|truncate\\\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any unsuccessful use of the\\\"creat\\\",\n\\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" system calls.\n\nAdd\nor update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000474-GPOS-00219)\n tag gid: 'V-238271 '\n tag rid: 'SV-238271r808483_rule '\n tag stig_id: 'UBTU-20-010155 '\n tag fix_id: 'F-41440r808482_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238271.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.4e-05,"start_time":"2022-12-07T14:54:54-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238277","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"sudo\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"sudo\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238277 ","rid":"SV-238277r654006_rule ","stig_id":"UBTU-20-010161 ","fix_id":"F-41446r654005_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238277' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"sudo\\\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudo\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238277 '\n tag rid: 'SV-238277r654006_rule '\n tag stig_id: 'UBTU-20-010161 '\n tag fix_id: 'F-41446r654005_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudo'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238277.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-05,"start_time":"2022-12-07T14:54:54-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238278","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"sudoedit\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"sudoedit\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238278 ","rid":"SV-238278r654009_rule ","stig_id":"UBTU-20-010162 ","fix_id":"F-41447r654008_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238278' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"sudoedit\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudoedit\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238278 '\n tag rid: 'SV-238278r654009_rule '\n tag stig_id: 'UBTU-20-010162 '\n tag fix_id: 'F-41447r654008_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudoedit'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238278.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.9e-05,"start_time":"2022-12-07T14:54:54-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238279","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chsh\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chsh\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238279 ","rid":"SV-238279r654012_rule ","stig_id":"UBTU-20-010163 ","fix_id":"F-41448r654011_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238279' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chsh\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chsh\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238279 '\n tag rid: 'SV-238279r654012_rule '\n tag stig_id: 'UBTU-20-010163 '\n tag fix_id: 'F-41448r654011_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chsh'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238279.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.8e-05,"start_time":"2022-12-07T14:54:54-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238280","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"newgrp\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"newgrp\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238280 ","rid":"SV-238280r654015_rule ","stig_id":"UBTU-20-010164 ","fix_id":"F-41449r654014_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238280' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"newgrp\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"newgrp\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238280 '\n tag rid: 'SV-238280r654015_rule '\n tag stig_id: 'UBTU-20-010164 '\n tag fix_id: 'F-41449r654014_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/newgrp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238280.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.9e-05,"start_time":"2022-12-07T14:54:54-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238281","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chcon\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chcon\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238281 ","rid":"SV-238281r654018_rule ","stig_id":"UBTU-20-010165 ","fix_id":"F-41450r654017_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238281' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chcon\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chcon\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238281 '\n tag rid: 'SV-238281r654018_rule '\n tag stig_id: 'UBTU-20-010165 '\n tag fix_id: 'F-41450r654017_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chcon'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238281.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.1e-05,"start_time":"2022-12-07T14:54:54-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238282","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"apparmor_parser\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"apparmor_parser\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238282 ","rid":"SV-238282r654021_rule ","stig_id":"UBTU-20-010166 ","fix_id":"F-41451r654020_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238282' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"apparmor_parser\\\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"apparmor_parser\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238282 '\n tag rid: 'SV-238282r654021_rule '\n tag stig_id: 'UBTU-20-010166 '\n tag fix_id: 'F-41451r654020_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/apparmor_parser'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238282.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-05,"start_time":"2022-12-07T14:54:55-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238283","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"setfacl\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"setfacl\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238283 ","rid":"SV-238283r654024_rule ","stig_id":"UBTU-20-010167 ","fix_id":"F-41452r654023_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238283' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setfacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setfacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238283 '\n tag rid: 'SV-238283r654024_rule '\n tag stig_id: 'UBTU-20-010167 '\n tag fix_id: 'F-41452r654023_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/setfacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238283.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.3e-05,"start_time":"2022-12-07T14:54:55-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238284","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chacl\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chacl\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238284 ","rid":"SV-238284r654027_rule ","stig_id":"UBTU-20-010168 ","fix_id":"F-41453r654026_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238284' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238284 '\n tag rid: 'SV-238284r654027_rule '\n tag stig_id: 'UBTU-20-010168 '\n tag fix_id: 'F-41453r654026_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238284.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.2e-05,"start_time":"2022-12-07T14:54:55-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238285","title":"The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \"tallylog\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"tallylog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"gid":"V-238285 ","rid":"SV-238285r654030_rule ","stig_id":"UBTU-20-010169 ","fix_id":"F-41454r654029_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238285' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238285 '\n tag rid: 'SV-238285r654030_rule '\n tag stig_id: 'UBTU-20-010169 '\n tag fix_id: 'F-41454r654029_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/tallylog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238285.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.6e-05,"start_time":"2022-12-07T14:54:55-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238286","title":"The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \"faillog\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"faillog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"gid":"V-238286 ","rid":"SV-238286r654033_rule ","stig_id":"UBTU-20-010170 ","fix_id":"F-41455r654032_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238286' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238286 '\n tag rid: 'SV-238286r654033_rule '\n tag stig_id: 'UBTU-20-010170 '\n tag fix_id: 'F-41455r654032_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/faillog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238286.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":9.0e-05,"start_time":"2022-12-07T14:54:55-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238287","title":"The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \"lastlog\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"lastlog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"gid":"V-238287 ","rid":"SV-238287r654036_rule ","stig_id":"UBTU-20-010171 ","fix_id":"F-41456r654035_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238287' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238287 '\n tag rid: 'SV-238287r654036_rule '\n tag stig_id: 'UBTU-20-010171 '\n tag fix_id: 'F-41456r654035_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/lastlog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238287.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.7e-05,"start_time":"2022-12-07T14:54:55-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238288","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"passwd\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"key\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"passwd\" command.\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238288 ","rid":"SV-238288r833012_rule ","stig_id":"UBTU-20-010172 ","fix_id":"F-41457r832949_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238288' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"passwd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"key\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"passwd\\\" command.\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238288 '\n tag rid: 'SV-238288r833012_rule '\n tag stig_id: 'UBTU-20-010172 '\n tag fix_id: 'F-41457r832949_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238288.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.8e-05,"start_time":"2022-12-07T14:54:55-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238289","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the unix_update command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the\n\"unix_update\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"unix_update\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238289 ","rid":"SV-238289r654042_rule ","stig_id":"UBTU-20-010173 ","fix_id":"F-41458r654041_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238289' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the unix_update command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"unix_update\\\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"unix_update\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238289 '\n tag rid: 'SV-238289r654042_rule '\n tag stig_id: 'UBTU-20-010173 '\n tag fix_id: 'F-41458r654041_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/unix_update'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238289.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.5e-05,"start_time":"2022-12-07T14:54:55-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238290","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"gpasswd\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"gpasswd\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238290 ","rid":"SV-238290r654045_rule ","stig_id":"UBTU-20-010174 ","fix_id":"F-41459r654044_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238290' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"gpasswd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"gpasswd\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238290 '\n tag rid: 'SV-238290r654045_rule '\n tag stig_id: 'UBTU-20-010174 '\n tag fix_id: 'F-41459r654044_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/gpasswd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238290.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.3e-05,"start_time":"2022-12-07T14:54:55-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238291","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"chage\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"chage\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238291 ","rid":"SV-238291r654048_rule ","stig_id":"UBTU-20-010175 ","fix_id":"F-41460r654047_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238291' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"chage\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chage\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238291 '\n tag rid: 'SV-238291r654048_rule '\n tag stig_id: 'UBTU-20-010175 '\n tag fix_id: 'F-41460r654047_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chage'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238291.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.9e-05,"start_time":"2022-12-07T14:54:55-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238292","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"usermod\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"usermod\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238292 ","rid":"SV-238292r654051_rule ","stig_id":"UBTU-20-010176 ","fix_id":"F-41461r654050_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238292' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"usermod\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"usermod\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238292 '\n tag rid: 'SV-238292r654051_rule '\n tag stig_id: 'UBTU-20-010176 '\n tag fix_id: 'F-41461r654050_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/usermod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238292.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.5e-05,"start_time":"2022-12-07T14:54:56-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238293","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"crontab\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"crontab\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238293 ","rid":"SV-238293r654054_rule ","stig_id":"UBTU-20-010177 ","fix_id":"F-41462r654053_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238293' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"crontab\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"crontab\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238293 '\n tag rid: 'SV-238293r654054_rule '\n tag stig_id: 'UBTU-20-010177 '\n tag fix_id: 'F-41462r654053_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/crontab'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238293.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":7.0e-06,"start_time":"2022-12-07T14:54:56-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238294","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the\n\"pam_timestamp_check\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"pam_timestamp_check\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238294 ","rid":"SV-238294r654057_rule ","stig_id":"UBTU-20-010178 ","fix_id":"F-41463r654056_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238294' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"pam_timestamp_check\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"pam_timestamp_check\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238294 '\n tag rid: 'SV-238294r654057_rule '\n tag stig_id: 'UBTU-20-010178 '\n tag fix_id: 'F-41463r654056_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/pam_timestamp_check'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238294.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-05,"start_time":"2022-12-07T14:54:56-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238295","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \"init_module\" and \"finit_module\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"init_module\" and \"finit_module\" syscalls.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000471-GPOS-00216"],"gid":"V-238295 ","rid":"SV-238295r808486_rule ","stig_id":"UBTU-20-010179 ","fix_id":"F-41464r808485_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238295' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \\\"init_module\\\" and \\\"finit_module\\\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000471-GPOS-00216)\n tag gid: 'V-238295 '\n tag rid: 'SV-238295r808486_rule '\n tag stig_id: 'UBTU-20-010179 '\n tag fix_id: 'F-41464r808485_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('init_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('init_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238295.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.6e-05,"start_time":"2022-12-07T14:54:56-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238297","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \"delete_module\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"delete_module\" syscall.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000477-GPOS-00222"],"gid":"V-238297 ","rid":"SV-238297r802387_rule ","stig_id":"UBTU-20-010181 ","fix_id":"F-41466r654065_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238297' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"delete_module\\\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"delete_module\\\" syscall.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: ['SRG-OS-000477-GPOS-00222']\n tag gid: 'V-238297 '\n tag rid: 'SV-238297r802387_rule '\n tag stig_id: 'UBTU-20-010181 '\n tag fix_id: 'F-41466r654065_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('delete_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('delete_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238297.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.9e-05,"start_time":"2022-12-07T14:54:56-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238298","title":"The Ubuntu operating system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. ","desc":"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.","descriptions":[{"label":"default","data":"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system."},{"label":"check","data":"Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \"auditd\" package is not installed, this is a finding.\n\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \"disabled\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \"inactive\",\nthis is a finding."},{"label":"fix","data":"Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000122-GPOS-00063 ","satisfies":["SRG-OS-000122-GPOS-00063","SRG-OS-000037-GPOS-00015","SRG-OS-000038-GPOS-00016","SRG-OS-000039-GPOS-00017","SRG-OS-000040-GPOS-00018","SRG-OS-000041-GPOS-00019","SRG-OS-000042-GPOS-00020","SRG-OS-000042-GPOS-00021","SRG-OS-000051-GPOS-00024","SRG-OS-000054-GPOS-00025","SRG-OS-000062-GPOS-00031","SRG-OS-000337-GPOS-00129","SRG-OS-000348-GPOS-00136","SRG-OS-000349-GPOS-00137","SRG-OS-000350-GPOS-00138","SRG-OS-000351-GPOS-00139","SRG-OS-000352-GPOS-00140","SRG-OS-000353-GPOS-00141","SRG-OS-000354-GPOS-00142","SRG-OS-000475-GPOS-00220"],"gid":"V-238298 ","rid":"SV-238298r853421_rule ","stig_id":"UBTU-20-010182 ","fix_id":"F-41467r654068_fix ","cci":["CCI-000130","CCI-000131","CCI-000132","CCI-000133","CCI-000134","CCI-000135","CCI-000154","CCI-000158","CCI-000169","CCI-000172","CCI-001875","CCI-001876","CCI-001877","CCI-001878","CCI-001879","CCI-001880","CCI-001881","CCI-001882","CCI-001914"],"nist":["AU-3 a","AU-3 b","AU-3 c","AU-3 d","AU-3 e","AU-3 (1)","AU-6 (4)","AU-7 (1)","AU-12 a","AU-12 c","AU-7 a","AU-7 b","AU-12 (3)"]},"code":"control 'SV-238298' do\n title \"The Ubuntu operating system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. \"\n desc \"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.\n\n \"\n desc 'check', \"Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \\\"auditd\\\" package is not installed, this is a finding.\n\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \\\"disabled\\\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \\\"inactive\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000122-GPOS-00063 '\n tag satisfies: %w(SRG-OS-000122-GPOS-00063 SRG-OS-000037-GPOS-00015 SRG-OS-000038-GPOS-00016 SRG-OS-000039-GPOS-00017 SRG-OS-000040-GPOS-00018 SRG-OS-000041-GPOS-00019 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000051-GPOS-00024 SRG-OS-000054-GPOS-00025 SRG-OS-000062-GPOS-00031 SRG-OS-000337-GPOS-00129 SRG-OS-000348-GPOS-00136 SRG-OS-000349-GPOS-00137 SRG-OS-000350-GPOS-00138 SRG-OS-000351-GPOS-00139 SRG-OS-000352-GPOS-00140 SRG-OS-000353-GPOS-00141 SRG-OS-000354-GPOS-00142 SRG-OS-000475-GPOS-00220)\n tag gid: 'V-238298 '\n tag rid: 'SV-238298r853421_rule '\n tag stig_id: 'UBTU-20-010182 '\n tag fix_id: 'F-41467r654068_fix '\n tag cci: %w(CCI-000130 CCI-000131 CCI-000132 CCI-000133 CCI-000134 CCI-000135 CCI-000154 CCI-000158 CCI-000169 CCI-000172 CCI-001875 CCI-001876 CCI-001877 CCI-001878 CCI-001879 CCI-001880 CCI-001881 CCI-001882 CCI-001914)\n tag nist: ['AU-3 a', 'AU-3 b', 'AU-3 c', 'AU-3 d', 'AU-3 e', 'AU-3 (1)', 'AU-6 (4)', 'AU-7 (1)', 'AU-12 a', 'AU-12 c', 'AU-7 a', 'AU-7 b', 'AU-12 (3)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('auditd') do\n it { should be_installed }\n end\n describe service('auditd') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238298.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.5e-05,"start_time":"2022-12-07T14:54:56-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238299","title":"The Ubuntu operating system must initiate session audits at system start-up. ","desc":"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created.","descriptions":[{"label":"default","data":"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created."},{"label":"check","data":"Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \"^\\s*linux\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \"audit=1\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\"/etc/default/grub\" file and add \"audit=1\" to the \"GRUB_CMDLINE_LINUX\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000254-GPOS-00095 ","gid":"V-238299 ","rid":"SV-238299r654072_rule ","stig_id":"UBTU-20-010198 ","fix_id":"F-41468r654071_fix ","cci":["CCI-001464"],"nist":["AU-14 (1)"]},"code":"control 'SV-238299' do\n title 'The Ubuntu operating system must initiate session audits at system start-up. '\n desc \"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created. \"\n desc 'check', \"Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \\\"^\\\\s*linux\\\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \\\"audit=1\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\\\"/etc/default/grub\\\" file and add \\\"audit=1\\\" to the \\\"GRUB_CMDLINE_LINUX\\\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000254-GPOS-00095 '\n tag gid: 'V-238299 '\n tag rid: 'SV-238299r654072_rule '\n tag stig_id: 'UBTU-20-010198 '\n tag fix_id: 'F-41468r654071_fix '\n tag cci: ['CCI-001464']\n tag nist: ['AU-14 (1)']\n\n grub_entries = command('grep \"^\\s*linux\" /boot/grub/grub.cfg').stdout.strip.split(\"\\n\").entries\n\n grub_entries.each do |entry|\n describe entry do\n it { should include 'audit=1' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238299.rb"},"waiver_data":{},"results":[]},{"id":"SV-238300","title":"The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the Ubuntu operating system configures the audit tools to have a file permission of\n0755 or less to prevent unauthorized access by running the following command:\n\n$ stat -c \"%n\n%a\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl 755\n/sbin/aureport 755\n\n/sbin/ausearch 755\n/sbin/autrace 755\n/sbin/auditd 755\n/sbin/audispd 755\n\n/sbin/augenrules 755\n\nIf any of the audit tools have a mode more permissive than 0755, this\nis a finding."},{"label":"fix","data":"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n$ sudo chmod\n0755 [audit_tool]\n\nReplace \"[audit_tool]\" with the audit tool that does not have the\ncorrect permissions."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000256-GPOS-00097 ","satisfies":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"],"gid":"V-238300 ","rid":"SV-238300r654075_rule ","stig_id":"UBTU-20-010199 ","fix_id":"F-41469r654074_fix ","cci":["CCI-001493","CCI-001494"],"nist":["AU-9 a","AU-9"]},"code":"control 'SV-238300' do\n title 'The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to have a file permission of\n0755 or less to prevent unauthorized access by running the following command:\n\n$ stat -c \\\"%n\n%a\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl 755\n/sbin/aureport 755\n\n/sbin/ausearch 755\n/sbin/autrace 755\n/sbin/auditd 755\n/sbin/audispd 755\n\n/sbin/augenrules 755\n\nIf any of the audit tools have a mode more permissive than 0755, this\nis a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n$ sudo chmod\n0755 [audit_tool]\n\nReplace \\\"[audit_tool]\\\" with the audit tool that does not have the\ncorrect permissions. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238300 '\n tag rid: 'SV-238300r654075_rule '\n tag stig_id: 'UBTU-20-010199 '\n tag fix_id: 'F-41469r654074_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238300.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.4e-05,"start_time":"2022-12-07T14:54:56-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238301","title":"The Ubuntu operating system must configure audit tools to be owned by root. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\"%n %U\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding."},{"label":"fix","data":"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not owned by root."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000256-GPOS-00097 ","satisfies":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"],"gid":"V-238301 ","rid":"SV-238301r654078_rule ","stig_id":"UBTU-20-010200 ","fix_id":"F-41470r654077_fix ","cci":["CCI-001493","CCI-001494"],"nist":["AU-9 a","AU-9"]},"code":"control 'SV-238301' do\n title 'The Ubuntu operating system must configure audit tools to be owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\\\"%n %U\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238301 '\n tag rid: 'SV-238301r654078_rule '\n tag stig_id: 'UBTU-20-010200 '\n tag fix_id: 'F-41470r654077_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238301.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.4e-05,"start_time":"2022-12-07T14:54:56-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238302","title":"The Ubuntu operating system must configure the audit tools to be group-owned by root. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \"%n %G\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding."},{"label":"fix","data":"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not group-owned by root."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000256-GPOS-00097 ","satisfies":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"],"gid":"V-238302 ","rid":"SV-238302r654081_rule ","stig_id":"UBTU-20-010201 ","fix_id":"F-41471r654080_fix ","cci":["CCI-001493","CCI-001494"],"nist":["AU-9 a","AU-9"]},"code":"control 'SV-238302' do\n title 'The Ubuntu operating system must configure the audit tools to be group-owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \\\"%n %G\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not group-owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238302 '\n tag rid: 'SV-238302r654081_rule '\n tag stig_id: 'UBTU-20-010201 '\n tag fix_id: 'F-41471r654080_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238302.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.7e-05,"start_time":"2022-12-07T14:54:56-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238303","title":"The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. ","desc":"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles.","descriptions":[{"label":"default","data":"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\/sbin\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding."},{"label":"fix","data":"Add or update the following selection lines for \"/etc/aide/aide.conf\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000278-GPOS-00108 ","gid":"V-238303 ","rid":"SV-238303r654084_rule ","stig_id":"UBTU-20-010205 ","fix_id":"F-41472r654083_fix ","cci":["CCI-001496"],"nist":["AU-9 (3)"]},"code":"control 'SV-238303' do\n title \"The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. \"\n desc \"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\\\/sbin\\\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding. \"\n desc 'fix', \"Add or update the following selection lines for \\\"/etc/aide/aide.conf\\\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000278-GPOS-00108 '\n tag gid: 'V-238303 '\n tag rid: 'SV-238303r654084_rule '\n tag stig_id: 'UBTU-20-010205 '\n tag fix_id: 'F-41472r654083_fix '\n tag cci: ['CCI-001496']\n tag nist: ['AU-9 (3)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n aide_conf = aide_conf input('aide_conf_path')\n\n aide_conf_exists = aide_conf.exist?\n\n if aide_conf_exists\n describe aide_conf.where { selection_line == '/sbin/auditctl' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/auditd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/ausearch' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/aureport' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/autrace' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/audispd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/augenrules' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n else\n describe 'aide.conf file exists' do\n subject { aide_conf_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238303.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.7e-05,"start_time":"2022-12-07T14:54:57-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238304","title":"The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. ","desc":"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.","descriptions":[{"label":"default","data":"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review."},{"label":"check","data":"Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \"execve\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000326-GPOS-00126 ","satisfies":["SRG-OS-000326-GPOS-00126","SRG-OS-000327-GPOS-00127"],"gid":"V-238304 ","rid":"SV-238304r853422_rule ","stig_id":"UBTU-20-010211 ","fix_id":"F-41473r654086_fix ","cci":["CCI-002233","CCI-002234"],"nist":["AC-6 (8)","AC-6 (9)"]},"code":"control 'SV-238304' do\n title \"The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. \"\n desc \"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \\\"execve\\\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000326-GPOS-00126 '\n tag satisfies: %w(SRG-OS-000326-GPOS-00126 SRG-OS-000327-GPOS-00127)\n tag gid: 'V-238304 '\n tag rid: 'SV-238304r853422_rule '\n tag stig_id: 'UBTU-20-010211 '\n tag fix_id: 'F-41473r654086_fix '\n tag cci: %w(CCI-002233 CCI-002234)\n tag nist: ['AC-6 (8)', 'AC-6 (9)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('execve').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('execve').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238304.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.4e-05,"start_time":"2022-12-07T14:54:57-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238305","title":"The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. ","desc":"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system.","descriptions":[{"label":"default","data":"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system."},{"label":"check","data":"Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \"/var/log/audit/\") with the following command:\n\n$\nsudo df –h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\"/var/log/audit\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du –sh [audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding."},{"label":"fix","data":"Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \"parted\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\s*=\\s*).*@\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint."}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000341-GPOS-00132 ","gid":"V-238305 ","rid":"SV-238305r853423_rule ","stig_id":"UBTU-20-010215 ","fix_id":"F-41474r654089_fix ","cci":["CCI-001849"],"nist":["AU-4"]},"code":"control 'SV-238305' do\n title \"The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. \"\n desc \"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system. \"\n desc 'check', \"Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \\\"/var/log/audit/\\\") with the following command:\n\n$\nsudo df –h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\\\"/var/log/audit\\\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du –sh [audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding. \"\n desc 'fix', \"Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \\\"parted\\\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\\\s*=\\\\s*).*@\\\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000341-GPOS-00132 '\n tag gid: 'V-238305 '\n tag rid: 'SV-238305r853423_rule '\n tag stig_id: 'UBTU-20-010215 '\n tag fix_id: 'F-41474r654089_fix '\n tag cci: ['CCI-001849']\n tag nist: ['AU-4']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n log_file_dir = File.dirname(log_file)\n available_storage = filesystem(log_file_dir).free_kb\n log_file_size = file(log_file).size\n standard_audit_log_size = input('standard_audit_log_size')\n describe('Current audit log file size is less than the specified standard of ' + standard_audit_log_size.to_s) do\n subject { log_file_size.to_i }\n it { should be <= standard_audit_log_size }\n end\n describe('Available storage for audit log should be more than the defined standard of ' + standard_audit_log_size.to_s) do\n subject { available_storage.to_i }\n it { should be > standard_audit_log_size }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238305.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.2e-05,"start_time":"2022-12-07T14:54:57-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238306","title":"The Ubuntu operating system audit event multiplexor must be configured to off-load audit\nlogs onto a different system or storage media from the system being audited. ","desc":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity.","descriptions":[{"label":"default","data":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity."},{"label":"check","data":"Verify the audit event multiplexor is configured to offload audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that audisp-remote plugin is\ninstalled:\n\n$ sudo dpkg -s audispd-plugins\n\nIf status is \"not installed\", this is a\nfinding.\n\nCheck that the records are being offloaded to a remote server with the following\ncommand:\n\n$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf\n\"active\" is not set to \"yes\", or the line is commented out, this is a finding.\n\nCheck that\naudisp-remote plugin is configured to send audit logs to a different system:\n\n$ sudo grep -i\n^remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 192.168.122.126\n\nIf\nthe \"remote_server\" parameter is not set, is set with a local address, or is set with an invalid\naddress, this is a finding."},{"label":"fix","data":"Configure the audit event multiplexor to offload audit records to a different system or\nstorage media from the system being audited.\n\nInstall the audisp-remote plugin:\n\n$ sudo\napt-get install audispd-plugins -y\n\nSet the audisp-remote plugin as active by editing the\n\"/etc/audisp/plugins.d/au-remote.conf\" file:\n\n$ sudo sed -i -E\n's/active\\s*=\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf\n\nSet the\naddress of the remote machine by editing the \"/etc/audisp/audisp-remote.conf\" file:\n\n$\nsudo sed -i -E 's/(remote_server\\s*=).*/\\1 <remote addr>/'\n/etc/audisp/audisp-remote.conf\n\nwhere <remote addr> must be substituted by the\naddress of the remote server receiving the audit log.\n\nMake the audit service reload its\nconfiguration files:\n\n$ sudo systemctl restart auditd.service"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000342-GPOS-00133 ","satisfies":["SRG-OS-000342-GPOS-00133","SRG-OS-000479-GPOS-00224"],"gid":"V-238306 ","rid":"SV-238306r853424_rule ","stig_id":"UBTU-20-010216 ","fix_id":"F-41475r654092_fix ","cci":["CCI-001851"],"nist":["AU-4 (1)"]},"code":"control 'SV-238306' do\n title \"The Ubuntu operating system audit event multiplexor must be configured to off-load audit\nlogs onto a different system or storage media from the system being audited. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity.\n\n \"\n desc 'check', \"Verify the audit event multiplexor is configured to offload audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that audisp-remote plugin is\ninstalled:\n\n$ sudo dpkg -s audispd-plugins\n\nIf status is \\\"not installed\\\", this is a\nfinding.\n\nCheck that the records are being offloaded to a remote server with the following\ncommand:\n\n$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf\n\\\"active\\\" is not set to \\\"yes\\\", or the line is commented out, this is a finding.\n\nCheck that\naudisp-remote plugin is configured to send audit logs to a different system:\n\n$ sudo grep -i\n^remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 192.168.122.126\n\nIf\nthe \\\"remote_server\\\" parameter is not set, is set with a local address, or is set with an invalid\naddress, this is a finding. \"\n desc 'fix', \"Configure the audit event multiplexor to offload audit records to a different system or\nstorage media from the system being audited.\n\nInstall the audisp-remote plugin:\n\n$ sudo\napt-get install audispd-plugins -y\n\nSet the audisp-remote plugin as active by editing the\n\\\"/etc/audisp/plugins.d/au-remote.conf\\\" file:\n\n$ sudo sed -i -E\n's/active\\\\s*=\\\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf\n\nSet the\naddress of the remote machine by editing the \\\"/etc/audisp/audisp-remote.conf\\\" file:\n\n$\nsudo sed -i -E 's/(remote_server\\\\s*=).*/\\\\1 <remote addr>/'\n/etc/audisp/audisp-remote.conf\n\nwhere <remote addr> must be substituted by the\naddress of the remote server receiving the audit log.\n\nMake the audit service reload its\nconfiguration files:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000342-GPOS-00133 '\n tag satisfies: %w(SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224)\n tag gid: 'V-238306 '\n tag rid: 'SV-238306r853424_rule '\n tag stig_id: 'UBTU-20-010216 '\n tag fix_id: 'F-41475r654092_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = input('audispremote_config_file')\n config_file_exists = file(config_file).exist?\n audit_sp_remote_server = input('audit_sp_remote_server')\n\n describe package('audispd-plugins') do\n it { should be_installed }\n end\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('active') { should cmp 'yes' }\n its('remote_server') { should cmp audit_sp_remote_server }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238306.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.4e-05,"start_time":"2022-12-07T14:54:57-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238307","title":"The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. ","desc":"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion.","descriptions":[{"label":"default","data":"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion."},{"label":"check","data":"Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \"space_left\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \"space_left_action\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \"space_left_action\" is set to \"syslog\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\"space_left_action\" is set to \"exec\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \"space_left_action\" is set\nto \"email\", check the value of the \"action_mail_acct\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \"action_mail_acct\" parameter, if missing, defaults to \"root\". If the\n\"action_mail_acct parameter\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available."},{"label":"fix","data":"Edit \"/etc/audit/auditd.conf\" and set the \"space_left_action\" parameter to \"exec\" or\n\"email\".\n\nIf the \"space_left_action\" parameter is set to \"email\", set the\n\"action_mail_acct\" parameter to an email address for the SA and ISSO.\n\nIf the\n\"space_left_action\" parameter is set to \"exec\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \"/etc/audit/auditd.conf\" and set the \"space_left\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity."}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000343-GPOS-00134 ","gid":"V-238307 ","rid":"SV-238307r853425_rule ","stig_id":"UBTU-20-010217 ","fix_id":"F-41476r654095_fix ","cci":["CCI-001855"],"nist":["AU-5 (1)"]},"code":"control 'SV-238307' do\n title \"The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. \"\n desc \"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion. \"\n desc 'check', \"Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \\\"space_left\\\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \\\"space_left_action\\\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \\\"space_left_action\\\" is set to \\\"syslog\\\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\\\"space_left_action\\\" is set to \\\"exec\\\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \\\"space_left_action\\\" is set\nto \\\"email\\\", check the value of the \\\"action_mail_acct\\\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \\\"action_mail_acct\\\" parameter, if missing, defaults to \\\"root\\\". If the\n\\\"action_mail_acct parameter\\\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available. \"\n desc 'fix', \"Edit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left_action\\\" parameter to \\\"exec\\\" or\n\\\"email\\\".\n\nIf the \\\"space_left_action\\\" parameter is set to \\\"email\\\", set the\n\\\"action_mail_acct\\\" parameter to an email address for the SA and ISSO.\n\nIf the\n\\\"space_left_action\\\" parameter is set to \\\"exec\\\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left\\\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000343-GPOS-00134 '\n tag gid: 'V-238307 '\n tag rid: 'SV-238307r853425_rule '\n tag stig_id: 'UBTU-20-010217 '\n tag fix_id: 'F-41476r654095_fix '\n tag cci: ['CCI-001855']\n tag nist: ['AU-5 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n email_to_notify = input('action_mail_acct')\n\n partition_threshold_mb = (filesystem(log_file).size_kb / 1024 * 0.25).to_i\n system_alert_configuration_mb = auditd_conf.space_left.to_i\n\n describe 'The space_left configuration' do\n subject { system_alert_configuration_mb }\n it { should >= partition_threshold_mb }\n end\n describe 'The space_left_action configuration' do\n subject { auditd_conf.space_left_action }\n it { should eq 'email' }\n end\n\n describe 'The action_mail_acct configuration' do\n subject { auditd_conf.action_mail_acct }\n it { should eq email_to_notify }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238307.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.3e-05,"start_time":"2022-12-07T14:54:57-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238308","title":"The Ubuntu operating system must record time stamps for audit records that can be mapped to\nCoordinated Universal Time (UTC) or Greenwich Mean Time (GMT). ","desc":"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.","descriptions":[{"label":"default","data":"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC."},{"label":"check","data":"To verify the time zone is configured to use UTC or GMT, run the following command.\n\n$\ntimedatectl status | grep -i \"time zone\"\nTimezone: UTC (UTC, +0000)\n\nIf \"Timezone\" is not\nset to UTC or GMT, this is a finding."},{"label":"fix","data":"To configure the system time zone to use UTC or GMT, run the following command, replacing\n[ZONE] with UTC or GMT:\n\n$ sudo timedatectl set-timezone [ZONE]"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000359-GPOS-00146 ","gid":"V-238308 ","rid":"SV-238308r853426_rule ","stig_id":"UBTU-20-010230 ","fix_id":"F-41477r654098_fix ","cci":["CCI-001890"],"nist":["AU-8 b"]},"code":"control 'SV-238308' do\n title \"The Ubuntu operating system must record time stamps for audit records that can be mapped to\nCoordinated Universal Time (UTC) or Greenwich Mean Time (GMT). \"\n desc \"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. \"\n desc 'check', \"To verify the time zone is configured to use UTC or GMT, run the following command.\n\n$\ntimedatectl status | grep -i \\\"time zone\\\"\nTimezone: UTC (UTC, +0000)\n\nIf \\\"Timezone\\\" is not\nset to UTC or GMT, this is a finding. \"\n desc 'fix', \"To configure the system time zone to use UTC or GMT, run the following command, replacing\n[ZONE] with UTC or GMT:\n\n$ sudo timedatectl set-timezone [ZONE] \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000359-GPOS-00146 '\n tag gid: 'V-238308 '\n tag rid: 'SV-238308r853426_rule '\n tag stig_id: 'UBTU-20-010230 '\n tag fix_id: 'F-41477r654098_fix '\n tag cci: ['CCI-001890']\n tag nist: ['AU-8 b']\n\n time_zone = command('timedatectl status | grep -i \"time zone\"').stdout.strip\n\n describe time_zone do\n it { should match 'UTC' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238308.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"is expected to match \"UTC\"","run_time":0.001563,"start_time":"2022-12-07T14:54:57-05:00","message":"expected \"\" to match \"UTC\"","resource_class":"Object","resource_params":"[]","resource_id":""}]},{"id":"SV-238309","title":"The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, diagnostic sessions and other system-level access. ","desc":"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.","descriptions":[{"label":"default","data":"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of\nan Ethernet switch."},{"label":"check","data":"Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000392-GPOS-00172 ","satisfies":["SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"gid":"V-238309 ","rid":"SV-238309r853427_rule ","stig_id":"UBTU-20-010244 ","fix_id":"F-41478r654101_fix ","cci":["CCI-000172","CCI-002884"],"nist":["AU-12 c","MA-4 (1) (a)"]},"code":"control 'SV-238309' do\n title \"The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, diagnostic sessions and other system-level access. \"\n desc \"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\\\"ping,\\\" \\\"ls,\\\" \\\"ipconfig,\\\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000392-GPOS-00172 '\n tag satisfies: %w(SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215)\n tag gid: 'V-238309 '\n tag rid: 'SV-238309r853427_rule '\n tag stig_id: 'UBTU-20-010244 '\n tag fix_id: 'F-41478r654101_fix '\n tag cci: %w(CCI-000172 CCI-002884)\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/sudo.log'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238309.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.4e-05,"start_time":"2022-12-07T14:54:57-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238310","title":"The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\|rename\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \"unlink\",\n\"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \"key\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events for any successful/unsuccessful use of\n\"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" system calls.\n\nAdd or update the\nfollowing rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000468-GPOS-00212 ","gid":"V-238310 ","rid":"SV-238310r832953_rule ","stig_id":"UBTU-20-010267 ","fix_id":"F-41479r832952_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238310' do\n title \"The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible. \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\\\|rename\\\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \\\"unlink\\\",\n\\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \\\"key\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events for any successful/unsuccessful use of\n\\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" system calls.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000468-GPOS-00212 '\n tag gid: 'V-238310 '\n tag rid: 'SV-238310r832953_rule '\n tag stig_id: 'UBTU-20-010267 '\n tag fix_id: 'F-41479r832952_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('unlink').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('unlink').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238310.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.0e-05,"start_time":"2022-12-07T14:54:57-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238315","title":"The Ubuntu operating system must generate audit records for the /var/log/wtmp file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/log/wtmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/log/wtmp\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000472-GPOS-00217 ","gid":"V-238315 ","rid":"SV-238315r654120_rule ","stig_id":"UBTU-20-010277 ","fix_id":"F-41484r654119_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238315' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238315 '\n tag rid: 'SV-238315r654120_rule '\n tag stig_id: 'UBTU-20-010277 '\n tag fix_id: 'F-41484r654119_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238315.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.9e-05,"start_time":"2022-12-07T14:54:57-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238316","title":"The Ubuntu operating system must generate audit records for the /var/run/wtmp file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/run/wtmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/run/wtmp\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000472-GPOS-00217 ","gid":"V-238316 ","rid":"SV-238316r654123_rule ","stig_id":"UBTU-20-010278 ","fix_id":"F-41485r654122_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238316' do\n title 'The Ubuntu operating system must generate audit records for the /var/run/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/run/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/run/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238316 '\n tag rid: 'SV-238316r654123_rule '\n tag stig_id: 'UBTU-20-010278 '\n tag fix_id: 'F-41485r654122_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/run/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238316.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.6e-05,"start_time":"2022-12-07T14:54:57-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238317","title":"The Ubuntu operating system must generate audit records for the /var/log/btmp file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/log/btmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/log/btmp file\".\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000472-GPOS-00217 ","gid":"V-238317 ","rid":"SV-238317r654126_rule ","stig_id":"UBTU-20-010279 ","fix_id":"F-41486r654125_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238317' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/btmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/btmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/btmp file\\\".\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238317 '\n tag rid: 'SV-238317r654126_rule '\n tag stig_id: 'UBTU-20-010279 '\n tag fix_id: 'F-41486r654125_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/btmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238317.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.6e-05,"start_time":"2022-12-07T14:54:58-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238318","title":"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \"modprobe\" by running the following command:\n\n$ sudo auditctl -l | grep\n\"/sbin/modprobe\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \"modprobe\".\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000477-GPOS-00222 ","gid":"V-238318 ","rid":"SV-238318r654129_rule ","stig_id":"UBTU-20-010296 ","fix_id":"F-41487r654128_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238318' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"modprobe\\\" by running the following command:\n\n$ sudo auditctl -l | grep\n\\\"/sbin/modprobe\\\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"modprobe\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238318 '\n tag rid: 'SV-238318r654129_rule '\n tag stig_id: 'UBTU-20-010296 '\n tag fix_id: 'F-41487r654128_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/modprobe'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238318.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.8e-05,"start_time":"2022-12-07T14:54:58-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238319","title":"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \"kmod\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \"kmod\".\n\nAdd or update the following rule in the \"/etc/audit/rules.d/stig.rules\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000477-GPOS-00222 ","gid":"V-238319 ","rid":"SV-238319r654132_rule ","stig_id":"UBTU-20-010297 ","fix_id":"F-41488r654131_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238319' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"kmod\\\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"kmod\\\".\n\nAdd or update the following rule in the \\\"/etc/audit/rules.d/stig.rules\\\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238319 '\n tag rid: 'SV-238319r654132_rule '\n tag stig_id: 'UBTU-20-010297 '\n tag fix_id: 'F-41488r654131_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/kmod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238319.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.4e-05,"start_time":"2022-12-07T14:54:58-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238320","title":"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \"fdisk\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \"fdisk\".\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000477-GPOS-00222 ","gid":"V-238320 ","rid":"SV-238320r832956_rule ","stig_id":"UBTU-20-010298 ","fix_id":"F-41489r832955_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238320' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \\\"fdisk\\\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \\\"fdisk\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238320 '\n tag rid: 'SV-238320r832956_rule '\n tag stig_id: 'UBTU-20-010298 '\n tag fix_id: 'F-41489r832955_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/fdisk'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238320.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.5e-05,"start_time":"2022-12-07T14:54:58-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238321","title":"The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. ","desc":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity.","descriptions":[{"label":"default","data":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity."},{"label":"check","data":"Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\"/etc/cron.weekly\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding."},{"label":"fix","data":"Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \"/etc/cron.weekly\" directory."}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000479-GPOS-00224 ","gid":"V-238321 ","rid":"SV-238321r853428_rule ","stig_id":"UBTU-20-010300 ","fix_id":"F-41490r654137_fix ","cci":["CCI-001851"],"nist":["AU-4 (1)"]},"code":"control 'SV-238321' do\n title \"The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity. \"\n desc 'check', \"Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\\\"/etc/cron.weekly\\\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding. \"\n desc 'fix', \"Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \\\"/etc/cron.weekly\\\" directory. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000479-GPOS-00224 '\n tag gid: 'V-238321 '\n tag rid: 'SV-238321r853428_rule '\n tag stig_id: 'UBTU-20-010300 '\n tag fix_id: 'F-41490r654137_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n\n cron_file = input('auditoffload_config_file')\n cron_file_exists = file(cron_file).exist?\n\n if cron_file_exists\n describe file(cron_file) do\n its('content') { should_not be_empty }\n end\n else\n describe cron_file + ' exists' do\n subject { cron_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238321.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/cron.weekly/audit-offload exists is expected to equal true","run_time":0.007705,"start_time":"2022-12-07T14:54:58-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/cron.weekly/audit-offload exists"}]},{"id":"SV-238323","title":"The Ubuntu operating system must limit the number of concurrent sessions to ten for all\naccounts and/or account types. ","desc":"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system.","descriptions":[{"label":"default","data":"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system."},{"label":"check","data":"Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all\naccounts and/or account types by running the following command:\n\n$ grep maxlogins\n/etc/security/limits.conf | grep -v '^* hard maxlogins'\n\nThe result must contain the\nfollowing line:\n\n* hard maxlogins 10\n\nIf the \"maxlogins\" item is missing or the value is not\nset to 10 or less or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all\naccounts and/or account types.\n\nAdd the following line to the top of the\n\"/etc/security/limits.conf\" file:\n\n* hard maxlogins 10"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000027-GPOS-00008 ","gid":"V-238323 ","rid":"SV-238323r654144_rule ","stig_id":"UBTU-20-010400 ","fix_id":"F-41492r654143_fix ","cci":["CCI-000054"],"nist":["AC-10"]},"code":"control 'SV-238323' do\n title \"The Ubuntu operating system must limit the number of concurrent sessions to ten for all\naccounts and/or account types. \"\n desc \"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system. \"\n desc 'check', \"Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all\naccounts and/or account types by running the following command:\n\n$ grep maxlogins\n/etc/security/limits.conf | grep -v '^* hard maxlogins'\n\nThe result must contain the\nfollowing line:\n\n* hard maxlogins 10\n\nIf the \\\"maxlogins\\\" item is missing or the value is not\nset to 10 or less or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all\naccounts and/or account types.\n\nAdd the following line to the top of the\n\\\"/etc/security/limits.conf\\\" file:\n\n* hard maxlogins 10 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000027-GPOS-00008 '\n tag gid: 'V-238323 '\n tag rid: 'SV-238323r654144_rule '\n tag stig_id: 'UBTU-20-010400 '\n tag fix_id: 'F-41492r654143_fix '\n tag cci: ['CCI-000054']\n tag nist: ['AC-10']\n\n describe limits_conf do\n its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238323.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"limits.conf * is expected to include [\"hard\", \"maxlogins\", \"10\"]","run_time":0.003173,"start_time":"2022-12-07T14:54:58-05:00","resource_class":"limits_conf","resource_params":"[]","resource_id":"/etc/security/limits.conf"}]},{"id":"SV-238324","title":"The Ubuntu operating system must monitor remote access methods. ","desc":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets).","descriptions":[{"label":"default","data":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets)."},{"label":"check","data":"Verify that the Ubuntu operating system monitors all remote access methods.\n\nCheck that\nremote access methods are being logged by running the following command:\n\n$ grep -E -r\n'^(auth,authpriv\\.\\*|daemon\\.\\*)' /etc/rsyslog.*\n\n/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log\n\n/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages\n\nIf \"auth.*\",\n\"authpriv.*\", or \"daemon.*\" are not configured to be logged in at least one of the config\nfiles, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to monitor all remote access methods by adding the\nfollowing lines to the \"/etc/rsyslog.d/50-default.conf\" file:\n\nauth.*,authpriv.*\n/var/log/secure\ndaemon.* /var/log/messages\n\nFor the changes to take effect, restart the\n\"rsyslog\" service with the following command:\n\n$ sudo systemctl restart rsyslog.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000032-GPOS-00013 ","gid":"V-238324 ","rid":"SV-238324r832959_rule ","stig_id":"UBTU-20-010403 ","fix_id":"F-41493r832958_fix ","cci":["CCI-000067"],"nist":["AC-17 (1)"]},"code":"control 'SV-238324' do\n title 'The Ubuntu operating system must monitor remote access methods. '\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify that the Ubuntu operating system monitors all remote access methods.\n\nCheck that\nremote access methods are being logged by running the following command:\n\n$ grep -E -r\n'^(auth,authpriv\\\\.\\\\*|daemon\\\\.\\\\*)' /etc/rsyslog.*\n\n/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log\n\n/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages\n\nIf \\\"auth.*\\\",\n\\\"authpriv.*\\\", or \\\"daemon.*\\\" are not configured to be logged in at least one of the config\nfiles, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to monitor all remote access methods by adding the\nfollowing lines to the \\\"/etc/rsyslog.d/50-default.conf\\\" file:\n\nauth.*,authpriv.*\n/var/log/secure\ndaemon.* /var/log/messages\n\nFor the changes to take effect, restart the\n\\\"rsyslog\\\" service with the following command:\n\n$ sudo systemctl restart rsyslog.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000032-GPOS-00013 '\n tag gid: 'V-238324 '\n tag rid: 'SV-238324r832959_rule '\n tag stig_id: 'UBTU-20-010403 '\n tag fix_id: 'F-41493r832958_fix '\n tag cci: ['CCI-000067']\n tag nist: ['AC-17 (1)']\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*\\t\\s*(.*?)\\s*$/,\n }\n config_file = input('rsyslog_config_file')\n auth_setting = parse_config_file(config_file, options).params['auth,authpriv.*']\n daemon_setting = parse_config_file(config_file, options).params['daemon.notice']\n describe auth_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\n describe daemon_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238324.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"is expected not to be nil","run_time":0.001283,"start_time":"2022-12-07T14:54:58-05:00","message":"expected: not nil\n got: nil","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected not to be empty","run_time":0.014109,"start_time":"2022-12-07T14:54:58-05:00","message":"expected nil to respond to `empty?`","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected not to be nil","run_time":0.000529,"start_time":"2022-12-07T14:54:58-05:00","message":"expected: not nil\n got: nil","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected not to be empty","run_time":0.016171,"start_time":"2022-12-07T14:54:58-05:00","message":"expected nil to respond to `empty?`","resource_class":"Object","resource_params":"[]","resource_id":""}]},{"id":"SV-238325","title":"The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. ","desc":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.","descriptions":[{"label":"default","data":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised."},{"label":"check","data":"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \"ENCRYPT_METHOD\" does not equal SHA512 or\ngreater, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \"/etc/login.defs\" file and set \"ENCRYPT_METHOD\" to SHA512:\n\n\nENCRYPT_METHOD SHA512"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000120-GPOS-00061 ","gid":"V-238325 ","rid":"SV-238325r654150_rule ","stig_id":"UBTU-20-010404 ","fix_id":"F-41494r654149_fix ","cci":["CCI-000803"],"nist":["IA-7"]},"code":"control 'SV-238325' do\n title \"The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. \"\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \\\"ENCRYPT_METHOD\\\" does not equal SHA512 or\ngreater, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \\\"/etc/login.defs\\\" file and set \\\"ENCRYPT_METHOD\\\" to SHA512:\n\n\nENCRYPT_METHOD SHA512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000120-GPOS-00061 '\n tag gid: 'V-238325 '\n tag rid: 'SV-238325r654150_rule '\n tag stig_id: 'UBTU-20-010404 '\n tag fix_id: 'F-41494r654149_fix '\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n\n disable_fips = input('disable_fips')\n\n if disable_fips?\n impact 0.0\n describe 'Control not applicable' do\n skip 'Control not applicable'\n end\n elsif virtualization.system.eql?('docker')\n describe 'Manual test' do\n skip 'This control must be reviewed manually'\n end\n else\n describe login_defs do\n its('ENCRYPT_METHOD') { should eq 'SHA512' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238325.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238325.rb:1 ","run_time":0.012142,"start_time":"2022-12-07T14:54:58-05:00","message":"undefined method `disable_fips?' for #\"Passwords need to be protected at all times, and encryption is the standard method for\\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\\ntext) and easily compromised.\", :check=>\"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\\n140-2 approved cryptographic hashing algorithm.\\n\\nCheck the hashing algorithm that is\\nbeing used to hash passwords with the following command:\\n\\n$ cat /etc/login.defs | grep -i\\nencrypt_method\\n\\nENCRYPT_METHOD SHA512\\n\\nIf \\\"ENCRYPT_METHOD\\\" does not equal SHA512 or\\ngreater, this is a finding.\", :fix=>\"Configure the Ubuntu operating system to encrypt all stored passwords.\\n\\nEdit/modify the\\nfollowing line in the \\\"/etc/login.defs\\\" file and set \\\"ENCRYPT_METHOD\\\" to SHA512:\\n\\n\\nENCRYPT_METHOD SHA512\"}, @refs=[], @tags={:severity=>\"medium \", :gtitle=>\"SRG-OS-000120-GPOS-00061 \", :gid=>\"V-238325 \", :rid=>\"SV-238325r654150_rule \", :stig_id=>\"UBTU-20-010404 \", :fix_id=>\"F-41494r654149_fix \", :cci=>[\"CCI-000803\"], :nist=>[\"IA-7\"]}, @resource_dsl=#, @__code=nil, @__block=#, @__source_location={:ref=>\"./controls/SV-238325.rb\", :line=>1}, @__rule_id=\"SV-238325\", @__profile_id=\"Canonical_Ubuntu_20-04_LTS_STIG\", @__checks=[[\"describe\", [\"Control Source Code Error\"], #]], @__skip_rule={}, @__merge_count=0, @__merge_changes=[], @__skip_only_if_eval=false, @__file=\"./controls/SV-238325.rb\", @__group_title=nil>","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238325.rb:1"}]},{"id":"SV-238326","title":"The Ubuntu operating system must not have the telnet package installed. ","desc":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.","descriptions":[{"label":"default","data":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised."},{"label":"check","data":"Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding."},{"label":"fix","data":"Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000074-GPOS-00042 ","gid":"V-238326 ","rid":"SV-238326r654153_rule ","stig_id":"UBTU-20-010405 ","fix_id":"F-41495r654152_fix ","cci":["CCI-000197"],"nist":["IA-5 (1) (c)"]},"code":"control 'SV-238326' do\n title 'The Ubuntu operating system must not have the telnet package installed. '\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding. \"\n desc 'fix', \"Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000074-GPOS-00042 '\n tag gid: 'V-238326 '\n tag rid: 'SV-238326r654153_rule '\n tag stig_id: 'UBTU-20-010405 '\n tag fix_id: 'F-41495r654152_fix '\n tag cci: ['CCI-000197']\n tag nist: ['IA-5 (1) (c)']\n\n describe package('telnetd') do\n it { should_not be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238326.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"System Package telnetd is expected not to be installed","run_time":0.071937,"start_time":"2022-12-07T14:54:58-05:00","resource_class":"package","resource_params":"[\"telnetd\"]","resource_id":"telnetd"}]},{"id":"SV-238327","title":"The Ubuntu operating system must not have the rsh-server package installed. ","desc":"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.","descriptions":[{"label":"default","data":"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled."},{"label":"check","data":"Verify the rsh-server package is installed with the following command:\n\n$ dpkg -l | grep\nrsh-server\n\nIf the rsh-server package is installed, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to disable non-essential capabilities by removing\nthe rsh-server package from the system with the following command:\n\n$ sudo apt-get remove\nrsh-server"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000095-GPOS-00049 ","gid":"V-238327 ","rid":"SV-238327r654156_rule ","stig_id":"UBTU-20-010406 ","fix_id":"F-41496r654155_fix ","cci":["CCI-000381"],"nist":["CM-7 a"]},"code":"control 'SV-238327' do\n title 'The Ubuntu operating system must not have the rsh-server package installed. '\n desc \"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled. \"\n desc 'check', \"Verify the rsh-server package is installed with the following command:\n\n$ dpkg -l | grep\nrsh-server\n\nIf the rsh-server package is installed, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable non-essential capabilities by removing\nthe rsh-server package from the system with the following command:\n\n$ sudo apt-get remove\nrsh-server \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000095-GPOS-00049 '\n tag gid: 'V-238327 '\n tag rid: 'SV-238327r654156_rule '\n tag stig_id: 'UBTU-20-010406 '\n tag fix_id: 'F-41496r654155_fix '\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n\n describe package('rsh-server') do\n it { should_not be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238327.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"System Package rsh-server is expected not to be installed","run_time":0.053996,"start_time":"2022-12-07T14:54:59-05:00","resource_class":"package","resource_params":"[\"rsh-server\"]","resource_id":"rsh-server"}]},{"id":"SV-238328","title":"The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. ","desc":"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues.","descriptions":[{"label":"default","data":"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues."},{"label":"check","data":"Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding."},{"label":"fix","data":"Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \"in\" or \"out\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service>"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000096-GPOS-00050 ","gid":"V-238328 ","rid":"SV-238328r654159_rule ","stig_id":"UBTU-20-010407 ","fix_id":"F-41497r654158_fix ","cci":["CCI-000382"],"nist":["CM-7 b"]},"code":"control 'SV-238328' do\n title \"The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. \"\n desc \"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding. \"\n desc 'fix', \"Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \\\"in\\\" or \\\"out\\\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000096-GPOS-00050 '\n tag gid: 'V-238328 '\n tag rid: 'SV-238328r654159_rule '\n tag stig_id: 'UBTU-20-010407 '\n tag fix_id: 'F-41497r654158_fix '\n tag cci: ['CCI-000382']\n tag nist: ['CM-7 b']\n\n ufw_status = command('ufw status').stdout.strip.lines.first\n value = ufw_status.split(':')[1].strip\n\n describe 'UFW status' do\n subject { value }\n it { should cmp 'active' }\n end\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238328.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238328.rb:1 ","run_time":0.001049,"start_time":"2022-12-07T14:54:59-05:00","message":"undefined method `split' for nil:NilClass","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238328.rb:1"}]},{"id":"SV-238329","title":"The Ubuntu operating system must prevent direct login into the root account. ","desc":"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge.","descriptions":[{"label":"default","data":"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge."},{"label":"check","data":"Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \"L\" in the second field to indicate the account is locked, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000109-GPOS-00056 ","gid":"V-238329 ","rid":"SV-238329r654162_rule ","stig_id":"UBTU-20-010408 ","fix_id":"F-41498r654161_fix ","cci":["CCI-000770"],"nist":["IA-2 (5)"]},"code":"control 'SV-238329' do\n title 'The Ubuntu operating system must prevent direct login into the root account. '\n desc \"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\\\"root\\\" user account, the Windows \\\"Administrator\\\" account, the \\\"sa\\\" account, or a \\\"helpdesk\\\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge. \"\n desc 'check', \"Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \\\"L\\\" in the second field to indicate the account is locked, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000109-GPOS-00056 '\n tag gid: 'V-238329 '\n tag rid: 'SV-238329r654162_rule '\n tag stig_id: 'UBTU-20-010408 '\n tag fix_id: 'F-41498r654161_fix '\n tag cci: ['CCI-000770']\n tag nist: ['IA-2 (5)']\n\n describe.one do\n describe shadow.where(user: 'root') do\n its('passwords.uniq.first') { should eq '!*' }\n end\n end\n describe command('passwd -S root').stdout.strip do\n it { should match /^root\\s+L\\s+.*$/ }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238329.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/shadow with user == \"root\" passwords.uniq.first is expected to eq \"!*\"","run_time":0.000576,"start_time":"2022-12-07T14:54:59-05:00","message":"\nexpected: \"!*\"\n got: \"*\"\n\n(compared using ==)\n","exception":"RSpec::Core::MultipleExceptionError","resource_class":"FilterTable::Table","resource_params":"[]","resource_id":""},{"status":"passed","code_desc":"root L 10/18/2022 0 99999 7 -1 is expected to match /^root\\s+L\\s+.*$/","run_time":0.000154,"start_time":"2022-12-07T14:54:59-05:00","resource_class":"Object","resource_params":"[]","resource_id":"root L 10/18/2022 0 99999 7 -1"}]},{"id":"SV-238330","title":"The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. ","desc":"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity.","descriptions":[{"label":"default","data":"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity."},{"label":"check","data":"Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \"INACTIVE\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \"0\" will disable the account immediately after the\npassword expires."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000118-GPOS-00060 ","gid":"V-238330 ","rid":"SV-238330r654165_rule ","stig_id":"UBTU-20-010409 ","fix_id":"F-41499r654164_fix ","cci":["CCI-000795"],"nist":["IA-4 e"]},"code":"control 'SV-238330' do\n title \"The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. \"\n desc \"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity. \"\n desc 'check', \"Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \\\"INACTIVE\\\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \\\"0\\\" will disable the account immediately after the\npassword expires. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000118-GPOS-00060 '\n tag gid: 'V-238330 '\n tag rid: 'SV-238330r654165_rule '\n tag stig_id: 'UBTU-20-010409 '\n tag fix_id: 'F-41499r654164_fix '\n tag cci: ['CCI-000795']\n tag nist: ['IA-4 e']\n\n config_file = input('useradd_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('INACTIVE') { should cmp > '0' }\n its('INACTIVE') { should cmp <= 35 }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238330.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/default/useradd INACTIVE is expected to cmp > \"0\"","run_time":0.001114,"start_time":"2022-12-07T14:54:59-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/default/useradd\"]","resource_id":"/etc/default/useradd"},{"status":"passed","code_desc":"Parse Config File /etc/default/useradd INACTIVE is expected to cmp <= 35","run_time":0.000351,"start_time":"2022-12-07T14:54:59-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/default/useradd\"]","resource_id":"/etc/default/useradd"}]},{"id":"SV-238331","title":"The Ubuntu operating system must automatically remove or disable emergency accounts after\n72 hours. ","desc":"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts.","descriptions":[{"label":"default","data":"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts."},{"label":"check","data":"Verify the Ubuntu operating system expires emergency accounts within 72 hours or less.\n\nFor\nevery emergency account, run the following command to obtain its account expiration\ninformation:\n\n$ sudo chage -l account_name | grep expires\n\nPassword expires : Aug 07, 2019\n\nAccount expires : Aug 07, 2019\n\nVerify each of these accounts has an expiration date set\nwithin 72 hours of account creation.\n\nIf any of these accounts do not expire within 72 hours of\nthat account's creation, this is a finding."},{"label":"fix","data":"If an emergency account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it. Substitute\n\"account_name\" with the account to be created.\n\n$ sudo chage -E $(date -d \"+3 days\" +%F)\naccount_name"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000123-GPOS-00064 ","gid":"V-238331 ","rid":"SV-238331r654168_rule ","stig_id":"UBTU-20-010410 ","fix_id":"F-41500r654167_fix ","cci":["CCI-001682"],"nist":["AC-2 (2)"]},"code":"control 'SV-238331' do\n title \"The Ubuntu operating system must automatically remove or disable emergency accounts after\n72 hours. \"\n desc \"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts. \"\n desc 'check', \"Verify the Ubuntu operating system expires emergency accounts within 72 hours or less.\n\nFor\nevery emergency account, run the following command to obtain its account expiration\ninformation:\n\n$ sudo chage -l account_name | grep expires\n\nPassword expires : Aug 07, 2019\n\nAccount expires : Aug 07, 2019\n\nVerify each of these accounts has an expiration date set\nwithin 72 hours of account creation.\n\nIf any of these accounts do not expire within 72 hours of\nthat account's creation, this is a finding. \"\n desc 'fix', \"If an emergency account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it. Substitute\n\\\"account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\" +%F)\naccount_name \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000123-GPOS-00064 '\n tag gid: 'V-238331 '\n tag rid: 'SV-238331r654168_rule '\n tag stig_id: 'UBTU-20-010410 '\n tag fix_id: 'F-41500r654167_fix '\n tag cci: ['CCI-001682']\n tag nist: ['AC-2 (2)']\n\n describe 'Manual verification required' do\n skip 'Manually verify if emergency account must be created\n the system must terminate the account after a 72 hour time period.'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238331.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Manual verification required","run_time":1.4e-05,"start_time":"2022-12-07T14:54:59-05:00","resource":"","skip_message":"Manually verify if emergency account must be created\n the system must terminate the account after a 72 hour time period.","resource_class":"Object","resource_params":"[]","resource_id":"Manual verification required"}]},{"id":"SV-238332","title":"The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. ","desc":"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components.","descriptions":[{"label":"default","data":"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components."},{"label":"check","data":"Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding."},{"label":"fix","data":"Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \"[Public Directory]\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000138-GPOS-00069 ","gid":"V-238332 ","rid":"SV-238332r654171_rule ","stig_id":"UBTU-20-010411 ","fix_id":"F-41501r654170_fix ","cci":["CCI-001090"],"nist":["SC-4"]},"code":"control 'SV-238332' do\n title \"The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. \"\n desc \"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components. \"\n desc 'check', \"Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding. \"\n desc 'fix', \"Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \\\"[Public Directory]\\\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000138-GPOS-00069 '\n tag gid: 'V-238332 '\n tag rid: 'SV-238332r654171_rule '\n tag stig_id: 'UBTU-20-010411 '\n tag fix_id: 'F-41501r654170_fix '\n tag cci: ['CCI-001090']\n tag nist: ['SC-4']\n\n lines = command('find / -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null').stdout.strip.split(\"\\n\").entries\n if lines.count > 0\n lines.each do |line|\n dir = line.strip\n describe directory(dir) do\n it { should be_sticky }\n end\n end\n else\n describe 'Sticky bit has been set on all world writable directories' do\n subject { lines }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238332.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Sticky bit has been set on all world writable directories count is expected to eq 0","run_time":0.000276,"start_time":"2022-12-07T14:54:59-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238333","title":"The Ubuntu operating system must be configured to use TCP syncookies. ","desc":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning.","descriptions":[{"label":"default","data":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning."},{"label":"check","data":"Verify the Ubuntu operating system is configured to use TCP syncookies.\n\nCheck the value of\nTCP syncookies with the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \"1\", this is a finding.\n\nCheck the saved\nvalue of TCP syncookies with the following command:\n\n$ sudo grep -i\nnet.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#'\n\nIf no output is\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to use TCP syncookies by running the following\ncommand:\n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \"1\" is not the system's default\nvalue, add or update the following line in \"/etc/sysctl.conf\":\n\nnet.ipv4.tcp_syncookies\n= 1"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000142-GPOS-00071 ","gid":"V-238333 ","rid":"SV-238333r654174_rule ","stig_id":"UBTU-20-010412 ","fix_id":"F-41502r654173_fix ","cci":["CCI-001095"],"nist":["SC-5 (2)"]},"code":"control 'SV-238333' do\n title 'The Ubuntu operating system must be configured to use TCP syncookies. '\n desc \"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use TCP syncookies.\n\nCheck the value of\nTCP syncookies with the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \\\"1\\\", this is a finding.\n\nCheck the saved\nvalue of TCP syncookies with the following command:\n\n$ sudo grep -i\nnet.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#'\n\nIf no output is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use TCP syncookies by running the following\ncommand:\n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \\\"1\\\" is not the system's default\nvalue, add or update the following line in \\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.tcp_syncookies\n= 1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000142-GPOS-00071 '\n tag gid: 'V-238333 '\n tag rid: 'SV-238333r654174_rule '\n tag stig_id: 'UBTU-20-010412 '\n tag fix_id: 'F-41502r654173_fix '\n tag cci: ['CCI-001095']\n tag nist: ['SC-5 (2)']\n\n describe kernel_parameter('net.ipv4.tcp_syncookies') do\n its('value') { should cmp 1 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238333.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Kernel Parameter net.ipv4.tcp_syncookies value is expected to cmp == 1","run_time":0.069542,"start_time":"2022-12-07T14:54:59-05:00","resource_class":"kernel_parameter","resource_params":"[\"net.ipv4.tcp_syncookies\"]","resource_id":"net.ipv4.tcp_syncookies"}]},{"id":"SV-238334","title":"The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state\nif system initialization fails, shutdown fails or aborts fail. ","desc":"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition.","descriptions":[{"label":"default","data":"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition."},{"label":"check","data":"Verify that kernel core dumps are disabled unless needed.\n\nCheck if \"kdump\" service is\nactive with the following command:\n\n$ systemctl is-active kdump.service\ninactive\n\nIf\nthe \"kdump\" service is active, ask the SA if the use of the service is required and documented\nwith the ISSO.\n\nIf the service is active and is not documented, this is a finding."},{"label":"fix","data":"If kernel core dumps are not required, disable the \"kdump\" service with the following\ncommand:\n\n$ sudo systemctl disable kdump.service\n\nIf kernel core dumps are required,\ndocument the need with the ISSO."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000184-GPOS-00078 ","gid":"V-238334 ","rid":"SV-238334r654177_rule ","stig_id":"UBTU-20-010413 ","fix_id":"F-41503r654176_fix ","cci":["CCI-001190"],"nist":["SC-24"]},"code":"control 'SV-238334' do\n title \"The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state\nif system initialization fails, shutdown fails or aborts fail. \"\n desc \"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition. \"\n desc 'check', \"Verify that kernel core dumps are disabled unless needed.\n\nCheck if \\\"kdump\\\" service is\nactive with the following command:\n\n$ systemctl is-active kdump.service\ninactive\n\nIf\nthe \\\"kdump\\\" service is active, ask the SA if the use of the service is required and documented\nwith the ISSO.\n\nIf the service is active and is not documented, this is a finding. \"\n desc 'fix', \"If kernel core dumps are not required, disable the \\\"kdump\\\" service with the following\ncommand:\n\n$ sudo systemctl disable kdump.service\n\nIf kernel core dumps are required,\ndocument the need with the ISSO. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000184-GPOS-00078 '\n tag gid: 'V-238334 '\n tag rid: 'SV-238334r654177_rule '\n tag stig_id: 'UBTU-20-010413 '\n tag fix_id: 'F-41503r654176_fix '\n tag cci: ['CCI-001190']\n tag nist: ['SC-24']\n\n is_kdump_required = input('is_kdump_required')\n if is_kdump_required\n describe service('kdump') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\n else\n describe service('kdump') do\n it { should_not be_enabled }\n it { should_not be_installed }\n it { should_not be_running }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238334.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Service kdump is expected not to be enabled","run_time":0.07222,"start_time":"2022-12-07T14:54:59-05:00","resource_class":"service","resource_params":"[\"kdump\"]","resource_id":"kdump"},{"status":"passed","code_desc":"Service kdump is expected not to be installed","run_time":0.000569,"start_time":"2022-12-07T14:55:00-05:00","resource_class":"service","resource_params":"[\"kdump\"]","resource_id":"kdump"},{"status":"passed","code_desc":"Service kdump is expected not to be running","run_time":0.000173,"start_time":"2022-12-07T14:55:00-05:00","resource_class":"service","resource_params":"[\"kdump\"]","resource_id":"kdump"}]},{"id":"SV-238335","title":"Ubuntu operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. ","desc":"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation.","descriptions":[{"label":"default","data":"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation."},{"label":"check","data":"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding."},{"label":"fix","data":"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000185-GPOS-00079 ","gid":"V-238335 ","rid":"SV-238335r654180_rule ","stig_id":"UBTU-20-010414 ","fix_id":"F-41504r654179_fix ","cci":["CCI-001199"],"nist":["SC-28"]},"code":"control 'SV-238335' do\n title \"Ubuntu operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. \"\n desc \"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation. \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000185-GPOS-00079 '\n tag gid: 'V-238335 '\n tag rid: 'SV-238335r654180_rule '\n tag stig_id: 'UBTU-20-010414 '\n tag fix_id: 'F-41504r654179_fix '\n tag cci: ['CCI-001199']\n tag nist: ['SC-28']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238335.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Not Applicable","run_time":1.1e-05,"start_time":"2022-12-07T14:55:00-05:00","resource":"","skip_message":"Encryption of data at rest is handled by the IaaS","resource_class":"Object","resource_params":"[]","resource_id":"Not Applicable"}]},{"id":"SV-238336","title":"The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention\n(ENSLTP). ","desc":"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement.","descriptions":[{"label":"default","data":"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement."},{"label":"check","data":"The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.\nHowever, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and\nrunning.\n\nCheck that the \"mcafeetp\" package has been installed:\n\n# dpkg -l | grep mcafeetp\n\n\nIf the \"mcafeetp\" package is not installed, this finding will remain as a CAT II.\n\nCheck that\nthe daemon is running:\n\n# /opt/McAfee/ens/tp/init/mfetpd-control.sh status\n\nIf the\ndaemon is not running, this finding will remain as a CAT II."},{"label":"fix","data":"The Ubuntu operating system is not compliant with this requirement; however, the severity\nlevel can be mitigated to a CAT III if the ENSLTP module is installed and running.\n\nConfigure\nthe Ubuntu operating system to use ENSLTP.\n\nInstall the \"mcafeetp\" package via the ePO\nserver."}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000191-GPOS-00080 ","gid":"V-238336 ","rid":"SV-238336r858538_rule ","stig_id":"UBTU-20-010415 ","fix_id":"F-41505r858537_fix ","cci":["CCI-001233"],"nist":["SI-2 (2)"]},"code":"control 'SV-238336' do\n title \"The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention\n(ENSLTP). \"\n desc \"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement. \"\n desc 'check', \"The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.\nHowever, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and\nrunning.\n\nCheck that the \\\"mcafeetp\\\" package has been installed:\n\n# dpkg -l | grep mcafeetp\n\n\nIf the \\\"mcafeetp\\\" package is not installed, this finding will remain as a CAT II.\n\nCheck that\nthe daemon is running:\n\n# /opt/McAfee/ens/tp/init/mfetpd-control.sh status\n\nIf the\ndaemon is not running, this finding will remain as a CAT II. \"\n desc 'fix', \"The Ubuntu operating system is not compliant with this requirement; however, the severity\nlevel can be mitigated to a CAT III if the ENSLTP module is installed and running.\n\nConfigure\nthe Ubuntu operating system to use ENSLTP.\n\nInstall the \\\"mcafeetp\\\" package via the ePO\nserver. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000191-GPOS-00080 '\n tag gid: 'V-238336 '\n tag rid: 'SV-238336r858538_rule '\n tag stig_id: 'UBTU-20-010415 '\n tag fix_id: 'F-41505r858537_fix '\n tag cci: ['CCI-001233']\n tag nist: ['SI-2 (2)']\n\n describe package('mfetp') do\n it { should be_installed }\n end\n\n describe command('/opt/McAfee/ens/tp/init/mfetpd-control.sh status') do\n its('exit_status') { should cmp 0 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238336.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package mfetp is expected to be installed","run_time":0.074016,"start_time":"2022-12-07T14:55:00-05:00","message":"expected that `System Package mfetp` is installed","resource_class":"package","resource_params":"[\"mfetp\"]","resource_id":"mfetp"},{"status":"failed","code_desc":"Command: `/opt/McAfee/ens/tp/init/mfetpd-control.sh status` exit_status is expected to cmp == 0","run_time":0.053534,"start_time":"2022-12-07T14:55:00-05:00","message":"\nexpected: 0\n got: 127\n\n(compared using `cmp` matcher)\n","resource_class":"command","resource_params":"[\"/opt/McAfee/ens/tp/init/mfetpd-control.sh status\"]","resource_id":"Command: `/opt/McAfee/ens/tp/init/mfetpd-control.sh status`"}]},{"id":"SV-238337","title":"The Ubuntu operating system must generate error messages that provide information\nnecessary for corrective actions without revealing information that could be exploited by\nadversaries. ","desc":"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers.","descriptions":[{"label":"default","data":"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers."},{"label":"check","data":"Verify the Ubuntu operating system has all system log files under the \"/var/log\" directory\nwith a permission set to 640 or less permissive by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;\n\nIf the command displays any output,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to set permissions of all log files under the\n\"/var/log\" directory to 640 or more restricted by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec chmod 640 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000205-GPOS-00083 ","gid":"V-238337 ","rid":"SV-238337r654186_rule ","stig_id":"UBTU-20-010416 ","fix_id":"F-41506r654185_fix ","cci":["CCI-001312"],"nist":["SI-11 a"]},"code":"control 'SV-238337' do\n title \"The Ubuntu operating system must generate error messages that provide information\nnecessary for corrective actions without revealing information that could be exploited by\nadversaries. \"\n desc \"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers. \"\n desc 'check', \"Verify the Ubuntu operating system has all system log files under the \\\"/var/log\\\" directory\nwith a permission set to 640 or less permissive by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec stat -c \\\"%n %a\\\" {} \\\\;\n\nIf the command displays any output,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to set permissions of all log files under the\n\\\"/var/log\\\" directory to 640 or more restricted by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec chmod 640 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000205-GPOS-00083 '\n tag gid: 'V-238337 '\n tag rid: 'SV-238337r654186_rule '\n tag stig_id: 'UBTU-20-010416 '\n tag fix_id: 'F-41506r654185_fix '\n tag cci: ['CCI-001312']\n tag nist: ['SI-11 a']\n\n log_files = command('find /var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;').stdout.strip.split(\"\\n\").entries\n\n describe 'Number of log files found with a permission NOT set to 640' do\n subject { log_files }\n its('count') { should eq 0 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238337.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of log files found with a permission NOT set to 640 count is expected to eq 0","run_time":0.000382,"start_time":"2022-12-07T14:55:00-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238338","title":"The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \"%n %G\" /var/log\n/var/log\nsyslog\n\nIf the \"/var/log\" directory is not group-owned by syslog, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have syslog group-own the \"/var/log\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238338 ","rid":"SV-238338r654189_rule ","stig_id":"UBTU-20-010417 ","fix_id":"F-41507r654188_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238338' do\n title \"The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log\n/var/log\nsyslog\n\nIf the \\\"/var/log\\\" directory is not group-owned by syslog, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog group-own the \\\"/var/log\\\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238338 '\n tag rid: 'SV-238338r654189_rule '\n tag stig_id: 'UBTU-20-010417 '\n tag fix_id: 'F-41507r654188_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n its('group') { should cmp 'syslog' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238338.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Directory /var/log group is expected to cmp == \"syslog\"","run_time":0.073799,"start_time":"2022-12-07T14:55:00-05:00","message":"\nexpected: syslog\n got: root\n\n(compared using `cmp` matcher)\n","resource_class":"directory","resource_params":"[\"/var/log\"]","resource_id":"/var/log"}]},{"id":"SV-238339","title":"The Ubuntu operating system must configure the /var/log directory to be owned by root. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify the Ubuntu operating system configures the \"/var/log\" directory to be owned by root\nwith the following command:\n\n$ sudo stat -c \"%n %U\" /var/log\n/var/log root\n\nIf the\n\"/var/log\" directory is not owned by root, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have root own the \"/var/log\" directory by running\nthe following command:\n\n$ sudo chown root /var/log"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238339 ","rid":"SV-238339r654192_rule ","stig_id":"UBTU-20-010418 ","fix_id":"F-41508r654191_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238339' do\n title 'The Ubuntu operating system must configure the /var/log directory to be owned by root. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify the Ubuntu operating system configures the \\\"/var/log\\\" directory to be owned by root\nwith the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log\n/var/log root\n\nIf the\n\\\"/var/log\\\" directory is not owned by root, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have root own the \\\"/var/log\\\" directory by running\nthe following command:\n\n$ sudo chown root /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238339 '\n tag rid: 'SV-238339r654192_rule '\n tag stig_id: 'UBTU-20-010418 '\n tag fix_id: 'F-41508r654191_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n its('owner') { should cmp 'root' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238339.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /var/log owner is expected to cmp == \"root\"","run_time":0.000335,"start_time":"2022-12-07T14:55:00-05:00","resource_class":"directory","resource_params":"[\"/var/log\"]","resource_id":"/var/log"}]},{"id":"SV-238340","title":"The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less\npermissive. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log\" directory with a mode of\n750 or less permissive with the following command:\n\n$ stat -c \"%n %a\" /var/log\n\n/var/log 750\n\n\nIf a value of \"750\" or less permissive is not returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have permissions of 0750 for the \"/var/log\"\ndirectory by running the following command:\n\n$ sudo chmod 0750 /var/log"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238340 ","rid":"SV-238340r654195_rule ","stig_id":"UBTU-20-010419 ","fix_id":"F-41509r654194_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238340' do\n title \"The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory with a mode of\n750 or less permissive with the following command:\n\n$ stat -c \\\"%n %a\\\" /var/log\n\n/var/log 750\n\n\nIf a value of \\\"750\\\" or less permissive is not returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0750 for the \\\"/var/log\\\"\ndirectory by running the following command:\n\n$ sudo chmod 0750 /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238340 '\n tag rid: 'SV-238340r654195_rule '\n tag stig_id: 'UBTU-20-010419 '\n tag fix_id: 'F-41509r654194_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n it { should_not be_more_permissive_than('0750') }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238340.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /var/log is expected not to be more permissive than \"0750\"","run_time":0.087098,"start_time":"2022-12-07T14:55:00-05:00","resource_class":"directory","resource_params":"[\"/var/log\"]","resource_id":"/var/log"}]},{"id":"SV-238341","title":"The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by\nadm. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be\ngroup-owned by adm with the following command:\n\n$ sudo stat -c \"%n %G\" /var/log/syslog\n\n/var/log/syslog adm\n\nIf the \"/var/log/syslog\" file is not group-owned by adm, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to have adm group-own the \"/var/log/syslog\" file by\nrunning the following command:\n\n$ sudo chgrp adm /var/log/syslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238341 ","rid":"SV-238341r654198_rule ","stig_id":"UBTU-20-010420 ","fix_id":"F-41510r654197_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238341' do\n title \"The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by\nadm. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be\ngroup-owned by adm with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log/syslog\n\n/var/log/syslog adm\n\nIf the \\\"/var/log/syslog\\\" file is not group-owned by adm, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have adm group-own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chgrp adm /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238341 '\n tag rid: 'SV-238341r654198_rule '\n tag stig_id: 'UBTU-20-010420 '\n tag fix_id: 'F-41510r654197_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n its('group') { should cmp 'adm' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238341.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /var/log/syslog group is expected to cmp == \"adm\"","run_time":0.05107,"start_time":"2022-12-07T14:55:01-05:00","message":"\nexpected: adm\n got: \n\n(compared using `cmp` matcher)\n","resource_class":"file","resource_params":"[\"/var/log/syslog\"]","resource_id":"/var/log/syslog"}]},{"id":"SV-238342","title":"The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \"%n %U\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \"/var/log/syslog\" file is not owned by syslog, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to have syslog own the \"/var/log/syslog\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238342 ","rid":"SV-238342r654201_rule ","stig_id":"UBTU-20-010421 ","fix_id":"F-41511r654200_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238342' do\n title 'The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \\\"/var/log/syslog\\\" file is not owned by syslog, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238342 '\n tag rid: 'SV-238342r654201_rule '\n tag stig_id: 'UBTU-20-010421 '\n tag fix_id: 'F-41511r654200_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n its('owner') { should cmp 'syslog' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238342.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /var/log/syslog owner is expected to cmp == \"syslog\"","run_time":0.000202,"start_time":"2022-12-07T14:55:01-05:00","message":"\nexpected: syslog\n got: \n\n(compared using `cmp` matcher)\n","resource_class":"file","resource_params":"[\"/var/log/syslog\"]","resource_id":"/var/log/syslog"}]},{"id":"SV-238343","title":"The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less\npermissive. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file with mode\n0640 or less permissive by running the following command:\n\n$ sudo stat -c \"%n %a\"\n/var/log/syslog\n\n/var/log/syslog 640\n\nIf a value of \"640\" or less permissive is not\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have permissions of 0640 for the \"/var/log/syslog\"\nfile by running the following command:\n\n$ sudo chmod 0640 /var/log/syslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238343 ","rid":"SV-238343r654204_rule ","stig_id":"UBTU-20-010422 ","fix_id":"F-41512r654203_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238343' do\n title \"The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file with mode\n0640 or less permissive by running the following command:\n\n$ sudo stat -c \\\"%n %a\\\"\n/var/log/syslog\n\n/var/log/syslog 640\n\nIf a value of \\\"640\\\" or less permissive is not\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0640 for the \\\"/var/log/syslog\\\"\nfile by running the following command:\n\n$ sudo chmod 0640 /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238343 '\n tag rid: 'SV-238343r654204_rule '\n tag stig_id: 'UBTU-20-010422 '\n tag fix_id: 'F-41512r654203_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n it { should_not be_more_permissive_than('0640') }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238343.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"File /var/log/syslog is expected not to be more permissive than \"0640\"","run_time":0.079208,"start_time":"2022-12-07T14:55:01-05:00","resource_class":"file","resource_params":"[\"/var/log/syslog\"]","resource_id":"/var/log/syslog"}]},{"id":"SV-238344","title":"The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \"%n %a\"\n'{}' \\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding."},{"label":"fix","data":"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000258-GPOS-00099 ","gid":"V-238344 ","rid":"SV-238344r654207_rule ","stig_id":"UBTU-20-010423 ","fix_id":"F-41513r654206_fix ","cci":["CCI-001495"],"nist":["AU-9"]},"code":"control 'SV-238344' do\n title \"The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \\\"%n %a\\\"\n'{}' \\\\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238344 '\n tag rid: 'SV-238344r654207_rule '\n tag stig_id: 'UBTU-20-010423 '\n tag fix_id: 'F-41513r654206_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or\n /usr/local/sbin, that are less permissive than 0755\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238344.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or\n /usr/local/sbin, that are less permissive than 0755 count is expected to eq 0","run_time":0.000257,"start_time":"2022-12-07T14:55:01-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238345","title":"The Ubuntu operating system must have directories that contain system commands owned by\nroot. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system commands directories are returned, this is\na finding."},{"label":"fix","data":"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -user root -type d -exec chown root '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000258-GPOS-00099 ","gid":"V-238345 ","rid":"SV-238345r654210_rule ","stig_id":"UBTU-20-010424 ","fix_id":"F-41514r654209_fix ","cci":["CCI-001495"],"nist":["AU-9"]},"code":"control 'SV-238345' do\n title \"The Ubuntu operating system must have directories that contain system commands owned by\nroot. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system commands directories are returned, this is\na finding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -user root -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238345 '\n tag rid: 'SV-238345r654210_rule '\n tag stig_id: 'UBTU-20-010424 '\n tag fix_id: 'F-41514r654209_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238345.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT owned by root count is expected to eq 0","run_time":0.00026,"start_time":"2022-12-07T14:55:01-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238346","title":"The Ubuntu operating system must have directories that contain system commands group-owned\nby root. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \"%n %G\" '{}' \\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding."},{"label":"fix","data":"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000258-GPOS-00099 ","gid":"V-238346 ","rid":"SV-238346r654213_rule ","stig_id":"UBTU-20-010425 ","fix_id":"F-41515r654212_fix ","cci":["CCI-001495"],"nist":["AU-9"]},"code":"control 'SV-238346' do\n title \"The Ubuntu operating system must have directories that contain system commands group-owned\nby root. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238346 '\n tag rid: 'SV-238346r654213_rule '\n tag stig_id: 'UBTU-20-010425 '\n tag fix_id: 'F-41515r654212_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n # CHECK\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238346.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root count is expected to eq 0","run_time":0.000257,"start_time":"2022-12-07T14:55:01-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238347","title":"The Ubuntu operating system library files must have mode 0755 or less permissive. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\",\nand \"/usr/lib\" have mode 0755 or less permissive with the following command:\n\n$ sudo find\n/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \"%n %a\" '{}' \\;\n\n/usr/lib64/pkcs11-spy.so\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding."},{"label":"fix","data":"Configure the library files to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238347 ","rid":"SV-238347r654216_rule ","stig_id":"UBTU-20-010426 ","fix_id":"F-41516r654215_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238347' do\n title 'The Ubuntu operating system library files must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" have mode 0755 or less permissive with the following command:\n\n$ sudo find\n/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\n/usr/lib64/pkcs11-spy.so\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. \"\n desc 'fix', \"Configure the library files to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238347 '\n tag rid: 'SV-238347r654216_rule '\n tag stig_id: 'UBTU-20-010426 '\n tag fix_id: 'F-41516r654215_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are less permissive than 0755' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238347.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library files found that are less permissive than 0755 count is expected to eq 0","run_time":0.000355,"start_time":"2022-12-07T14:55:01-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238348","title":"The Ubuntu operating system library directories must have mode 0755 or less permissive. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib have\nmode 0755 or less permissive with the following command:\n\n$ sudo find /lib /lib64 /usr/lib\n-perm /022 -type d -exec stat -c \"%n %a\" '{}' \\;\n\nIf any of the aforementioned directories are\nfound to be group-writable or world-writable, this is a finding."},{"label":"fix","data":"Configure the shared library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}'\n\\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238348 ","rid":"SV-238348r654219_rule ","stig_id":"UBTU-20-010427 ","fix_id":"F-41517r654218_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238348' do\n title 'The Ubuntu operating system library directories must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib have\nmode 0755 or less permissive with the following command:\n\n$ sudo find /lib /lib64 /usr/lib\n-perm /022 -type d -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any of the aforementioned directories are\nfound to be group-writable or world-writable, this is a finding. \"\n desc 'fix', \"Configure the shared library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}'\n\\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238348 '\n tag rid: 'SV-238348r654219_rule '\n tag stig_id: 'UBTU-20-010427 '\n tag fix_id: 'F-41517r654218_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are less permissive than 0755' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238348.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library directories found that are less permissive than 0755 count is expected to eq 0","run_time":0.000366,"start_time":"2022-12-07T14:55:01-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238349","title":"The Ubuntu operating system library files must be owned by root. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\",\nand \"/usr/lib\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! -user root -type f -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide library file is\nreturned, this is a finding."},{"label":"fix","data":"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238349 ","rid":"SV-238349r654222_rule ","stig_id":"UBTU-20-010428 ","fix_id":"F-41518r654221_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238349' do\n title 'The Ubuntu operating system library files must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! -user root -type f -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library file is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238349 '\n tag rid: 'SV-238349r654222_rule '\n tag stig_id: 'UBTU-20-010428 '\n tag fix_id: 'F-41518r654221_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238349.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library files found that are NOT owned by root count is expected to eq 0","run_time":0.000794,"start_time":"2022-12-07T14:55:01-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238350","title":"The Ubuntu operating system library directories must be owned by root. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide library directory is returned, this is a\nfinding."},{"label":"fix","data":"Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238350 ","rid":"SV-238350r654225_rule ","stig_id":"UBTU-20-010429 ","fix_id":"F-41519r654224_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238350' do\n title 'The Ubuntu operating system library directories must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library directory is returned, this is a\nfinding. \"\n desc 'fix', \"Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238350 '\n tag rid: 'SV-238350r654225_rule '\n tag stig_id: 'UBTU-20-010429 '\n tag fix_id: 'F-41519r654224_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT owned by root' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238350.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library directories found that are NOT owned by root count is expected to eq 0","run_time":0.000542,"start_time":"2022-12-07T14:55:02-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238351","title":"The Ubuntu operating system library files must be group-owned by root or a system account. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide library files contained in the directories \"/lib\", \"/lib64\", and\n\"/usr/lib\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \"%n %G\" '{}' \\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding."},{"label":"fix","data":"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command, replacing \"[FILE]\" with any system command file not group-owned by\n\"root\" or a required system account:\n\n$ sudo chgrp root [FILE]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238351 ","rid":"SV-238351r832962_rule ","stig_id":"UBTU-20-010430 ","fix_id":"F-41520r832961_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238351' do\n title 'The Ubuntu operating system library files must be group-owned by root or a system account. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\", and\n\\\"/usr/lib\\\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command, replacing \\\"[FILE]\\\" with any system command file not group-owned by\n\\\"root\\\" or a required system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238351 '\n tag rid: 'SV-238351r832962_rule '\n tag stig_id: 'UBTU-20-010430 '\n tag fix_id: 'F-41520r832961_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT group-owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238351.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library files found that are NOT group-owned by root count is expected to eq 0","run_time":0.000239,"start_time":"2022-12-07T14:55:02-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238352","title":"The Ubuntu operating system library directories must be group-owned by root. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are\ngroup-owned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group\nroot -type d -exec stat -c \"%n %G\" '{}' \\;\n\nIf any system-wide shared library directory is\nreturned, this is a finding."},{"label":"fix","data":"Configure the system library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root\n'{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238352 ","rid":"SV-238352r654231_rule ","stig_id":"UBTU-20-010431 ","fix_id":"F-41521r654230_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238352' do\n title 'The Ubuntu operating system library directories must be group-owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\ngroup-owned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group\nroot -type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system-wide shared library directory is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238352 '\n tag rid: 'SV-238352r654231_rule '\n tag stig_id: 'UBTU-20-010431 '\n tag fix_id: 'F-41521r654230_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_directories = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_directories.count > 0\n library_directories.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT group-owned by root' do\n subject { library_directories }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238352.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library directories found that are NOT group-owned by root count is expected to eq 0","run_time":0.000263,"start_time":"2022-12-07T14:55:02-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238353","title":"The Ubuntu operating system must be configured to preserve log records from failure events. ","desc":"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes.","descriptions":[{"label":"default","data":"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes."},{"label":"check","data":"Verify the log service is configured to collect system failure events.\n\nCheck that the log\nservice is installed properly with the following command:\n\n$ dpkg -l | grep rsyslog\n\nii\nrsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon\n\nIf the \"rsyslog\"\npackage is not installed, this is a finding.\n\nCheck that the log service is enabled with the\nfollowing command:\n\n$ systemctl is-enabled rsyslog\n\nenabled\n\nIf the command above\nreturns \"disabled\", this is a finding.\n\nCheck that the log service is properly running and\nactive on the system with the following command:\n\n$ systemctl is-active rsyslog\n\nactive\n\n\nIf the command above returns \"inactive\", this is a finding."},{"label":"fix","data":"Configure the log service to collect failure events.\n\nInstall the log service (if the log\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nrsyslog\n\nEnable the log service with the following command:\n\n$ sudo systemctl enable --now\nrsyslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000269-GPOS-00103 ","gid":"V-238353 ","rid":"SV-238353r654234_rule ","stig_id":"UBTU-20-010432 ","fix_id":"F-41522r654233_fix ","cci":["CCI-001665"],"nist":["SC-24"]},"code":"control 'SV-238353' do\n title 'The Ubuntu operating system must be configured to preserve log records from failure events. '\n desc \"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes. \"\n desc 'check', \"Verify the log service is configured to collect system failure events.\n\nCheck that the log\nservice is installed properly with the following command:\n\n$ dpkg -l | grep rsyslog\n\nii\nrsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon\n\nIf the \\\"rsyslog\\\"\npackage is not installed, this is a finding.\n\nCheck that the log service is enabled with the\nfollowing command:\n\n$ systemctl is-enabled rsyslog\n\nenabled\n\nIf the command above\nreturns \\\"disabled\\\", this is a finding.\n\nCheck that the log service is properly running and\nactive on the system with the following command:\n\n$ systemctl is-active rsyslog\n\nactive\n\n\nIf the command above returns \\\"inactive\\\", this is a finding. \"\n desc 'fix', \"Configure the log service to collect failure events.\n\nInstall the log service (if the log\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nrsyslog\n\nEnable the log service with the following command:\n\n$ sudo systemctl enable --now\nrsyslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000269-GPOS-00103 '\n tag gid: 'V-238353 '\n tag rid: 'SV-238353r654234_rule '\n tag stig_id: 'UBTU-20-010432 '\n tag fix_id: 'F-41522r654233_fix '\n tag cci: ['CCI-001665']\n tag nist: ['SC-24']\n\n describe service('rsyslog') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238353.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service rsyslog is expected to be installed","run_time":0.07166,"start_time":"2022-12-07T14:55:02-05:00","message":"expected that `Service rsyslog` is installed","resource_class":"service","resource_params":"[\"rsyslog\"]","resource_id":"rsyslog"},{"status":"failed","code_desc":"Service rsyslog is expected to be enabled","run_time":0.000869,"start_time":"2022-12-07T14:55:02-05:00","message":"expected that `Service rsyslog` is enabled","resource_class":"service","resource_params":"[\"rsyslog\"]","resource_id":"rsyslog"},{"status":"failed","code_desc":"Service rsyslog is expected to be running","run_time":0.000406,"start_time":"2022-12-07T14:55:02-05:00","message":"expected that `Service rsyslog` is running","resource_class":"service","resource_params":"[\"rsyslog\"]","resource_id":"rsyslog"}]},{"id":"SV-238354","title":"The Ubuntu operating system must have an application firewall installed in order to control\nremote access methods. ","desc":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).","descriptions":[{"label":"default","data":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets)."},{"label":"check","data":"Verify that the Uncomplicated Firewall is installed with the following command:\n\n$ dpkg -l |\ngrep ufw\n\nii ufw 0.36-6\n\nIf the \"ufw\" package is not installed, ask the System Administrator\nif another application firewall is installed.\n\nIf no application firewall is installed,\nthis is a finding."},{"label":"fix","data":"Install the Uncomplicated Firewall by using the following command:\n\n$ sudo apt-get install\nufw"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000297-GPOS-00115 ","gid":"V-238354 ","rid":"SV-238354r853429_rule ","stig_id":"UBTU-20-010433 ","fix_id":"F-41523r654236_fix ","cci":["CCI-002314"],"nist":["AC-17 (1)"]},"code":"control 'SV-238354' do\n title \"The Ubuntu operating system must have an application firewall installed in order to control\nremote access methods. \"\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify that the Uncomplicated Firewall is installed with the following command:\n\n$ dpkg -l |\ngrep ufw\n\nii ufw 0.36-6\n\nIf the \\\"ufw\\\" package is not installed, ask the System Administrator\nif another application firewall is installed.\n\nIf no application firewall is installed,\nthis is a finding. \"\n desc 'fix', \"Install the Uncomplicated Firewall by using the following command:\n\n$ sudo apt-get install\nufw \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238354 '\n tag rid: 'SV-238354r853429_rule '\n tag stig_id: 'UBTU-20-010433 '\n tag fix_id: 'F-41523r654236_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n\n describe package('ufw') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238354.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package ufw is expected to be installed","run_time":0.063265,"start_time":"2022-12-07T14:55:02-05:00","message":"expected that `System Package ufw` is installed","resource_class":"package","resource_params":"[\"ufw\"]","resource_id":"ufw"}]},{"id":"SV-238355","title":"The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). ","desc":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).","descriptions":[{"label":"default","data":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets)."},{"label":"check","data":"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl is-enabled ufw\n\nIf the above command returns the status as \"disabled\", this is\na finding.\n\nVerify the Uncomplicated Firewall is active on the system by running the\nfollowing command:\n\n$ systemctl is-active ufw\n\nIf the above command returns \"inactive\" or\nany kind of error, this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the\nSystem Administrator if another application firewall is installed.\n\nIf no application\nfirewall is installed, this is a finding."},{"label":"fix","data":"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\n--now ufw.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000297-GPOS-00115 ","gid":"V-238355 ","rid":"SV-238355r853430_rule ","stig_id":"UBTU-20-010434 ","fix_id":"F-41524r654239_fix ","cci":["CCI-002314"],"nist":["AC-17 (1)"]},"code":"control 'SV-238355' do\n title 'The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). '\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl is-enabled ufw\n\nIf the above command returns the status as \\\"disabled\\\", this is\na finding.\n\nVerify the Uncomplicated Firewall is active on the system by running the\nfollowing command:\n\n$ systemctl is-active ufw\n\nIf the above command returns \\\"inactive\\\" or\nany kind of error, this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the\nSystem Administrator if another application firewall is installed.\n\nIf no application\nfirewall is installed, this is a finding. \"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\n--now ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238355 '\n tag rid: 'SV-238355r853430_rule '\n tag stig_id: 'UBTU-20-010434 '\n tag fix_id: 'F-41524r654239_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238355.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service ufw is expected to be installed","run_time":0.06682,"start_time":"2022-12-07T14:55:02-05:00","message":"expected that `Service ufw` is installed","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be enabled","run_time":0.00112,"start_time":"2022-12-07T14:55:02-05:00","message":"expected that `Service ufw` is enabled","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be running","run_time":0.000375,"start_time":"2022-12-07T14:55:02-05:00","message":"expected that `Service ufw` is running","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"}]},{"id":"SV-238356","title":"The Ubuntu operating system must, for networked systems, compare internal information\nsystem clocks at least every 24 hours with a server which is synchronized to one of the\nredundant United States Naval Observatory (USNO) time servers, or a time server designated\nfor the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System\n(GPS). ","desc":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints).","descriptions":[{"label":"default","data":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints)."},{"label":"check","data":"If the system is not networked, this requirement is Not Applicable.\n\nThe system clock must be\nconfigured to compare the system clock at least every 24 hours to the authoritative time\nsource.\n\nCheck the value of \"maxpoll\" in the \"/etc/chrony/chrony.conf\" file with the\nfollowing command:\n\n$ sudo grep maxpoll /etc/chrony/chrony.conf\nserver\ntick.usno.navy.mil iburst maxpoll 16\n\nIf the \"maxpoll\" option is set to a number greater\nthan 16 or the line is commented out, this is a finding.\n\nVerify that the \"chrony.conf\" file is\nconfigured to an authoritative DoD time source by running the following command:\n\n$ grep -i\nserver /etc/chrony/chrony.conf\nserver tick.usno.navy.mil iburst maxpoll 16\nserver\ntock.usno.navy.mil iburst maxpoll 16\nserver ntp2.usno.navy.mil iburst maxpoll 16\n\nIf\nthe parameter \"server\" is not set, is not set to an authoritative DoD time source, or is\ncommented out, this is a finding."},{"label":"fix","data":"If the system is not networked, this requirement is Not Applicable.\n\nTo configure the system\nclock to compare the system clock at least every 24 hours to the authoritative time source,\nedit the \"/etc/chrony/chrony.conf\" file. Add or correct the following lines, by replacing\n\"[source]\" in the following line with an authoritative DoD time source:\n\nserver [source]\niburst maxpoll = 16\n\nIf the \"chrony\" service was running and the value of \"maxpoll\" or\n\"server\" was updated, the service must be restarted using the following command:\n\n$ sudo\nsystemctl restart chrony.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000355-GPOS-00143 ","gid":"V-238356 ","rid":"SV-238356r853431_rule ","stig_id":"UBTU-20-010435 ","fix_id":"F-41525r808491_fix ","cci":["CCI-001891"],"nist":["AU-8 (1) (a)"]},"code":"control 'SV-238356' do\n title \"The Ubuntu operating system must, for networked systems, compare internal information\nsystem clocks at least every 24 hours with a server which is synchronized to one of the\nredundant United States Naval Observatory (USNO) time servers, or a time server designated\nfor the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System\n(GPS). \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints). \"\n desc 'check', \"If the system is not networked, this requirement is Not Applicable.\n\nThe system clock must be\nconfigured to compare the system clock at least every 24 hours to the authoritative time\nsource.\n\nCheck the value of \\\"maxpoll\\\" in the \\\"/etc/chrony/chrony.conf\\\" file with the\nfollowing command:\n\n$ sudo grep maxpoll /etc/chrony/chrony.conf\nserver\ntick.usno.navy.mil iburst maxpoll 16\n\nIf the \\\"maxpoll\\\" option is set to a number greater\nthan 16 or the line is commented out, this is a finding.\n\nVerify that the \\\"chrony.conf\\\" file is\nconfigured to an authoritative DoD time source by running the following command:\n\n$ grep -i\nserver /etc/chrony/chrony.conf\nserver tick.usno.navy.mil iburst maxpoll 16\nserver\ntock.usno.navy.mil iburst maxpoll 16\nserver ntp2.usno.navy.mil iburst maxpoll 16\n\nIf\nthe parameter \\\"server\\\" is not set, is not set to an authoritative DoD time source, or is\ncommented out, this is a finding. \"\n desc 'fix', \"If the system is not networked, this requirement is Not Applicable.\n\nTo configure the system\nclock to compare the system clock at least every 24 hours to the authoritative time source,\nedit the \\\"/etc/chrony/chrony.conf\\\" file. Add or correct the following lines, by replacing\n\\\"[source]\\\" in the following line with an authoritative DoD time source:\n\nserver [source]\niburst maxpoll = 16\n\nIf the \\\"chrony\\\" service was running and the value of \\\"maxpoll\\\" or\n\\\"server\\\" was updated, the service must be restarted using the following command:\n\n$ sudo\nsystemctl restart chrony.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000355-GPOS-00143 '\n tag gid: 'V-238356 '\n tag rid: 'SV-238356r853431_rule '\n tag stig_id: 'UBTU-20-010435 '\n tag fix_id: 'F-41525r808491_fix '\n tag cci: ['CCI-001891']\n tag nist: ['AU-8 (1) (a)']\n\n is_system_networked = input('is_system_networked')\n\n if is_system_networked\n\n chrony_conf = input('chrony_config_file')\n chrony_conf_exists = file(chrony_conf).exist?\n\n if chrony_conf_exists\n describe 'time sources' do\n server_entries = command('grep \"^server\" /etc/chrony/chrony.conf').stdout.strip.split(\"\\n\").entries\n\n server_entries.each do |entry|\n describe entry do\n it { should match \"^server\\s+.*\\s+iburst\\s+maxpoll\\s+=\\s+17$\" }\n end\n end\n end\n else\n describe chrony_conf + ' exists' do\n subject { chrony_conf_exists }\n it { should be true }\n end\n end\n else\n describe 'System is not networked' do\n skip 'This control is Not Applicable as the system is not networked'\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238356.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/chrony/chrony.conf exists is expected to equal true","run_time":0.000614,"start_time":"2022-12-07T14:55:02-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/chrony/chrony.conf exists"}]},{"id":"SV-238357","title":"The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. ","desc":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference.","descriptions":[{"label":"default","data":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference."},{"label":"check","data":"Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \"makestep\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \"1 -1\", this is a finding."},{"label":"fix","data":"Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\"/etc/chrony/chrony.conf\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000356-GPOS-00144 ","gid":"V-238357 ","rid":"SV-238357r853432_rule ","stig_id":"UBTU-20-010436 ","fix_id":"F-41526r654245_fix ","cci":["CCI-002046"],"nist":["AU-8 (1) (b)"]},"code":"control 'SV-238357' do\n title \"The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference. \"\n desc 'check', \"Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \\\"makestep\\\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \\\"1 -1\\\", this is a finding. \"\n desc 'fix', \"Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\\\"/etc/chrony/chrony.conf\\\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000356-GPOS-00144 '\n tag gid: 'V-238357 '\n tag rid: 'SV-238357r853432_rule '\n tag stig_id: 'UBTU-20-010436 '\n tag fix_id: 'F-41526r654245_fix '\n tag cci: ['CCI-002046']\n tag nist: ['AU-8 (1) (b)']\n\n chrony_file_path = input('chrony_config_file')\n chrony_file = file(chrony_file_path)\n\n if chrony_file.exist?\n describe chrony_file do\n subject { chrony_file }\n its('content') { should match /^makestep 1 -1/ }\n end\n else\n describe(chrony_file_path + ' exists') do\n subject { chrony_file.exist? }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238357.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/chrony/chrony.conf exists is expected to equal true","run_time":0.000561,"start_time":"2022-12-07T14:55:02-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/chrony/chrony.conf exists"}]},{"id":"SV-238358","title":"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the oper ","desc":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item.","descriptions":[{"label":"default","data":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ grep SILENTREPORTS /etc/default/aide\n\nSILENTREPORTS=no\n\n\nIf SILENTREPORTS is commented out, this is a finding.\n\nIf SILENTREPORTS is set to \"yes\",\nthis is a finding.\n\nIf SILENTREPORTS is not set to \"no\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \"SILENTREPORTS\"\nparameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000363-GPOS-00150 ","gid":"V-238358 ","rid":"SV-238358r853433_rule ","stig_id":"UBTU-20-010437 ","fix_id":"F-41527r654248_fix ","cci":["CCI-001744"],"nist":["CM-3 (5)"]},"code":"control 'SV-238358' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the oper \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ grep SILENTREPORTS /etc/default/aide\n\nSILENTREPORTS=no\n\n\nIf SILENTREPORTS is commented out, this is a finding.\n\nIf SILENTREPORTS is set to \\\"yes\\\",\nthis is a finding.\n\nIf SILENTREPORTS is not set to \\\"no\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000363-GPOS-00150 '\n tag gid: 'V-238358 '\n tag rid: 'SV-238358r853433_rule '\n tag stig_id: 'UBTU-20-010437 '\n tag fix_id: 'F-41527r654248_fix '\n tag cci: ['CCI-001744']\n tag nist: ['CM-3 (5)']\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238358.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /etc/default/aide is expected to exist","run_time":0.06502,"start_time":"2022-12-07T14:55:03-05:00","message":"expected File /etc/default/aide to exist","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"},{"status":"failed","code_desc":"File /etc/default/aide content is expected to match \"^SILENTREPORTS=no$\"","run_time":0.10233,"start_time":"2022-12-07T14:55:03-05:00","message":"expected nil to match \"^SILENTREPORTS=no$\"","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"}]},{"id":"SV-238359","title":"The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a certificate that is\nrecognized and approved by the organization. ","desc":"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA.","descriptions":[{"label":"default","data":"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA."},{"label":"check","data":"Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \"AllowUnauthenticated\" variable is not set at all or is set to \"false\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \"false\";\n\n\nIf any of the files returned from the command with \"AllowUnauthenticated\" are set to \"true\",\nthis is a finding."},{"label":"fix","data":"Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \"AllowUnauthenticated\" to \"false\",\nor remove \"AllowUnauthenticated\" entirely from each file. Below is an example of setting the\n\"AllowUnauthenticated\" variable to \"false\":\n\nAPT::Get::AllowUnauthenticated\n\"false\";"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000366-GPOS-00153 ","gid":"V-238359 ","rid":"SV-238359r853434_rule ","stig_id":"UBTU-20-010438 ","fix_id":"F-41528r654251_fix ","cci":["CCI-001749"],"nist":["CM-5 (3)"]},"code":"control 'SV-238359' do\n title \"The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a certificate that is\nrecognized and approved by the organization. \"\n desc \"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA. \"\n desc 'check', \"Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \\\"AllowUnauthenticated\\\" variable is not set at all or is set to \\\"false\\\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \\\"false\\\";\n\n\nIf any of the files returned from the command with \\\"AllowUnauthenticated\\\" are set to \\\"true\\\",\nthis is a finding. \"\n desc 'fix', \"Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \\\"AllowUnauthenticated\\\" to \\\"false\\\",\nor remove \\\"AllowUnauthenticated\\\" entirely from each file. Below is an example of setting the\n\\\"AllowUnauthenticated\\\" variable to \\\"false\\\":\n\nAPT::Get::AllowUnauthenticated\n\\\"false\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000366-GPOS-00153 '\n tag gid: 'V-238359 '\n tag rid: 'SV-238359r853434_rule '\n tag stig_id: 'UBTU-20-010438 '\n tag fix_id: 'F-41528r654251_fix '\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n apt_allowunauth = command('grep -i allowunauth /etc/apt/apt.conf.d/*').stdout.strip.split(\"\\n\")\n if apt_allowunauth.empty?\n describe 'apt conf files do not contain AllowUnauthenticated' do\n subject { apt_allowunauth.empty? }\n it { should be true }\n end\n else\n apt_allowunauth.each do |line|\n describe \"#{line} contains AllowUnauthenctication\" do\n subject { line }\n it { should_not match /.*false.*/ }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238359.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /etc/apt/apt.conf.d is expected to exist","run_time":0.099327,"start_time":"2022-12-07T14:55:03-05:00","resource_class":"directory","resource_params":"[\"/etc/apt/apt.conf.d\"]","resource_id":"/etc/apt/apt.conf.d"},{"status":"passed","code_desc":"apt conf files do not contain AllowUnauthenticated is expected to equal true","run_time":0.000198,"start_time":"2022-12-07T14:55:03-05:00","resource_class":"Object","resource_params":"[]","resource_id":"apt conf files do not contain AllowUnauthenticated"}]},{"id":"SV-238360","title":"The Ubuntu operating system must be configured to use AppArmor. ","desc":"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).","descriptions":[{"label":"default","data":"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles)."},{"label":"check","data":"Verify the operating system prevents program execution in accordance with local policies.\n\n\nCheck that AppArmor is installed and active by running the following command,\n\n$ dpkg -l |\ngrep apparmor\n\nIf the \"apparmor\" package is not installed, this is a finding.\n\n$ systemctl\nis-active apparmor.service\n\nactive\n\nIf \"active\" is not returned, this is a finding.\n\n$\nsystemctl is-enabled apparmor.service\n\nenabled\n\nIf \"enabled\" is not returned, this is a\nfinding."},{"label":"fix","data":"Install \"AppArmor\" (if it is not installed) with the following command:\n\n$ sudo apt-get\ninstall apparmor\n\n$ sudo systemctl enable apparmor.service\n\nStart \"apparmor\" with the\nfollowing command:\n\n$ sudo systemctl start apparmor.service\n\nNote: AppArmor must have\nproperly configured profiles for applications and home directories. All configurations\nwill be based on the actual system setup and organization and normally are on a per role basis.\nSee the AppArmor documentation for more information on configuring profiles."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000368-GPOS-00154 ","satisfies":["SRG-OS-000368-GPOS-00154","SRG-OS-000312-GPOS-00122","SRG-OS-000312-GPOS-00123","SRG-OS-000312-GPOS-00124","SRG-OS-000324-GPOS-00125","SRG-OS-000370-GPOS-00155"],"gid":"V-238360 ","rid":"SV-238360r853435_rule ","stig_id":"UBTU-20-010439 ","fix_id":"F-41529r654254_fix ","cci":["CCI-001764","CCI-001774","CCI-002165","CCI-002235"],"nist":["CM-7 (2)","CM-7 (5) (b)","AC-3 (4)","AC-6 (10)"]},"code":"control 'SV-238360' do\n title 'The Ubuntu operating system must be configured to use AppArmor. '\n desc \"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).\n\n \"\n desc 'check', \"Verify the operating system prevents program execution in accordance with local policies.\n\n\nCheck that AppArmor is installed and active by running the following command,\n\n$ dpkg -l |\ngrep apparmor\n\nIf the \\\"apparmor\\\" package is not installed, this is a finding.\n\n$ systemctl\nis-active apparmor.service\n\nactive\n\nIf \\\"active\\\" is not returned, this is a finding.\n\n$\nsystemctl is-enabled apparmor.service\n\nenabled\n\nIf \\\"enabled\\\" is not returned, this is a\nfinding. \"\n desc 'fix', \"Install \\\"AppArmor\\\" (if it is not installed) with the following command:\n\n$ sudo apt-get\ninstall apparmor\n\n$ sudo systemctl enable apparmor.service\n\nStart \\\"apparmor\\\" with the\nfollowing command:\n\n$ sudo systemctl start apparmor.service\n\nNote: AppArmor must have\nproperly configured profiles for applications and home directories. All configurations\nwill be based on the actual system setup and organization and normally are on a per role basis.\nSee the AppArmor documentation for more information on configuring profiles. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000368-GPOS-00154 '\n tag satisfies: %w(SRG-OS-000368-GPOS-00154 SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123 SRG-OS-000312-GPOS-00124 SRG-OS-000324-GPOS-00125 SRG-OS-000370-GPOS-00155)\n tag gid: 'V-238360 '\n tag rid: 'SV-238360r853435_rule '\n tag stig_id: 'UBTU-20-010439 '\n tag fix_id: 'F-41529r654254_fix '\n tag cci: %w(CCI-001764 CCI-001774 CCI-002165 CCI-002235)\n tag nist: ['CM-7 (2)', 'CM-7 (5) (b)', 'AC-3 (4)', 'AC-6 (10)']\n\n describe service('apparmor') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238360.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service apparmor is expected to be installed","run_time":0.049521,"start_time":"2022-12-07T14:55:03-05:00","message":"expected that `Service apparmor` is installed","resource_class":"service","resource_params":"[\"apparmor\"]","resource_id":"apparmor"},{"status":"failed","code_desc":"Service apparmor is expected to be enabled","run_time":0.000577,"start_time":"2022-12-07T14:55:03-05:00","message":"expected that `Service apparmor` is enabled","resource_class":"service","resource_params":"[\"apparmor\"]","resource_id":"apparmor"},{"status":"failed","code_desc":"Service apparmor is expected to be running","run_time":0.00019,"start_time":"2022-12-07T14:55:03-05:00","message":"expected that `Service apparmor` is running","resource_class":"service","resource_params":"[\"apparmor\"]","resource_id":"apparmor"}]},{"id":"SV-238361","title":"The Ubuntu operating system must allow the use of a temporary password for system logons with\nan immediate change to a permanent password. ","desc":"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated.","descriptions":[{"label":"default","data":"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated."},{"label":"check","data":"Verify a policy exists that ensures when a user account is created, it is created using a method\nthat forces a user to change their password upon their next login.\n\nIf a policy does not exist,\nthis is a finding."},{"label":"fix","data":"Create a policy that ensures when a user is created, it is created using a method that forces a\nuser to change their password upon their next login.\n\nBelow are two examples of how to create a\nuser account that requires the user to change their password upon their next login.\n\n$ sudo\nchage -d 0 [UserName]\n\nor\n\n$ sudo passwd -e [UserName]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000380-GPOS-00165 ","gid":"V-238361 ","rid":"SV-238361r853436_rule ","stig_id":"UBTU-20-010440 ","fix_id":"F-41530r654257_fix ","cci":["CCI-002041"],"nist":["IA-5 (1) (f)"]},"code":"control 'SV-238361' do\n title \"The Ubuntu operating system must allow the use of a temporary password for system logons with\nan immediate change to a permanent password. \"\n desc \"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated. \"\n desc 'check', \"Verify a policy exists that ensures when a user account is created, it is created using a method\nthat forces a user to change their password upon their next login.\n\nIf a policy does not exist,\nthis is a finding. \"\n desc 'fix', \"Create a policy that ensures when a user is created, it is created using a method that forces a\nuser to change their password upon their next login.\n\nBelow are two examples of how to create a\nuser account that requires the user to change their password upon their next login.\n\n$ sudo\nchage -d 0 [UserName]\n\nor\n\n$ sudo passwd -e [UserName] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000380-GPOS-00165 '\n tag gid: 'V-238361 '\n tag rid: 'SV-238361r853436_rule '\n tag stig_id: 'UBTU-20-010440 '\n tag fix_id: 'F-41530r654257_fix '\n tag cci: ['CCI-002041']\n tag nist: ['IA-5 (1) (f)']\n\n describe 'Manual verification required' do\n skip 'Manually verify if a policy exists to ensure that a method exists to force temporary\n users to change their password upon next login'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238361.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Manual verification required","run_time":1.4e-05,"start_time":"2022-12-07T14:55:03-05:00","resource":"","skip_message":"Manually verify if a policy exists to ensure that a method exists to force temporary\n users to change their password upon next login","resource_class":"Object","resource_params":"[]","resource_id":"Manual verification required"}]},{"id":"SV-238362","title":"The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. ","desc":"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable.","descriptions":[{"label":"default","data":"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable."},{"label":"check","data":"If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\"offline_credentials_expiration\" is not set to a value of \"1\" in \"/etc/sssd/sssd.conf\" or\nin a file with a name ending in .conf in the \"/etc/sssd/conf.d/\" directory, this is a finding."},{"label":"fix","data":"Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \"/etc/sssd/sssd.conf\" just below the line \"[pam]\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \".conf\" and does not begin with a \".\" in the \"/etc/sssd/conf.d/\"\ndirectory instead of the \"/etc/sssd/sssd.conf\" file."}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000383-GPOS-00166 ","gid":"V-238362 ","rid":"SV-238362r853437_rule ","stig_id":"UBTU-20-010441 ","fix_id":"F-41531r654260_fix ","cci":["CCI-002007"],"nist":["IA-5 (13)"]},"code":"control 'SV-238362' do\n title \"The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. \"\n desc \"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable. \"\n desc 'check', \"If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\\\"offline_credentials_expiration\\\" is not set to a value of \\\"1\\\" in \\\"/etc/sssd/sssd.conf\\\" or\nin a file with a name ending in .conf in the \\\"/etc/sssd/conf.d/\\\" directory, this is a finding. \"\n desc 'fix', \"Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \\\"/etc/sssd/sssd.conf\\\" just below the line \\\"[pam]\\\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \\\".conf\\\" and does not begin with a \\\".\\\" in the \\\"/etc/sssd/conf.d/\\\"\ndirectory instead of the \\\"/etc/sssd/sssd.conf\\\" file. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000383-GPOS-00166 '\n tag gid: 'V-238362 '\n tag rid: 'SV-238362r853437_rule '\n tag stig_id: 'UBTU-20-010441 '\n tag fix_id: 'F-41531r654260_fix '\n tag cci: ['CCI-002007']\n tag nist: ['IA-5 (13)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = input('sssd_conf_path')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('offline_credentials_expiration') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238362.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.1e-05,"start_time":"2022-12-07T14:55:03-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238363","title":"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. ","desc":"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.","descriptions":[{"label":"default","data":"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated."},{"label":"check","data":"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \"1\" is not returned, this is a finding."},{"label":"fix","data":"Configure the system to run in FIPS mode. Add \"fips=1\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \"Ubuntu\nAdvantage\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS."}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000396-GPOS-00176 ","satisfies":["SRG-OS-000396-GPOS-00176","SRG-OS-000478-GPOS-00223"],"gid":"V-238363 ","rid":"SV-238363r853438_rule ","stig_id":"UBTU-20-010442 ","fix_id":"F-41532r654263_fix ","cci":["CCI-002450"],"nist":["SC-13 b"]},"code":"control 'SV-238363' do\n title \"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. \"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.\n\n \"\n desc 'check', \"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \\\"1\\\" is not returned, this is a finding. \"\n desc 'fix', \"Configure the system to run in FIPS mode. Add \\\"fips=1\\\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \\\"Ubuntu\nAdvantage\\\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000396-GPOS-00176 '\n tag satisfies: %w(SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223)\n tag gid: 'V-238363 '\n tag rid: 'SV-238363r853438_rule '\n tag stig_id: 'UBTU-20-010442 '\n tag fix_id: 'F-41532r654263_fix '\n tag cci: ['CCI-002450']\n tag nist: ['SC-13 b']\n\n disable_fips = input('disable_fips')\n\n if disable_fips?\n impact 0.0\n describe \"Control not applicable\" do\n skip \"Control not applicable\"\n end\n elsif virtualization.system.eql?('docker')\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\n else\n config_file = input('fips_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe file(config_file) do\n its('content') { should match /\\A1\\Z/ }\n end\n else\n describe('FIPS is enabled') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238363.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238363.rb:1 ","run_time":0.009804,"start_time":"2022-12-07T14:55:03-05:00","message":"undefined method `disable_fips?' for #\"Use of weak or untested encryption algorithms undermines the purposes of utilizing\\nencryption to protect data. The operating system must implement cryptographic modules\\nadhering to the higher standards approved by the federal government since this provides\\nassurance they have been tested and validated.\", :check=>\"Verify the system is configured to run in FIPS mode with the following command:\\n\\n$ grep -i 1\\n/proc/sys/crypto/fips_enabled\\n1\\n\\nIf a value of \\\"1\\\" is not returned, this is a finding.\", :fix=>\"Configure the system to run in FIPS mode. Add \\\"fips=1\\\" to the kernel parameter during the\\nUbuntu operating systems install.\\n\\nEnabling a FIPS mode on a pre-existing system involves a\\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\\n140-2 security policy document for instructions.\\n\\nA subscription to the \\\"Ubuntu\\nAdvantage\\\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\\nenable FIPS.\"}, @refs=[], @tags={:severity=>\"high \", :gtitle=>\"SRG-OS-000396-GPOS-00176 \", :satisfies=>[\"SRG-OS-000396-GPOS-00176\", \"SRG-OS-000478-GPOS-00223\"], :gid=>\"V-238363 \", :rid=>\"SV-238363r853438_rule \", :stig_id=>\"UBTU-20-010442 \", :fix_id=>\"F-41532r654263_fix \", :cci=>[\"CCI-002450\"], :nist=>[\"SC-13 b\"]}, @resource_dsl=#, @__code=nil, @__block=#, @__source_location={:ref=>\"./controls/SV-238363.rb\", :line=>1}, @__rule_id=\"SV-238363\", @__profile_id=\"Canonical_Ubuntu_20-04_LTS_STIG\", @__checks=[[\"describe\", [\"Control Source Code Error\"], #]], @__skip_rule={}, @__merge_count=0, @__merge_changes=[], @__skip_only_if_eval=false, @__file=\"./controls/SV-238363.rb\", @__group_title=nil>","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238363.rb:1"}]},{"id":"SV-238364","title":"The Ubuntu operating system must only allow the use of DoD PKI-established certificate\nauthorities for verification of the establishment of protected sessions. ","desc":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates.","descriptions":[{"label":"default","data":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates."},{"label":"check","data":"Verify the directory containing the root certificates for the Ubuntu operating system\n(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate\nauthorities.\n\nDetermine if \"/etc/ssl/certs\" only contains certificate files whose\nsha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities\nwith the following command:\n\n$ for f in $(realpath /etc/ssl/certs/*); do openssl x509\n-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)';\ndone\n\nIf any entry is found, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to only allow the use of DoD PKI-established\ncertificate authorities for verification of the establishment of protected sessions.\n\n\nEdit the \"/etc/ca-certificates.conf\" file, adding the character \"!\" to the beginning of\nall uncommented lines that do not start with the \"!\" character with the following command:\n\n$\nsudo sed -i -E 's/^([^!#]+)/!\\1/' /etc/ca-certificates.conf\n\nAdd at least one DoD\ncertificate authority to the \"/usr/local/share/ca-certificates\" directory in the PEM\nformat.\n\nUpdate the \"/etc/ssl/certs\" directory with the following command:\n\n$ sudo\nupdate-ca-certificates"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000403-GPOS-00182 ","gid":"V-238364 ","rid":"SV-238364r860824_rule ","stig_id":"UBTU-20-010443 ","fix_id":"F-41533r860823_fix ","cci":["CCI-002470"],"nist":["SC-23 (5)"]},"code":"control 'SV-238364' do\n title \"The Ubuntu operating system must only allow the use of DoD PKI-established certificate\nauthorities for verification of the establishment of protected sessions. \"\n desc \"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates. \"\n desc 'check', \"Verify the directory containing the root certificates for the Ubuntu operating system\n(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate\nauthorities.\n\nDetermine if \\\"/etc/ssl/certs\\\" only contains certificate files whose\nsha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities\nwith the following command:\n\n$ for f in $(realpath /etc/ssl/certs/*); do openssl x509\n-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)';\ndone\n\nIf any entry is found, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to only allow the use of DoD PKI-established\ncertificate authorities for verification of the establishment of protected sessions.\n\n\nEdit the \\\"/etc/ca-certificates.conf\\\" file, adding the character \\\"!\\\" to the beginning of\nall uncommented lines that do not start with the \\\"!\\\" character with the following command:\n\n$\nsudo sed -i -E 's/^([^!#]+)/!\\\\1/' /etc/ca-certificates.conf\n\nAdd at least one DoD\ncertificate authority to the \\\"/usr/local/share/ca-certificates\\\" directory in the PEM\nformat.\n\nUpdate the \\\"/etc/ssl/certs\\\" directory with the following command:\n\n$ sudo\nupdate-ca-certificates \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000403-GPOS-00182 '\n tag gid: 'V-238364 '\n tag rid: 'SV-238364r860824_rule '\n tag stig_id: 'UBTU-20-010443 '\n tag fix_id: 'F-41533r860823_fix '\n tag cci: ['CCI-002470']\n tag nist: ['SC-23 (5)']\n\n allowed_ca_fingerprints_regex = input('allowed_ca_fingerprints_regex')\n find_command = ''\"\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '#{allowed_ca_fingerprints_regex}'\n done\n \"''\n describe command(find_command) do\n its('stdout') { should cmp '' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238364.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Command: `\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'\n done\n ` stdout is expected to cmp == \"\"","run_time":0.801298,"start_time":"2022-12-07T14:55:04-05:00","message":"\nexpected: \n got: E3B6A2DB2ED7CE48842F7AC53241C7B71D54144BFB40C11F3F1D0B42F5EEA12D\nBEB00B30839B9BC32C32E4447905950641F26421B15ED089198B518AE2EA1B99\n9A6EC012E1A7DA9DBE34194D478AD7C0DB1822FB071DF12981496ED104384113\n960ADF0063E96356750C2965DD0A0867DA0B9CBD6E77714AEAFB2349AB393DA3\n7E37CB8B4C47090CAB36551BA6F45DB840680FBA166A952DB100717F43053FC2\n4D2491414CFE956746EC4CEFA6CF6F72E28A1329432F9D8A907AC4CB5DADC15A\n16AF57A9F676B0AB126095AA5EBADEF22AB31119D644AC95CD4B93DBF3F26AEB\nBD71FDF6DA97E4CF62D1647ADD2581B07D79ADF8397EB4ECBA9C5E8488821423\n358DF39D764AF9E1B766E9C972DF352EE15CFAC227AF6AD1D70E8E4A6EDCBA02\nBD71FDF6DA97E4CF62D1647ADD2581B07D79ADF8397EB4ECBA9C5E8488821423\n3417BB06CC6007DA1B961C920B8AB4CE3FAD820E4AA30B9ACBC4A74EBDCEBC65\n04048028BF1F2864D48F9AD4D83294366A828856553F3B14303F90147F5D40EF\n88EF81DE202EB018452E43F864725CEA5FBD1FC2D9D205730709C5D8B8690F46\nFD73DAD31C644FF1B43BEF0CCDDA96710B9CD9875ECA7E31707AF3E96D522BBD\nC45D7BB08E6D67E62E4235110B564E5F78FD92EF058C840AEA4E6455D7585C60\n657CFE2FA73FAA38462571F332A2363A46FCE7020951710702CDFBB6EEDA3305\nE3B6A2DB2ED7CE48842F7AC53241C7B71D54144BFB40C11F3F1D0B42F5EEA12D\nF9E67D336C51002AC054C632022D66DDA2E7E3FFF10AD061ED31D8BBB410CFB2\nF356BEA244B7A91EB35D53CA9AD7864ACE018E2D35D5F8F96DDF68A6F41AA474\n554153B13D2CF9DDB753BFBE1A4E0AE08D0AA4187058FE60A2B862B2E4B87BCB\n358DF39D764AF9E1B766E9C972DF352EE15CFAC227AF6AD1D70E8E4A6EDCBA02\nDD6936FE21F8F077C123A1A521C12224F72255B73E03A7260693E8A24B0FA389\n30D0895A9A448A262091635522D1F52010B5867ACAE12C78EF958FD4F4389F2F\nF1C1B50AE5A20DD8030EC9F6BC24823DD367B5255759B4E71B61FCE9F7375D73\nFD73DAD31C644FF1B43BEF0CCDDA96710B9CD9875ECA7E31707AF3E96D522BBD\n18F1FC7F205DF8ADDDEB7FE007DD57E3AF375A9C4D8D73546BF4F1FED1E18D35\nC741F70F4B2A8D88BF2E71C14122EF53EF10EBA0CFA5E64CFA20F418853073E0\n9A6EC012E1A7DA9DBE34194D478AD7C0DB1822FB071DF12981496ED104384113\n8560F91C3624DABA9570B5FEA0DBE36FF11A8323BE9486854FB3F34A5571198D\nE75E72ED9F560EEC6EB4800073A43FC3AD19195A392282017895974A99026B6C\nBC104F15A48BE709DCA542A7E1D4B9DF6F054527E802EAA92D595444258AFE71\n1793927A0614549789ADCE2F8F34F7F0B66D0F3AE3A3B84D21EC15DBBA4FADC7\nA7BAA0D13C6E82C40DFC83ADE20BB6FEE275F106CBBE3868DAD81C4E6025B2AC\n9A296A5182D1D451A2E37F439B74DAAFA267523329F90F9A0D2007C334E23C9A\nA1339D33281A0B56E557D3D32B1CE7F9367EB094BD5FA72A7E5004C8DED7CAFE\nC45D7BB08E6D67E62E4235110B564E5F78FD92EF058C840AEA4E6455D7585C60\nBEB00B30839B9BC32C32E4447905950641F26421B15ED089198B518AE2EA1B99\n5A2FC03F0C83B090BBFA40604B0988446C7636183DF9846E17101A447FB8EFD6\n125609AA301DA0A249B97A8239CB6A34216F44DCAC9F3954B14292F2E8C8608F\n71CCA5391F9E794B04802530B363E121DA8A3043BB26662FEA4DCA7FC951A4BD\nF356BEA244B7A91EB35D53CA9AD7864ACE018E2D35D5F8F96DDF68A6F41AA474\nC0A6F4DC63A24BFDCF54EF2A6A082A0A72DE35803E2FF5FF527AE5D87206DFD5\nBEC94911C2955676DB6C0A550986D76E3BA005667C442C9762B4FBB773DE228C\nBFD88FE1101C41AE3E801BF8BE56350EE9BAD1A6B9BD515EDC5C6D5B8711AC44\nEBD41040E4BB3EC742C9E381D31EF2A41A48B6685C96E7CEF3C1DF6CD4331C99\n4200F5043AC8590EBB527D209ED1503029FBCBD41CA1B506EC27F15ADE7DAC69\n4348A0E9444C78CB265E058D5E8944B4D84F9662BD26DB257F8934A443C70161\n513B2CECB810D4CDE5DD85391ADFC6C2DD60D87BB736D2B521484AA47A0EBEF6\nEEC5496B988CE98625B934092EEC2908BED0B0F316C2D4730C84EAF1F3D34881\n22A2C1F7BDED704CC1E701B5F408C310880FE956B5DE2A4A44F99C873A25A7C8\n97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8\n6B9C08E86EB0F767CFAD65CD98B62149E5494A67F5845E7BD1ED019F27B86BD6\nDB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88\n15F0BA00A3AC7AF3AC884C072B1011A077BD77C097F40164B2F8598ABD83860C\n1465FA205397B876FAA6F0A9958E5590E40FCC7FAA4FB7C2C8677521FB5FB658\n15F0BA00A3AC7AF3AC884C072B1011A077BD77C097F40164B2F8598ABD83860C\nBEC94911C2955676DB6C0A550986D76E3BA005667C442C9762B4FBB773DE228C\n62DD0BE9B9F50A163EA0F8E75C053B1ECA57EA55C8688F647C6881F2C8357B95\nBE6C4DA2BBB9BA59B6F3939768374246C3C005993FA98F020D1DEDBED48A81D5\n7431E5F4C3C1CE4690774F0B61E05440883BA9A01ED00BA6ABD7806ED3B118CF\n5C58468D55F58E497E743982D2B50010B6D165374ACF83A7D4A32DB768C4408E\n6DC47172E01CBCB0BF62580D895FE2B8AC9AD4F873801E0C10B9C837D21EB177\n86A1ECBA089C4A8D3BBE2734C612BA341D813E043CF9E8A862CD5C57A36BBE6B\n3C5F81FEA5FAB82C64BFA2EAECAFCDE8E077FC8620A7CAE537163DF36EDBF378\n02ED0EB28C14DA45165C566791700D6451D7FB56F0B2AB1D3B8EB070E56EDFF5\n0376AB1D54C5F9803CE4B2E201A0EE7EEF7B57B636E8A93C9B8D4860C96F5FA7\n1BA5B2AA8C65401A82960118F80BEC4F62304D83CEC4713A19C39C011EA46DB4\nD48D3D23EEDB50A459E55197601C27774B9D7B18C94D5A059511A10250B93168\n2530CC8E98321502BAD96F9B1FBA1B099E2D299E0F4548BB914F363BC0D4531F\nFE7696573855773E37A95E7AD4D9CC96C30157C15D31765BA9B15704E1AE78FD\n31AD6648F8104138C738F39EA4320133393E3A18CC02296EF97C2AC9EF6731D0\n43DF5774B03E7FEF5FE40D931A7BEDF1BB2E6B42738C4E6D3841103D3AA7F339\nD43AF9B35473755C9684FC06D7D8CB70EE5C28E773FB294EB41EE71722924D24\nA040929A02CE53B4ACF4F2FFC6981CE4496F755E6D45FE0B2A692BCD52523F36\n59769007F7685D0FCD50872F9F95D5755A5B2B457D81F3692B610A98672F0E1B\n8560F91C3624DABA9570B5FEA0DBE36FF11A8323BE9486854FB3F34A5571198D\n568D6905A2C88708A4B3025190EDCFEDB1974A606A13C6E5290FCB2AE63EDAB5\n2CABEAFE37D06CA22ABA7391C0033D25982952C453647349763A3AB5AD6CCF69\n4FF460D54B9C86DABFBCFC5712E0400D2BED3FBC4D4FBDAA86E06ADCD2A9AD7A\n97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8\nBC4D809B15189D78DB3E1D8CF4F9726A795DA1643CA5F1358E1DDB0EDC0D7EB3\nEDF7EBBCA27A2A384D387B7D4010C666E2EDB4843E4C29B4AE1D5B9332E6B24D\n2CE1CB0BF9D2F9E102993FBE215152C3B2DD0CABDE1C68E5319B839154DBB7F5\n0A81EC5A929777F145904AF38D5D509F66B5E2C58FCDB531058B0E17F3F0B41B\nFB8FEC759169B9106B1E511644C618C51304373F6C0643088D8BEFFD1B997599\nBFFF8FD04433487D6A8AA60C1A29767A9FC2BBB05E420F713A13B992891D3893\n8A866FD1B276B57E578E921C65828A2BED58E9F2F288054134B7F1F4BFC9CC74\n52F0E1C4E58EC629291B60317F074671B85D7EA80D5B07273463534B32B40234\nFB8FEC759169B9106B1E511644C618C51304373F6C0643088D8BEFFD1B997599\n91E2F5788D5810EBA7BA58737DE1548A8ECACD014598BC0B143E041B17052552\n2A575471E31340BC21581CBD2CF13E158463203ECE94BCF9D3CC196BF09A5472\nD7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4\nC3846BF24B9E93CA64274C0EC67C1ECC5E024FFCACD2D74019350E81FE546AE4\n9BEA11C976FE014764C1BE56A6F914B5A560317ABD9988393382E5161AA0493C\n4FA3126D8D3A11D1C4855A4F807CBAD6CF919D3A5A88B03BEA2C6372D93C40C9\n49E7A442ACF0EA6287050054B52564B650E4F49E42E348D6AA38E039E957B1C1\n85A0DD7DD720ADB7FF05F83D542B209DC7FF4528F7D677B18389FEA5E5C49E86\n85666A562EE0BE5CE925C1D8890A6F76A87EC16D4D7D5F29EA7419CF20123B69\n6B9C08E86EB0F767CFAD65CD98B62149E5494A67F5845E7BD1ED019F27B86BD6\n2E7BF16CC22485A7BBE2AA8696750761B0AE39BE3B2FE9D0CC6D4EF73491425C\n71CCA5391F9E794B04802530B363E121DA8A3043BB26662FEA4DCA7FC951A4BD\nB0BFD52BB0D7D9BD92BF5D4DC13DA255C02C542F378365EA893911F55E55F23C\n125609AA301DA0A249B97A8239CB6A34216F44DCAC9F3954B14292F2E8C8608F\n6B328085625318AA50D173C98D8BDA09D57E27413D114CF787A0F5D06C030CF6\n88F438DCF8FFD1FA8F429115FFE5F82AE1E06E0C70C375FAAD717B34A49E7265\n513B2CECB810D4CDE5DD85391ADFC6C2DD60D87BB736D2B521484AA47A0EBEF6\n9A6EC012E1A7DA9DBE34194D478AD7C0DB1822FB071DF12981496ED104384113\n5D56499BE4D2E08BCFCAD08A3E38723D50503BDE706948E42F55603019E528AE\nE23D4A036D7B70E9F595B1422079D2B91EDFBB1FB651A0633EAA8A9DC5F80703\nBF0FEEFB9E3A581AD5F9E9DB7589985743D261085C4D314F6F5D7259AA421612\nB0BFD52BB0D7D9BD92BF5D4DC13DA255C02C542F378365EA893911F55E55F23C\nE793C9B02FD8AA13E21C31228ACCB08119643B749C898964B1746D46C3D4CBD2\nB676F2EDDAE8775CD36CB0F63CD1D4603961F49E6265BA013A2F0307B6D0B804\n88EF81DE202EB018452E43F864725CEA5FBD1FC2D9D205730709C5D8B8690F46\nBE6C4DA2BBB9BA59B6F3939768374246C3C005993FA98F020D1DEDBED48A81D5\n657CFE2FA73FAA38462571F332A2363A46FCE7020951710702CDFBB6EEDA3305\n70A73F7F376B60074248904534B11482D5BF0E698ECC498DF52577EBF2E93B9A\nE35D28419ED02025CFA69038CD623962458DA5C695FBDEA3C22B0BFB25897092\nCB3CCBB76031E5E0138F8DD39A23F9DE47FFC35E43C1144CEA27D46A5AB1CB5F\n88497F01602F3154246AE28C4D5AEF10F1D87EBB76626F4AE0B7F95BA7968799\n9B5212D92D073B1D5E8D672E94D1FB472F46D15AEA2EE4D131E5C6436B74B86E\nEEC5496B988CE98625B934092EEC2908BED0B0F316C2D4730C84EAF1F3D34881\n15D5B8774619EA7D54CE1CA6D0B0C403E037A917F131E8A04E1E6B7A71BABCE5\n8FE4FB0AF93A4D0D67DB0BEBB23E37C71BF325DCBCDD240EA04DAF58B47E1840\nBFFF8FD04433487D6A8AA60C1A29767A9FC2BBB05E420F713A13B992891D3893\nCBB9C44D84B8043E1050EA31A69F514955D7BFD2E2C6B49301019AD61D9F5058\n2530CC8E98321502BAD96F9B1FBA1B099E2D299E0F4548BB914F363BC0D4531F\n5D56499BE4D2E08BCFCAD08A3E38723D50503BDE706948E42F55603019E528AE\n9BEA11C976FE014764C1BE56A6F914B5A560317ABD9988393382E5161AA0493C\n179FBC148A3DD00FD24EA13458CC43BFA7F59C8182D783A513F6EBEC100C8924\n43DF5774B03E7FEF5FE40D931A7BEDF1BB2E6B42738C4E6D3841103D3AA7F339\n46EDC3689046D53A453FB3104AB80DCAEC658B2660EA1629DD7E867990648716\nEAA962C4FA4A6BAFEBE415196D351CCD888D4F53F3FA8AE6D7C466A94E6042BB\nCB3CCBB76031E5E0138F8DD39A23F9DE47FFC35E43C1144CEA27D46A5AB1CB5F\n9A114025197C5BB95D94E63D55CD43790847B646B23CDF11ADA4A00EFF15FB48\n18F1FC7F205DF8ADDDEB7FE007DD57E3AF375A9C4D8D73546BF4F1FED1E18D35\n15D5B8774619EA7D54CE1CA6D0B0C403E037A917F131E8A04E1E6B7A71BABCE5\n5CC3D78E4E1D5E45547A04E6873E64F90CF9536D1CCC2EF800F355C4C5FD70FD\n6DC47172E01CBCB0BF62580D895FE2B8AC9AD4F873801E0C10B9C837D21EB177\n70A73F7F376B60074248904534B11482D5BF0E698ECC498DF52577EBF2E93B9A\n73C176434F1BC6D5ADF45B0E76E727287C8DE57616C1E6E6141A2B2CBC7D8E4C\n49E7A442ACF0EA6287050054B52564B650E4F49E42E348D6AA38E039E957B1C1\n85666A562EE0BE5CE925C1D8890A6F76A87EC16D4D7D5F29EA7419CF20123B69\n2A575471E31340BC21581CBD2CF13E158463203ECE94BCF9D3CC196BF09A5472\nCECDDC905099D8DADFC5B1D209B737CBE2C18CFB2C10C0FF0BCF0D3286FC1AA2\nBC104F15A48BE709DCA542A7E1D4B9DF6F054527E802EAA92D595444258AFE71\nEBD41040E4BB3EC742C9E381D31EF2A41A48B6685C96E7CEF3C1DF6CD4331C99\n40F6AF0346A99AA1CD1D555A4E9CCE62C7F9634603EE406615833DC8C8D00367\nBC4D809B15189D78DB3E1D8CF4F9726A795DA1643CA5F1358E1DDB0EDC0D7EB3\nCBB522D7B7F127AD6A0113865BDF1CD4102E7D0759AF635A7CF4720DC963C53B\n5A2FC03F0C83B090BBFA40604B0988446C7636183DF9846E17101A447FB8EFD6\nCA42DD41745FD0B81EB902362CF9D8BF719DA1BD1B1EFC946F5B4C99F42C1B9E\nC0A6F4DC63A24BFDCF54EF2A6A082A0A72DE35803E2FF5FF527AE5D87206DFD5\nBFD88FE1101C41AE3E801BF8BE56350EE9BAD1A6B9BD515EDC5C6D5B8711AC44\n55926084EC963A64B96E2ABE01CE0BA86A64FBFEBCC7AAB5AFC155B37FD76066\nA040929A02CE53B4ACF4F2FFC6981CE4496F755E6D45FE0B2A692BCD52523F36\n4200F5043AC8590EBB527D209ED1503029FBCBD41CA1B506EC27F15ADE7DAC69\nF1C1B50AE5A20DD8030EC9F6BC24823DD367B5255759B4E71B61FCE9F7375D73\n88497F01602F3154246AE28C4D5AEF10F1D87EBB76626F4AE0B7F95BA7968799\n7431E5F4C3C1CE4690774F0B61E05440883BA9A01ED00BA6ABD7806ED3B118CF\nE793C9B02FD8AA13E21C31228ACCB08119643B749C898964B1746D46C3D4CBD2\nFE7696573855773E37A95E7AD4D9CC96C30157C15D31765BA9B15704E1AE78FD\n9A296A5182D1D451A2E37F439B74DAAFA267523329F90F9A0D2007C334E23C9A\n45140B3247EB9CC8C5B4F0D7B53091F73292089E6E5A63E2749DD3ACA9198EDA\n2CE1CB0BF9D2F9E102993FBE215152C3B2DD0CABDE1C68E5319B839154DBB7F5\nE75E72ED9F560EEC6EB4800073A43FC3AD19195A392282017895974A99026B6C\n3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C\n2E7BF16CC22485A7BBE2AA8696750761B0AE39BE3B2FE9D0CC6D4EF73491425C\n85A0DD7DD720ADB7FF05F83D542B209DC7FF4528F7D677B18389FEA5E5C49E86\n16AF57A9F676B0AB126095AA5EBADEF22AB31119D644AC95CD4B93DBF3F26AEB\n0A81EC5A929777F145904AF38D5D509F66B5E2C58FCDB531058B0E17F3F0B41B\n18CE6CFE7BF14E60B2E347B8DFE868CB31D02EBB3ADA271569F50343B46DB3A4\nEDF7EBBCA27A2A384D387B7D4010C666E2EDB4843E4C29B4AE1D5B9332E6B24D\nEBC5570C29018C4D67B1AA127BAF12F703B4611EBC17B7DAB5573894179B93FA\nB676F2EDDAE8775CD36CB0F63CD1D4603961F49E6265BA013A2F0307B6D0B804\n8FE4FB0AF93A4D0D67DB0BEBB23E37C71BF325DCBCDD240EA04DAF58B47E1840\n46EDC3689046D53A453FB3104AB80DCAEC658B2660EA1629DD7E867990648716\n52F0E1C4E58EC629291B60317F074671B85D7EA80D5B07273463534B32B40234\nDD6936FE21F8F077C123A1A521C12224F72255B73E03A7260693E8A24B0FA389\n8ECDE6884F3D87B1125BA31AC3FCB13D7016DE7F57CC904FE1CB97C6AE98196E\nCECDDC905099D8DADFC5B1D209B737CBE2C18CFB2C10C0FF0BCF0D3286FC1AA2\n55926084EC963A64B96E2ABE01CE0BA86A64FBFEBCC7AAB5AFC155B37FD76066\nD7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4\n945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4\n45140B3247EB9CC8C5B4F0D7B53091F73292089E6E5A63E2749DD3ACA9198EDA\n88F438DCF8FFD1FA8F429115FFE5F82AE1E06E0C70C375FAAD717B34A49E7265\nEAA962C4FA4A6BAFEBE415196D351CCD888D4F53F3FA8AE6D7C466A94E6042BB\n4FF460D54B9C86DABFBCFC5712E0400D2BED3FBC4D4FBDAA86E06ADCD2A9AD7A\n30D0895A9A448A262091635522D1F52010B5867ACAE12C78EF958FD4F4389F2F\n04048028BF1F2864D48F9AD4D83294366A828856553F3B14303F90147F5D40EF\n2CABEAFE37D06CA22ABA7391C0033D25982952C453647349763A3AB5AD6CCF69\n44B545AA8A25E65A73CA15DC27FC36D24C1CB9953A066539B11582DC487B4833\n1793927A0614549789ADCE2F8F34F7F0B66D0F3AE3A3B84D21EC15DBBA4FADC7\nDB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88\n4D2491414CFE956746EC4CEFA6CF6F72E28A1329432F9D8A907AC4CB5DADC15A\n6C61DAC3A2DEF031506BE036D2A6FE401994FBD13DF9C8D466599274C446EC98\nEBC5570C29018C4D67B1AA127BAF12F703B4611EBC17B7DAB5573894179B93FA\n7E37CB8B4C47090CAB36551BA6F45DB840680FBA166A952DB100717F43053FC2\nA1339D33281A0B56E557D3D32B1CE7F9367EB094BD5FA72A7E5004C8DED7CAFE\n7D05EBB682339F8C9451EE094EEBFEFA7953A114EDB2F44949452FAB7D2FC185\n59769007F7685D0FCD50872F9F95D5755A5B2B457D81F3692B610A98672F0E1B\n86A1ECBA089C4A8D3BBE2734C612BA341D813E043CF9E8A862CD5C57A36BBE6B\n1465FA205397B876FAA6F0A9958E5590E40FCC7FAA4FB7C2C8677521FB5FB658\n5C58468D55F58E497E743982D2B50010B6D165374ACF83A7D4A32DB768C4408E\n960ADF0063E96356750C2965DD0A0867DA0B9CBD6E77714AEAFB2349AB393DA3\n96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6\n4FA3126D8D3A11D1C4855A4F807CBAD6CF919D3A5A88B03BEA2C6372D93C40C9\n554153B13D2CF9DDB753BFBE1A4E0AE08D0AA4187058FE60A2B862B2E4B87BCB\n62DD0BE9B9F50A163EA0F8E75C053B1ECA57EA55C8688F647C6881F2C8357B95\n02ED0EB28C14DA45165C566791700D6451D7FB56F0B2AB1D3B8EB070E56EDFF5\n0376AB1D54C5F9803CE4B2E201A0EE7EEF7B57B636E8A93C9B8D4860C96F5FA7\n6C61DAC3A2DEF031506BE036D2A6FE401994FBD13DF9C8D466599274C446EC98\n96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6\n44B545AA8A25E65A73CA15DC27FC36D24C1CB9953A066539B11582DC487B4833\n40F6AF0346A99AA1CD1D555A4E9CCE62C7F9634603EE406615833DC8C8D00367\n22A2C1F7BDED704CC1E701B5F408C310880FE956B5DE2A4A44F99C873A25A7C8\n3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C\n8A866FD1B276B57E578E921C65828A2BED58E9F2F288054134B7F1F4BFC9CC74\nCA42DD41745FD0B81EB902362CF9D8BF719DA1BD1B1EFC946F5B4C99F42C1B9E\n552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988\nCBB9C44D84B8043E1050EA31A69F514955D7BFD2E2C6B49301019AD61D9F5058\n3C5F81FEA5FAB82C64BFA2EAECAFCDE8E077FC8620A7CAE537163DF36EDBF378\n6B328085625318AA50D173C98D8BDA09D57E27413D114CF787A0F5D06C030CF6\n55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097\nD43AF9B35473755C9684FC06D7D8CB70EE5C28E773FB294EB41EE71722924D24\nC741F70F4B2A8D88BF2E71C14122EF53EF10EBA0CFA5E64CFA20F418853073E0\nF9E67D336C51002AC054C632022D66DDA2E7E3FFF10AD061ED31D8BBB410CFB2\n91E2F5788D5810EBA7BA58737DE1548A8ECACD014598BC0B143E041B17052552\n4348A0E9444C78CB265E058D5E8944B4D84F9662BD26DB257F8934A443C70161\n3417BB06CC6007DA1B961C920B8AB4CE3FAD820E4AA30B9ACBC4A74EBDCEBC65\n945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4\nE23D4A036D7B70E9F595B1422079D2B91EDFBB1FB651A0633EAA8A9DC5F80703\n1BA5B2AA8C65401A82960118F80BEC4F62304D83CEC4713A19C39C011EA46DB4\n179FBC148A3DD00FD24EA13458CC43BFA7F59C8182D783A513F6EBEC100C8924\n18CE6CFE7BF14E60B2E347B8DFE868CB31D02EBB3ADA271569F50343B46DB3A4\nC3846BF24B9E93CA64274C0EC67C1ECC5E024FFCACD2D74019350E81FE546AE4\n0C2CD63DF7806FA399EDE809116B575BF87989F06518F9808C860503178BAF66\nBF0FEEFB9E3A581AD5F9E9DB7589985743D261085C4D314F6F5D7259AA421612\nD48D3D23EEDB50A459E55197601C27774B9D7B18C94D5A059511A10250B93168\n31AD6648F8104138C738F39EA4320133393E3A18CC02296EF97C2AC9EF6731D0\n8ECDE6884F3D87B1125BA31AC3FCB13D7016DE7F57CC904FE1CB97C6AE98196E\n9A114025197C5BB95D94E63D55CD43790847B646B23CDF11ADA4A00EFF15FB48\n73C176434F1BC6D5ADF45B0E76E727287C8DE57616C1E6E6141A2B2CBC7D8E4C\n5CC3D78E4E1D5E45547A04E6873E64F90CF9536D1CCC2EF800F355C4C5FD70FD\n568D6905A2C88708A4B3025190EDCFEDB1974A606A13C6E5290FCB2AE63EDAB5\n552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988\n0C2CD63DF7806FA399EDE809116B575BF87989F06518F9808C860503178BAF66\nE35D28419ED02025CFA69038CD623962458DA5C695FBDEA3C22B0BFB25897092\n55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097\nCBB522D7B7F127AD6A0113865BDF1CD4102E7D0759AF635A7CF4720DC963C53B\n7D05EBB682339F8C9451EE094EEBFEFA7953A114EDB2F44949452FAB7D2FC185\n\n\n(compared using `cmp` matcher)\n","resource_class":"command","resource_params":"[\"\\n for f in $(find -L /etc/ssl/certs -type f); do\\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'\\n done\\n \"]","resource_id":"Command: `\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'\n done\n `"}]},{"id":"SV-238365","title":"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\nmodification of all information at rest. ","desc":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).","descriptions":[{"label":"default","data":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields)."},{"label":"check","data":"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n$\nsudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding."},{"label":"fix","data":"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000404-GPOS-00183 ","gid":"V-238365 ","rid":"SV-238365r853442_rule ","stig_id":"UBTU-20-010444 ","fix_id":"F-41534r654269_fix ","cci":["CCI-002475"],"nist":["SC-28 (1)"]},"code":"control 'SV-238365' do\n title \"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\nmodification of all information at rest. \"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n$\nsudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000404-GPOS-00183 '\n tag gid: 'V-238365 '\n tag rid: 'SV-238365r853442_rule '\n tag stig_id: 'UBTU-20-010444 '\n tag fix_id: 'F-41534r654269_fix '\n tag cci: ['CCI-002475']\n tag nist: ['SC-28 (1)']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238365.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Not Applicable","run_time":2.0e-05,"start_time":"2022-12-07T14:55:04-05:00","resource":"","skip_message":"Encryption of data at rest is handled by the IaaS","resource_class":"Object","resource_params":"[]","resource_id":"Not Applicable"}]},{"id":"SV-238366","title":"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\ndisclosure of all information at rest. ","desc":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).","descriptions":[{"label":"default","data":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields)."},{"label":"check","data":"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n$sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding."},{"label":"fix","data":"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000405-GPOS-00184 ","gid":"V-238366 ","rid":"SV-238366r853443_rule ","stig_id":"UBTU-20-010445 ","fix_id":"F-41535r654272_fix ","cci":["CCI-002476"],"nist":["SC-28 (1)"]},"code":"control 'SV-238366' do\n title \"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\ndisclosure of all information at rest. \"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n$sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000405-GPOS-00184 '\n tag gid: 'V-238366 '\n tag rid: 'SV-238366r853443_rule '\n tag stig_id: 'UBTU-20-010445 '\n tag fix_id: 'F-41535r654272_fix '\n tag cci: ['CCI-002476']\n tag nist: ['SC-28 (1)']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238366.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Not Applicable","run_time":2.3e-05,"start_time":"2022-12-07T14:55:05-05:00","resource":"","skip_message":"Encryption of data at rest is handled by the IaaS","resource_class":"Object","resource_params":"[]","resource_id":"Not Applicable"}]},{"id":"SV-238367","title":"The Ubuntu operating system must configure the uncomplicated firewall to rate-limit\nimpacted network interfaces. ","desc":"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks.","descriptions":[{"label":"default","data":"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks."},{"label":"check","data":"Verify an application firewall is configured to rate limit any connection to the system.\n\n\nCheck all the services listening to the ports with the following command:\n\n$ sudo ss -l46ut\n\n\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128\n[::]:ssh [::]:*\n\nFor each entry, verify that the Uncomplicated Firewall is configured to\nrate limit the service ports with the following command:\n\n$ sudo ufw status\n\nStatus: active\n\n\nTo Action From\n-- ------ ----\n22/tcp LIMIT Anywhere\n22/tcp (v6) LIMIT Anywhere (v6)\n\nIf\nany port with a state of \"LISTEN\" is not marked with the \"LIMIT\" action, this is a finding."},{"label":"fix","data":"Configure the application firewall to protect against or limit the effects of DoS attacks by\nensuring the Ubuntu operating system is implementing rate-limiting measures on impacted\nnetwork interfaces.\n\nCheck all the services listening to the ports with the following\ncommand:\n\n$ sudo ss -l46ut\n\nNetid State Recv-Q Send-Q Local Address:Port Peer\nAddress:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*\n\nFor each service with a port\nlistening to connections, run the following command, replacing \"[service]\" with the\nservice that needs to be rate limited.\n\n$ sudo ufw limit [service]\n\nRate-limiting can also\nbe done on an interface. An example of adding a rate-limit on the eth0 interface follows:\n\n$\nsudo ufw limit in on eth0"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000420-GPOS-00186 ","gid":"V-238367 ","rid":"SV-238367r853444_rule ","stig_id":"UBTU-20-010446 ","fix_id":"F-41536r654275_fix ","cci":["CCI-002385"],"nist":["SC-5 a"]},"code":"control 'SV-238367' do\n title \"The Ubuntu operating system must configure the uncomplicated firewall to rate-limit\nimpacted network interfaces. \"\n desc \"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks. \"\n desc 'check', \"Verify an application firewall is configured to rate limit any connection to the system.\n\n\nCheck all the services listening to the ports with the following command:\n\n$ sudo ss -l46ut\n\n\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128\n[::]:ssh [::]:*\n\nFor each entry, verify that the Uncomplicated Firewall is configured to\nrate limit the service ports with the following command:\n\n$ sudo ufw status\n\nStatus: active\n\n\nTo Action From\n-- ------ ----\n22/tcp LIMIT Anywhere\n22/tcp (v6) LIMIT Anywhere (v6)\n\nIf\nany port with a state of \\\"LISTEN\\\" is not marked with the \\\"LIMIT\\\" action, this is a finding. \"\n desc 'fix', \"Configure the application firewall to protect against or limit the effects of DoS attacks by\nensuring the Ubuntu operating system is implementing rate-limiting measures on impacted\nnetwork interfaces.\n\nCheck all the services listening to the ports with the following\ncommand:\n\n$ sudo ss -l46ut\n\nNetid State Recv-Q Send-Q Local Address:Port Peer\nAddress:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*\n\nFor each service with a port\nlistening to connections, run the following command, replacing \\\"[service]\\\" with the\nservice that needs to be rate limited.\n\n$ sudo ufw limit [service]\n\nRate-limiting can also\nbe done on an interface. An example of adding a rate-limit on the eth0 interface follows:\n\n$\nsudo ufw limit in on eth0 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000420-GPOS-00186 '\n tag gid: 'V-238367 '\n tag rid: 'SV-238367r853444_rule '\n tag stig_id: 'UBTU-20-010446 '\n tag fix_id: 'F-41536r654275_fix '\n tag cci: ['CCI-002385']\n tag nist: ['SC-5 a']\n\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238367.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Status listings for any allowed services, ports, or applications must be documented with the organization","run_time":2.0e-05,"start_time":"2022-12-07T14:55:05-05:00","resource":"","skip_message":"Status listings checks must be preformed manually","resource_class":"Object","resource_params":"[]","resource_id":"Status listings for any allowed services, ports, or applications must be documented with the organization"}]},{"id":"SV-238368","title":"The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. ","desc":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks.","descriptions":[{"label":"default","data":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks."},{"label":"check","data":"Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \"execute disable\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\"dmesg\" does not show \"NX (Execute Disable) protection: active\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \"flags\" does not contain the \"nx\" flag, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to enable NX.\n\nIf \"nx\" is not showing up in\n\"/proc/cpuinfo\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \"enable\"."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000433-GPOS-00192 ","gid":"V-238368 ","rid":"SV-238368r853445_rule ","stig_id":"UBTU-20-010447 ","fix_id":"F-41537r654278_fix ","cci":["CCI-002824"],"nist":["SI-16"]},"code":"control 'SV-238368' do\n title \"The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \\\"execute disable\\\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\\\"dmesg\\\" does not show \\\"NX (Execute Disable) protection: active\\\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \\\"flags\\\" does not contain the \\\"nx\\\" flag, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enable NX.\n\nIf \\\"nx\\\" is not showing up in\n\\\"/proc/cpuinfo\\\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \\\"enable\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00192 '\n tag gid: 'V-238368 '\n tag rid: 'SV-238368r853445_rule '\n tag stig_id: 'UBTU-20-010447 '\n tag fix_id: 'F-41537r654278_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/,\n }\n describe.one do\n describe command('dmesg | grep NX').stdout.strip do\n it { should match /.+(NX \\(Execute Disable\\) protection: active)/ }\n end\n describe parse_config_file('/proc/cpuinfo', options).flags.split(' ') do\n it { should include 'nx' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238368.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238368.rb:1 ","run_time":0.002411,"start_time":"2022-12-07T14:55:05-05:00","message":"undefined method `split' for nil:NilClass","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238368.rb:1"}]},{"id":"SV-238369","title":"The Ubuntu operating system must implement address space layout randomization to protect\nits memory from unauthorized code execution. ","desc":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks.","descriptions":[{"label":"default","data":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks."},{"label":"check","data":"Verify the Ubuntu operating system implements address space layout randomization (ASLR)\nwith the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\n\nkernel.randomize_va_space = 2\n\nIf nothing is returned, verify the kernel parameter\n\"randomize_va_space\" is set to \"2\" with the following command:\n\n$ cat\n/proc/sys/kernel/randomize_va_space\n\n2\n\nIf \"kernel.randomize_va_space\" is not set to\n\"2\", this is a finding.\n\nVerify that a saved value of the \"kernel.randomize_va_space\"\nvariable is not defined.\n\n$ sudo egrep -R \"^kernel.randomize_va_space=[^2]\"\n/etc/sysctl.conf /etc/sysctl.d\n\nIf this returns a result, this is a finding."},{"label":"fix","data":"Remove the \"kernel.randomize_va_space\" entry found in the \"/etc/sysctl.conf\" file or any\nfile located in the \"/etc/sysctl.d/\" directory.\n\nAfter the line has been removed, the\nkernel settings from all system configuration files must be reloaded before any of the\nchanges will take effect. Run the following command to reload all of the kernel system\nconfiguration files:\n\n$ sudo sysctl --system"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000433-GPOS-00193 ","gid":"V-238369 ","rid":"SV-238369r853446_rule ","stig_id":"UBTU-20-010448 ","fix_id":"F-41538r654281_fix ","cci":["CCI-002824"],"nist":["SI-16"]},"code":"control 'SV-238369' do\n title \"The Ubuntu operating system must implement address space layout randomization to protect\nits memory from unauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the Ubuntu operating system implements address space layout randomization (ASLR)\nwith the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\n\nkernel.randomize_va_space = 2\n\nIf nothing is returned, verify the kernel parameter\n\\\"randomize_va_space\\\" is set to \\\"2\\\" with the following command:\n\n$ cat\n/proc/sys/kernel/randomize_va_space\n\n2\n\nIf \\\"kernel.randomize_va_space\\\" is not set to\n\\\"2\\\", this is a finding.\n\nVerify that a saved value of the \\\"kernel.randomize_va_space\\\"\nvariable is not defined.\n\n$ sudo egrep -R \\\"^kernel.randomize_va_space=[^2]\\\"\n/etc/sysctl.conf /etc/sysctl.d\n\nIf this returns a result, this is a finding. \"\n desc 'fix', \"Remove the \\\"kernel.randomize_va_space\\\" entry found in the \\\"/etc/sysctl.conf\\\" file or any\nfile located in the \\\"/etc/sysctl.d/\\\" directory.\n\nAfter the line has been removed, the\nkernel settings from all system configuration files must be reloaded before any of the\nchanges will take effect. Run the following command to reload all of the kernel system\nconfiguration files:\n\n$ sudo sysctl --system \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00193 '\n tag gid: 'V-238369 '\n tag rid: 'SV-238369r853446_rule '\n tag stig_id: 'UBTU-20-010448 '\n tag fix_id: 'F-41538r654281_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n\n describe kernel_parameter('kernel.randomize_va_space') do\n its('value') { should cmp 2 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238369.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Kernel Parameter kernel.randomize_va_space value is expected to cmp == 2","run_time":0.084417,"start_time":"2022-12-07T14:55:05-05:00","resource_class":"kernel_parameter","resource_params":"[\"kernel.randomize_va_space\"]","resource_id":"kernel.randomize_va_space"}]},{"id":"SV-238370","title":"The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. ","desc":"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system.","descriptions":[{"label":"default","data":"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system."},{"label":"check","data":"Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";\n\nIf the\n\"::Remove-Unused-Dependencies\" and \"::Remove-Unused-Kernel-Packages\" parameters are\nnot set to \"true\" or are missing or commented out, this is a finding."},{"label":"fix","data":"Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\"/etc/apt/apt.conf.d/50unattended-upgrades\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000437-GPOS-00194 ","gid":"V-238370 ","rid":"SV-238370r853447_rule ","stig_id":"UBTU-20-010449 ","fix_id":"F-41539r654284_fix ","cci":["CCI-002617"],"nist":["SI-2 (6)"]},"code":"control 'SV-238370' do\n title \"The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. \"\n desc \"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system. \"\n desc 'check', \"Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\";\n\nIf the\n\\\"::Remove-Unused-Dependencies\\\" and \\\"::Remove-Unused-Kernel-Packages\\\" parameters are\nnot set to \\\"true\\\" or are missing or commented out, this is a finding. \"\n desc 'fix', \"Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\\\"/etc/apt/apt.conf.d/50unattended-upgrades\\\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000437-GPOS-00194 '\n tag gid: 'V-238370 '\n tag rid: 'SV-238370r853447_rule '\n tag stig_id: 'UBTU-20-010449 '\n tag fix_id: 'F-41539r654284_fix '\n tag cci: ['CCI-002617']\n tag nist: ['SI-2 (6)']\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n describe command('grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades').stdout.strip do\n it { should match /^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/ }\n it { should match /^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/ }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238370.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /etc/apt/apt.conf.d is expected to exist","run_time":0.000398,"start_time":"2022-12-07T14:55:05-05:00","resource_class":"directory","resource_params":"[\"/etc/apt/apt.conf.d\"]","resource_id":"/etc/apt/apt.conf.d"},{"status":"failed","code_desc":"is expected to match /^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/","run_time":0.000891,"start_time":"2022-12-07T14:55:05-05:00","message":"expected \"\" to match /^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/\nDiff:\n@@ -1 +1 @@\n-/^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/\n+\"\"\n","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected to match /^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/","run_time":0.000624,"start_time":"2022-12-07T14:55:05-05:00","message":"expected \"\" to match /^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/\nDiff:\n@@ -1 +1 @@\n-/^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/\n+\"\"\n","resource_class":"Object","resource_params":"[]","resource_id":""}]},{"id":"SV-238371","title":"The Ubuntu operating system must use a file integrity tool to verify correct operation of all\nsecurity functions. ","desc":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality.","descriptions":[{"label":"default","data":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the\ncorrect operation of all security functions.\n\nCheck that the AIDE package is installed with\nthe following command:\n\n$ sudo dpkg -l | grep aide\nii aide 0.16.1-1build2 amd64 Advanced\nIntrusion Detection Environment - static binary\n\nIf AIDE is not installed, ask the System\nAdministrator how file integrity checks are performed on the system.\n\nIf no application is\ninstalled to perform integrity checks, this is a finding."},{"label":"fix","data":"Install the AIDE package by running the following command:\n\n$ sudo apt-get install aide"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000445-GPOS-00199 ","gid":"V-238371 ","rid":"SV-238371r853448_rule ","stig_id":"UBTU-20-010450 ","fix_id":"F-41540r654287_fix ","cci":["CCI-002696"],"nist":["SI-6 a"]},"code":"control 'SV-238371' do\n title \"The Ubuntu operating system must use a file integrity tool to verify correct operation of all\nsecurity functions. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the\ncorrect operation of all security functions.\n\nCheck that the AIDE package is installed with\nthe following command:\n\n$ sudo dpkg -l | grep aide\nii aide 0.16.1-1build2 amd64 Advanced\nIntrusion Detection Environment - static binary\n\nIf AIDE is not installed, ask the System\nAdministrator how file integrity checks are performed on the system.\n\nIf no application is\ninstalled to perform integrity checks, this is a finding. \"\n desc 'fix', \"Install the AIDE package by running the following command:\n\n$ sudo apt-get install aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000445-GPOS-00199 '\n tag gid: 'V-238371 '\n tag rid: 'SV-238371r853448_rule '\n tag stig_id: 'UBTU-20-010450 '\n tag fix_id: 'F-41540r654287_fix '\n tag cci: ['CCI-002696']\n tag nist: ['SI-6 a']\n\n describe package('aide') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238371.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package aide is expected to be installed","run_time":0.065597,"start_time":"2022-12-07T14:55:05-05:00","message":"expected that `System Package aide` is installed","resource_class":"package","resource_params":"[\"aide\"]","resource_id":"aide"}]},{"id":"SV-238372","title":"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. ","desc":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item.","descriptions":[{"label":"default","data":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \"yes\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \"SILENTREPORTS\"\nparameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000447-GPOS-00201 ","gid":"V-238372 ","rid":"SV-238372r853449_rule ","stig_id":"UBTU-20-010451 ","fix_id":"F-41541r654290_fix ","cci":["CCI-002702"],"nist":["SI-6 d"]},"code":"control 'SV-238372' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \\\"yes\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000447-GPOS-00201 '\n tag gid: 'V-238372 '\n tag rid: 'SV-238372r853449_rule '\n tag stig_id: 'UBTU-20-010451 '\n tag fix_id: 'F-41541r654290_fix '\n tag cci: ['CCI-002702']\n tag nist: ['SI-6 d']\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238372.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /etc/default/aide is expected to exist","run_time":0.000379,"start_time":"2022-12-07T14:55:05-05:00","message":"expected File /etc/default/aide to exist","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"},{"status":"failed","code_desc":"File /etc/default/aide content is expected to match \"^SILENTREPORTS=no$\"","run_time":0.000944,"start_time":"2022-12-07T14:55:05-05:00","message":"expected nil to match \"^SILENTREPORTS=no$\"","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"}]},{"id":"SV-238373","title":"The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. ","desc":"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections.","descriptions":[{"label":"default","data":"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections."},{"label":"check","data":"Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\"pam_lastlog\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \"pam_lastlog\" is\nmissing from \"/etc/pam.d/login\" file, is not \"required\", or the \"silent\" option is present,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\"/etc/pam.d/login\".\n\nAdd the following line to the top of \"/etc/pam.d/login\":\n\nsession\nrequired pam_lastlog.so showfailed"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238373 ","rid":"SV-238373r858539_rule ","stig_id":"UBTU-20-010453 ","fix_id":"F-41542r654293_fix ","cci":["CCI-000052"],"nist":["AC-9"]},"code":"control 'SV-238373' do\n title \"The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. \"\n desc \"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections. \"\n desc 'check', \"Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\\\"pam_lastlog\\\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \\\"pam_lastlog\\\" is\nmissing from \\\"/etc/pam.d/login\\\" file, is not \\\"required\\\", or the \\\"silent\\\" option is present,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\\\"/etc/pam.d/login\\\".\n\nAdd the following line to the top of \\\"/etc/pam.d/login\\\":\n\nsession\nrequired pam_lastlog.so showfailed \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238373 '\n tag rid: 'SV-238373r858539_rule '\n tag stig_id: 'UBTU-20-010453 '\n tag fix_id: 'F-41542r654293_fix '\n tag cci: ['CCI-000052']\n tag nist: ['AC-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep pam_lastlog /etc/pam.d/login') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*session\\s+required\\s+pam_lastlog.so/ }\n its('stdout.strip') { should_not match /^\\s*session\\s+required\\s+pam_lastlog.so[\\s\\w\\d\\=]+.*silent/ }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238373.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.7e-05,"start_time":"2022-12-07T14:55:05-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238374","title":"The Ubuntu operating system must have an application firewall enabled. ","desc":"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network.","descriptions":[{"label":"default","data":"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network."},{"label":"check","data":"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl status ufw.service | grep -i \"active:\"\n\nActive: active (exited) since Mon\n2016-10-17 12:30:29 CDT; 1s ago\n\nIf the above command returns the status as \"inactive\", this\nis a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator\nif another application firewall is installed. If no application firewall is installed, this\nis a finding."},{"label":"fix","data":"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\nufw.service\n\nIf the Uncomplicated Firewall is not currently running on the system, start it\nwith the following command:\n\n$ sudo systemctl start ufw.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00232 ","gid":"V-238374 ","rid":"SV-238374r654297_rule ","stig_id":"UBTU-20-010454 ","fix_id":"F-41543r654296_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238374' do\n title 'The Ubuntu operating system must have an application firewall enabled. '\n desc \"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network. \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl status ufw.service | grep -i \\\"active:\\\"\n\nActive: active (exited) since Mon\n2016-10-17 12:30:29 CDT; 1s ago\n\nIf the above command returns the status as \\\"inactive\\\", this\nis a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator\nif another application firewall is installed. If no application firewall is installed, this\nis a finding. \"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\nufw.service\n\nIf the Uncomplicated Firewall is not currently running on the system, start it\nwith the following command:\n\n$ sudo systemctl start ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00232 '\n tag gid: 'V-238374 '\n tag rid: 'SV-238374r654297_rule '\n tag stig_id: 'UBTU-20-010454 '\n tag fix_id: 'F-41543r654296_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238374.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service ufw is expected to be installed","run_time":0.001189,"start_time":"2022-12-07T14:55:06-05:00","message":"expected that `Service ufw` is installed","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be enabled","run_time":0.00025,"start_time":"2022-12-07T14:55:06-05:00","message":"expected that `Service ufw` is enabled","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be running","run_time":9.2e-05,"start_time":"2022-12-07T14:55:06-05:00","message":"expected that `Service ufw` is running","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"}]},{"id":"SV-238376","title":"The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. ","desc":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system commands contained in the following directories have mode 0755 or less\npermissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\n\nCheck that the system command files have mode 0755 or less permissive with the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec stat -c \"%n %a\" '{}' \\;\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding."},{"label":"fix","data":"Configure the system commands to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec chmod 755 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238376 ","rid":"SV-238376r654303_rule ","stig_id":"UBTU-20-010456 ","fix_id":"F-41545r654302_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238376' do\n title 'The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. '\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories have mode 0755 or less\npermissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\n\nCheck that the system command files have mode 0755 or less permissive with the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. \"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238376 '\n tag rid: 'SV-238376r654303_rule '\n tag stig_id: 'UBTU-20-010456 '\n tag fix_id: 'F-41545r654302_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238376.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755 count is expected to eq 0","run_time":8.4e-05,"start_time":"2022-12-07T14:55:06-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238377","title":"The Ubuntu operating system must have system commands owned by root or a system account. ","desc":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system commands contained in the following directories are owned by root, or a\nrequired system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nUse the following command for the check:\n\n$ sudo find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \"%n %U\"\n'{}' \\;\n\nIf any system commands are returned and are not owned by a required system account,\nthis is a finding."},{"label":"fix","data":"Configure the system commands and their respective parent directories to be protected from\nunauthorized access. Run the following command, replacing \"[FILE]\" with any system command\nfile not owned by \"root\" or a required system account:\n\n$ sudo chown root [FILE]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238377 ","rid":"SV-238377r832968_rule ","stig_id":"UBTU-20-010457 ","fix_id":"F-41546r832967_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238377' do\n title 'The Ubuntu operating system must have system commands owned by root or a system account. '\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories are owned by root, or a\nrequired system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nUse the following command for the check:\n\n$ sudo find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \\\"%n %U\\\"\n'{}' \\\\;\n\nIf any system commands are returned and are not owned by a required system account,\nthis is a finding. \"\n desc 'fix', \"Configure the system commands and their respective parent directories to be protected from\nunauthorized access. Run the following command, replacing \\\"[FILE]\\\" with any system command\nfile not owned by \\\"root\\\" or a required system account:\n\n$ sudo chown root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238377 '\n tag rid: 'SV-238377r832968_rule '\n tag stig_id: 'UBTU-20-010457 '\n tag fix_id: 'F-41546r832967_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238377.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root count is expected to eq 0","run_time":0.00018,"start_time":"2022-12-07T14:55:06-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238378","title":"The Ubuntu operating system must have system commands group-owned by root or a system\naccount. ","desc":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system commands contained in the following directories are group-owned by root or\na required system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nRun the check with the following command:\n\n$ sudo find -L /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec\nstat -c \"%n %G\" '{}' \\;\n\nIf any system commands are returned that are not Set Group ID upon\nexecution (SGID) files and group-owned by a required system account, this is a finding."},{"label":"fix","data":"Configure the system commands to be protected from unauthorized access. Run the following\ncommand, replacing \"[FILE]\" with any system command file not group-owned by \"root\" or a\nrequired system account:\n\n$ sudo chgrp root [FILE]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238378 ","rid":"SV-238378r832971_rule ","stig_id":"UBTU-20-010458 ","fix_id":"F-41547r832970_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238378' do\n title \"The Ubuntu operating system must have system commands group-owned by root or a system\naccount. \"\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories are group-owned by root or\na required system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nRun the check with the following command:\n\n$ sudo find -L /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec\nstat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands are returned that are not Set Group ID upon\nexecution (SGID) files and group-owned by a required system account, this is a finding. \"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. Run the following\ncommand, replacing \\\"[FILE]\\\" with any system command file not group-owned by \\\"root\\\" or a\nrequired system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238378 '\n tag rid: 'SV-238378r832971_rule '\n tag stig_id: 'UBTU-20-010458 '\n tag fix_id: 'F-41547r832970_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -perm /2000 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are not Set Group ID up on execution (SGID) files and owned by a privileged account' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238378.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are not Set Group ID up on execution (SGID) files and owned by a privileged account count is expected to eq 0","run_time":0.00096,"start_time":"2022-12-07T14:55:06-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238379","title":"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. ","desc":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken.","descriptions":[{"label":"default","data":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken."},{"label":"check","data":"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \"logout\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \"logout\" key is bound to an action, is\ncommented out, or is missing, this is a finding."},{"label":"fix","data":"Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238379 ","rid":"SV-238379r654312_rule ","stig_id":"UBTU-20-010459 ","fix_id":"F-41548r654311_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238379' do\n title \"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. \"\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \\\"logout\\\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \\\"logout\\\" key is bound to an action, is\ncommented out, or is missing, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238379 '\n tag rid: 'SV-238379r654312_rule '\n tag stig_id: 'UBTU-20-010459 '\n tag fix_id: 'F-41548r654311_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe command(\"grep -R logout='' /etc/dconf/db/local.d/\").stdout.strip.split(\"\\n\").entries do\n its('count') { should_not eq 0 }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238379.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"1","run_time":3.6e-05,"start_time":"2022-12-07T14:55:06-05:00","resource":"1","skip_message":"GUI not installed.\nwhich Xorg exit_status: 1","resource_class":"Numeric","resource_params":"[]","resource_id":""}]},{"id":"SV-238380","title":"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. ","desc":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot.","descriptions":[{"label":"default","data":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot."},{"label":"check","data":"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\nCheck that the \"ctrl-alt-del.target\" (otherwise also known\nas reboot.target) is not active with the following command:\n\n$ sudo systemctl status\nctrl-alt-del.target\nctrl-alt-del.target\nLoaded: masked (Reason: Unit\nctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \"ctrl-alt-del.target\"\nis not masked, this is a finding."},{"label":"fix","data":"Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the\nfollowing commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl\nmask ctrl-alt-del.target\n\nReload the daemon to take effect:\n\n$ sudo systemctl\ndaemon-reload"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238380 ","rid":"SV-238380r832974_rule ","stig_id":"UBTU-20-010460 ","fix_id":"F-41549r832973_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238380' do\n title 'The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. '\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\nCheck that the \\\"ctrl-alt-del.target\\\" (otherwise also known\nas reboot.target) is not active with the following command:\n\n$ sudo systemctl status\nctrl-alt-del.target\nctrl-alt-del.target\nLoaded: masked (Reason: Unit\nctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \\\"ctrl-alt-del.target\\\"\nis not masked, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the\nfollowing commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl\nmask ctrl-alt-del.target\n\nReload the daemon to take effect:\n\n$ sudo systemctl\ndaemon-reload \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238380 '\n tag rid: 'SV-238380r832974_rule '\n tag stig_id: 'UBTU-20-010460 '\n tag fix_id: 'F-41549r832973_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe service('ctrl-alt-del.target') do\n it { should_not be_running }\n it { should_not be_enabled }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238380.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Service ctrl-alt-del.target is expected not to be running","run_time":0.090737,"start_time":"2022-12-07T14:55:06-05:00","resource_class":"service","resource_params":"[\"ctrl-alt-del.target\"]","resource_id":"ctrl-alt-del.target"},{"status":"passed","code_desc":"Service ctrl-alt-del.target is expected not to be enabled","run_time":0.000613,"start_time":"2022-12-07T14:55:06-05:00","resource_class":"service","resource_params":"[\"ctrl-alt-del.target\"]","resource_id":"ctrl-alt-del.target"}]},{"id":"SV-251503","title":"The Ubuntu operating system must not have accounts configured with blank or null passwords. ","desc":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.","descriptions":[{"label":"default","data":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments."},{"label":"check","data":"Check the \"/etc/shadow\" file for blank passwords with the following command:\n\n$ sudo awk -F:\n'!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding."},{"label":"fix","data":"Configure all accounts on the system to have a password or lock the account with the following\ncommands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo\npasswd -l [username]"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-251503 ","rid":"SV-251503r808506_rule ","stig_id":"UBTU-20-010462 ","fix_id":"F-54892r808505_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-251503' do\n title 'The Ubuntu operating system must not have accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"Check the \\\"/etc/shadow\\\" file for blank passwords with the following command:\n\n$ sudo awk -F:\n'!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding. \"\n desc 'fix', \"Configure all accounts on the system to have a password or lock the account with the following\ncommands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo\npasswd -l [username] \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251503 '\n tag rid: 'SV-251503r808506_rule '\n tag stig_id: 'UBTU-20-010462 '\n tag fix_id: 'F-54892r808505_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe command(\"sudo awk -F: '!$2 {print $1}' /etc/shadow\") do\n its('stdout') { should be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-251503.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Command: `sudo awk -F: '!$2 {print $1}' /etc/shadow` stdout is expected to be empty","run_time":0.083632,"start_time":"2022-12-07T14:55:06-05:00","resource_class":"command","resource_params":"[\"sudo awk -F: '!$2 {print $1}' /etc/shadow\"]","resource_id":"Command: `sudo awk -F: '!$2 {print $1}' /etc/shadow`"}]},{"id":"SV-251504","title":"The Ubuntu operating system must not allow accounts configured with blank or null passwords. ","desc":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.","descriptions":[{"label":"default","data":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments."},{"label":"check","data":"To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding."},{"label":"fix","data":"If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \"nullok\" option in \"/etc/pam.d/common-password\" to prevent logons with\nempty passwords."}],"impact":0.0,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-251504 ","rid":"SV-251504r832977_rule ","stig_id":"UBTU-20-010463 ","fix_id":"F-54893r832976_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-251504' do\n title 'The Ubuntu operating system must not allow accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding. \"\n desc 'fix', \"If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \\\"nullok\\\" option in \\\"/etc/pam.d/common-password\\\" to prevent logons with\nempty passwords. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251504 '\n tag rid: 'SV-251504r832977_rule '\n tag stig_id: 'UBTU-20-010463 '\n tag fix_id: 'F-54893r832976_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep nullok /etc/pam.d/common-password') do\n its('stdout') { should be_empty }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-251504.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.9e-05,"start_time":"2022-12-07T14:55:06-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-251505","title":"The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB)\nmass storage driver. ","desc":"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers.","descriptions":[{"label":"default","data":"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers."},{"label":"check","data":"Verify that Ubuntu operating system disables ability to load the USB storage kernel\nmodule.\n\n# grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\"\n\ninstall usb-storage\n/bin/true\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding.\n\nVerify the operating system disables the ability to use USB mass storage\ndevice.\n\n# grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"\n\nblacklist\nusb-storage\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to disable using the USB storage kernel module.\n\n\nCreate a file under \"/etc/modprobe.d\" to contain the following:\n\n# sudo su -c \"echo\ninstall usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\"\n\nConfigure the\noperating system to disable the ability to use USB mass storage devices.\n\n# sudo su -c \"echo\nblacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\""}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000378-GPOS-00163 ","gid":"V-251505 ","rid":"SV-251505r853450_rule ","stig_id":"UBTU-20-010461 ","fix_id":"F-54894r808511_fix ","cci":["CCI-001958"],"nist":["IA-3"]},"code":"control 'SV-251505' do\n title \"The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB)\nmass storage driver. \"\n desc \"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers. \"\n desc 'check', \"Verify that Ubuntu operating system disables ability to load the USB storage kernel\nmodule.\n\n# grep usb-storage /etc/modprobe.d/* | grep \\\"/bin/true\\\"\n\ninstall usb-storage\n/bin/true\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding.\n\nVerify the operating system disables the ability to use USB mass storage\ndevice.\n\n# grep usb-storage /etc/modprobe.d/* | grep -i \\\"blacklist\\\"\n\nblacklist\nusb-storage\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable using the USB storage kernel module.\n\n\nCreate a file under \\\"/etc/modprobe.d\\\" to contain the following:\n\n# sudo su -c \\\"echo\ninstall usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\\\"\n\nConfigure the\noperating system to disable the ability to use USB mass storage devices.\n\n# sudo su -c \\\"echo\nblacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\\\" \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000378-GPOS-00163 '\n tag gid: 'V-251505 '\n tag rid: 'SV-251505r853450_rule '\n tag stig_id: 'UBTU-20-010461 '\n tag fix_id: 'F-54894r808511_fix '\n tag cci: ['CCI-001958']\n tag nist: ['IA-3']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\"') do\n its('stdout') { should_not be_empty }\n end\n\n describe command('grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"') do\n its('stdout') { should_not be_empty }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-251505.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.9e-05,"start_time":"2022-12-07T14:55:07-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-252704","title":"The Ubuntu operating system must disable all wireless network adapters. ","desc":"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required.","descriptions":[{"label":"default","data":"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required."},{"label":"check","data":"Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding."},{"label":"fix","data":"List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \"/etc/modprobe.d\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name>"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000481-GPOS-00481 ","gid":"V-252704 ","rid":"SV-252704r854182_rule ","stig_id":"UBTU-20-010455 ","fix_id":"F-56110r819056_fix ","cci":["CCI-002418"],"nist":["SC-8"]},"code":"control 'SV-252704' do\n title 'The Ubuntu operating system must disable all wireless network adapters. '\n desc \"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required. \"\n desc 'check', \"Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding. \"\n desc 'fix', \"List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \\\"/etc/modprobe.d\\\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000481-GPOS-00481 '\n tag gid: 'V-252704 '\n tag rid: 'SV-252704r854182_rule '\n tag stig_id: 'UBTU-20-010455 '\n tag fix_id: 'F-56110r819056_fix '\n tag cci: ['CCI-002418']\n tag nist: ['SC-8']\n\n describe command('ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename') do\n its('stdout') { should be_in input('approved_wireless_interfaces') }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-252704.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Command: `ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename` stdout is expected to be in","run_time":0.087611,"start_time":"2022-12-07T14:55:07-05:00","message":"expected `` to be in the list: `[]`","resource_class":"command","resource_params":"[\"ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename\"]","resource_id":"Command: `ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename`"}]}],"status":"loaded","status_message":""}],"statistics":{"duration":20.254917},"version":"5.18.14"} \ No newline at end of file diff --git a/hardened.threshold.yml b/hardened.threshold.yml index 6b5ede1..b1c2a2a 100644 --- a/hardened.threshold.yml +++ b/hardened.threshold.yml @@ -1,3 +1,3 @@ --- -compliance.min: 75 -error.total.max: 8 +compliance.min: 85 +error.total.max: 0 diff --git a/inspec-test-docker.sh b/inspec-test-docker.sh index e808925..23d7e50 100755 --- a/inspec-test-docker.sh +++ b/inspec-test-docker.sh @@ -14,10 +14,10 @@ docker run -itd --rm --name hardened-ubuntu $HARDENED_IMAGE docker ps -f name=-ubuntu echo "TEST: run InSpec against the vanilla container" -inspec exec . --input-file=container.inputs.yml -t docker://vanilla-ubuntu --reporter json:vanilla.json progress-bar +inspec exec . --input-file=container.inputs.yml -t docker://vanilla-ubuntu --reporter json:vanilla.json cli echo "TEST: run InSpec against the hardened container" -inspec exec . --input-file=container.inputs.yml -t docker://hardened-ubuntu --reporter json:hardened.json progress-bar +inspec exec . --input-file=container.inputs.yml -t docker://hardened-ubuntu --reporter json:hardened.json cli echo "TEST: summary of vanilla results" saf view summary -i vanilla.json @@ -26,7 +26,7 @@ echo "TEST: summary of hardened results" saf view summary -i hardened.json echo "VALIDATE: validating vanilla results passed thresholds. . ." -saf validate:threshold -i vanilla.json -F vanilla.threshold.yml +saf validate:threshold -i vanilla.json -F container.vanilla.threshold.yml echo "VALIDATE: validating hardened results passed thresholds. . ." -saf validate:threshold -i hardened.json -F hardened.threshold.yml \ No newline at end of file +saf validate:threshold -i hardened.json -F container.hardened.threshold.yml \ No newline at end of file diff --git a/kitchen.container.yml b/kitchen.container.yml index ef08f8d..51188c4 100644 --- a/kitchen.container.yml +++ b/kitchen.container.yml @@ -8,7 +8,6 @@ provisioner: name: dummy verifier: - sudo: true input_files: - container.inputs.yml reporter: diff --git a/vanilla.json b/vanilla.json deleted file mode 100644 index 4857c6e..0000000 --- a/vanilla.json +++ /dev/null @@ -1 +0,0 @@ -{"platform":{"name":"ubuntu","release":"20.04","target_id":"da39a3ee-5e6b-5b0d-b255-bfef95601890"},"profiles":[{"name":"Canonical_Ubuntu_20-04_LTS_STIG","version":"0.1.0","sha256":"790ca193566f32b338bd5838db799358bbbbea2c1dabc843bc17f7ddfee74682","title":"Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide","maintainer":"Nitin Ravindran","summary":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.","license":"Apache-2.0","copyright":"Nitin Ravindran","copyright_email":"nravindran@vmware.com","supports":[{"platform-name":"ubuntu","release":"20.04"}],"attributes":[{"name":"temporary_accounts","options":{"type":"Array","value":[]}},{"name":"banner_text","options":{"type":"String","value":"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."}},{"name":"sudo_accounts","options":{"type":"Array","value":["ubuntu"]}},{"name":"tmout","options":{"type":"Numeric","value":600}},{"name":"action_mail_acct","options":{"type":"String","value":"root"}},{"name":"audit_tools","options":{"type":"Array","value":["/sbin/auditctl","/sbin/aureport","/sbin/ausearch","/sbin/autrace","/sbin/auditd","/sbin/audispd","/sbin/augenrules"]}},{"name":"standard_audit_log_size","options":{"type":"Numeric","value":8894028}},{"name":"aide_conf_path","options":{"type":"String","value":"/etc/aide/aide.conf"}},{"name":"maxlogins","options":{"type":"Numeric","value":10}},{"name":"is_kdump_required","options":{"type":"Boolean","value":false}},{"name":"is_system_networked","options":{"type":"Boolean","value":true}},{"name":"sssd_conf_path","options":{"type":"String","value":"/etc/sssd/sssd.conf"}},{"name":"allowed_ca_fingerprints_regex","options":{"type":"String","value":"(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)"}},{"name":"allowed_network_interfaces","options":{"type":"Array","value":["lo","eth0"]}},{"name":"audit_sp_remote_server","options":{"type":"String","value":"192.0.0.1"}},{"name":"approved_wireless_interfaces","options":{"type":"Array","value":[]}},{"name":"fips_config_file","options":{"type":"String","value":"/proc/sys/crypto/fips_enabled"}},{"name":"chrony_config_file","options":{"type":"String","value":"/etc/chrony/chrony.conf"}},{"name":"useradd_config_file","options":{"type":"String","value":"/etc/default/useradd"}},{"name":"rsyslog_config_file","options":{"type":"String","value":"/etc/rsyslog.d/50-default.conf"}},{"name":"auditoffload_config_file","options":{"type":"String","value":"/etc/cron.weekly/audit-offload"}},{"name":"audispremote_config_file","options":{"type":"String","value":"/etc/audisp/plugins.d/au-remote.conf"}},{"name":"gdm3_config_file","options":{"type":"String","value":"/etc/gdm3/greeter.dconf-defaults"}},{"name":"disable_fips","options":{"type":"Boolean","value":false}}],"groups":[{"id":"controls/SV-238196.rb","controls":["SV-238196"]},{"id":"controls/SV-238197.rb","controls":["SV-238197"]},{"id":"controls/SV-238198.rb","controls":["SV-238198"]},{"id":"controls/SV-238199.rb","controls":["SV-238199"]},{"id":"controls/SV-238200.rb","controls":["SV-238200"]},{"id":"controls/SV-238201.rb","controls":["SV-238201"]},{"id":"controls/SV-238202.rb","controls":["SV-238202"]},{"id":"controls/SV-238203.rb","controls":["SV-238203"]},{"id":"controls/SV-238204.rb","controls":["SV-238204"]},{"id":"controls/SV-238205.rb","controls":["SV-238205"]},{"id":"controls/SV-238206.rb","controls":["SV-238206"]},{"id":"controls/SV-238207.rb","controls":["SV-238207"]},{"id":"controls/SV-238208.rb","controls":["SV-238208"]},{"id":"controls/SV-238209.rb","controls":["SV-238209"]},{"id":"controls/SV-238210.rb","controls":["SV-238210"]},{"id":"controls/SV-238211.rb","controls":["SV-238211"]},{"id":"controls/SV-238212.rb","controls":["SV-238212"]},{"id":"controls/SV-238213.rb","controls":["SV-238213"]},{"id":"controls/SV-238214.rb","controls":["SV-238214"]},{"id":"controls/SV-238215.rb","controls":["SV-238215"]},{"id":"controls/SV-238216.rb","controls":["SV-238216"]},{"id":"controls/SV-238217.rb","controls":["SV-238217"]},{"id":"controls/SV-238218.rb","controls":["SV-238218"]},{"id":"controls/SV-238219.rb","controls":["SV-238219"]},{"id":"controls/SV-238220.rb","controls":["SV-238220"]},{"id":"controls/SV-238221.rb","controls":["SV-238221"]},{"id":"controls/SV-238222.rb","controls":["SV-238222"]},{"id":"controls/SV-238223.rb","controls":["SV-238223"]},{"id":"controls/SV-238224.rb","controls":["SV-238224"]},{"id":"controls/SV-238225.rb","controls":["SV-238225"]},{"id":"controls/SV-238226.rb","controls":["SV-238226"]},{"id":"controls/SV-238227.rb","controls":["SV-238227"]},{"id":"controls/SV-238228.rb","controls":["SV-238228"]},{"id":"controls/SV-238229.rb","controls":["SV-238229"]},{"id":"controls/SV-238230.rb","controls":["SV-238230"]},{"id":"controls/SV-238231.rb","controls":["SV-238231"]},{"id":"controls/SV-238232.rb","controls":["SV-238232"]},{"id":"controls/SV-238233.rb","controls":["SV-238233"]},{"id":"controls/SV-238234.rb","controls":["SV-238234"]},{"id":"controls/SV-238235.rb","controls":["SV-238235"]},{"id":"controls/SV-238236.rb","controls":["SV-238236"]},{"id":"controls/SV-238237.rb","controls":["SV-238237"]},{"id":"controls/SV-238238.rb","controls":["SV-238238"]},{"id":"controls/SV-238239.rb","controls":["SV-238239"]},{"id":"controls/SV-238240.rb","controls":["SV-238240"]},{"id":"controls/SV-238241.rb","controls":["SV-238241"]},{"id":"controls/SV-238242.rb","controls":["SV-238242"]},{"id":"controls/SV-238243.rb","controls":["SV-238243"]},{"id":"controls/SV-238244.rb","controls":["SV-238244"]},{"id":"controls/SV-238245.rb","controls":["SV-238245"]},{"id":"controls/SV-238246.rb","controls":["SV-238246"]},{"id":"controls/SV-238247.rb","controls":["SV-238247"]},{"id":"controls/SV-238248.rb","controls":["SV-238248"]},{"id":"controls/SV-238249.rb","controls":["SV-238249"]},{"id":"controls/SV-238250.rb","controls":["SV-238250"]},{"id":"controls/SV-238251.rb","controls":["SV-238251"]},{"id":"controls/SV-238252.rb","controls":["SV-238252"]},{"id":"controls/SV-238253.rb","controls":["SV-238253"]},{"id":"controls/SV-238254.rb","controls":["SV-238254"]},{"id":"controls/SV-238255.rb","controls":["SV-238255"]},{"id":"controls/SV-238256.rb","controls":["SV-238256"]},{"id":"controls/SV-238257.rb","controls":["SV-238257"]},{"id":"controls/SV-238258.rb","controls":["SV-238258"]},{"id":"controls/SV-238264.rb","controls":["SV-238264"]},{"id":"controls/SV-238268.rb","controls":["SV-238268"]},{"id":"controls/SV-238271.rb","controls":["SV-238271"]},{"id":"controls/SV-238277.rb","controls":["SV-238277"]},{"id":"controls/SV-238278.rb","controls":["SV-238278"]},{"id":"controls/SV-238279.rb","controls":["SV-238279"]},{"id":"controls/SV-238280.rb","controls":["SV-238280"]},{"id":"controls/SV-238281.rb","controls":["SV-238281"]},{"id":"controls/SV-238282.rb","controls":["SV-238282"]},{"id":"controls/SV-238283.rb","controls":["SV-238283"]},{"id":"controls/SV-238284.rb","controls":["SV-238284"]},{"id":"controls/SV-238285.rb","controls":["SV-238285"]},{"id":"controls/SV-238286.rb","controls":["SV-238286"]},{"id":"controls/SV-238287.rb","controls":["SV-238287"]},{"id":"controls/SV-238288.rb","controls":["SV-238288"]},{"id":"controls/SV-238289.rb","controls":["SV-238289"]},{"id":"controls/SV-238290.rb","controls":["SV-238290"]},{"id":"controls/SV-238291.rb","controls":["SV-238291"]},{"id":"controls/SV-238292.rb","controls":["SV-238292"]},{"id":"controls/SV-238293.rb","controls":["SV-238293"]},{"id":"controls/SV-238294.rb","controls":["SV-238294"]},{"id":"controls/SV-238295.rb","controls":["SV-238295"]},{"id":"controls/SV-238297.rb","controls":["SV-238297"]},{"id":"controls/SV-238298.rb","controls":["SV-238298"]},{"id":"controls/SV-238299.rb","controls":["SV-238299"]},{"id":"controls/SV-238300.rb","controls":["SV-238300"]},{"id":"controls/SV-238301.rb","controls":["SV-238301"]},{"id":"controls/SV-238302.rb","controls":["SV-238302"]},{"id":"controls/SV-238303.rb","controls":["SV-238303"]},{"id":"controls/SV-238304.rb","controls":["SV-238304"]},{"id":"controls/SV-238305.rb","controls":["SV-238305"]},{"id":"controls/SV-238306.rb","controls":["SV-238306"]},{"id":"controls/SV-238307.rb","controls":["SV-238307"]},{"id":"controls/SV-238308.rb","controls":["SV-238308"]},{"id":"controls/SV-238309.rb","controls":["SV-238309"]},{"id":"controls/SV-238310.rb","controls":["SV-238310"]},{"id":"controls/SV-238315.rb","controls":["SV-238315"]},{"id":"controls/SV-238316.rb","controls":["SV-238316"]},{"id":"controls/SV-238317.rb","controls":["SV-238317"]},{"id":"controls/SV-238318.rb","controls":["SV-238318"]},{"id":"controls/SV-238319.rb","controls":["SV-238319"]},{"id":"controls/SV-238320.rb","controls":["SV-238320"]},{"id":"controls/SV-238321.rb","controls":["SV-238321"]},{"id":"controls/SV-238323.rb","controls":["SV-238323"]},{"id":"controls/SV-238324.rb","controls":["SV-238324"]},{"id":"controls/SV-238325.rb","controls":["SV-238325"]},{"id":"controls/SV-238326.rb","controls":["SV-238326"]},{"id":"controls/SV-238327.rb","controls":["SV-238327"]},{"id":"controls/SV-238328.rb","controls":["SV-238328"]},{"id":"controls/SV-238329.rb","controls":["SV-238329"]},{"id":"controls/SV-238330.rb","controls":["SV-238330"]},{"id":"controls/SV-238331.rb","controls":["SV-238331"]},{"id":"controls/SV-238332.rb","controls":["SV-238332"]},{"id":"controls/SV-238333.rb","controls":["SV-238333"]},{"id":"controls/SV-238334.rb","controls":["SV-238334"]},{"id":"controls/SV-238335.rb","controls":["SV-238335"]},{"id":"controls/SV-238336.rb","controls":["SV-238336"]},{"id":"controls/SV-238337.rb","controls":["SV-238337"]},{"id":"controls/SV-238338.rb","controls":["SV-238338"]},{"id":"controls/SV-238339.rb","controls":["SV-238339"]},{"id":"controls/SV-238340.rb","controls":["SV-238340"]},{"id":"controls/SV-238341.rb","controls":["SV-238341"]},{"id":"controls/SV-238342.rb","controls":["SV-238342"]},{"id":"controls/SV-238343.rb","controls":["SV-238343"]},{"id":"controls/SV-238344.rb","controls":["SV-238344"]},{"id":"controls/SV-238345.rb","controls":["SV-238345"]},{"id":"controls/SV-238346.rb","controls":["SV-238346"]},{"id":"controls/SV-238347.rb","controls":["SV-238347"]},{"id":"controls/SV-238348.rb","controls":["SV-238348"]},{"id":"controls/SV-238349.rb","controls":["SV-238349"]},{"id":"controls/SV-238350.rb","controls":["SV-238350"]},{"id":"controls/SV-238351.rb","controls":["SV-238351"]},{"id":"controls/SV-238352.rb","controls":["SV-238352"]},{"id":"controls/SV-238353.rb","controls":["SV-238353"]},{"id":"controls/SV-238354.rb","controls":["SV-238354"]},{"id":"controls/SV-238355.rb","controls":["SV-238355"]},{"id":"controls/SV-238356.rb","controls":["SV-238356"]},{"id":"controls/SV-238357.rb","controls":["SV-238357"]},{"id":"controls/SV-238358.rb","controls":["SV-238358"]},{"id":"controls/SV-238359.rb","controls":["SV-238359"]},{"id":"controls/SV-238360.rb","controls":["SV-238360"]},{"id":"controls/SV-238361.rb","controls":["SV-238361"]},{"id":"controls/SV-238362.rb","controls":["SV-238362"]},{"id":"controls/SV-238363.rb","controls":["SV-238363"]},{"id":"controls/SV-238364.rb","controls":["SV-238364"]},{"id":"controls/SV-238365.rb","controls":["SV-238365"]},{"id":"controls/SV-238366.rb","controls":["SV-238366"]},{"id":"controls/SV-238367.rb","controls":["SV-238367"]},{"id":"controls/SV-238368.rb","controls":["SV-238368"]},{"id":"controls/SV-238369.rb","controls":["SV-238369"]},{"id":"controls/SV-238370.rb","controls":["SV-238370"]},{"id":"controls/SV-238371.rb","controls":["SV-238371"]},{"id":"controls/SV-238372.rb","controls":["SV-238372"]},{"id":"controls/SV-238373.rb","controls":["SV-238373"]},{"id":"controls/SV-238374.rb","controls":["SV-238374"]},{"id":"controls/SV-238376.rb","controls":["SV-238376"]},{"id":"controls/SV-238377.rb","controls":["SV-238377"]},{"id":"controls/SV-238378.rb","controls":["SV-238378"]},{"id":"controls/SV-238379.rb","controls":["SV-238379"]},{"id":"controls/SV-238380.rb","controls":["SV-238380"]},{"id":"controls/SV-251503.rb","controls":["SV-251503"]},{"id":"controls/SV-251504.rb","controls":["SV-251504"]},{"id":"controls/SV-251505.rb","controls":["SV-251505"]},{"id":"controls/SV-252704.rb","controls":["SV-252704"]}],"controls":[{"id":"SV-238196","title":"The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. ","desc":"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements.","descriptions":[{"label":"default","data":"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements."},{"label":"check","data":"Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding."},{"label":"fix","data":"If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\"system_account_name\" with the account to be created.\n\n$ sudo chage -E $(date -d \"+3 days\"\n+%F) system_account_name"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000002-GPOS-00002 ","gid":"V-238196 ","rid":"SV-238196r653763_rule ","stig_id":"UBTU-20-010000 ","fix_id":"F-41365r653762_fix ","cci":["CCI-000016"],"nist":["AC-2 (2)"]},"code":"control 'SV-238196' do\n title \"The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. \"\n desc \"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding. \"\n desc 'fix', \"If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\\\"system_account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\"\n+%F) system_account_name \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000002-GPOS-00002 '\n tag gid: 'V-238196 '\n tag rid: 'SV-238196r653763_rule '\n tag stig_id: 'UBTU-20-010000 '\n tag fix_id: 'F-41365r653762_fix '\n tag cci: ['CCI-000016']\n tag nist: ['AC-2 (2)']\n\n temporary_accounts = input('temporary_accounts')\n\n if temporary_accounts.empty?\n describe 'Temporary accounts' do\n subject { temporary_accounts }\n it { should be_empty }\n end\n else\n temporary_accounts.each do |acct|\n describe command(\"chage -l #{acct} | grep 'Account expires'\") do\n its('stdout.strip') { should_not match /:\\s*never/ }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238196.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Temporary accounts is expected to be empty","run_time":0.004252,"start_time":"2022-12-07T14:54:19-05:00","resource_class":"Object","resource_params":"[]","resource_id":"Temporary accounts"}]},{"id":"SV-238197","title":"The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. ","desc":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"","descriptions":[{"label":"default","data":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\""},{"label":"check","data":"Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \"false\", this is a finding."},{"label":"fix","data":"Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.\n\nLook for the\n\"banner-message-enable\" parameter under the \"[org/gnome/login-screen]\" section and\nuncomment it (remove the leading \"#\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000023-GPOS-00006 ","gid":"V-238197 ","rid":"SV-238197r653766_rule ","stig_id":"UBTU-20-010002 ","fix_id":"F-41366r653765_fix ","cci":["CCI-000048"],"nist":["AC-8 a"]},"code":"control 'SV-238197' do\n title \"The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \\\"false\\\", this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nLook for the\n\\\"banner-message-enable\\\" parameter under the \\\"[org/gnome/login-screen]\\\" section and\nuncomment it (remove the leading \\\"#\\\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238197 '\n tag rid: 'SV-238197r653766_rule '\n tag stig_id: 'UBTU-20-010002 '\n tag fix_id: 'F-41366r653765_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe 'banner-message-enable must be set to true' do\n subject { command('grep banner-message-enable /etc/dconf/db/local.d/*') }\n its('stdout') { should match /(banner-message-enable).+=.+(true)/ }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238197.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"1","run_time":1.0e-05,"start_time":"2022-12-07T14:54:19-05:00","resource":"1","skip_message":"GUI not installed.\nwhich Xorg exit_status: 1","resource_class":"Numeric","resource_params":"[]","resource_id":""}]},{"id":"SV-238198","title":"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local access to the system via a graphical user logon. ","desc":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"","descriptions":[{"label":"default","data":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\""},{"label":"check","data":"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the operating system via a graphical user logon.\n\nNote: If\nthe system does not have a graphical user interface installed, this requirement is Not\nApplicable.\n\nVerify the operating system displays the exact approved Standard Mandatory\nDoD Notice and Consent Banner text with the command:\n\n$ grep ^banner-message-text\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-text=\"You are accessing a U.S.\nGovernment \\(USG\\) Information System \\(IS\\) that is provided for USG-authorized use\nonly.\\s+By using this IS \\(which includes any device attached to this IS\\), you consent to the\nfollowing conditions:\\s+-The USG routinely intercepts and monitors communications on\nthis IS for purposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct \\(PM\\), law enforcement \\(LE\\), and\ncounterintelligence \\(CI\\) investigations.\\s+-At any time, the USG may inspect and seize\ndata stored on this IS.\\s+-Communications using, or data stored on, this IS are not private,\nare subject to routine monitoring, interception, and search, and may be disclosed or used for\nany USG-authorized purpose.\\s+-This IS includes security measures \\(e.g.,\nauthentication and access controls\\) to protect USG interests--not for your personal\nbenefit or privacy.\\s+-Notwithstanding the above, using this IS does not constitute\nconsent to PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nIf the\nbanner-message-text is missing, commented out, or does not match the Standard Mandatory DoD\nNotice and Consent Banner exactly, this is a finding."},{"label":"fix","data":"Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.\n\nSet the \"banner-message-text\" line\nto contain the appropriate banner message text as shown below:\n\nbanner-message-text='You\nare accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this\nIS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and\nmonitors communications on this IS for purposes including, but not limited to, penetration\ntesting, COMSEC monitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the\nUSG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored\non, this IS are not private, are subject to routine monitoring, interception, and search, and\nmay be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security\nmeasures (e.g., authentication and access controls) to protect USG interests--not for your\npersonal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not\nconstitute consent to PM, LE or CI investigative searching or monitoring of the content of\nprivileged communications, or work product, related to personal representation or\nservices by attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User Agreement for\ndetails.'\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf update\n$ sudo\nsystemctl restart gdm3"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000023-GPOS-00006 ","gid":"V-238198 ","rid":"SV-238198r653769_rule ","stig_id":"UBTU-20-010003 ","fix_id":"F-41367r653768_fix ","cci":["CCI-000048"],"nist":["AC-8 a"]},"code":"control 'SV-238198' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local access to the system via a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the operating system via a graphical user logon.\n\nNote: If\nthe system does not have a graphical user interface installed, this requirement is Not\nApplicable.\n\nVerify the operating system displays the exact approved Standard Mandatory\nDoD Notice and Consent Banner text with the command:\n\n$ grep ^banner-message-text\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-text=\\\"You are accessing a U.S.\nGovernment \\\\(USG\\\\) Information System \\\\(IS\\\\) that is provided for USG-authorized use\nonly.\\\\s+By using this IS \\\\(which includes any device attached to this IS\\\\), you consent to the\nfollowing conditions:\\\\s+-The USG routinely intercepts and monitors communications on\nthis IS for purposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct \\\\(PM\\\\), law enforcement \\\\(LE\\\\), and\ncounterintelligence \\\\(CI\\\\) investigations.\\\\s+-At any time, the USG may inspect and seize\ndata stored on this IS.\\\\s+-Communications using, or data stored on, this IS are not private,\nare subject to routine monitoring, interception, and search, and may be disclosed or used for\nany USG-authorized purpose.\\\\s+-This IS includes security measures \\\\(e.g.,\nauthentication and access controls\\\\) to protect USG interests--not for your personal\nbenefit or privacy.\\\\s+-Notwithstanding the above, using this IS does not constitute\nconsent to PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nIf the\nbanner-message-text is missing, commented out, or does not match the Standard Mandatory DoD\nNotice and Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nSet the \\\"banner-message-text\\\" line\nto contain the appropriate banner message text as shown below:\n\nbanner-message-text='You\nare accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\\\\n\\\\nBy using this IS (which includes any device attached to this\nIS), you consent to the following conditions:\\\\n\\\\n-The USG routinely intercepts and\nmonitors communications on this IS for purposes including, but not limited to, penetration\ntesting, COMSEC monitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations.\\\\n\\\\n-At any time, the\nUSG may inspect and seize data stored on this IS.\\\\n\\\\n-Communications using, or data stored\non, this IS are not private, are subject to routine monitoring, interception, and search, and\nmay be disclosed or used for any USG-authorized purpose.\\\\n\\\\n-This IS includes security\nmeasures (e.g., authentication and access controls) to protect USG interests--not for your\npersonal benefit or privacy.\\\\n\\\\n-Notwithstanding the above, using this IS does not\nconstitute consent to PM, LE or CI investigative searching or monitoring of the content of\nprivileged communications, or work product, related to personal representation or\nservices by attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User Agreement for\ndetails.'\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf update\n$ sudo\nsystemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238198 '\n tag rid: 'SV-238198r653769_rule '\n tag stig_id: 'UBTU-20-010003 '\n tag fix_id: 'F-41367r653768_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n\n banner_text = input('banner_text')\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n gdm3_defaults_file = input('gdm3_config_file')\n\n if package('gdm3').installed?\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n subject { file(gdm3_defaults_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n else\n impact 0.0\n describe 'Package gdm3 not installed' do\n skip 'Package gdm3 not installed, this control Not Applicable'\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238198.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Package gdm3 not installed","run_time":3.2e-05,"start_time":"2022-12-07T14:54:19-05:00","resource":"","skip_message":"Package gdm3 not installed, this control Not Applicable","resource_class":"Object","resource_params":"[]","resource_id":"Package gdm3 not installed"}]},{"id":"SV-238199","title":"The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. ","desc":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.","descriptions":[{"label":"default","data":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system."},{"label":"check","data":"Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \"lock-enabled\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \"lock-enabled\" is\nnot set to \"true\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \"lock-enabled\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000028-GPOS-00009 ","satisfies":["SRG-OS-000028-GPOS-00009","SRG-OS-000029-GPOS-00010"],"gid":"V-238199 ","rid":"SV-238199r653772_rule ","stig_id":"UBTU-20-010004 ","fix_id":"F-41368r653771_fix ","cci":["CCI-000056","CCI-000057"],"nist":["AC-11 b","AC-11 a"]},"code":"control 'SV-238199' do\n title \"The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.\n\n \"\n desc 'check', \"Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \\\"lock-enabled\\\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \\\"lock-enabled\\\" is\nnot set to \\\"true\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \\\"lock-enabled\\\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000028-GPOS-00009 '\n tag satisfies: %w(SRG-OS-000028-GPOS-00009 SRG-OS-000029-GPOS-00010)\n tag gid: 'V-238199 '\n tag rid: 'SV-238199r653772_rule '\n tag stig_id: 'UBTU-20-010004 '\n tag fix_id: 'F-41368r653771_fix '\n tag cci: %w(CCI-000056 CCI-000057)\n tag nist: ['AC-11 b', 'AC-11 a']\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe command('gsettings get org.gnome.desktop.screensaver lock-enabled') do\n its('stdout') { should cmp 'true' }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238199.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"1","run_time":2.5e-05,"start_time":"2022-12-07T14:54:19-05:00","resource":"1","skip_message":"GUI not installed.\nwhich Xorg exit_status: 1","resource_class":"Numeric","resource_params":"[]","resource_id":""}]},{"id":"SV-238200","title":"The Ubuntu operating system must allow users to directly initiate a session lock for all\nconnection types. ","desc":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.","descriptions":[{"label":"default","data":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity."},{"label":"check","data":"Verify the Ubuntu operating system has the \"vlock\" package installed by running the\nfollowing command:\n\n$ dpkg -l | grep vlock\n\nIf \"vlock\" is not installed, this is a finding."},{"label":"fix","data":"Install the \"vlock\" package (if it is not already installed) by running the following\ncommand:\n\n$ sudo apt-get install vlock"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000030-GPOS-00011 ","satisfies":["SRG-OS-000030-GPOS-00011","SRG-OS-000031-GPOS-00012"],"gid":"V-238200 ","rid":"SV-238200r653775_rule ","stig_id":"UBTU-20-010005 ","fix_id":"F-41369r653774_fix ","cci":["CCI-000058","CCI-000060"],"nist":["AC-11 a","AC-11 (1)"]},"code":"control 'SV-238200' do\n title \"The Ubuntu operating system must allow users to directly initiate a session lock for all\nconnection types. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"vlock\\\" package installed by running the\nfollowing command:\n\n$ dpkg -l | grep vlock\n\nIf \\\"vlock\\\" is not installed, this is a finding. \"\n desc 'fix', \"Install the \\\"vlock\\\" package (if it is not already installed) by running the following\ncommand:\n\n$ sudo apt-get install vlock \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000030-GPOS-00011 '\n tag satisfies: %w(SRG-OS-000030-GPOS-00011 SRG-OS-000031-GPOS-00012)\n tag gid: 'V-238200 '\n tag rid: 'SV-238200r653775_rule '\n tag stig_id: 'UBTU-20-010005 '\n tag fix_id: 'F-41369r653774_fix '\n tag cci: %w(CCI-000058 CCI-000060)\n tag nist: ['AC-11 a', 'AC-11 (1)']\n\n describe package('vlock') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238200.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package vlock is expected to be installed","run_time":0.058296,"start_time":"2022-12-07T14:54:19-05:00","message":"expected that `System Package vlock` is installed","resource_class":"package","resource_params":"[\"vlock\"]","resource_id":"vlock"}]},{"id":"SV-238201","title":"The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. ","desc":"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis.","descriptions":[{"label":"default","data":"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis."},{"label":"check","data":"Verify that \"use_mappers\" is set to \"pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\"use_mappers\" is not found or the list does not contain \"pwent\" this is a finding."},{"label":"fix","data":"Set \"use_mappers=pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \"/etc/pam_pkcs11/\" directory and an\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify\naccordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."}],"impact":0.0,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000068-GPOS-00036 ","gid":"V-238201 ","rid":"SV-238201r832933_rule ","stig_id":"UBTU-20-010006 ","fix_id":"F-41370r653777_fix ","cci":["CCI-000187"],"nist":["IA-5 (2) (a) (2)"]},"code":"control 'SV-238201' do\n title \"The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. \"\n desc \"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis. \"\n desc 'check', \"Verify that \\\"use_mappers\\\" is set to \\\"pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\\\"use_mappers\\\" is not found or the list does not contain \\\"pwent\\\" this is a finding. \"\n desc 'fix', \"Set \\\"use_mappers=pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000068-GPOS-00036 '\n tag gid: 'V-238201 '\n tag rid: 'SV-238201r832933_rule '\n tag stig_id: 'UBTU-20-010006 '\n tag fix_id: 'F-41370r653777_fix '\n tag cci: ['CCI-000187']\n tag nist: ['IA-5 (2) (a) (2)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = '/etc/pam_pkcs11/pam_pkcs11.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('use_mappers') { should cmp 'pwent' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238201.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.7e-05,"start_time":"2022-12-07T14:54:20-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238202","title":"The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day minimum password lifetime restriction. ","desc":"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse.","descriptions":[{"label":"default","data":"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse."},{"label":"check","data":"Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \"PASS_MIN_DAYS\" parameter value is less than\n\"1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MIN_DAYS 1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000075-GPOS-00043 ","gid":"V-238202 ","rid":"SV-238202r653781_rule ","stig_id":"UBTU-20-010007 ","fix_id":"F-41371r653780_fix ","cci":["CCI-000198"],"nist":["IA-5 (1) (d)"]},"code":"control 'SV-238202' do\n title \"The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day minimum password lifetime restriction. \"\n desc \"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \\\"PASS_MIN_DAYS\\\" parameter value is less than\n\\\"1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MIN_DAYS 1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000075-GPOS-00043 '\n tag gid: 'V-238202 '\n tag rid: 'SV-238202r653781_rule '\n tag stig_id: 'UBTU-20-010007 '\n tag fix_id: 'F-41371r653780_fix '\n tag cci: ['CCI-000198']\n tag nist: ['IA-5 (1) (d)']\n\n describe login_defs do\n its('PASS_MIN_DAYS') { should >= '1' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238202.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"login.defs PASS_MIN_DAYS is expected to >= \"1\"","run_time":0.015838,"start_time":"2022-12-07T14:54:20-05:00","message":"expected: >= \"1\"\n got: \"0\"","resource_class":"login_defs","resource_params":"[]","resource_id":"/etc/login.defs"}]},{"id":"SV-238203","title":"The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction.\nPasswords for new users must have a 60-day maximum password lifetime restriction. ","desc":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised.","descriptions":[{"label":"default","data":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n$ grep -i ^pass_max_days /etc/login.defs\n\nPASS_MAX_DAYS 60\n\nIf the \"PASS_MAX_DAYS\" parameter value is less than \"60\" or is commented\nout, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.\n\nAdd\nor modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MAX_DAYS 60"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000076-GPOS-00044 ","gid":"V-238203 ","rid":"SV-238203r653784_rule ","stig_id":"UBTU-20-010008 ","fix_id":"F-41372r653783_fix ","cci":["CCI-000199"],"nist":["IA-5 (1) (d)"]},"code":"control 'SV-238203' do\n title \"The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction.\nPasswords for new users must have a 60-day maximum password lifetime restriction. \"\n desc \"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n$ grep -i ^pass_max_days /etc/login.defs\n\nPASS_MAX_DAYS 60\n\nIf the \\\"PASS_MAX_DAYS\\\" parameter value is less than \\\"60\\\" or is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.\n\nAdd\nor modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MAX_DAYS 60 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000076-GPOS-00044 '\n tag gid: 'V-238203 '\n tag rid: 'SV-238203r653784_rule '\n tag stig_id: 'UBTU-20-010008 '\n tag fix_id: 'F-41372r653783_fix '\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)']\n\n describe login_defs do\n its('PASS_MAX_DAYS') { should cmp <= 60 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238203.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"login.defs PASS_MAX_DAYS is expected to cmp <= 60","run_time":0.00634,"start_time":"2022-12-07T14:54:20-05:00","message":"\nexpected it to be <= 60\n got: 99999\n\n(compared using `cmp` matcher)\n","resource_class":"login_defs","resource_params":"[]","resource_id":"/etc/login.defs"}]},{"id":"SV-238204","title":"Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. ","desc":"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system.","descriptions":[{"label":"default","data":"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system."},{"label":"check","data":"Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \"password_pbkdf2\", this is a finding."},{"label":"fix","data":"Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \"/etc/grub.d/40_custom\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\"root\\\"\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \"grub.conf\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000080-GPOS-00048 ","gid":"V-238204 ","rid":"SV-238204r832936_rule ","stig_id":"UBTU-20-010009 ","fix_id":"F-41373r832935_fix ","cci":["CCI-000213"],"nist":["AC-3"]},"code":"control 'SV-238204' do\n title \"Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. \"\n desc \"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system. \"\n desc 'check', \"Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \\\"password_pbkdf2\\\", this is a finding. \"\n desc 'fix', \"Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \\\"/etc/grub.d/40_custom\\\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\\\\\"root\\\\\\\"\\\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \\\"grub.conf\\\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000080-GPOS-00048 '\n tag gid: 'V-238204 '\n tag rid: 'SV-238204r832936_rule '\n tag stig_id: 'UBTU-20-010009 '\n tag fix_id: 'F-41373r832935_fix '\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n describe grub_conf('/boot/grub/grub.cfg') do\n its('password') { should match '^password_pbkdf2' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238204.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Grub Config","run_time":2.0e-05,"start_time":"2022-12-07T14:54:20-05:00","resource":"Grub Config","skip_message":"Can't find file: /boot/grub/grub.cfg","resource_class":"grub_conf","resource_params":"[\"/boot/grub/grub.cfg\"]","resource_id":"/boot/grub/grub.cfg"}]},{"id":"SV-238205","title":"The Ubuntu operating system must uniquely identify interactive users. ","desc":"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.","descriptions":[{"label":"default","data":"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity."},{"label":"check","data":"Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive\nusers with the following command:\n\n$ awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf\noutput is produced and the accounts listed are interactive user accounts, this is a finding."},{"label":"fix","data":"Edit the file \"/etc/passwd\" and provide each interactive user account that has a duplicate\nUID with a unique UID."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000104-GPOS-00051 ","satisfies":["SRG-OS-000104-GPOS-00051","SRG-OS-000121-GPOS-00062"],"gid":"V-238205 ","rid":"SV-238205r653790_rule ","stig_id":"UBTU-20-010010 ","fix_id":"F-41374r653789_fix ","cci":["CCI-000764","CCI-000804"],"nist":["IA-2","IA-8"]},"code":"control 'SV-238205' do\n title 'The Ubuntu operating system must uniquely identify interactive users. '\n desc \"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive\nusers with the following command:\n\n$ awk -F \\\":\\\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf\noutput is produced and the accounts listed are interactive user accounts, this is a finding. \"\n desc 'fix', \"Edit the file \\\"/etc/passwd\\\" and provide each interactive user account that has a duplicate\nUID with a unique UID. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000104-GPOS-00051 '\n tag satisfies: %w(SRG-OS-000104-GPOS-00051 SRG-OS-000121-GPOS-00062)\n tag gid: 'V-238205 '\n tag rid: 'SV-238205r653790_rule '\n tag stig_id: 'UBTU-20-010010 '\n tag fix_id: 'F-41374r653789_fix '\n tag cci: %w(CCI-000764 CCI-000804)\n tag nist: %w(IA-2 IA-8)\n\n user_list = command(\"awk -F \\\":\\\" 'list[$3]++{print $1}' /etc/passwd\").stdout.split(\"\\n\")\n findings = Set[]\n\n user_list.each do |user_name|\n findings = findings << user_name\n end\n describe 'Duplicate User IDs (UIDs) must not exist for interactive users' do\n subject { findings.to_a }\n it { should be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238205.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Duplicate User IDs (UIDs) must not exist for interactive users is expected to be empty","run_time":0.010321,"start_time":"2022-12-07T14:54:20-05:00","resource_class":"Object","resource_params":"[]","resource_id":"Duplicate User IDs (UIDs) must not exist for interactive users"}]},{"id":"SV-238206","title":"The Ubuntu operating system must ensure only users who need access to security functions are\npart of sudo group. ","desc":"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities.","descriptions":[{"label":"default","data":"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities."},{"label":"check","data":"Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding."},{"label":"fix","data":"Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000134-GPOS-00068 ","gid":"V-238206 ","rid":"SV-238206r653793_rule ","stig_id":"UBTU-20-010012 ","fix_id":"F-41375r653792_fix ","cci":["CCI-001084"],"nist":["SC-3"]},"code":"control 'SV-238206' do\n title \"The Ubuntu operating system must ensure only users who need access to security functions are\npart of sudo group. \"\n desc \"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities. \"\n desc 'check', \"Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding. \"\n desc 'fix', \"Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000134-GPOS-00068 '\n tag gid: 'V-238206 '\n tag rid: 'SV-238206r653793_rule '\n tag stig_id: 'UBTU-20-010012 '\n tag fix_id: 'F-41375r653792_fix '\n tag cci: ['CCI-001084']\n tag nist: ['SC-3']\n\n sudo_accounts = input('sudo_accounts')\n\n if sudo_accounts.count > 0\n sudo_accounts.each do |account|\n describe group('sudo') do\n its('members') { should include account }\n end\n end\n else\n describe.one do\n describe group('sudo') do\n its('members') { should be_nil }\n end\n describe group('sudo') do\n its('members') { should be_empty }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238206.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Group sudo members is expected to include \"ubuntu\"","run_time":0.131342,"start_time":"2022-12-07T14:54:20-05:00","message":"expected \"\" to include \"ubuntu\"","resource_class":"group","resource_params":"[\"sudo\"]","resource_id":"sudo-27"}]},{"id":"SV-238207","title":"The Ubuntu operating system must automatically terminate a user session after inactivity\ntimeouts have expired. ","desc":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance.","descriptions":[{"label":"default","data":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance."},{"label":"check","data":"Verify the operating system automatically terminates a user session after inactivity\ntimeouts have expired.\n\nCheck that \"TMOUT\" environment variable is set in the\n\"/etc/bash.bashrc\" file or in any file inside the \"/etc/profile.d/\" directory by\nperforming the following command:\n\n$ grep -E \"\\bTMOUT=[0-9]+\" /etc/bash.bashrc\n/etc/profile.d/*\n\nTMOUT=600\n\nIf \"TMOUT\" is not set, or if the value is \"0\" or is commented\nout, this is a finding."},{"label":"fix","data":"Configure the operating system to automatically terminate a user session after inactivity\ntimeouts have expired or at shutdown.\n\nCreate the file\n\"/etc/profile.d/99-terminal_tmout.sh\" file if it does not exist.\n\nModify or append the\nfollowing line in the \"/etc/profile.d/99-terminal_tmout.sh \" file:\n\nTMOUT=600\n\nThis\nwill set a timeout value of 10 minutes for all future sessions.\n\nTo set the timeout for the\ncurrent sessions, execute the following command over the terminal session:\n\n$ export\nTMOUT=600"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000279-GPOS-00109 ","gid":"V-238207 ","rid":"SV-238207r853404_rule ","stig_id":"UBTU-20-010013 ","fix_id":"F-41376r653795_fix ","cci":["CCI-002361"],"nist":["AC-12"]},"code":"control 'SV-238207' do\n title \"The Ubuntu operating system must automatically terminate a user session after inactivity\ntimeouts have expired. \"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance. \"\n desc 'check', \"Verify the operating system automatically terminates a user session after inactivity\ntimeouts have expired.\n\nCheck that \\\"TMOUT\\\" environment variable is set in the\n\\\"/etc/bash.bashrc\\\" file or in any file inside the \\\"/etc/profile.d/\\\" directory by\nperforming the following command:\n\n$ grep -E \\\"\\\\bTMOUT=[0-9]+\\\" /etc/bash.bashrc\n/etc/profile.d/*\n\nTMOUT=600\n\nIf \\\"TMOUT\\\" is not set, or if the value is \\\"0\\\" or is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the operating system to automatically terminate a user session after inactivity\ntimeouts have expired or at shutdown.\n\nCreate the file\n\\\"/etc/profile.d/99-terminal_tmout.sh\\\" file if it does not exist.\n\nModify or append the\nfollowing line in the \\\"/etc/profile.d/99-terminal_tmout.sh \\\" file:\n\nTMOUT=600\n\nThis\nwill set a timeout value of 10 minutes for all future sessions.\n\nTo set the timeout for the\ncurrent sessions, execute the following command over the terminal session:\n\n$ export\nTMOUT=600 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000279-GPOS-00109 '\n tag gid: 'V-238207 '\n tag rid: 'SV-238207r853404_rule '\n tag stig_id: 'UBTU-20-010013 '\n tag fix_id: 'F-41376r653795_fix '\n tag cci: ['CCI-002361']\n tag nist: ['AC-12']\n\n profile_files = command('find /etc/profile.d/ /etc/bash.bashrc -type f').stdout.strip.split(\"\\n\").entries\n timeout = input('tmout').to_s\n\n describe.one do\n profile_files.each do |pf|\n describe file(pf.strip) do\n its('content') { should match \"^TMOUT=#{timeout}$\" }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238207.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /etc/profile.d/01-locale-fix.sh content is expected to match \"^TMOUT=600$\"","run_time":0.010896,"start_time":"2022-12-07T14:54:20-05:00","message":"expected \"# Make sure the locale variables are set to valid values.\\neval $(/usr/bin/locale-check C.UTF-8)\\n\" to match \"^TMOUT=600$\"\nDiff:\n@@ -1,2 +1,3 @@\n-^TMOUT=600$\n+# Make sure the locale variables are set to valid values.\n+eval $(/usr/bin/locale-check C.UTF-8)\n","exception":"RSpec::Core::MultipleExceptionError","resource_class":"file","resource_params":"[\"/etc/profile.d/01-locale-fix.sh\"]","resource_id":"/etc/profile.d/01-locale-fix.sh"},{"status":"failed","code_desc":"File /etc/bash.bashrc content is expected to match \"^TMOUT=600$\"","run_time":0.001629,"start_time":"2022-12-07T14:54:21-05:00","message":"expected \"# System-wide .bashrc file for interactive bash(1) shells.\\n\\n# To enable the settings / commands in...\\telse\\n\\t\\t printf \\\"%s: command not found\\\\n\\\" \\\"$1\\\" >&2\\n\\t\\t return 127\\n\\t\\tfi\\n\\t}\\nfi\\n\" to match \"^TMOUT=600$\"\nDiff:\n@@ -1,71 +1,141 @@\n-^TMOUT=600$\n+# System-wide .bashrc file for interactive bash(1) shells.\n+\n+# To enable the settings / commands in this file for login shells as well,\n+# this file has to be sourced in /etc/profile.\n+\n+# If not running interactively, don't do anything\n+[ -z \"$PS1\" ] && return\n+\n+# check the window size after each command and, if necessary,\n+# update the values of LINES and COLUMNS.\n+shopt -s checkwinsize\n+\n+# set variable identifying the chroot you work in (used in the prompt below)\n+if [ -z \"${debian_chroot:-}\" ] && [ -r /etc/debian_chroot ]; then\n+ debian_chroot=$(cat /etc/debian_chroot)\n+fi\n+\n+# set a fancy prompt (non-color, overwrite the one in /etc/profile)\n+# but only if not SUDOing and have SUDO_PS1 set; then assume smart user.\n+if ! [ -n \"${SUDO_USER}\" -a -n \"${SUDO_PS1}\" ]; then\n+ PS1='${debian_chroot:+($debian_chroot)}\\u@\\h:\\w\\$ '\n+fi\n+\n+# Commented out, don't overwrite xterm -T \"title\" -n \"icontitle\" by default.\n+# If this is an xterm set the title to user@host:dir\n+#case \"$TERM\" in\n+#xterm*|rxvt*)\n+# PROMPT_COMMAND='echo -ne \"\\033]0;${USER}@${HOSTNAME}: ${PWD}\\007\"'\n+# ;;\n+#*)\n+# ;;\n+#esac\n+\n+# enable bash completion in interactive shells\n+#if ! shopt -oq posix; then\n+# if [ -f /usr/share/bash-completion/bash_completion ]; then\n+# . /usr/share/bash-completion/bash_completion\n+# elif [ -f /etc/bash_completion ]; then\n+# . /etc/bash_completion\n+# fi\n+#fi\n+\n+# sudo hint\n+if [ ! -e \"$HOME/.sudo_as_admin_successful\" ] && [ ! -e \"$HOME/.hushlogin\" ] ; then\n+ case \" $(groups) \" in *\\ admin\\ *|*\\ sudo\\ *)\n+ if [ -x /usr/bin/sudo ]; then\n+\tcat <<-EOF\n+\tTo run a command as administrator (user \"root\"), use \"sudo \".\n+\tSee \"man sudo_root\" for details.\n+\t\n+\tEOF\n+ fi\n+ esac\n+fi\n+\n+# if the command-not-found package is installed, use it\n+if [ -x /usr/lib/command-not-found -o -x /usr/share/command-not-found/command-not-found ]; then\n+\tfunction command_not_found_handle {\n+\t # check because c-n-f could've been removed in the meantime\n+ if [ -x /usr/lib/command-not-found ]; then\n+\t\t /usr/lib/command-not-found -- \"$1\"\n+ return $?\n+ elif [ -x /usr/share/command-not-found/command-not-found ]; then\n+\t\t /usr/share/command-not-found/command-not-found -- \"$1\"\n+ return $?\n+\t\telse\n+\t\t printf \"%s: command not found\\n\" \"$1\" >&2\n+\t\t return 127\n+\t\tfi\n+\t}\n+fi\n","exception":"RSpec::Core::MultipleExceptionError","resource_class":"file","resource_params":"[\"/etc/bash.bashrc\"]","resource_id":"/etc/bash.bashrc"}]},{"id":"SV-238208","title":"The Ubuntu operating system must require users to reauthenticate for privilege escalation\nor when changing roles. ","desc":"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.","descriptions":[{"label":"default","data":"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate."},{"label":"check","data":"Verify the \"/etc/sudoers\" file has no occurrences of \"NOPASSWD\" or \"!authenticate\" by\nrunning the following command:\n\n$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers\n/etc/sudoers.d/*\n\nIf any occurrences of \"NOPASSWD\" or \"!authenticate\" return from the\ncommand, this is a finding."},{"label":"fix","data":"Remove any occurrence of \"NOPASSWD\" or \"!authenticate\" found in \"/etc/sudoers\" file or\nfiles in the \"/etc/sudoers.d\" directory."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000373-GPOS-00156 ","satisfies":["SRG-OS-000373-GPOS-00156","SRG-OS-000373-GPOS-00157"],"gid":"V-238208 ","rid":"SV-238208r853405_rule ","stig_id":"UBTU-20-010014 ","fix_id":"F-41377r653798_fix ","cci":["CCI-002038"],"nist":["IA-11"]},"code":"control 'SV-238208' do\n title \"The Ubuntu operating system must require users to reauthenticate for privilege escalation\nor when changing roles. \"\n desc \"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.\n\n \"\n desc 'check', \"Verify the \\\"/etc/sudoers\\\" file has no occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" by\nrunning the following command:\n\n$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers\n/etc/sudoers.d/*\n\nIf any occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" return from the\ncommand, this is a finding. \"\n desc 'fix', \"Remove any occurrence of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" found in \\\"/etc/sudoers\\\" file or\nfiles in the \\\"/etc/sudoers.d\\\" directory. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000373-GPOS-00156 '\n tag satisfies: %w(SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157)\n tag gid: 'V-238208 '\n tag rid: 'SV-238208r853405_rule '\n tag stig_id: 'UBTU-20-010014 '\n tag fix_id: 'F-41377r653798_fix '\n tag cci: ['CCI-002038']\n tag nist: ['IA-11']\n\n describe command(\"egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers\") do\n its('stdout.strip') { should be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238208.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Command: `egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers` stdout.strip is expected to be empty","run_time":0.075293,"start_time":"2022-12-07T14:54:21-05:00","resource_class":"command","resource_params":"[\"egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers\"]","resource_id":"Command: `egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers`"}]},{"id":"SV-238209","title":"The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. ","desc":"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access.","descriptions":[{"label":"default","data":"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access."},{"label":"check","data":"Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \"umask\" /etc/login.defs\n\nUMASK 077\n\nIf the \"UMASK\"\nvariable is set to \"000\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\"UMASK\" is not set to \"077\", is commented out, or is missing completely, this is a finding."},{"label":"fix","data":"Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \"UMASK\" parameter in the\n\"/etc/login.defs\" file to match the example below:\n\nUMASK 077"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00228 ","gid":"V-238209 ","rid":"SV-238209r653802_rule ","stig_id":"UBTU-20-010016 ","fix_id":"F-41378r653801_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238209' do\n title \"The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. \"\n desc \"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access. \"\n desc 'check', \"Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \\\"umask\\\" /etc/login.defs\n\nUMASK 077\n\nIf the \\\"UMASK\\\"\nvariable is set to \\\"000\\\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\\\"UMASK\\\" is not set to \\\"077\\\", is commented out, or is missing completely, this is a finding. \"\n desc 'fix', \"Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \\\"UMASK\\\" parameter in the\n\\\"/etc/login.defs\\\" file to match the example below:\n\nUMASK 077 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00228 '\n tag gid: 'V-238209 '\n tag rid: 'SV-238209r653802_rule '\n tag stig_id: 'UBTU-20-010016 '\n tag fix_id: 'F-41378r653801_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe login_defs do\n its('UMASK') { should eq '077' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238209.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"login.defs UMASK is expected to eq \"077\"","run_time":0.001158,"start_time":"2022-12-07T14:54:21-05:00","message":"\nexpected: \"077\"\n got: \"022\"\n\n(compared using ==)\n","resource_class":"login_defs","resource_params":"[]","resource_id":"/etc/login.defs"}]},{"id":"SV-238210","title":"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. ","desc":"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.","descriptions":[{"label":"default","data":"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication."},{"label":"check","data":"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\"libpam-pkcs11\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \"no\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \"pam_pkcs11.so\" in \"/etc/pam.d/common-auth\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\"PubkeyAuthentication yes\" in the \"/etc/ssh/sshd_config\" file."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000105-GPOS-00052 ","satisfies":["SRG-OS-000105-GPOS-00052","SRG-OS-000106-GPOS-00053","SRG-OS-000107-GPOS-00054","SRG-OS-000108-GPOS-00055"],"gid":"V-238210 ","rid":"SV-238210r858517_rule ","stig_id":"UBTU-20-010033 ","fix_id":"F-41379r653804_fix ","cci":["CCI-000765","CCI-000766","CCI-000767","CCI-000768"],"nist":["IA-2 (1)","IA-2 (2)","IA-2 (3)","IA-2 (4)"]},"code":"control 'SV-238210' do\n title \"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. \"\n desc \"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \\\"no\\\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \\\"pam_pkcs11.so\\\" in \\\"/etc/pam.d/common-auth\\\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\\\"PubkeyAuthentication yes\\\" in the \\\"/etc/ssh/sshd_config\\\" file. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000105-GPOS-00052 '\n tag satisfies: %w(SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055)\n tag gid: 'V-238210 '\n tag rid: 'SV-238210r858517_rule '\n tag stig_id: 'UBTU-20-010033 '\n tag fix_id: 'F-41379r653804_fix '\n tag cci: %w(CCI-000765 CCI-000766 CCI-000767 CCI-000768)\n tag nist: ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n\n describe sshd_config do\n its('PubkeyAuthentication') { should cmp 'yes' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238210.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.2e-05,"start_time":"2022-12-07T14:54:21-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238211","title":"The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. ","desc":"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric.","descriptions":[{"label":"default","data":"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric."},{"label":"check","data":"Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \"UsePAM\"\nis set to \"yes\" in \"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \"UsePAM\" is not set to \"yes\", this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000125-GPOS-00065 ","gid":"V-238211 ","rid":"SV-238211r858519_rule ","stig_id":"UBTU-20-010035 ","fix_id":"F-41380r653807_fix ","cci":["CCI-000877"],"nist":["MA-4 c"]},"code":"control 'SV-238211' do\n title \"The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. \"\n desc \"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \\\"UsePAM\\\"\nis set to \\\"yes\\\" in \\\"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \\\"UsePAM\\\" is not set to \\\"yes\\\", this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000125-GPOS-00065 '\n tag gid: 'V-238211 '\n tag rid: 'SV-238211r858519_rule '\n tag stig_id: 'UBTU-20-010035 '\n tag fix_id: 'F-41380r653807_fix '\n tag cci: ['CCI-000877']\n tag nist: ['MA-4 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe sshd_config do\n its('UsePAM') { should cmp 'yes' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238211.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.0e-05,"start_time":"2022-12-07T14:54:21-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238212","title":"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic after a period of inactivity. ","desc":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance.","descriptions":[{"label":"default","data":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance."},{"label":"check","data":"Verify that all network connections associated with SSH traffic automatically terminate\nafter a period of inactivity.\n\nVerify the \"ClientAliveCountMax\" variable is set in the\n\"/etc/ssh/sshd_config\" file by performing the following command:\n\n$ sudo grep -ir\nclientalivecountmax /etc/ssh/sshd_config*\n\nClientAliveCountMax 1\n\nIf\n\"ClientAliveCountMax\" is not set, is not set to \"1\", or is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to automatically terminate inactive SSH sessions\nafter a period of inactivity.\n\nModify or append the following line in the\n\"/etc/ssh/sshd_config\" file, replacing \"[Count]\" with a value of 1:\n\n\nClientAliveCountMax 1\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000126-GPOS-00066 ","gid":"V-238212 ","rid":"SV-238212r858521_rule ","stig_id":"UBTU-20-010036 ","fix_id":"F-41381r653810_fix ","cci":["CCI-000879"],"nist":["MA-4 e"]},"code":"control 'SV-238212' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic after a period of inactivity. \"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance. \"\n desc 'check', \"Verify that all network connections associated with SSH traffic automatically terminate\nafter a period of inactivity.\n\nVerify the \\\"ClientAliveCountMax\\\" variable is set in the\n\\\"/etc/ssh/sshd_config\\\" file by performing the following command:\n\n$ sudo grep -ir\nclientalivecountmax /etc/ssh/sshd_config*\n\nClientAliveCountMax 1\n\nIf\n\\\"ClientAliveCountMax\\\" is not set, is not set to \\\"1\\\", or is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate inactive SSH sessions\nafter a period of inactivity.\n\nModify or append the following line in the\n\\\"/etc/ssh/sshd_config\\\" file, replacing \\\"[Count]\\\" with a value of 1:\n\n\nClientAliveCountMax 1\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000126-GPOS-00066 '\n tag gid: 'V-238212 '\n tag rid: 'SV-238212r858521_rule '\n tag stig_id: 'UBTU-20-010036 '\n tag fix_id: 'F-41381r653810_fix '\n tag cci: ['CCI-000879']\n tag nist: ['MA-4 e']\n\n describe sshd_config do\n its('ClientAliveCountMax') { should cmp 1 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238212.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":3.7e-05,"start_time":"2022-12-07T14:54:21-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238213","title":"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic at the end of the session or after 10 minutes of inactivity. ","desc":"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session.","descriptions":[{"label":"default","data":"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session."},{"label":"check","data":"Verify that all network connections associated with SSH traffic are automatically\nterminated at the end of the session or after 10 minutes of inactivity.\n\nVerify the\n\"ClientAliveInterval\" variable is set to a value of \"600\" or less by performing the following\ncommand:\n\n$ sudo grep -ir clientalive /etc/ssh/sshd_config*\n\nClientAliveInterval\n600\n\nIf \"ClientAliveInterval\" does not exist, is not set to a value of \"600\" or less in\n\"/etc/ssh/sshd_config\", or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to automatically terminate all network connections\nassociated with SSH traffic at the end of a session or after a 10-minute period of inactivity.\n\n\nModify or append the following line in the \"/etc/ssh/sshd_config\" file replacing\n\"[Interval]\" with a value of \"600\" or less:\n\nClientAliveInterval 600\n\nRestart the SSH\ndaemon for the changes to take effect:\n\n$ sudo systemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000163-GPOS-00072 ","gid":"V-238213 ","rid":"SV-238213r858523_rule ","stig_id":"UBTU-20-010037 ","fix_id":"F-41382r653813_fix ","cci":["CCI-001133"],"nist":["SC-10"]},"code":"control 'SV-238213' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic at the end of the session or after 10 minutes of inactivity. \"\n desc \"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session. \"\n desc 'check', \"Verify that all network connections associated with SSH traffic are automatically\nterminated at the end of the session or after 10 minutes of inactivity.\n\nVerify the\n\\\"ClientAliveInterval\\\" variable is set to a value of \\\"600\\\" or less by performing the following\ncommand:\n\n$ sudo grep -ir clientalive /etc/ssh/sshd_config*\n\nClientAliveInterval\n600\n\nIf \\\"ClientAliveInterval\\\" does not exist, is not set to a value of \\\"600\\\" or less in\n\\\"/etc/ssh/sshd_config\\\", or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate all network connections\nassociated with SSH traffic at the end of a session or after a 10-minute period of inactivity.\n\n\nModify or append the following line in the \\\"/etc/ssh/sshd_config\\\" file replacing\n\\\"[Interval]\\\" with a value of \\\"600\\\" or less:\n\nClientAliveInterval 600\n\nRestart the SSH\ndaemon for the changes to take effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000163-GPOS-00072 '\n tag gid: 'V-238213 '\n tag rid: 'SV-238213r858523_rule '\n tag stig_id: 'UBTU-20-010037 '\n tag fix_id: 'F-41382r653813_fix '\n tag cci: ['CCI-001133']\n tag nist: ['SC-10']\n\n describe sshd_config do\n its('ClientAliveInterval') { should cmp 600 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238213.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":2.9e-05,"start_time":"2022-12-07T14:54:21-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238214","title":"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. ","desc":"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"","descriptions":[{"label":"default","data":"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\""},{"label":"check","data":"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding."},{"label":"fix","data":"Set the parameter Banner in \"/etc/ssh/sshd_config\" to point to the \"/etc/issue.net\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000228-GPOS-00088 ","satisfies":["SRG-OS-000228-GPOS-00088","SRG-OS-000023-GPOS-00006"],"gid":"V-238214 ","rid":"SV-238214r858525_rule ","stig_id":"UBTU-20-010038 ","fix_id":"F-41383r653816_fix ","cci":["CCI-000048","CCI-001384","CCI-001385","CCI-001386","CCI-001387","CCI-001388"],"nist":["AC-8 a","AC-8 c 1","AC-8 c 2","AC-8 c 3"]},"code":"control 'SV-238214' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. \"\n desc \"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\"\n\n \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\\\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Set the parameter Banner in \\\"/etc/ssh/sshd_config\\\" to point to the \\\"/etc/issue.net\\\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000228-GPOS-00088 '\n tag satisfies: %w(SRG-OS-000228-GPOS-00088 SRG-OS-000023-GPOS-00006)\n tag gid: 'V-238214 '\n tag rid: 'SV-238214r858525_rule '\n tag stig_id: 'UBTU-20-010038 '\n tag fix_id: 'F-41383r653816_fix '\n tag cci: %w(CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388)\n tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3']\n\n banner_text = input('banner_text')\n banner_files = [sshd_config.banner].flatten\n\n banner_files.each do |banner_file|\n if banner_file.nil?\n describe 'The SSHD Banner is not set' do\n subject { banner_file.nil? }\n it { should be false }\n end\n end\n if !banner_file.nil? && !banner_file.match(/none/i).nil?\n describe 'The SSHD Banner is disabled' do\n subject { banner_file.match(/none/i).nil? }\n it { should be true }\n end\n end\n if !banner_file.nil? && banner_file.match(/none/i).nil? && !file(banner_file).exist?\n describe 'The SSHD Banner is set, but, the file does not exist' do\n subject { file(banner_file).exist? }\n it { should be true }\n end\n end\n next unless !banner_file.nil? && banner_file.match(/none/i).nil? && file(banner_file).exist?\n\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n subject { file(banner_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238214.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238214.rb:1 ","run_time":0.000621,"start_time":"2022-12-07T14:54:21-05:00","message":"Can't find file: /etc/ssh/sshd_config","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238214.rb:1"}]},{"id":"SV-238215","title":"The Ubuntu operating system must use SSH to protect the confidentiality and integrity of\ntransmitted information. ","desc":"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.","descriptions":[{"label":"default","data":"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa."},{"label":"check","data":"Verify the SSH package is installed with the following command:\n\n$ sudo dpkg -l | grep openssh\n\nii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access\nto remote machines\nii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server,\nfor secure access from remote machines\nii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64\nsecure shell (SSH) sftp server module, for SFTP access from remote machines\n\nIf the\n\"openssh\" server package is not installed, this is a finding.\n\nVerify the \"sshd.service\" is\nloaded and active with the following command:\n\n$ sudo systemctl status sshd.service | egrep\n-i \"(active|loaded)\"\n Loaded: loaded (/lib/systemd/system/ssh.service; enabled;\nvendor preset: enabled)\n Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1\nweeks 3 days ago\n\nIf \"sshd.service\" is not active or loaded, this is a finding."},{"label":"fix","data":"Install the \"ssh\" meta-package on the system with the following command:\n\n$ sudo apt install\nssh\n\nEnable the \"ssh\" service to start automatically on reboot with the following command:\n\n\n$ sudo systemctl enable sshd.service\n\nensure the \"ssh\" service is running\n\n$ sudo\nsystemctl start sshd.service"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000423-GPOS-00187 ","satisfies":["SRG-OS-000423-GPOS-00187","SRG-OS-000425-GPOS-00189","SRG-OS-000426-GPOS-00190"],"gid":"V-238215 ","rid":"SV-238215r853406_rule ","stig_id":"UBTU-20-010042 ","fix_id":"F-41384r653819_fix ","cci":["CCI-002418","CCI-002420","CCI-002422"],"nist":["SC-8","SC-8 (2)"]},"code":"control 'SV-238215' do\n title \"The Ubuntu operating system must use SSH to protect the confidentiality and integrity of\ntransmitted information. \"\n desc \"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.\n\n \"\n desc 'check', \"Verify the SSH package is installed with the following command:\n\n$ sudo dpkg -l | grep openssh\n\nii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access\nto remote machines\nii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server,\nfor secure access from remote machines\nii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64\nsecure shell (SSH) sftp server module, for SFTP access from remote machines\n\nIf the\n\\\"openssh\\\" server package is not installed, this is a finding.\n\nVerify the \\\"sshd.service\\\" is\nloaded and active with the following command:\n\n$ sudo systemctl status sshd.service | egrep\n-i \\\"(active|loaded)\\\"\n Loaded: loaded (/lib/systemd/system/ssh.service; enabled;\nvendor preset: enabled)\n Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1\nweeks 3 days ago\n\nIf \\\"sshd.service\\\" is not active or loaded, this is a finding. \"\n desc 'fix', \"Install the \\\"ssh\\\" meta-package on the system with the following command:\n\n$ sudo apt install\nssh\n\nEnable the \\\"ssh\\\" service to start automatically on reboot with the following command:\n\n\n$ sudo systemctl enable sshd.service\n\nensure the \\\"ssh\\\" service is running\n\n$ sudo\nsystemctl start sshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000423-GPOS-00187 '\n tag satisfies: %w(SRG-OS-000423-GPOS-00187 SRG-OS-000425-GPOS-00189 SRG-OS-000426-GPOS-00190)\n tag gid: 'V-238215 '\n tag rid: 'SV-238215r853406_rule '\n tag stig_id: 'UBTU-20-010042 '\n tag fix_id: 'F-41384r653819_fix '\n tag cci: %w(CCI-002418 CCI-002420 CCI-002422)\n tag nist: ['SC-8', 'SC-8 (2)']\n\n describe package('openssh-client') do\n it { should be_installed }\n end\n\n describe package('openssh-server') do\n it { should be_installed }\n end\n\n describe package('openssh-sftp-server') do\n it { should be_installed }\n end\n\n describe service('sshd') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238215.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package openssh-client is expected to be installed","run_time":0.10416,"start_time":"2022-12-07T14:54:21-05:00","message":"expected that `System Package openssh-client` is installed","resource_class":"package","resource_params":"[\"openssh-client\"]","resource_id":"openssh-client"},{"status":"failed","code_desc":"System Package openssh-server is expected to be installed","run_time":0.061976,"start_time":"2022-12-07T14:54:21-05:00","message":"expected that `System Package openssh-server` is installed","resource_class":"package","resource_params":"[\"openssh-server\"]","resource_id":"openssh-server"},{"status":"failed","code_desc":"System Package openssh-sftp-server is expected to be installed","run_time":0.045854,"start_time":"2022-12-07T14:54:21-05:00","message":"expected that `System Package openssh-sftp-server` is installed","resource_class":"package","resource_params":"[\"openssh-sftp-server\"]","resource_id":"openssh-sftp-server"},{"status":"failed","code_desc":"Service sshd is expected to be enabled","run_time":0.041146,"start_time":"2022-12-07T14:54:22-05:00","message":"expected that `Service sshd` is enabled","resource_class":"service","resource_params":"[\"sshd\"]","resource_id":"sshd"},{"status":"failed","code_desc":"Service sshd is expected to be installed","run_time":0.001471,"start_time":"2022-12-07T14:54:22-05:00","message":"expected that `Service sshd` is installed","resource_class":"service","resource_params":"[\"sshd\"]","resource_id":"sshd"},{"status":"failed","code_desc":"Service sshd is expected to be running","run_time":0.000973,"start_time":"2022-12-07T14:54:22-05:00","message":"expected that `Service sshd` is running","resource_class":"service","resource_params":"[\"sshd\"]","resource_id":"sshd"}]},{"id":"SV-238216","title":"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. ","desc":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.","descriptions":[{"label":"default","data":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes."},{"label":"check","data":"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \"hmac-sha2-512\" or\n\"hmac-sha2-256\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000424-GPOS-00188 ","satisfies":["SRG-OS-000424-GPOS-00188","SRG-OS-000250-GPOS-00093","SRG-OS-000393-GPOS-00173"],"gid":"V-238216 ","rid":"SV-238216r860820_rule ","stig_id":"UBTU-20-010043 ","fix_id":"F-41385r653822_fix ","cci":["CCI-001453","CCI-002421","CCI-002890"],"nist":["AC-17 (2)","SC-8 (1)","MA-4 (6)"]},"code":"control 'SV-238216' do\n title \"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \\\"hmac-sha2-512\\\" or\n\\\"hmac-sha2-256\\\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173)\n tag gid: 'V-238216 '\n tag rid: 'SV-238216r860820_rule '\n tag stig_id: 'UBTU-20-010043 '\n tag fix_id: 'F-41385r653822_fix '\n tag cci: %w(CCI-001453 CCI-002421 CCI-002890)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n disable_fips = input('disable_fips')\n\n if disable_fips?\n impact 0.0\n describe \"Control not applicable\" do\n skip \"Control not applicable\"\n end\n elsif virtualization.system.eql?('docker')\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\n else\n @macs_array = inspec.sshd_config.params['macs']\n\n @macs_array = @macs_array.first.split(',') unless @macs_array.nil?\n\n describe @macs_array do\n it { should be_in %w(hmac-sha2-256 hmac-sha2-512) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238216.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238216.rb:1 ","run_time":0.011695,"start_time":"2022-12-07T14:54:22-05:00","message":"undefined method `disable_fips?' for #\"Without cryptographic integrity protections, information can be altered by unauthorized\\nusers without detection.\\n\\nRemote access (e.g., RDP) is access to DoD nonpublic information\\nsystems by an authorized user (or an information system) communicating through an external,\\nnon-organization-controlled network. Remote access methods include, for example,\\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\\nthose activities conducted by individuals communicating through a network, either an\\nexternal network (e.g., the internet) or an internal network.\\n\\nLocal maintenance and\\ndiagnostic activities are those activities carried out by individuals physically present\\nat the information system or information system component and not communicating across a\\nnetwork connection.\\n\\nEncrypting information for transmission protects information from\\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\\nprotect information integrity include, for example, cryptographic hash functions which\\nhave common application in digital signatures, checksums, and message authentication\\ncodes.\", :check=>\"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\\nwith the following command:\\n\\n$ grep -ir macs /etc/ssh/sshd_config*\\n\\nMACs\\nhmac-sha2-512,hmac-sha2-256\\n\\nIf any ciphers other than \\\"hmac-sha2-512\\\" or\\n\\\"hmac-sha2-256\\\" are listed, the order differs from the example above, or the returned line is\\ncommented out, this is a finding.\\nIf conflicting results are returned, this is a finding.\", :fix=>\"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\\n140-2 approved ciphers.\\n\\nAdd the following line (or modify the line to have the required\\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\\ndifferent location if using a version of SSH that is provided by a third-party vendor):\\n\\nMACs\\nhmac-sha2-512,hmac-sha2-256\\n\\nRestart the SSH daemon for the changes to take effect:\\n\\n$\\nsudo systemctl reload sshd.service\"}, @refs=[], @tags={:severity=>\"medium \", :gtitle=>\"SRG-OS-000424-GPOS-00188 \", :satisfies=>[\"SRG-OS-000424-GPOS-00188\", \"SRG-OS-000250-GPOS-00093\", \"SRG-OS-000393-GPOS-00173\"], :gid=>\"V-238216 \", :rid=>\"SV-238216r860820_rule \", :stig_id=>\"UBTU-20-010043 \", :fix_id=>\"F-41385r653822_fix \", :cci=>[\"CCI-001453\", \"CCI-002421\", \"CCI-002890\"], :nist=>[\"AC-17 (2)\", \"SC-8 (1)\", \"MA-4 (6)\"]}, @resource_dsl=#, @__code=nil, @__block=#, @__source_location={:ref=>\"./controls/SV-238216.rb\", :line=>1}, @__rule_id=\"SV-238216\", @__profile_id=\"Canonical_Ubuntu_20-04_LTS_STIG\", @__checks=[[\"describe\", [\"Control Source Code Error\"], #]], @__skip_rule={}, @__merge_count=0, @__merge_changes=[], @__skip_only_if_eval=false, @__file=\"./controls/SV-238216.rb\", @__group_title=nil>","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238216.rb:1"}]},{"id":"SV-238217","title":"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. ","desc":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \"strongest to\nweakest\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.","descriptions":[{"label":"default","data":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \"strongest to\nweakest\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections."},{"label":"check","data":"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \"aes256-ctr\",\n\"aes192-ctr\", or \"aes128-ctr\" are listed, the order differs from the example above, the\n\"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000424-GPOS-00188 ","satisfies":["SRG-OS-000424-GPOS-00188","SRG-OS-000033-GPOS-00014","SRG-OS-000394-GPOS-00174"],"gid":"V-238217 ","rid":"SV-238217r860821_rule ","stig_id":"UBTU-20-010044 ","fix_id":"F-41386r653825_fix ","cci":["CCI-000068","CCI-002421","CCI-003123"],"nist":["AC-17 (2)","SC-8 (1)","MA-4 (6)"]},"code":"control 'SV-238217' do\n title \"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \\\"strongest to\nweakest\\\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \\\"aes256-ctr\\\",\n\\\"aes192-ctr\\\", or \\\"aes128-ctr\\\" are listed, the order differs from the example above, the\n\\\"Ciphers\\\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000033-GPOS-00014 SRG-OS-000394-GPOS-00174)\n tag gid: 'V-238217 '\n tag rid: 'SV-238217r860821_rule '\n tag stig_id: 'UBTU-20-010044 '\n tag fix_id: 'F-41386r653825_fix '\n tag cci: %w(CCI-000068 CCI-002421 CCI-003123)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n disable_fips = input('disable_fips')\n\n if disable_fips?\n impact 0.0\n describe 'Control not applicable' do\n skip 'Control not applicable'\n end\n elsif virtualization.system.eql?('docker')\n describe 'Manual test' do\n skip 'This control must be reviewed manually'\n end\n else\n @ciphers_array = inspec.sshd_config.params['ciphers']\n\n @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil?\n\n describe @ciphers_array do\n it { should be_in %w( aes256-ctr aes192-ctr aes128-ctr ) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238217.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238217.rb:1 ","run_time":0.009444,"start_time":"2022-12-07T14:54:22-05:00","message":"undefined method `disable_fips?' for #\"Without cryptographic integrity protections, information can be altered by unauthorized\\nusers without detection.\\n\\nRemote access (e.g., RDP) is access to DoD nonpublic information\\nsystems by an authorized user (or an information system) communicating through an external,\\nnon-organization-controlled network. Remote access methods include, for example,\\ndial-up, broadband, and wireless.\\n\\nNonlocal maintenance and diagnostic activities are\\nthose activities conducted by individuals communicating through a network, either an\\nexternal network (e.g., the internet) or an internal network.\\n\\nLocal maintenance and\\ndiagnostic activities are those activities carried out by individuals physically present\\nat the information system or information system component and not communicating across a\\nnetwork connection.\\n\\nEncrypting information for transmission protects information from\\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\\nprotect information integrity include, for example, cryptographic hash functions which\\nhave common application in digital signatures, checksums, and message authentication\\ncodes.\\n\\nBy specifying a cipher list with the order of ciphers being in a \\\"strongest to\\nweakest\\\" orientation, the system will automatically attempt to use the strongest cipher for\\nsecuring SSH connections.\", :check=>\"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\\nthe following command:\\n\\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\\n\\nCiphers\\naes256-ctr,aes192-ctr,aes128-ctr\\n\\nIf any ciphers other than \\\"aes256-ctr\\\",\\n\\\"aes192-ctr\\\", or \\\"aes128-ctr\\\" are listed, the order differs from the example above, the\\n\\\"Ciphers\\\" keyword is missing, or the returned line is commented out, this is a finding.\\nIf\\nconflicting results are returned, this is a finding.\", :fix=>\"Configure the Ubuntu operating system to allow the SSH daemon to only implement\\nFIPS-approved algorithms.\\n\\nAdd the following line (or modify the line to have the required\\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\\ndifferent location if using a version of SSH that is provided by a third-party vendor):\\n\\n\\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\\n\\nRestart the SSH daemon for the changes to\\ntake effect:\\n\\n$ sudo systemctl restart sshd.service\"}, @refs=[], @tags={:severity=>\"medium \", :gtitle=>\"SRG-OS-000424-GPOS-00188 \", :satisfies=>[\"SRG-OS-000424-GPOS-00188\", \"SRG-OS-000033-GPOS-00014\", \"SRG-OS-000394-GPOS-00174\"], :gid=>\"V-238217 \", :rid=>\"SV-238217r860821_rule \", :stig_id=>\"UBTU-20-010044 \", :fix_id=>\"F-41386r653825_fix \", :cci=>[\"CCI-000068\", \"CCI-002421\", \"CCI-003123\"], :nist=>[\"AC-17 (2)\", \"SC-8 (1)\", \"MA-4 (6)\"]}, @resource_dsl=#, @__code=nil, @__block=#, @__source_location={:ref=>\"./controls/SV-238217.rb\", :line=>1}, @__rule_id=\"SV-238217\", @__profile_id=\"Canonical_Ubuntu_20-04_LTS_STIG\", @__checks=[[\"describe\", [\"Control Source Code Error\"], #]], @__skip_rule={}, @__merge_count=0, @__merge_changes=[], @__skip_only_if_eval=false, @__file=\"./controls/SV-238217.rb\", @__group_title=nil>","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238217.rb:1"}]},{"id":"SV-238218","title":"The Ubuntu operating system must not allow unattended or automatic login via SSH. ","desc":"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security.","descriptions":[{"label":"default","data":"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security."},{"label":"check","data":"Verify that unattended or automatic login via SSH is disabled with the following command:\n\n$\negrep -r '(Permit(.*?)(Passwords|Environment))'\n/etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf\n\"PermitEmptyPasswords\" or \"PermitUserEnvironment\" keywords are not set to \"no\", are\nmissing completely, or are commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or\nautomatic login to the system.\n\nAdd or edit the following lines in the\n\"/etc/ssh/sshd_config\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00229 ","gid":"V-238218 ","rid":"SV-238218r858531_rule ","stig_id":"UBTU-20-010047 ","fix_id":"F-41387r653828_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238218' do\n title 'The Ubuntu operating system must not allow unattended or automatic login via SSH. '\n desc \"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security. \"\n desc 'check', \"Verify that unattended or automatic login via SSH is disabled with the following command:\n\n$\negrep -r '(Permit(.*?)(Passwords|Environment))'\n/etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf\n\\\"PermitEmptyPasswords\\\" or \\\"PermitUserEnvironment\\\" keywords are not set to \\\"no\\\", are\nmissing completely, or are commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or\nautomatic login to the system.\n\nAdd or edit the following lines in the\n\\\"/etc/ssh/sshd_config\\\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00229 '\n tag gid: 'V-238218 '\n tag rid: 'SV-238218r858531_rule '\n tag stig_id: 'UBTU-20-010047 '\n tag fix_id: 'F-41387r653828_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('PermitEmptyPasswords') { should cmp 'no' }\n its('PermitUserEnvironment') { should cmp 'no' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238218.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":4.4e-05,"start_time":"2022-12-07T14:54:22-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238219","title":"The Ubuntu operating system must be configured so that remote X connections are disabled,\nunless to fulfill documented and validated mission requirements. ","desc":"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs.","descriptions":[{"label":"default","data":"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs."},{"label":"check","data":"Verify that X11Forwarding is disabled with the following command:\n\n$ grep -ir\nx11forwarding /etc/ssh/sshd_config* | grep -v \"^#\"\n\nX11Forwarding no\n\nIf the\n\"X11Forwarding\" keyword is set to \"yes\" and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement or is missing, this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\"\nkeyword and set its value to \"no\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding\nno\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238219 ","rid":"SV-238219r858533_rule ","stig_id":"UBTU-20-010048 ","fix_id":"F-41388r653831_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238219' do\n title \"The Ubuntu operating system must be configured so that remote X connections are disabled,\nunless to fulfill documented and validated mission requirements. \"\n desc \"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs. \"\n desc 'check', \"Verify that X11Forwarding is disabled with the following command:\n\n$ grep -ir\nx11forwarding /etc/ssh/sshd_config* | grep -v \\\"^#\\\"\n\nX11Forwarding no\n\nIf the\n\\\"X11Forwarding\\\" keyword is set to \\\"yes\\\" and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement or is missing, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11Forwarding\\\"\nkeyword and set its value to \\\"no\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding\nno\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238219 '\n tag rid: 'SV-238219r858533_rule '\n tag stig_id: 'UBTU-20-010048 '\n tag fix_id: 'F-41388r653831_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('X11Forwarding') { should cmp 'no' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238219.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":3.5e-05,"start_time":"2022-12-07T14:54:22-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238220","title":"The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy\ndisplay. ","desc":"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display.","descriptions":[{"label":"default","data":"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display."},{"label":"check","data":"Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the\nSSH X11UseLocalhost setting with the following command:\n\n$ sudo grep -ir x11uselocalhost\n/etc/ssh/sshd_config*\nX11UseLocalhost yes\n\nIf the \"X11UseLocalhost\" keyword is set to\n\"no\", is missing, or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding."},{"label":"fix","data":"Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit\nthe \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11UseLocalhost\"\nkeyword and set its value to \"yes\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\n\nX11UseLocalhost yes\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238220 ","rid":"SV-238220r858535_rule ","stig_id":"UBTU-20-010049 ","fix_id":"F-41389r653834_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238220' do\n title \"The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy\ndisplay. \"\n desc \"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display. \"\n desc 'check', \"Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the\nSSH X11UseLocalhost setting with the following command:\n\n$ sudo grep -ir x11uselocalhost\n/etc/ssh/sshd_config*\nX11UseLocalhost yes\n\nIf the \\\"X11UseLocalhost\\\" keyword is set to\n\\\"no\\\", is missing, or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit\nthe \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11UseLocalhost\\\"\nkeyword and set its value to \\\"yes\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\n\nX11UseLocalhost yes\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238220 '\n tag rid: 'SV-238220r858535_rule '\n tag stig_id: 'UBTU-20-010049 '\n tag fix_id: 'F-41389r653834_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('X11UseLocalhost') { should cmp 'yes' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238220.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":2.8e-05,"start_time":"2022-12-07T14:54:22-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238221","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nupper-case character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none upper-case character be used.\n\nDetermine if the field \"ucredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"ucredit\"\n/etc/security/pwquality.conf\nucredit=-1\n\nIf the \"ucredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Add or update the \"/etc/security/pwquality.conf\" file to contain the \"ucredit\" parameter:\n\n\nucredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000069-GPOS-00037 ","gid":"V-238221 ","rid":"SV-238221r653838_rule ","stig_id":"UBTU-20-010050 ","fix_id":"F-41390r653837_fix ","cci":["CCI-000192"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238221' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nupper-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none upper-case character be used.\n\nDetermine if the field \\\"ucredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"ucredit\\\"\n/etc/security/pwquality.conf\nucredit=-1\n\nIf the \\\"ucredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"ucredit\\\" parameter:\n\n\nucredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000069-GPOS-00037 '\n tag gid: 'V-238221 '\n tag rid: 'SV-238221r653838_rule '\n tag stig_id: 'UBTU-20-010050 '\n tag fix_id: 'F-41390r653837_fix '\n tag cci: ['CCI-000192']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ucredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238221.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.006084,"start_time":"2022-12-07T14:54:22-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238222","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nlower-case character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none lower-case character be used.\n\nDetermine if the field \"lcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"lcredit\"\n/etc/security/pwquality.conf\nlcredit=-1\n\nIf the \"lcredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Add or update the \"/etc/security/pwquality.conf\" file to contain the \"lcredit\" parameter:\n\n\nlcredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000070-GPOS-00038 ","gid":"V-238222 ","rid":"SV-238222r653841_rule ","stig_id":"UBTU-20-010051 ","fix_id":"F-41391r653840_fix ","cci":["CCI-000193"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238222' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nlower-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none lower-case character be used.\n\nDetermine if the field \\\"lcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"lcredit\\\"\n/etc/security/pwquality.conf\nlcredit=-1\n\nIf the \\\"lcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"lcredit\\\" parameter:\n\n\nlcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000070-GPOS-00038 '\n tag gid: 'V-238222 '\n tag rid: 'SV-238222r653841_rule '\n tag stig_id: 'UBTU-20-010051 '\n tag fix_id: 'F-41391r653840_fix '\n tag cci: ['CCI-000193']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('lcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238222.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.001141,"start_time":"2022-12-07T14:54:22-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238223","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \"dcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"dcredit\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \"dcredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \"/etc/security/pwquality.conf\"\nfile to contain the \"dcredit\" parameter:\n\ndcredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000071-GPOS-00039 ","gid":"V-238223 ","rid":"SV-238223r653844_rule ","stig_id":"UBTU-20-010052 ","fix_id":"F-41392r653843_fix ","cci":["CCI-000194"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238223' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \\\"dcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"dcredit\\\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \\\"dcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\"\nfile to contain the \\\"dcredit\\\" parameter:\n\ndcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000071-GPOS-00039 '\n tag gid: 'V-238223 '\n tag rid: 'SV-238223r653844_rule '\n tag stig_id: 'UBTU-20-010052 '\n tag fix_id: 'F-41392r653843_fix '\n tag cci: ['CCI-000194']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238223.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.001162,"start_time":"2022-12-07T14:54:22-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238224","title":"The Ubuntu operating system must require the change of at least 8 characters when passwords\nare changed. ","desc":"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters.","descriptions":[{"label":"default","data":"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters."},{"label":"check","data":"Verify the Ubuntu operating system requires the change of at least eight characters when\npasswords are changed.\n\nDetermine if the field \"difok\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"difok\"\n/etc/security/pwquality.conf\ndifok=8\n\nIf the \"difok\" parameter is less than \"8\" or is\ncommented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to require the change of at least eight characters when\npasswords are changed.\n\nAdd or update the \"/etc/security/pwquality.conf\" file to include\nthe \"difok=8\" parameter:\n\ndifok=8"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000072-GPOS-00040 ","gid":"V-238224 ","rid":"SV-238224r653847_rule ","stig_id":"UBTU-20-010053 ","fix_id":"F-41393r653846_fix ","cci":["CCI-000195"],"nist":["IA-5 (1) (b)"]},"code":"control 'SV-238224' do\n title \"The Ubuntu operating system must require the change of at least 8 characters when passwords\nare changed. \"\n desc \"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters. \"\n desc 'check', \"Verify the Ubuntu operating system requires the change of at least eight characters when\npasswords are changed.\n\nDetermine if the field \\\"difok\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"difok\\\"\n/etc/security/pwquality.conf\ndifok=8\n\nIf the \\\"difok\\\" parameter is less than \\\"8\\\" or is\ncommented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to require the change of at least eight characters when\npasswords are changed.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\" file to include\nthe \\\"difok=8\\\" parameter:\n\ndifok=8 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000072-GPOS-00040 '\n tag gid: 'V-238224 '\n tag rid: 'SV-238224r653847_rule '\n tag stig_id: 'UBTU-20-010053 '\n tag fix_id: 'F-41393r653846_fix '\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('difok') { should cmp >= '8' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238224.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.001027,"start_time":"2022-12-07T14:54:23-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238225","title":"The Ubuntu operating system must enforce a minimum 15-character password length. ","desc":"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password.","descriptions":[{"label":"default","data":"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password."},{"label":"check","data":"Verify the pwquality configuration file enforces a minimum 15-character password length by\nrunning the following command:\n\n$ grep -i minlen\n/etc/security/pwquality.conf\nminlen=15\n\nIf \"minlen\" parameter value is not \"15\" or\nhigher or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a minimum 15-character password length.\n\n\nAdd or modify the \"minlen\" parameter value to the \"/etc/security/pwquality.conf\" file:\n\n\nminlen=15"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000078-GPOS-00046 ","gid":"V-238225 ","rid":"SV-238225r832942_rule ","stig_id":"UBTU-20-010054 ","fix_id":"F-41394r653849_fix ","cci":["CCI-000205"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238225' do\n title 'The Ubuntu operating system must enforce a minimum 15-character password length. '\n desc \"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password. \"\n desc 'check', \"Verify the pwquality configuration file enforces a minimum 15-character password length by\nrunning the following command:\n\n$ grep -i minlen\n/etc/security/pwquality.conf\nminlen=15\n\nIf \\\"minlen\\\" parameter value is not \\\"15\\\" or\nhigher or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a minimum 15-character password length.\n\n\nAdd or modify the \\\"minlen\\\" parameter value to the \\\"/etc/security/pwquality.conf\\\" file:\n\n\nminlen=15 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000078-GPOS-00046 '\n tag gid: 'V-238225 '\n tag rid: 'SV-238225r832942_rule '\n tag stig_id: 'UBTU-20-010054 '\n tag fix_id: 'F-41394r653849_fix '\n tag cci: ['CCI-000205']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('minlen') { should cmp >= '15' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238225.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.000722,"start_time":"2022-12-07T14:54:23-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238226","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nspecial character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *."},{"label":"check","data":"Determine if the field \"ocredit\" is set in the \"/etc/security/pwquality.conf\" file with the\nfollowing command:\n\n$ grep -i \"ocredit\" /etc/security/pwquality.conf\nocredit=-1\n\nIf\nthe \"ocredit\" parameter is greater than \"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one special character be used.\n\nAdd or update the following line in the\n\"/etc/security/pwquality.conf\" file to include the \"ocredit=-1\" parameter:\n\n\nocredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000266-GPOS-00101 ","gid":"V-238226 ","rid":"SV-238226r653853_rule ","stig_id":"UBTU-20-010055 ","fix_id":"F-41395r653852_fix ","cci":["CCI-001619"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238226' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nspecial character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *. \"\n desc 'check', \"Determine if the field \\\"ocredit\\\" is set in the \\\"/etc/security/pwquality.conf\\\" file with the\nfollowing command:\n\n$ grep -i \\\"ocredit\\\" /etc/security/pwquality.conf\nocredit=-1\n\nIf\nthe \\\"ocredit\\\" parameter is greater than \\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one special character be used.\n\nAdd or update the following line in the\n\\\"/etc/security/pwquality.conf\\\" file to include the \\\"ocredit=-1\\\" parameter:\n\n\nocredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000266-GPOS-00101 '\n tag gid: 'V-238226 '\n tag rid: 'SV-238226r653853_rule '\n tag stig_id: 'UBTU-20-010055 '\n tag fix_id: 'F-41395r653852_fix '\n tag cci: ['CCI-001619']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ocredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238226.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.000941,"start_time":"2022-12-07T14:54:23-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238227","title":"The Ubuntu operating system must prevent the use of dictionary words for passwords. ","desc":"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks.","descriptions":[{"label":"default","data":"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks."},{"label":"check","data":"Verify the Ubuntu operating system uses the \"cracklib\" library to prevent the use of\ndictionary words with the following command:\n\n$ grep dictcheck\n/etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \"dictcheck\" parameter is not set to\n\"1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.\n\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file to include the\n\"dictcheck=1\" parameter:\n\ndictcheck=1"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00225 ","gid":"V-238227 ","rid":"SV-238227r653856_rule ","stig_id":"UBTU-20-010056 ","fix_id":"F-41396r653855_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238227' do\n title 'The Ubuntu operating system must prevent the use of dictionary words for passwords. '\n desc \"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks. \"\n desc 'check', \"Verify the Ubuntu operating system uses the \\\"cracklib\\\" library to prevent the use of\ndictionary words with the following command:\n\n$ grep dictcheck\n/etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \\\"dictcheck\\\" parameter is not set to\n\\\"1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.\n\n\nAdd or update the following line in the \\\"/etc/security/pwquality.conf\\\" file to include the\n\\\"dictcheck=1\\\" parameter:\n\ndictcheck=1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238227 '\n tag rid: 'SV-238227r653856_rule '\n tag stig_id: 'UBTU-20-010056 '\n tag fix_id: 'F-41396r653855_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dictcheck') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238227.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.003211,"start_time":"2022-12-07T14:54:23-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238228","title":"The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem."},{"label":"check","data":"Verify the Ubuntu operating system has the \"libpam-pwquality\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \"libpam-pwquality\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \"pwquality\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \"enforcing\" is not \"1\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \"pwquality\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\",\nthis is a finding."},{"label":"fix","data":"Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n\n\nInstall the \"pam_pwquality\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \"/etc/security/pwquality.conf\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\"/etc/pam.d/common-password\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \"retry\" should be between \"1\" and\n\"3\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00225 ","gid":"V-238228 ","rid":"SV-238228r653859_rule ","stig_id":"UBTU-20-010057 ","fix_id":"F-41397r653858_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238228' do\n title \"The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \\\"pwquality\\\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem. \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"libpam-pwquality\\\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \\\"libpam-pwquality\\\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \\\"pwquality\\\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \\\"enforcing\\\" is not \\\"1\\\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \\\"pwquality\\\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \\\"retry\\\" is set to \\\"0\\\" or greater than \\\"3\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the operating system to use \\\"pwquality\\\" to enforce password complexity rules.\n\n\nInstall the \\\"pam_pwquality\\\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \\\"/etc/security/pwquality.conf\\\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\\\"/etc/pam.d/common-password\\\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \\\"retry\\\" should be between \\\"1\\\" and\n\\\"3\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238228 '\n tag rid: 'SV-238228r653859_rule '\n tag stig_id: 'UBTU-20-010057 '\n tag fix_id: 'F-41397r653858_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pwquality') do\n it { should be_installed }\n end\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('enforcing') { should cmp 1 }\n end\n\n describe file('/etc/pam.d/common-password') do\n its('content') { should match '^password\\s+requisite\\s+pam_pwquality.so\\s+retry=3\\s+enforce_for_root$' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238228.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.9e-05,"start_time":"2022-12-07T14:54:23-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238229","title":"The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. ","desc":"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement.","descriptions":[{"label":"default","data":"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement."},{"label":"check","data":"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \"use_pkcs11_module\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\"\nand then ensure \"ca\" is enabled in \"cert_policy\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to \"ca\" or the line is commented out,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \"use_pkcs11_module\" in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" and ensure \"ca\" is enabled in \"cert_policy\".\n\nAdd or\nupdate the \"cert_policy\" to ensure \"ca\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \"/etc/pam_pkcs11/\" directory and an\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify\naccordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000066-GPOS-00034 ","gid":"V-238229 ","rid":"SV-238229r653862_rule ","stig_id":"UBTU-20-010060 ","fix_id":"F-41398r653861_fix ","cci":["CCI-000185"],"nist":["IA-5 (2) (b) (1)"]},"code":"control 'SV-238229' do\n title \"The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. \"\n desc \"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement. \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \\\"use_pkcs11_module\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\"\nand then ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to \\\"ca\\\" or the line is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \\\"use_pkcs11_module\\\" in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" and ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\".\n\nAdd or\nupdate the \\\"cert_policy\\\" to ensure \\\"ca\\\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000066-GPOS-00034 '\n tag gid: 'V-238229 '\n tag rid: 'SV-238229r653862_rule '\n tag stig_id: 'UBTU-20-010060 '\n tag fix_id: 'F-41398r653861_fix '\n tag cci: ['CCI-000185']\n tag nist: ['IA-5 (2) (b) (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('use_pkcs11_module') { should_not be_nil }\n its('cert_policy') { should include 'ca' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238229.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.6e-05,"start_time":"2022-12-07T14:54:23-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238230","title":"The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. ","desc":"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management).","descriptions":[{"label":"default","data":"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management)."},{"label":"check","data":"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\"libpam-pkcs11\" package is not installed, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \"libpam-pkcs11\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000375-GPOS-00160 ","gid":"V-238230 ","rid":"SV-238230r853410_rule ","stig_id":"UBTU-20-010063 ","fix_id":"F-41399r653864_fix ","cci":["CCI-001948"],"nist":["IA-2 (11)"]},"code":"control 'SV-238230' do\n title \"The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. \"\n desc \"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management). \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \\\"libpam-pkcs11\\\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000375-GPOS-00160 '\n tag gid: 'V-238230 '\n tag rid: 'SV-238230r853410_rule '\n tag stig_id: 'UBTU-20-010063 '\n tag fix_id: 'F-41399r653864_fix '\n tag cci: ['CCI-001948']\n tag nist: ['IA-2 (11)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238230.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.5e-05,"start_time":"2022-12-07T14:54:23-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238231","title":"The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. ","desc":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.","descriptions":[{"label":"default","data":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems."},{"label":"check","data":"Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \"opensc-pcks11\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \"opensc-pcks11\" package is not installed,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to accept PIV credentials.\n\nInstall the\n\"opensc-pkcs11\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000376-GPOS-00161 ","gid":"V-238231 ","rid":"SV-238231r853411_rule ","stig_id":"UBTU-20-010064 ","fix_id":"F-41400r653867_fix ","cci":["CCI-001953"],"nist":["IA-2 (12)"]},"code":"control 'SV-238231' do\n title 'The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. '\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \\\"opensc-pcks11\\\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \\\"opensc-pcks11\\\" package is not installed,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to accept PIV credentials.\n\nInstall the\n\\\"opensc-pkcs11\\\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000376-GPOS-00161 '\n tag gid: 'V-238231 '\n tag rid: 'SV-238231r853411_rule '\n tag stig_id: 'UBTU-20-010064 '\n tag fix_id: 'F-41400r653867_fix '\n tag cci: ['CCI-001953']\n tag nist: ['IA-2 (12)']\n\n describe package('opensc-pkcs11') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238231.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package opensc-pkcs11 is expected to be installed","run_time":0.08109,"start_time":"2022-12-07T14:54:23-05:00","message":"expected that `System Package opensc-pkcs11` is installed","resource_class":"package","resource_params":"[\"opensc-pkcs11\"]","resource_id":"opensc-pkcs11"}]},{"id":"SV-238232","title":"The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. ","desc":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.","descriptions":[{"label":"default","data":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems."},{"label":"check","data":"Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to\n\"ocsp_on\", or the line is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \"cert_policy\" lines in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000377-GPOS-00162 ","gid":"V-238232 ","rid":"SV-238232r853412_rule ","stig_id":"UBTU-20-010065 ","fix_id":"F-41401r653870_fix ","cci":["CCI-001954"],"nist":["IA-2 (12)"]},"code":"control 'SV-238232' do\n title \"The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. \"\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to\n\\\"ocsp_on\\\", or the line is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \\\"cert_policy\\\" lines in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" to include \\\"ocsp_on\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000377-GPOS-00162 '\n tag gid: 'V-238232 '\n tag rid: 'SV-238232r853412_rule '\n tag stig_id: 'UBTU-20-010065 '\n tag fix_id: 'F-41401r653870_fix '\n tag cci: ['CCI-001954']\n tag nist: ['IA-2 (12)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'ocsp_on' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238232.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.6e-05,"start_time":"2022-12-07T14:54:23-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238233","title":"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. ","desc":"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates).","descriptions":[{"label":"default","data":"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates)."},{"label":"check","data":"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \"crl_offline\" or \"crl_auto\" is\npart of the \"cert_policy\" definition in \"/etc/pam_pkcs11/pam_pkcs11.conf\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\"cert_policy\" is not set to include \"crl_auto\" or \"crl_offline\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\"cert_policy\" option in \"/etc/pam/_pkcs11/pam_pkcs11.conf\" to include \"crl_auto\" or\n\"crl_offline\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \"/etc/pam_pkcs11/\" directory and an \"/etc/pam_pkcs11/pam_pkcs11.conf\", find\nan example to copy into place and modify accordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000384-GPOS-00167 ","gid":"V-238233 ","rid":"SV-238233r853413_rule ","stig_id":"UBTU-20-010066 ","fix_id":"F-41402r653873_fix ","cci":["CCI-001991"],"nist":["IA-5 (2) (d)"]},"code":"control 'SV-238233' do\n title \"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. \"\n desc \"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates). \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \\\"crl_offline\\\" or \\\"crl_auto\\\" is\npart of the \\\"cert_policy\\\" definition in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\\\"cert_policy\\\" is not set to include \\\"crl_auto\\\" or \\\"crl_offline\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\\\"cert_policy\\\" option in \\\"/etc/pam/_pkcs11/pam_pkcs11.conf\\\" to include \\\"crl_auto\\\" or\n\\\"crl_offline\\\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \\\"/etc/pam_pkcs11/\\\" directory and an \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find\nan example to copy into place and modify accordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000384-GPOS-00167 '\n tag gid: 'V-238233 '\n tag rid: 'SV-238233r853413_rule '\n tag stig_id: 'UBTU-20-010066 '\n tag fix_id: 'F-41402r653873_fix '\n tag cci: ['CCI-001991']\n tag nist: ['IA-5 (2) (d)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe.one do\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_auto' }\n end\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_offline' }\n end\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238233.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.5e-05,"start_time":"2022-12-07T14:54:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238234","title":"The Ubuntu operating system must prohibit password reuse for a minimum of five generations. ","desc":"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.","descriptions":[{"label":"default","data":"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements."},{"label":"check","data":"Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \"remember\" parameter value is not greater\nthan or equal to \"5\", is commented out, or is not set at all, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \"remember\" parameter value to the following line in\n\"/etc/pam.d/common-password\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000077-GPOS-00045 ","satisfies":["SRG-OS-000077-GPOS-00045","SRG-OS-000073-GPOS-00041"],"gid":"V-238234 ","rid":"SV-238234r832945_rule ","stig_id":"UBTU-20-010070 ","fix_id":"F-41403r832944_fix ","cci":["CCI-000196","CCI-000200"],"nist":["IA-5 (1) (c)","IA-5 (1) (e)"]},"code":"control 'SV-238234' do\n title 'The Ubuntu operating system must prohibit password reuse for a minimum of five generations. '\n desc \"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \\\"remember\\\" parameter value is not greater\nthan or equal to \\\"5\\\", is commented out, or is not set at all, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \\\"remember\\\" parameter value to the following line in\n\\\"/etc/pam.d/common-password\\\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000077-GPOS-00045 '\n tag satisfies: %w(SRG-OS-000077-GPOS-00045 SRG-OS-000073-GPOS-00041)\n tag gid: 'V-238234 '\n tag rid: 'SV-238234r832945_rule '\n tag stig_id: 'UBTU-20-010070 '\n tag fix_id: 'F-41403r832944_fix '\n tag cci: %w(CCI-000196 CCI-000200)\n tag nist: ['IA-5 (1) (c)', 'IA-5 (1) (e)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-password') do\n it { should exist }\n end\n\n describe command(\"grep -i remember /etc/pam.d/common-password | sed 's/.*remember=\\\\([^ ]*\\\\).*/\\\\1/'\") do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should cmp >= 5 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238234.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.6e-05,"start_time":"2022-12-07T14:54:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238235","title":"The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. ","desc":"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.","descriptions":[{"label":"default","data":"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account."},{"label":"check","data":"Verify that the Ubuntu operating system utilizes the \"pam_faillock\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \"/etc/pam.d/common-auth\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \"silent\" keyword is missing or commented out, this is a finding.\nIf the \"audit\"\nkeyword is missing or commented out, this is a finding.\nIf the \"deny\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \"fail_interval\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\"unlock_time\" keyword is missing, commented out, or not set to 0, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to utilize the \"pam_faillock\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \"auth\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \"pam_faillock\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000329-GPOS-00128 ","satisfies":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"gid":"V-238235 ","rid":"SV-238235r853414_rule ","stig_id":"UBTU-20-010072 ","fix_id":"F-41404r802382_fix ","cci":["CCI-000044","CCI-002238"],"nist":["AC-7 a","AC-7 b"]},"code":"control 'SV-238235' do\n title \"The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. \"\n desc \"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.\n\n \"\n desc 'check', \"Verify that the Ubuntu operating system utilizes the \\\"pam_faillock\\\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \\\"/etc/pam.d/common-auth\\\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \\\"silent\\\" keyword is missing or commented out, this is a finding.\nIf the \\\"audit\\\"\nkeyword is missing or commented out, this is a finding.\nIf the \\\"deny\\\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \\\"fail_interval\\\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\\\"unlock_time\\\" keyword is missing, commented out, or not set to 0, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to utilize the \\\"pam_faillock\\\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \\\"auth\\\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \\\"pam_faillock\\\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000329-GPOS-00128 '\n tag satisfies: %w(SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005)\n tag gid: 'V-238235 '\n tag rid: 'SV-238235r853414_rule '\n tag stig_id: 'UBTU-20-010072 '\n tag fix_id: 'F-41404r802382_fix '\n tag cci: %w(CCI-000044 CCI-002238)\n tag nist: ['AC-7 a', 'AC-7 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_tally /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3($|\\s+.*$)/ }\n its('stdout.strip') { should_not match /^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3\\s+.*unlock_time.*$/ }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238235.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.6e-05,"start_time":"2022-12-07T14:54:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238236","title":"The Ubuntu operating system must be configured so that the script which runs each 30 days or\nless to check file integrity is the default one. ","desc":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.","descriptions":[{"label":"default","data":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality."},{"label":"check","data":"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to\ncheck file integrity each 30 days or less is unchanged.\n\nDownload the original aide-common\npackage in the /tmp directory:\n\n$ cd /tmp; apt download aide-common\n\nFetch the SHA1 of the\noriginal script file:\n\n$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO\n./usr/share/aide/config/cron.daily/aide | sha1sum\n\n32958374f18871e3f7dda27a58d721f471843e26 -\n\nCompare with the SHA1 of the file in the\ndaily or monthly cron directory:\n\n$ sha1sum /etc/cron.{daily,monthly}/aide\n2>/dev/null\n32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide\n\nIf\nthere is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the\ndaily or monthly cron directory does not match the SHA1 of the original, this is a finding."},{"label":"fix","data":"The cron file for AIDE is fairly complex as it creates the report. This file is installed with\nthe \"aide-common\" package, and the default can be restored by copying it from the package:\n\n\nDownload the original package to the /tmp dir:\n\n$ cd /tmp; apt download aide-common\n\n\nExtract the aide script to its original place:\n\n$ dpkg-deb --fsys-tarfile\n/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C /\n\n\nCopy it to the cron.daily directory:\n\n$ sudo cp -f\n/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000446-GPOS-00200 ","gid":"V-238236 ","rid":"SV-238236r853415_rule ","stig_id":"UBTU-20-010074 ","fix_id":"F-41405r653882_fix ","cci":["CCI-002699"],"nist":["SI-6 b"]},"code":"control 'SV-238236' do\n title \"The Ubuntu operating system must be configured so that the script which runs each 30 days or\nless to check file integrity is the default one. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality. \"\n desc 'check', \"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to\ncheck file integrity each 30 days or less is unchanged.\n\nDownload the original aide-common\npackage in the /tmp directory:\n\n$ cd /tmp; apt download aide-common\n\nFetch the SHA1 of the\noriginal script file:\n\n$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO\n./usr/share/aide/config/cron.daily/aide | sha1sum\n\n32958374f18871e3f7dda27a58d721f471843e26 -\n\nCompare with the SHA1 of the file in the\ndaily or monthly cron directory:\n\n$ sha1sum /etc/cron.{daily,monthly}/aide\n2>/dev/null\n32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide\n\nIf\nthere is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the\ndaily or monthly cron directory does not match the SHA1 of the original, this is a finding. \"\n desc 'fix', \"The cron file for AIDE is fairly complex as it creates the report. This file is installed with\nthe \\\"aide-common\\\" package, and the default can be restored by copying it from the package:\n\n\nDownload the original package to the /tmp dir:\n\n$ cd /tmp; apt download aide-common\n\n\nExtract the aide script to its original place:\n\n$ dpkg-deb --fsys-tarfile\n/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C /\n\n\nCopy it to the cron.daily directory:\n\n$ sudo cp -f\n/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000446-GPOS-00200 '\n tag gid: 'V-238236 '\n tag rid: 'SV-238236r853415_rule '\n tag stig_id: 'UBTU-20-010074 '\n tag fix_id: 'F-41405r653882_fix '\n tag cci: ['CCI-002699']\n tag nist: ['SI-6 b']\n\n describe('Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.') do\n skip('manual test')\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238236.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.","run_time":2.7e-05,"start_time":"2022-12-07T14:54:24-05:00","resource":"","skip_message":"manual test","resource_class":"Object","resource_params":"[]","resource_id":"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged."}]},{"id":"SV-238237","title":"The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. ","desc":"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account.","descriptions":[{"label":"default","data":"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account."},{"label":"check","data":"Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \"/etc/pam.d/common-auth\" and set\nthe parameter \"pam_faildelay\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000480-GPOS-00226 ","gid":"V-238237 ","rid":"SV-238237r653886_rule ","stig_id":"UBTU-20-010075 ","fix_id":"F-41406r653885_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238237' do\n title \"The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. \"\n desc \"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \\\"/etc/pam.d/common-auth\\\" and set\nthe parameter \\\"pam_faildelay\\\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00226 '\n tag gid: 'V-238237 '\n tag rid: 'SV-238237r653886_rule '\n tag stig_id: 'UBTU-20-010075 '\n tag fix_id: 'F-41406r653885_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_faildelay /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=([4-9][\\d]{6,}|[1-9][\\d]{7,}).*$/ }\n end\n\n file('/etc/pam.d/common-auth').content.to_s.scan(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=(\\d+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 4_000_000 }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238237.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.4e-05,"start_time":"2022-12-07T14:54:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238238","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000463-GPOS-00207","SRG-OS-000476-GPOS-00221"],"gid":"V-238238 ","rid":"SV-238238r853416_rule ","stig_id":"UBTU-20-010100 ","fix_id":"F-41407r653888_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238238' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000463-GPOS-00207 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238238 '\n tag rid: 'SV-238238r853416_rule '\n tag stig_id: 'UBTU-20-010100 '\n tag fix_id: 'F-41407r653888_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238238.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.5e-05,"start_time":"2022-12-07T14:54:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238239","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238239 ","rid":"SV-238239r853417_rule ","stig_id":"UBTU-20-010101 ","fix_id":"F-41408r653891_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238239' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238239 '\n tag rid: 'SV-238239r853417_rule '\n tag stig_id: 'UBTU-20-010101 '\n tag fix_id: 'F-41408r653891_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/group'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238239.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.4e-05,"start_time":"2022-12-07T14:54:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238240","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238240 ","rid":"SV-238240r853418_rule ","stig_id":"UBTU-20-010102 ","fix_id":"F-41409r653894_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238240' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238240 '\n tag rid: 'SV-238240r853418_rule '\n tag stig_id: 'UBTU-20-010102 '\n tag fix_id: 'F-41409r653894_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/shadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238240.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.5e-05,"start_time":"2022-12-07T14:54:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238241","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238241 ","rid":"SV-238241r853419_rule ","stig_id":"UBTU-20-010103 ","fix_id":"F-41410r653897_fix ","cci":["CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AU-12 c","AC-2 (4)"]},"code":"control 'SV-238241' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238241 '\n tag rid: 'SV-238241r853419_rule '\n tag stig_id: 'UBTU-20-010103 '\n tag fix_id: 'F-41410r653897_fix '\n tag cci: %w(CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AU-12 c', 'AC-2 (4)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/gshadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238241.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.2e-05,"start_time":"2022-12-07T14:54:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238242","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/security/opasswd\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/security/opasswd\".\n\n\nAdd or update the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238242 ","rid":"SV-238242r853420_rule ","stig_id":"UBTU-20-010104 ","fix_id":"F-41411r653900_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238242' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nAdd or update the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238242 '\n tag rid: 'SV-238242r853420_rule '\n tag stig_id: 'UBTU-20-010104 '\n tag fix_id: 'F-41411r653900_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/security/opasswd'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238242.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.6e-05,"start_time":"2022-12-07T14:54:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238243","title":"The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. ","desc":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth.","descriptions":[{"label":"default","data":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth."},{"label":"check","data":"Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \"action_mail_acct\" keyword is not set to an accounts for security personnel, the\n\"action_mail_acct\" keyword is missing, or the returned line is commented out, this is a\nfinding."},{"label":"fix","data":"Configure \"auditd\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \"/etc/audit/auditd.conf\" to ensure administrators\nare notified via email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \"administrator_account\" to an account for\nsecurity personnel.\n\nRestart the \"auditd\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000046-GPOS-00022 ","gid":"V-238243 ","rid":"SV-238243r653904_rule ","stig_id":"UBTU-20-010117 ","fix_id":"F-41412r653903_fix ","cci":["CCI-000139"],"nist":["AU-5 a"]},"code":"control 'SV-238243' do\n title \"The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. \"\n desc \"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth. \"\n desc 'check', \"Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \\\"action_mail_acct\\\" keyword is not set to an accounts for security personnel, the\n\\\"action_mail_acct\\\" keyword is missing, or the returned line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure \\\"auditd\\\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \\\"/etc/audit/auditd.conf\\\" to ensure administrators\nare notified via email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \\\"administrator_account\\\" to an account for\nsecurity personnel.\n\nRestart the \\\"auditd\\\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000046-GPOS-00022 '\n tag gid: 'V-238243 '\n tag rid: 'SV-238243r653904_rule '\n tag stig_id: 'UBTU-20-010117 '\n tag fix_id: 'F-41412r653903_fix '\n tag cci: ['CCI-000139']\n tag nist: ['AU-5 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n action_mail_acct = auditd_conf.action_mail_acct\n security_accounts = input('action_mail_acct')\n\n describe 'System Administrator (SA) and Information System Security Officer (ISSO) are notified in the event of an audit processing failure' do\n subject { security_accounts }\n it { should cmp action_mail_acct }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238243.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.9e-05,"start_time":"2022-12-07T14:54:25-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238244","title":"The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). ","desc":"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server.","descriptions":[{"label":"default","data":"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server."},{"label":"check","data":"Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\"disk_full_action\" option is not \"SYSLOG\", \"SINGLE\", or \"HALT\", or the line is commented\nout, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \"disk_full_action\" can be set to \"SYSLOG\", \"HALT\" or \"SINGLE\") in\n\"/etc/audit/auditd.conf\" file:\n\ndisk_full_action = HALT\n\nRestart the \"auditd\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000047-GPOS-00023 ","gid":"V-238244 ","rid":"SV-238244r653907_rule ","stig_id":"UBTU-20-010118 ","fix_id":"F-41413r653906_fix ","cci":["CCI-000140"],"nist":["AU-5 b"]},"code":"control 'SV-238244' do\n title \"The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). \"\n desc \"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server. \"\n desc 'check', \"Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\\\"disk_full_action\\\" option is not \\\"SYSLOG\\\", \\\"SINGLE\\\", or \\\"HALT\\\", or the line is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \\\"disk_full_action\\\" can be set to \\\"SYSLOG\\\", \\\"HALT\\\" or \\\"SINGLE\\\") in\n\\\"/etc/audit/auditd.conf\\\" file:\n\ndisk_full_action = HALT\n\nRestart the \\\"auditd\\\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000047-GPOS-00023 '\n tag gid: 'V-238244 '\n tag rid: 'SV-238244r653907_rule '\n tag stig_id: 'UBTU-20-010118 '\n tag fix_id: 'F-41413r653906_fix '\n tag cci: ['CCI-000140']\n tag nist: ['AU-5 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe auditd_conf do\n its('disk_full_action') { should_not be_empty }\n its('disk_full_action') { should cmp /(?:SYSLOG|SINGLE|HALT)/i }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238244.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.2e-05,"start_time":"2022-12-07T14:54:25-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238245","title":"The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. ","desc":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.","descriptions":[{"label":"default","data":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity."},{"label":"check","data":"Verify that the audit log files have a mode of \"0600\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \"0600\" or\nless by using the following command:\n\n$ sudo stat -c \"%n %a\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\"0600\", this is a finding."},{"label":"fix","data":"Configure the audit log files to have a mode of \"0600\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \"0600\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000057-GPOS-00027 ","satisfies":["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028"],"gid":"V-238245 ","rid":"SV-238245r653910_rule ","stig_id":"UBTU-20-010122 ","fix_id":"F-41414r653909_fix ","cci":["CCI-000162","CCI-000163"],"nist":["AU-9 a"]},"code":"control 'SV-238245' do\n title \"The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify that the audit log files have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \\\"0600\\\" or\nless by using the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\\\"0600\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log files to have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \\\"0600\\\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028)\n tag gid: 'V-238245 '\n tag rid: 'SV-238245r653910_rule '\n tag stig_id: 'UBTU-20-010122 '\n tag fix_id: 'F-41414r653909_fix '\n tag cci: %w(CCI-000162 CCI-000163)\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n it { should_not be_more_permissive_than('0600') }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238245.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-05,"start_time":"2022-12-07T14:54:25-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238246","title":"The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. ","desc":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.","descriptions":[{"label":"default","data":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity."},{"label":"check","data":"Verify the audit log files are owned by \"root\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \"root\" user by using the following\ncommand:\n\n$ sudo stat -c \"%n %U\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \"root\", this is a finding."},{"label":"fix","data":"Configure the audit log directory and its underlying files to be owned by \"root\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \"root\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000057-GPOS-00027 ","satisfies":["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028","SRG-OS-000059-GPOS-00029"],"gid":"V-238246 ","rid":"SV-238246r653913_rule ","stig_id":"UBTU-20-010123 ","fix_id":"F-41415r653912_fix ","cci":["CCI-000162"],"nist":["AU-9 a"]},"code":"control 'SV-238246' do\n title \"The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the audit log files are owned by \\\"root\\\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \\\"root\\\" user by using the following\ncommand:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \\\"root\\\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238246 '\n tag rid: 'SV-238246r653913_rule '\n tag stig_id: 'UBTU-20-010123 '\n tag fix_id: 'F-41415r653912_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('owner') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238246.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.3e-05,"start_time":"2022-12-07T14:54:25-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238247","title":"The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. ","desc":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.","descriptions":[{"label":"default","data":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity."},{"label":"check","data":"Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \"log_group\" parameter is other than \"root\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \"root\" group by using the following command:\n$ sudo stat -c \"%n %G\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\"root\", this is a finding."},{"label":"fix","data":"Configure the audit log directory and its underlying files to be owned by \"root\" group.\n\nSet\nthe \"log_group\" parameter of the audit configuration file to the \"root\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000057-GPOS-00027 ","satisfies":["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028","SRG-OS-000059-GPOS-00029"],"gid":"V-238247 ","rid":"SV-238247r832947_rule ","stig_id":"UBTU-20-010124 ","fix_id":"F-41416r832946_fix ","cci":["CCI-000162"],"nist":["AU-9 a"]},"code":"control 'SV-238247' do\n title \"The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \\\"log_group\\\" parameter is other than \\\"root\\\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \\\"root\\\" group by using the following command:\n$ sudo stat -c \\\"%n %G\\\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" group.\n\nSet\nthe \\\"log_group\\\" parameter of the audit configuration file to the \\\"root\\\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238247 '\n tag rid: 'SV-238247r832947_rule '\n tag stig_id: 'UBTU-20-010124 '\n tag fix_id: 'F-41416r832946_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('group') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238247.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.0e-05,"start_time":"2022-12-07T14:54:25-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238248","title":"The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. ","desc":"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity.","descriptions":[{"label":"default","data":"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity."},{"label":"check","data":"Verify that the audit log directory has a mode of \"0750\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \"0750\" or less by\nusing the following command:\n\n$ sudo stat -c \"%n %a\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \"0750\", this is a finding."},{"label":"fix","data":"Configure the audit log directory to have a mode of \"0750\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\"0750\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000059-GPOS-00029 ","gid":"V-238248 ","rid":"SV-238248r653919_rule ","stig_id":"UBTU-20-010128 ","fix_id":"F-41417r653918_fix ","cci":["CCI-000164"],"nist":["AU-9 a"]},"code":"control 'SV-238248' do\n title \"The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. \"\n desc \"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity. \"\n desc 'check', \"Verify that the audit log directory has a mode of \\\"0750\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \\\"0750\\\" or less by\nusing the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \\\"0750\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory to have a mode of \\\"0750\\\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\\\"0750\\\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000059-GPOS-00029 '\n tag gid: 'V-238248 '\n tag rid: 'SV-238248r653919_rule '\n tag stig_id: 'UBTU-20-010128 '\n tag fix_id: 'F-41417r653918_fix '\n tag cci: ['CCI-000164']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n if log_dir_exists\n describe directory(File.dirname(log_file)) do\n it { should_not be_more_permissive_than('0750') }\n end\n else\n describe('Audit directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238248.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.7e-05,"start_time":"2022-12-07T14:54:25-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238249","title":"The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. ","desc":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one."},{"label":"check","data":"Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files have a mode of \"0640\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\"/etc/audit/audit.rule\",\"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nhave a mode more permissive than \"0640\", this is a finding."},{"label":"fix","data":"Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files to have a mode of \"0640\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000063-GPOS-00032 ","gid":"V-238249 ","rid":"SV-238249r653922_rule ","stig_id":"UBTU-20-010133 ","fix_id":"F-41418r653921_fix ","cci":["CCI-000171"],"nist":["AU-12 b"]},"code":"control 'SV-238249' do\n title \"The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files have a mode of \\\"0640\\\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\\\"/etc/audit/audit.rule\\\",\\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nhave a mode more permissive than \\\"0640\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to have a mode of \\\"0640\\\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238249 '\n tag rid: 'SV-238249r653922_rule '\n tag stig_id: 'UBTU-20-010133 '\n tag fix_id: 'F-41418r653921_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n it { should_not be_more_permissive_than('0640') }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238249.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.0e-05,"start_time":"2022-12-07T14:54:25-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238250","title":"The Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. ","desc":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one."},{"label":"check","data":"Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and\n\"/etc/audit/auditd.conf\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nis owned by a user other than \"root\", this is a finding."},{"label":"fix","data":"Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and\n\"/etc/audit/auditd.conf\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000063-GPOS-00032 ","gid":"V-238250 ","rid":"SV-238250r653925_rule ","stig_id":"UBTU-20-010134 ","fix_id":"F-41419r653924_fix ","cci":["CCI-000171"],"nist":["AU-12 b"]},"code":"control 'SV-238250' do\n title \"The Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238250 '\n tag rid: 'SV-238250r653925_rule '\n tag stig_id: 'UBTU-20-010134 '\n tag fix_id: 'F-41419r653924_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238250.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.3e-05,"start_time":"2022-12-07T14:54:25-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238251","title":"The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. ","desc":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one."},{"label":"check","data":"Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nis owned by a group other than \"root\", this is a finding."},{"label":"fix","data":"Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000063-GPOS-00032 ","gid":"V-238251 ","rid":"SV-238251r653928_rule ","stig_id":"UBTU-20-010135 ","fix_id":"F-41420r653927_fix ","cci":["CCI-000171"],"nist":["AU-12 b"]},"code":"control 'SV-238251' do\n title \"The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a group other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238251 '\n tag rid: 'SV-238251r653928_rule '\n tag stig_id: 'UBTU-20-010135 '\n tag fix_id: 'F-41420r653927_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238251.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.7e-05,"start_time":"2022-12-07T14:54:25-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238252","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"su\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x -F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"su\" command occur.\n\nAdd or update the\nfollowing rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238252 ","rid":"SV-238252r653931_rule ","stig_id":"UBTU-20-010136 ","fix_id":"F-41421r653930_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238252' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"su\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x -F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \\\"su\\\" command occur.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238252 '\n tag rid: 'SV-238252r653931_rule '\n tag stig_id: 'UBTU-20-010136 '\n tag fix_id: 'F-41421r653930_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/su'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238252.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.7e-05,"start_time":"2022-12-07T14:54:26-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238253","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"chfn\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"chfn\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238253 ","rid":"SV-238253r653934_rule ","stig_id":"UBTU-20-010137 ","fix_id":"F-41422r653933_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238253' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"chfn\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chfn\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238253 '\n tag rid: 'SV-238253r653934_rule '\n tag stig_id: 'UBTU-20-010137 '\n tag fix_id: 'F-41422r653933_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chfn'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238253.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":6.0e-06,"start_time":"2022-12-07T14:54:26-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238254","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"mount\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"mount\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238254 ","rid":"SV-238254r653937_rule ","stig_id":"UBTU-20-010138 ","fix_id":"F-41423r653936_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238254' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"mount\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"mount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238254 '\n tag rid: 'SV-238254r653937_rule '\n tag stig_id: 'UBTU-20-010138 '\n tag fix_id: 'F-41423r653936_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/mount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238254.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-07T14:54:26-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238255","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \"umount\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"umount\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238255 ","rid":"SV-238255r653940_rule ","stig_id":"UBTU-20-010139 ","fix_id":"F-41424r653939_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238255' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \\\"umount\\\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"umount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238255 '\n tag rid: 'SV-238255r653940_rule '\n tag stig_id: 'UBTU-20-010139 '\n tag fix_id: 'F-41424r653939_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/umount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238255.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.9e-05,"start_time":"2022-12-07T14:54:26-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238256","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-agent command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"ssh-agent\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep '/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"ssh-agent\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238256 ","rid":"SV-238256r653943_rule ","stig_id":"UBTU-20-010140 ","fix_id":"F-41425r653942_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238256' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-agent command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-agent\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep '/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-agent\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238256 '\n tag rid: 'SV-238256r653943_rule '\n tag stig_id: 'UBTU-20-010140 '\n tag fix_id: 'F-41425r653942_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/ssh-agent'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238256.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.5e-05,"start_time":"2022-12-07T14:54:26-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238257","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"ssh-keysign\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"ssh-keysign\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238257 ","rid":"SV-238257r653946_rule ","stig_id":"UBTU-20-010141 ","fix_id":"F-41426r653945_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238257' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-keysign\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-keysign\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238257 '\n tag rid: 'SV-238257r653946_rule '\n tag stig_id: 'UBTU-20-010141 '\n tag fix_id: 'F-41426r653945_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/lib/openssh/ssh-keysign'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238257.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.5e-05,"start_time":"2022-12-07T14:54:26-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238258","title":"The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\",\n\"fremovexattr\", and \"lremovexattr\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \"setxattr\", \"fsetxattr\",\n\"lsetxattr\", \"removexattr\", \"fremovexattr\" and \"lremovexattr\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and\n\"lremovexattr\" system calls.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"],"gid":"V-238258 ","rid":"SV-238258r808474_rule ","stig_id":"UBTU-20-010142 ","fix_id":"F-41427r808473_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238258' do\n title \"The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\",\n\\\"fremovexattr\\\", and \\\"lremovexattr\\\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \\\"setxattr\\\", \\\"fsetxattr\\\",\n\\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\" and \\\"lremovexattr\\\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\", and\n\\\"lremovexattr\\\" system calls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238258 '\n tag rid: 'SV-238258r808474_rule '\n tag stig_id: 'UBTU-20-010142 '\n tag fix_id: 'F-41427r808473_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('setxattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('setxattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238258.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.4e-05,"start_time":"2022-12-07T14:54:26-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238264","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \"chown\",\n\"fchown\", \"fchownat\", and \"lchown\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nAdd or update the following\nrules in the \"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"],"gid":"V-238264 ","rid":"SV-238264r808477_rule ","stig_id":"UBTU-20-010148 ","fix_id":"F-41433r808476_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238264' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \\\"chown\\\",\n\\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nAdd or update the following\nrules in the \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238264 '\n tag rid: 'SV-238264r808477_rule '\n tag stig_id: 'UBTU-20-010148 '\n tag fix_id: 'F-41433r808476_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chown').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chown').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238264.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.7e-05,"start_time":"2022-12-07T14:54:26-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238268","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \"chmod\", \"fchmod\" and\n\"fchmodat\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nAdd or update the following rules in\nthe \"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"],"gid":"V-238268 ","rid":"SV-238268r808480_rule ","stig_id":"UBTU-20-010152 ","fix_id":"F-41437r808479_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238268' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \\\"chmod\\\", \\\"fchmod\\\" and\n\\\"fchmodat\\\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nAdd or update the following rules in\nthe \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238268 '\n tag rid: 'SV-238268r808480_rule '\n tag stig_id: 'UBTU-20-010152 '\n tag fix_id: 'F-41437r808479_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chmod').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chmod').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238268.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.4e-05,"start_time":"2022-12-07T14:54:26-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238271","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\|truncate\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \"-k\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove."},{"label":"fix","data":"Configure the audit system to generate an audit event for any unsuccessful use of the\"creat\",\n\"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" system calls.\n\nAdd\nor update the following rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000474-GPOS-00219"],"gid":"V-238271 ","rid":"SV-238271r808483_rule ","stig_id":"UBTU-20-010155 ","fix_id":"F-41440r808482_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238271' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\\\|truncate\\\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any unsuccessful use of the\\\"creat\\\",\n\\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" system calls.\n\nAdd\nor update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000474-GPOS-00219)\n tag gid: 'V-238271 '\n tag rid: 'SV-238271r808483_rule '\n tag stig_id: 'UBTU-20-010155 '\n tag fix_id: 'F-41440r808482_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238271.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.4e-05,"start_time":"2022-12-07T14:54:26-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238277","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"sudo\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"sudo\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238277 ","rid":"SV-238277r654006_rule ","stig_id":"UBTU-20-010161 ","fix_id":"F-41446r654005_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238277' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"sudo\\\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudo\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238277 '\n tag rid: 'SV-238277r654006_rule '\n tag stig_id: 'UBTU-20-010161 '\n tag fix_id: 'F-41446r654005_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudo'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238277.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-05,"start_time":"2022-12-07T14:54:27-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238278","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"sudoedit\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"sudoedit\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238278 ","rid":"SV-238278r654009_rule ","stig_id":"UBTU-20-010162 ","fix_id":"F-41447r654008_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238278' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"sudoedit\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudoedit\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238278 '\n tag rid: 'SV-238278r654009_rule '\n tag stig_id: 'UBTU-20-010162 '\n tag fix_id: 'F-41447r654008_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudoedit'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238278.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":7.7e-05,"start_time":"2022-12-07T14:54:27-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238279","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chsh\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chsh\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238279 ","rid":"SV-238279r654012_rule ","stig_id":"UBTU-20-010163 ","fix_id":"F-41448r654011_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238279' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chsh\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chsh\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238279 '\n tag rid: 'SV-238279r654012_rule '\n tag stig_id: 'UBTU-20-010163 '\n tag fix_id: 'F-41448r654011_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chsh'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238279.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.4e-05,"start_time":"2022-12-07T14:54:27-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238280","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"newgrp\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"newgrp\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238280 ","rid":"SV-238280r654015_rule ","stig_id":"UBTU-20-010164 ","fix_id":"F-41449r654014_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238280' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"newgrp\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"newgrp\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238280 '\n tag rid: 'SV-238280r654015_rule '\n tag stig_id: 'UBTU-20-010164 '\n tag fix_id: 'F-41449r654014_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/newgrp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238280.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.7e-05,"start_time":"2022-12-07T14:54:27-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238281","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chcon\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chcon\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238281 ","rid":"SV-238281r654018_rule ","stig_id":"UBTU-20-010165 ","fix_id":"F-41450r654017_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238281' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chcon\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chcon\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238281 '\n tag rid: 'SV-238281r654018_rule '\n tag stig_id: 'UBTU-20-010165 '\n tag fix_id: 'F-41450r654017_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chcon'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238281.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.4e-05,"start_time":"2022-12-07T14:54:27-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238282","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"apparmor_parser\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"apparmor_parser\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238282 ","rid":"SV-238282r654021_rule ","stig_id":"UBTU-20-010166 ","fix_id":"F-41451r654020_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238282' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"apparmor_parser\\\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"apparmor_parser\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238282 '\n tag rid: 'SV-238282r654021_rule '\n tag stig_id: 'UBTU-20-010166 '\n tag fix_id: 'F-41451r654020_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/apparmor_parser'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238282.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.8e-05,"start_time":"2022-12-07T14:54:27-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238283","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"setfacl\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"setfacl\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238283 ","rid":"SV-238283r654024_rule ","stig_id":"UBTU-20-010167 ","fix_id":"F-41452r654023_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238283' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setfacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setfacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238283 '\n tag rid: 'SV-238283r654024_rule '\n tag stig_id: 'UBTU-20-010167 '\n tag fix_id: 'F-41452r654023_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/setfacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238283.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.5e-05,"start_time":"2022-12-07T14:54:27-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238284","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chacl\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chacl\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238284 ","rid":"SV-238284r654027_rule ","stig_id":"UBTU-20-010168 ","fix_id":"F-41453r654026_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238284' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238284 '\n tag rid: 'SV-238284r654027_rule '\n tag stig_id: 'UBTU-20-010168 '\n tag fix_id: 'F-41453r654026_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238284.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.9e-05,"start_time":"2022-12-07T14:54:27-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238285","title":"The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \"tallylog\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"tallylog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"gid":"V-238285 ","rid":"SV-238285r654030_rule ","stig_id":"UBTU-20-010169 ","fix_id":"F-41454r654029_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238285' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238285 '\n tag rid: 'SV-238285r654030_rule '\n tag stig_id: 'UBTU-20-010169 '\n tag fix_id: 'F-41454r654029_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/tallylog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238285.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.0e-05,"start_time":"2022-12-07T14:54:27-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238286","title":"The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \"faillog\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"faillog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"gid":"V-238286 ","rid":"SV-238286r654033_rule ","stig_id":"UBTU-20-010170 ","fix_id":"F-41455r654032_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238286' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238286 '\n tag rid: 'SV-238286r654033_rule '\n tag stig_id: 'UBTU-20-010170 '\n tag fix_id: 'F-41455r654032_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/faillog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238286.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.8e-05,"start_time":"2022-12-07T14:54:27-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238287","title":"The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \"lastlog\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"lastlog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"gid":"V-238287 ","rid":"SV-238287r654036_rule ","stig_id":"UBTU-20-010171 ","fix_id":"F-41456r654035_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238287' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238287 '\n tag rid: 'SV-238287r654036_rule '\n tag stig_id: 'UBTU-20-010171 '\n tag fix_id: 'F-41456r654035_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/lastlog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238287.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.4e-05,"start_time":"2022-12-07T14:54:28-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238288","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"passwd\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"key\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"passwd\" command.\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238288 ","rid":"SV-238288r833012_rule ","stig_id":"UBTU-20-010172 ","fix_id":"F-41457r832949_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238288' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"passwd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"key\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"passwd\\\" command.\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238288 '\n tag rid: 'SV-238288r833012_rule '\n tag stig_id: 'UBTU-20-010172 '\n tag fix_id: 'F-41457r832949_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238288.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.3e-05,"start_time":"2022-12-07T14:54:28-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238289","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the unix_update command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the\n\"unix_update\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"unix_update\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238289 ","rid":"SV-238289r654042_rule ","stig_id":"UBTU-20-010173 ","fix_id":"F-41458r654041_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238289' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the unix_update command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"unix_update\\\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"unix_update\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238289 '\n tag rid: 'SV-238289r654042_rule '\n tag stig_id: 'UBTU-20-010173 '\n tag fix_id: 'F-41458r654041_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/unix_update'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238289.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":0.000304,"start_time":"2022-12-07T14:54:28-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238290","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"gpasswd\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"gpasswd\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238290 ","rid":"SV-238290r654045_rule ","stig_id":"UBTU-20-010174 ","fix_id":"F-41459r654044_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238290' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"gpasswd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"gpasswd\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238290 '\n tag rid: 'SV-238290r654045_rule '\n tag stig_id: 'UBTU-20-010174 '\n tag fix_id: 'F-41459r654044_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/gpasswd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238290.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-05,"start_time":"2022-12-07T14:54:28-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238291","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"chage\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"chage\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238291 ","rid":"SV-238291r654048_rule ","stig_id":"UBTU-20-010175 ","fix_id":"F-41460r654047_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238291' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"chage\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chage\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238291 '\n tag rid: 'SV-238291r654048_rule '\n tag stig_id: 'UBTU-20-010175 '\n tag fix_id: 'F-41460r654047_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chage'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238291.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.3e-05,"start_time":"2022-12-07T14:54:28-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238292","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"usermod\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"usermod\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238292 ","rid":"SV-238292r654051_rule ","stig_id":"UBTU-20-010176 ","fix_id":"F-41461r654050_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238292' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"usermod\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"usermod\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238292 '\n tag rid: 'SV-238292r654051_rule '\n tag stig_id: 'UBTU-20-010176 '\n tag fix_id: 'F-41461r654050_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/usermod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238292.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.7e-05,"start_time":"2022-12-07T14:54:28-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238293","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"crontab\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"crontab\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238293 ","rid":"SV-238293r654054_rule ","stig_id":"UBTU-20-010177 ","fix_id":"F-41462r654053_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238293' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"crontab\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"crontab\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238293 '\n tag rid: 'SV-238293r654054_rule '\n tag stig_id: 'UBTU-20-010177 '\n tag fix_id: 'F-41462r654053_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/crontab'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238293.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.2e-05,"start_time":"2022-12-07T14:54:28-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238294","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the\n\"pam_timestamp_check\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"pam_timestamp_check\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238294 ","rid":"SV-238294r654057_rule ","stig_id":"UBTU-20-010178 ","fix_id":"F-41463r654056_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238294' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"pam_timestamp_check\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"pam_timestamp_check\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238294 '\n tag rid: 'SV-238294r654057_rule '\n tag stig_id: 'UBTU-20-010178 '\n tag fix_id: 'F-41463r654056_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/pam_timestamp_check'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238294.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.1e-05,"start_time":"2022-12-07T14:54:28-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238295","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \"init_module\" and \"finit_module\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"init_module\" and \"finit_module\" syscalls.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000471-GPOS-00216"],"gid":"V-238295 ","rid":"SV-238295r808486_rule ","stig_id":"UBTU-20-010179 ","fix_id":"F-41464r808485_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238295' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \\\"init_module\\\" and \\\"finit_module\\\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000471-GPOS-00216)\n tag gid: 'V-238295 '\n tag rid: 'SV-238295r808486_rule '\n tag stig_id: 'UBTU-20-010179 '\n tag fix_id: 'F-41464r808485_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('init_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('init_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238295.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.3e-05,"start_time":"2022-12-07T14:54:28-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238297","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \"delete_module\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"delete_module\" syscall.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000477-GPOS-00222"],"gid":"V-238297 ","rid":"SV-238297r802387_rule ","stig_id":"UBTU-20-010181 ","fix_id":"F-41466r654065_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238297' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"delete_module\\\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"delete_module\\\" syscall.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: ['SRG-OS-000477-GPOS-00222']\n tag gid: 'V-238297 '\n tag rid: 'SV-238297r802387_rule '\n tag stig_id: 'UBTU-20-010181 '\n tag fix_id: 'F-41466r654065_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('delete_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('delete_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238297.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.7e-05,"start_time":"2022-12-07T14:54:28-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238298","title":"The Ubuntu operating system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. ","desc":"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.","descriptions":[{"label":"default","data":"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system."},{"label":"check","data":"Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \"auditd\" package is not installed, this is a finding.\n\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \"disabled\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \"inactive\",\nthis is a finding."},{"label":"fix","data":"Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000122-GPOS-00063 ","satisfies":["SRG-OS-000122-GPOS-00063","SRG-OS-000037-GPOS-00015","SRG-OS-000038-GPOS-00016","SRG-OS-000039-GPOS-00017","SRG-OS-000040-GPOS-00018","SRG-OS-000041-GPOS-00019","SRG-OS-000042-GPOS-00020","SRG-OS-000042-GPOS-00021","SRG-OS-000051-GPOS-00024","SRG-OS-000054-GPOS-00025","SRG-OS-000062-GPOS-00031","SRG-OS-000337-GPOS-00129","SRG-OS-000348-GPOS-00136","SRG-OS-000349-GPOS-00137","SRG-OS-000350-GPOS-00138","SRG-OS-000351-GPOS-00139","SRG-OS-000352-GPOS-00140","SRG-OS-000353-GPOS-00141","SRG-OS-000354-GPOS-00142","SRG-OS-000475-GPOS-00220"],"gid":"V-238298 ","rid":"SV-238298r853421_rule ","stig_id":"UBTU-20-010182 ","fix_id":"F-41467r654068_fix ","cci":["CCI-000130","CCI-000131","CCI-000132","CCI-000133","CCI-000134","CCI-000135","CCI-000154","CCI-000158","CCI-000169","CCI-000172","CCI-001875","CCI-001876","CCI-001877","CCI-001878","CCI-001879","CCI-001880","CCI-001881","CCI-001882","CCI-001914"],"nist":["AU-3 a","AU-3 b","AU-3 c","AU-3 d","AU-3 e","AU-3 (1)","AU-6 (4)","AU-7 (1)","AU-12 a","AU-12 c","AU-7 a","AU-7 b","AU-12 (3)"]},"code":"control 'SV-238298' do\n title \"The Ubuntu operating system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. \"\n desc \"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.\n\n \"\n desc 'check', \"Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \\\"auditd\\\" package is not installed, this is a finding.\n\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \\\"disabled\\\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \\\"inactive\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000122-GPOS-00063 '\n tag satisfies: %w(SRG-OS-000122-GPOS-00063 SRG-OS-000037-GPOS-00015 SRG-OS-000038-GPOS-00016 SRG-OS-000039-GPOS-00017 SRG-OS-000040-GPOS-00018 SRG-OS-000041-GPOS-00019 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000051-GPOS-00024 SRG-OS-000054-GPOS-00025 SRG-OS-000062-GPOS-00031 SRG-OS-000337-GPOS-00129 SRG-OS-000348-GPOS-00136 SRG-OS-000349-GPOS-00137 SRG-OS-000350-GPOS-00138 SRG-OS-000351-GPOS-00139 SRG-OS-000352-GPOS-00140 SRG-OS-000353-GPOS-00141 SRG-OS-000354-GPOS-00142 SRG-OS-000475-GPOS-00220)\n tag gid: 'V-238298 '\n tag rid: 'SV-238298r853421_rule '\n tag stig_id: 'UBTU-20-010182 '\n tag fix_id: 'F-41467r654068_fix '\n tag cci: %w(CCI-000130 CCI-000131 CCI-000132 CCI-000133 CCI-000134 CCI-000135 CCI-000154 CCI-000158 CCI-000169 CCI-000172 CCI-001875 CCI-001876 CCI-001877 CCI-001878 CCI-001879 CCI-001880 CCI-001881 CCI-001882 CCI-001914)\n tag nist: ['AU-3 a', 'AU-3 b', 'AU-3 c', 'AU-3 d', 'AU-3 e', 'AU-3 (1)', 'AU-6 (4)', 'AU-7 (1)', 'AU-12 a', 'AU-12 c', 'AU-7 a', 'AU-7 b', 'AU-12 (3)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('auditd') do\n it { should be_installed }\n end\n describe service('auditd') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238298.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.7e-05,"start_time":"2022-12-07T14:54:29-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238299","title":"The Ubuntu operating system must initiate session audits at system start-up. ","desc":"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created.","descriptions":[{"label":"default","data":"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created."},{"label":"check","data":"Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \"^\\s*linux\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \"audit=1\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\"/etc/default/grub\" file and add \"audit=1\" to the \"GRUB_CMDLINE_LINUX\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000254-GPOS-00095 ","gid":"V-238299 ","rid":"SV-238299r654072_rule ","stig_id":"UBTU-20-010198 ","fix_id":"F-41468r654071_fix ","cci":["CCI-001464"],"nist":["AU-14 (1)"]},"code":"control 'SV-238299' do\n title 'The Ubuntu operating system must initiate session audits at system start-up. '\n desc \"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created. \"\n desc 'check', \"Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \\\"^\\\\s*linux\\\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \\\"audit=1\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\\\"/etc/default/grub\\\" file and add \\\"audit=1\\\" to the \\\"GRUB_CMDLINE_LINUX\\\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000254-GPOS-00095 '\n tag gid: 'V-238299 '\n tag rid: 'SV-238299r654072_rule '\n tag stig_id: 'UBTU-20-010198 '\n tag fix_id: 'F-41468r654071_fix '\n tag cci: ['CCI-001464']\n tag nist: ['AU-14 (1)']\n\n grub_entries = command('grep \"^\\s*linux\" /boot/grub/grub.cfg').stdout.strip.split(\"\\n\").entries\n\n grub_entries.each do |entry|\n describe entry do\n it { should include 'audit=1' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238299.rb"},"waiver_data":{},"results":[]},{"id":"SV-238300","title":"The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the Ubuntu operating system configures the audit tools to have a file permission of\n0755 or less to prevent unauthorized access by running the following command:\n\n$ stat -c \"%n\n%a\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl 755\n/sbin/aureport 755\n\n/sbin/ausearch 755\n/sbin/autrace 755\n/sbin/auditd 755\n/sbin/audispd 755\n\n/sbin/augenrules 755\n\nIf any of the audit tools have a mode more permissive than 0755, this\nis a finding."},{"label":"fix","data":"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n$ sudo chmod\n0755 [audit_tool]\n\nReplace \"[audit_tool]\" with the audit tool that does not have the\ncorrect permissions."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000256-GPOS-00097 ","satisfies":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"],"gid":"V-238300 ","rid":"SV-238300r654075_rule ","stig_id":"UBTU-20-010199 ","fix_id":"F-41469r654074_fix ","cci":["CCI-001493","CCI-001494"],"nist":["AU-9 a","AU-9"]},"code":"control 'SV-238300' do\n title 'The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to have a file permission of\n0755 or less to prevent unauthorized access by running the following command:\n\n$ stat -c \\\"%n\n%a\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl 755\n/sbin/aureport 755\n\n/sbin/ausearch 755\n/sbin/autrace 755\n/sbin/auditd 755\n/sbin/audispd 755\n\n/sbin/augenrules 755\n\nIf any of the audit tools have a mode more permissive than 0755, this\nis a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n$ sudo chmod\n0755 [audit_tool]\n\nReplace \\\"[audit_tool]\\\" with the audit tool that does not have the\ncorrect permissions. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238300 '\n tag rid: 'SV-238300r654075_rule '\n tag stig_id: 'UBTU-20-010199 '\n tag fix_id: 'F-41469r654074_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238300.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.5e-05,"start_time":"2022-12-07T14:54:29-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238301","title":"The Ubuntu operating system must configure audit tools to be owned by root. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\"%n %U\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding."},{"label":"fix","data":"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not owned by root."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000256-GPOS-00097 ","satisfies":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"],"gid":"V-238301 ","rid":"SV-238301r654078_rule ","stig_id":"UBTU-20-010200 ","fix_id":"F-41470r654077_fix ","cci":["CCI-001493","CCI-001494"],"nist":["AU-9 a","AU-9"]},"code":"control 'SV-238301' do\n title 'The Ubuntu operating system must configure audit tools to be owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\\\"%n %U\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238301 '\n tag rid: 'SV-238301r654078_rule '\n tag stig_id: 'UBTU-20-010200 '\n tag fix_id: 'F-41470r654077_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238301.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.4e-05,"start_time":"2022-12-07T14:54:29-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238302","title":"The Ubuntu operating system must configure the audit tools to be group-owned by root. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \"%n %G\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding."},{"label":"fix","data":"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not group-owned by root."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000256-GPOS-00097 ","satisfies":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"],"gid":"V-238302 ","rid":"SV-238302r654081_rule ","stig_id":"UBTU-20-010201 ","fix_id":"F-41471r654080_fix ","cci":["CCI-001493","CCI-001494"],"nist":["AU-9 a","AU-9"]},"code":"control 'SV-238302' do\n title 'The Ubuntu operating system must configure the audit tools to be group-owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \\\"%n %G\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not group-owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238302 '\n tag rid: 'SV-238302r654081_rule '\n tag stig_id: 'UBTU-20-010201 '\n tag fix_id: 'F-41471r654080_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238302.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.2e-05,"start_time":"2022-12-07T14:54:29-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238303","title":"The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. ","desc":"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles.","descriptions":[{"label":"default","data":"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\/sbin\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding."},{"label":"fix","data":"Add or update the following selection lines for \"/etc/aide/aide.conf\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000278-GPOS-00108 ","gid":"V-238303 ","rid":"SV-238303r654084_rule ","stig_id":"UBTU-20-010205 ","fix_id":"F-41472r654083_fix ","cci":["CCI-001496"],"nist":["AU-9 (3)"]},"code":"control 'SV-238303' do\n title \"The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. \"\n desc \"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\\\/sbin\\\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding. \"\n desc 'fix', \"Add or update the following selection lines for \\\"/etc/aide/aide.conf\\\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000278-GPOS-00108 '\n tag gid: 'V-238303 '\n tag rid: 'SV-238303r654084_rule '\n tag stig_id: 'UBTU-20-010205 '\n tag fix_id: 'F-41472r654083_fix '\n tag cci: ['CCI-001496']\n tag nist: ['AU-9 (3)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n aide_conf = aide_conf input('aide_conf_path')\n\n aide_conf_exists = aide_conf.exist?\n\n if aide_conf_exists\n describe aide_conf.where { selection_line == '/sbin/auditctl' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/auditd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/ausearch' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/aureport' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/autrace' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/audispd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/augenrules' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n else\n describe 'aide.conf file exists' do\n subject { aide_conf_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238303.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.3e-05,"start_time":"2022-12-07T14:54:29-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238304","title":"The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. ","desc":"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.","descriptions":[{"label":"default","data":"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review."},{"label":"check","data":"Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \"execve\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000326-GPOS-00126 ","satisfies":["SRG-OS-000326-GPOS-00126","SRG-OS-000327-GPOS-00127"],"gid":"V-238304 ","rid":"SV-238304r853422_rule ","stig_id":"UBTU-20-010211 ","fix_id":"F-41473r654086_fix ","cci":["CCI-002233","CCI-002234"],"nist":["AC-6 (8)","AC-6 (9)"]},"code":"control 'SV-238304' do\n title \"The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. \"\n desc \"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \\\"execve\\\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000326-GPOS-00126 '\n tag satisfies: %w(SRG-OS-000326-GPOS-00126 SRG-OS-000327-GPOS-00127)\n tag gid: 'V-238304 '\n tag rid: 'SV-238304r853422_rule '\n tag stig_id: 'UBTU-20-010211 '\n tag fix_id: 'F-41473r654086_fix '\n tag cci: %w(CCI-002233 CCI-002234)\n tag nist: ['AC-6 (8)', 'AC-6 (9)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('execve').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('execve').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238304.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.2e-05,"start_time":"2022-12-07T14:54:29-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238305","title":"The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. ","desc":"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system.","descriptions":[{"label":"default","data":"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system."},{"label":"check","data":"Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \"/var/log/audit/\") with the following command:\n\n$\nsudo df –h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\"/var/log/audit\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du –sh [audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding."},{"label":"fix","data":"Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \"parted\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\s*=\\s*).*@\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint."}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000341-GPOS-00132 ","gid":"V-238305 ","rid":"SV-238305r853423_rule ","stig_id":"UBTU-20-010215 ","fix_id":"F-41474r654089_fix ","cci":["CCI-001849"],"nist":["AU-4"]},"code":"control 'SV-238305' do\n title \"The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. \"\n desc \"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system. \"\n desc 'check', \"Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \\\"/var/log/audit/\\\") with the following command:\n\n$\nsudo df –h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\\\"/var/log/audit\\\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du –sh [audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding. \"\n desc 'fix', \"Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \\\"parted\\\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\\\s*=\\\\s*).*@\\\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000341-GPOS-00132 '\n tag gid: 'V-238305 '\n tag rid: 'SV-238305r853423_rule '\n tag stig_id: 'UBTU-20-010215 '\n tag fix_id: 'F-41474r654089_fix '\n tag cci: ['CCI-001849']\n tag nist: ['AU-4']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n log_file_dir = File.dirname(log_file)\n available_storage = filesystem(log_file_dir).free_kb\n log_file_size = file(log_file).size\n standard_audit_log_size = input('standard_audit_log_size')\n describe('Current audit log file size is less than the specified standard of ' + standard_audit_log_size.to_s) do\n subject { log_file_size.to_i }\n it { should be <= standard_audit_log_size }\n end\n describe('Available storage for audit log should be more than the defined standard of ' + standard_audit_log_size.to_s) do\n subject { available_storage.to_i }\n it { should be > standard_audit_log_size }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238305.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.4e-05,"start_time":"2022-12-07T14:54:29-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238306","title":"The Ubuntu operating system audit event multiplexor must be configured to off-load audit\nlogs onto a different system or storage media from the system being audited. ","desc":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity.","descriptions":[{"label":"default","data":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity."},{"label":"check","data":"Verify the audit event multiplexor is configured to offload audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that audisp-remote plugin is\ninstalled:\n\n$ sudo dpkg -s audispd-plugins\n\nIf status is \"not installed\", this is a\nfinding.\n\nCheck that the records are being offloaded to a remote server with the following\ncommand:\n\n$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf\n\"active\" is not set to \"yes\", or the line is commented out, this is a finding.\n\nCheck that\naudisp-remote plugin is configured to send audit logs to a different system:\n\n$ sudo grep -i\n^remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 192.168.122.126\n\nIf\nthe \"remote_server\" parameter is not set, is set with a local address, or is set with an invalid\naddress, this is a finding."},{"label":"fix","data":"Configure the audit event multiplexor to offload audit records to a different system or\nstorage media from the system being audited.\n\nInstall the audisp-remote plugin:\n\n$ sudo\napt-get install audispd-plugins -y\n\nSet the audisp-remote plugin as active by editing the\n\"/etc/audisp/plugins.d/au-remote.conf\" file:\n\n$ sudo sed -i -E\n's/active\\s*=\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf\n\nSet the\naddress of the remote machine by editing the \"/etc/audisp/audisp-remote.conf\" file:\n\n$\nsudo sed -i -E 's/(remote_server\\s*=).*/\\1 <remote addr>/'\n/etc/audisp/audisp-remote.conf\n\nwhere <remote addr> must be substituted by the\naddress of the remote server receiving the audit log.\n\nMake the audit service reload its\nconfiguration files:\n\n$ sudo systemctl restart auditd.service"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000342-GPOS-00133 ","satisfies":["SRG-OS-000342-GPOS-00133","SRG-OS-000479-GPOS-00224"],"gid":"V-238306 ","rid":"SV-238306r853424_rule ","stig_id":"UBTU-20-010216 ","fix_id":"F-41475r654092_fix ","cci":["CCI-001851"],"nist":["AU-4 (1)"]},"code":"control 'SV-238306' do\n title \"The Ubuntu operating system audit event multiplexor must be configured to off-load audit\nlogs onto a different system or storage media from the system being audited. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity.\n\n \"\n desc 'check', \"Verify the audit event multiplexor is configured to offload audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that audisp-remote plugin is\ninstalled:\n\n$ sudo dpkg -s audispd-plugins\n\nIf status is \\\"not installed\\\", this is a\nfinding.\n\nCheck that the records are being offloaded to a remote server with the following\ncommand:\n\n$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf\n\\\"active\\\" is not set to \\\"yes\\\", or the line is commented out, this is a finding.\n\nCheck that\naudisp-remote plugin is configured to send audit logs to a different system:\n\n$ sudo grep -i\n^remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 192.168.122.126\n\nIf\nthe \\\"remote_server\\\" parameter is not set, is set with a local address, or is set with an invalid\naddress, this is a finding. \"\n desc 'fix', \"Configure the audit event multiplexor to offload audit records to a different system or\nstorage media from the system being audited.\n\nInstall the audisp-remote plugin:\n\n$ sudo\napt-get install audispd-plugins -y\n\nSet the audisp-remote plugin as active by editing the\n\\\"/etc/audisp/plugins.d/au-remote.conf\\\" file:\n\n$ sudo sed -i -E\n's/active\\\\s*=\\\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf\n\nSet the\naddress of the remote machine by editing the \\\"/etc/audisp/audisp-remote.conf\\\" file:\n\n$\nsudo sed -i -E 's/(remote_server\\\\s*=).*/\\\\1 <remote addr>/'\n/etc/audisp/audisp-remote.conf\n\nwhere <remote addr> must be substituted by the\naddress of the remote server receiving the audit log.\n\nMake the audit service reload its\nconfiguration files:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000342-GPOS-00133 '\n tag satisfies: %w(SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224)\n tag gid: 'V-238306 '\n tag rid: 'SV-238306r853424_rule '\n tag stig_id: 'UBTU-20-010216 '\n tag fix_id: 'F-41475r654092_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = input('audispremote_config_file')\n config_file_exists = file(config_file).exist?\n audit_sp_remote_server = input('audit_sp_remote_server')\n\n describe package('audispd-plugins') do\n it { should be_installed }\n end\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('active') { should cmp 'yes' }\n its('remote_server') { should cmp audit_sp_remote_server }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238306.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.1e-05,"start_time":"2022-12-07T14:54:29-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238307","title":"The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. ","desc":"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion.","descriptions":[{"label":"default","data":"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion."},{"label":"check","data":"Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \"space_left\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \"space_left_action\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \"space_left_action\" is set to \"syslog\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\"space_left_action\" is set to \"exec\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \"space_left_action\" is set\nto \"email\", check the value of the \"action_mail_acct\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \"action_mail_acct\" parameter, if missing, defaults to \"root\". If the\n\"action_mail_acct parameter\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available."},{"label":"fix","data":"Edit \"/etc/audit/auditd.conf\" and set the \"space_left_action\" parameter to \"exec\" or\n\"email\".\n\nIf the \"space_left_action\" parameter is set to \"email\", set the\n\"action_mail_acct\" parameter to an email address for the SA and ISSO.\n\nIf the\n\"space_left_action\" parameter is set to \"exec\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \"/etc/audit/auditd.conf\" and set the \"space_left\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity."}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000343-GPOS-00134 ","gid":"V-238307 ","rid":"SV-238307r853425_rule ","stig_id":"UBTU-20-010217 ","fix_id":"F-41476r654095_fix ","cci":["CCI-001855"],"nist":["AU-5 (1)"]},"code":"control 'SV-238307' do\n title \"The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. \"\n desc \"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion. \"\n desc 'check', \"Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \\\"space_left\\\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \\\"space_left_action\\\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \\\"space_left_action\\\" is set to \\\"syslog\\\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\\\"space_left_action\\\" is set to \\\"exec\\\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \\\"space_left_action\\\" is set\nto \\\"email\\\", check the value of the \\\"action_mail_acct\\\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \\\"action_mail_acct\\\" parameter, if missing, defaults to \\\"root\\\". If the\n\\\"action_mail_acct parameter\\\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available. \"\n desc 'fix', \"Edit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left_action\\\" parameter to \\\"exec\\\" or\n\\\"email\\\".\n\nIf the \\\"space_left_action\\\" parameter is set to \\\"email\\\", set the\n\\\"action_mail_acct\\\" parameter to an email address for the SA and ISSO.\n\nIf the\n\\\"space_left_action\\\" parameter is set to \\\"exec\\\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left\\\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000343-GPOS-00134 '\n tag gid: 'V-238307 '\n tag rid: 'SV-238307r853425_rule '\n tag stig_id: 'UBTU-20-010217 '\n tag fix_id: 'F-41476r654095_fix '\n tag cci: ['CCI-001855']\n tag nist: ['AU-5 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n email_to_notify = input('action_mail_acct')\n\n partition_threshold_mb = (filesystem(log_file).size_kb / 1024 * 0.25).to_i\n system_alert_configuration_mb = auditd_conf.space_left.to_i\n\n describe 'The space_left configuration' do\n subject { system_alert_configuration_mb }\n it { should >= partition_threshold_mb }\n end\n describe 'The space_left_action configuration' do\n subject { auditd_conf.space_left_action }\n it { should eq 'email' }\n end\n\n describe 'The action_mail_acct configuration' do\n subject { auditd_conf.action_mail_acct }\n it { should eq email_to_notify }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238307.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.6e-05,"start_time":"2022-12-07T14:54:29-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238308","title":"The Ubuntu operating system must record time stamps for audit records that can be mapped to\nCoordinated Universal Time (UTC) or Greenwich Mean Time (GMT). ","desc":"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.","descriptions":[{"label":"default","data":"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC."},{"label":"check","data":"To verify the time zone is configured to use UTC or GMT, run the following command.\n\n$\ntimedatectl status | grep -i \"time zone\"\nTimezone: UTC (UTC, +0000)\n\nIf \"Timezone\" is not\nset to UTC or GMT, this is a finding."},{"label":"fix","data":"To configure the system time zone to use UTC or GMT, run the following command, replacing\n[ZONE] with UTC or GMT:\n\n$ sudo timedatectl set-timezone [ZONE]"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000359-GPOS-00146 ","gid":"V-238308 ","rid":"SV-238308r853426_rule ","stig_id":"UBTU-20-010230 ","fix_id":"F-41477r654098_fix ","cci":["CCI-001890"],"nist":["AU-8 b"]},"code":"control 'SV-238308' do\n title \"The Ubuntu operating system must record time stamps for audit records that can be mapped to\nCoordinated Universal Time (UTC) or Greenwich Mean Time (GMT). \"\n desc \"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. \"\n desc 'check', \"To verify the time zone is configured to use UTC or GMT, run the following command.\n\n$\ntimedatectl status | grep -i \\\"time zone\\\"\nTimezone: UTC (UTC, +0000)\n\nIf \\\"Timezone\\\" is not\nset to UTC or GMT, this is a finding. \"\n desc 'fix', \"To configure the system time zone to use UTC or GMT, run the following command, replacing\n[ZONE] with UTC or GMT:\n\n$ sudo timedatectl set-timezone [ZONE] \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000359-GPOS-00146 '\n tag gid: 'V-238308 '\n tag rid: 'SV-238308r853426_rule '\n tag stig_id: 'UBTU-20-010230 '\n tag fix_id: 'F-41477r654098_fix '\n tag cci: ['CCI-001890']\n tag nist: ['AU-8 b']\n\n time_zone = command('timedatectl status | grep -i \"time zone\"').stdout.strip\n\n describe time_zone do\n it { should match 'UTC' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238308.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"is expected to match \"UTC\"","run_time":0.000488,"start_time":"2022-12-07T14:54:29-05:00","message":"expected \"\" to match \"UTC\"","resource_class":"Object","resource_params":"[]","resource_id":""}]},{"id":"SV-238309","title":"The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, diagnostic sessions and other system-level access. ","desc":"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.","descriptions":[{"label":"default","data":"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of\nan Ethernet switch."},{"label":"check","data":"Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000392-GPOS-00172 ","satisfies":["SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"gid":"V-238309 ","rid":"SV-238309r853427_rule ","stig_id":"UBTU-20-010244 ","fix_id":"F-41478r654101_fix ","cci":["CCI-000172","CCI-002884"],"nist":["AU-12 c","MA-4 (1) (a)"]},"code":"control 'SV-238309' do\n title \"The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, diagnostic sessions and other system-level access. \"\n desc \"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\\\"ping,\\\" \\\"ls,\\\" \\\"ipconfig,\\\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000392-GPOS-00172 '\n tag satisfies: %w(SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215)\n tag gid: 'V-238309 '\n tag rid: 'SV-238309r853427_rule '\n tag stig_id: 'UBTU-20-010244 '\n tag fix_id: 'F-41478r654101_fix '\n tag cci: %w(CCI-000172 CCI-002884)\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/sudo.log'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238309.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.5e-05,"start_time":"2022-12-07T14:54:30-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238310","title":"The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\|rename\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \"unlink\",\n\"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \"key\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events for any successful/unsuccessful use of\n\"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" system calls.\n\nAdd or update the\nfollowing rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000468-GPOS-00212 ","gid":"V-238310 ","rid":"SV-238310r832953_rule ","stig_id":"UBTU-20-010267 ","fix_id":"F-41479r832952_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238310' do\n title \"The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible. \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\\\|rename\\\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \\\"unlink\\\",\n\\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \\\"key\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events for any successful/unsuccessful use of\n\\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" system calls.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000468-GPOS-00212 '\n tag gid: 'V-238310 '\n tag rid: 'SV-238310r832953_rule '\n tag stig_id: 'UBTU-20-010267 '\n tag fix_id: 'F-41479r832952_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('unlink').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('unlink').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238310.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.4e-05,"start_time":"2022-12-07T14:54:30-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238315","title":"The Ubuntu operating system must generate audit records for the /var/log/wtmp file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/log/wtmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/log/wtmp\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000472-GPOS-00217 ","gid":"V-238315 ","rid":"SV-238315r654120_rule ","stig_id":"UBTU-20-010277 ","fix_id":"F-41484r654119_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238315' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238315 '\n tag rid: 'SV-238315r654120_rule '\n tag stig_id: 'UBTU-20-010277 '\n tag fix_id: 'F-41484r654119_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238315.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.2e-05,"start_time":"2022-12-07T14:54:30-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238316","title":"The Ubuntu operating system must generate audit records for the /var/run/wtmp file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/run/wtmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/run/wtmp\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000472-GPOS-00217 ","gid":"V-238316 ","rid":"SV-238316r654123_rule ","stig_id":"UBTU-20-010278 ","fix_id":"F-41485r654122_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238316' do\n title 'The Ubuntu operating system must generate audit records for the /var/run/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/run/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/run/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238316 '\n tag rid: 'SV-238316r654123_rule '\n tag stig_id: 'UBTU-20-010278 '\n tag fix_id: 'F-41485r654122_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/run/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238316.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.4e-05,"start_time":"2022-12-07T14:54:30-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238317","title":"The Ubuntu operating system must generate audit records for the /var/log/btmp file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/log/btmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/log/btmp file\".\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000472-GPOS-00217 ","gid":"V-238317 ","rid":"SV-238317r654126_rule ","stig_id":"UBTU-20-010279 ","fix_id":"F-41486r654125_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238317' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/btmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/btmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/btmp file\\\".\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238317 '\n tag rid: 'SV-238317r654126_rule '\n tag stig_id: 'UBTU-20-010279 '\n tag fix_id: 'F-41486r654125_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/btmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238317.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.8e-05,"start_time":"2022-12-07T14:54:30-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238318","title":"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \"modprobe\" by running the following command:\n\n$ sudo auditctl -l | grep\n\"/sbin/modprobe\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \"modprobe\".\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000477-GPOS-00222 ","gid":"V-238318 ","rid":"SV-238318r654129_rule ","stig_id":"UBTU-20-010296 ","fix_id":"F-41487r654128_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238318' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"modprobe\\\" by running the following command:\n\n$ sudo auditctl -l | grep\n\\\"/sbin/modprobe\\\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"modprobe\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238318 '\n tag rid: 'SV-238318r654129_rule '\n tag stig_id: 'UBTU-20-010296 '\n tag fix_id: 'F-41487r654128_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/modprobe'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238318.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.8e-05,"start_time":"2022-12-07T14:54:30-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238319","title":"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \"kmod\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \"kmod\".\n\nAdd or update the following rule in the \"/etc/audit/rules.d/stig.rules\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000477-GPOS-00222 ","gid":"V-238319 ","rid":"SV-238319r654132_rule ","stig_id":"UBTU-20-010297 ","fix_id":"F-41488r654131_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238319' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"kmod\\\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"kmod\\\".\n\nAdd or update the following rule in the \\\"/etc/audit/rules.d/stig.rules\\\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238319 '\n tag rid: 'SV-238319r654132_rule '\n tag stig_id: 'UBTU-20-010297 '\n tag fix_id: 'F-41488r654131_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/kmod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238319.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.1e-05,"start_time":"2022-12-07T14:54:30-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238320","title":"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \"fdisk\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \"fdisk\".\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000477-GPOS-00222 ","gid":"V-238320 ","rid":"SV-238320r832956_rule ","stig_id":"UBTU-20-010298 ","fix_id":"F-41489r832955_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238320' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \\\"fdisk\\\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \\\"fdisk\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238320 '\n tag rid: 'SV-238320r832956_rule '\n tag stig_id: 'UBTU-20-010298 '\n tag fix_id: 'F-41489r832955_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/fdisk'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238320.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.4e-05,"start_time":"2022-12-07T14:54:30-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238321","title":"The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. ","desc":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity.","descriptions":[{"label":"default","data":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity."},{"label":"check","data":"Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\"/etc/cron.weekly\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding."},{"label":"fix","data":"Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \"/etc/cron.weekly\" directory."}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000479-GPOS-00224 ","gid":"V-238321 ","rid":"SV-238321r853428_rule ","stig_id":"UBTU-20-010300 ","fix_id":"F-41490r654137_fix ","cci":["CCI-001851"],"nist":["AU-4 (1)"]},"code":"control 'SV-238321' do\n title \"The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity. \"\n desc 'check', \"Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\\\"/etc/cron.weekly\\\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding. \"\n desc 'fix', \"Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \\\"/etc/cron.weekly\\\" directory. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000479-GPOS-00224 '\n tag gid: 'V-238321 '\n tag rid: 'SV-238321r853428_rule '\n tag stig_id: 'UBTU-20-010300 '\n tag fix_id: 'F-41490r654137_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n\n cron_file = input('auditoffload_config_file')\n cron_file_exists = file(cron_file).exist?\n\n if cron_file_exists\n describe file(cron_file) do\n its('content') { should_not be_empty }\n end\n else\n describe cron_file + ' exists' do\n subject { cron_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238321.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/cron.weekly/audit-offload exists is expected to equal true","run_time":0.001096,"start_time":"2022-12-07T14:54:30-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/cron.weekly/audit-offload exists"}]},{"id":"SV-238323","title":"The Ubuntu operating system must limit the number of concurrent sessions to ten for all\naccounts and/or account types. ","desc":"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system.","descriptions":[{"label":"default","data":"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system."},{"label":"check","data":"Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all\naccounts and/or account types by running the following command:\n\n$ grep maxlogins\n/etc/security/limits.conf | grep -v '^* hard maxlogins'\n\nThe result must contain the\nfollowing line:\n\n* hard maxlogins 10\n\nIf the \"maxlogins\" item is missing or the value is not\nset to 10 or less or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all\naccounts and/or account types.\n\nAdd the following line to the top of the\n\"/etc/security/limits.conf\" file:\n\n* hard maxlogins 10"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000027-GPOS-00008 ","gid":"V-238323 ","rid":"SV-238323r654144_rule ","stig_id":"UBTU-20-010400 ","fix_id":"F-41492r654143_fix ","cci":["CCI-000054"],"nist":["AC-10"]},"code":"control 'SV-238323' do\n title \"The Ubuntu operating system must limit the number of concurrent sessions to ten for all\naccounts and/or account types. \"\n desc \"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system. \"\n desc 'check', \"Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all\naccounts and/or account types by running the following command:\n\n$ grep maxlogins\n/etc/security/limits.conf | grep -v '^* hard maxlogins'\n\nThe result must contain the\nfollowing line:\n\n* hard maxlogins 10\n\nIf the \\\"maxlogins\\\" item is missing or the value is not\nset to 10 or less or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all\naccounts and/or account types.\n\nAdd the following line to the top of the\n\\\"/etc/security/limits.conf\\\" file:\n\n* hard maxlogins 10 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000027-GPOS-00008 '\n tag gid: 'V-238323 '\n tag rid: 'SV-238323r654144_rule '\n tag stig_id: 'UBTU-20-010400 '\n tag fix_id: 'F-41492r654143_fix '\n tag cci: ['CCI-000054']\n tag nist: ['AC-10']\n\n describe limits_conf do\n its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238323.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"limits.conf * is expected to include [\"hard\", \"maxlogins\", \"10\"]","run_time":0.003115,"start_time":"2022-12-07T14:54:31-05:00","message":"expected nil to include [\"hard\", \"maxlogins\", \"10\"], but it does not respond to `include?`","resource_class":"limits_conf","resource_params":"[]","resource_id":"/etc/security/limits.conf"}]},{"id":"SV-238324","title":"The Ubuntu operating system must monitor remote access methods. ","desc":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets).","descriptions":[{"label":"default","data":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets)."},{"label":"check","data":"Verify that the Ubuntu operating system monitors all remote access methods.\n\nCheck that\nremote access methods are being logged by running the following command:\n\n$ grep -E -r\n'^(auth,authpriv\\.\\*|daemon\\.\\*)' /etc/rsyslog.*\n\n/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log\n\n/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages\n\nIf \"auth.*\",\n\"authpriv.*\", or \"daemon.*\" are not configured to be logged in at least one of the config\nfiles, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to monitor all remote access methods by adding the\nfollowing lines to the \"/etc/rsyslog.d/50-default.conf\" file:\n\nauth.*,authpriv.*\n/var/log/secure\ndaemon.* /var/log/messages\n\nFor the changes to take effect, restart the\n\"rsyslog\" service with the following command:\n\n$ sudo systemctl restart rsyslog.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000032-GPOS-00013 ","gid":"V-238324 ","rid":"SV-238324r832959_rule ","stig_id":"UBTU-20-010403 ","fix_id":"F-41493r832958_fix ","cci":["CCI-000067"],"nist":["AC-17 (1)"]},"code":"control 'SV-238324' do\n title 'The Ubuntu operating system must monitor remote access methods. '\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify that the Ubuntu operating system monitors all remote access methods.\n\nCheck that\nremote access methods are being logged by running the following command:\n\n$ grep -E -r\n'^(auth,authpriv\\\\.\\\\*|daemon\\\\.\\\\*)' /etc/rsyslog.*\n\n/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log\n\n/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages\n\nIf \\\"auth.*\\\",\n\\\"authpriv.*\\\", or \\\"daemon.*\\\" are not configured to be logged in at least one of the config\nfiles, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to monitor all remote access methods by adding the\nfollowing lines to the \\\"/etc/rsyslog.d/50-default.conf\\\" file:\n\nauth.*,authpriv.*\n/var/log/secure\ndaemon.* /var/log/messages\n\nFor the changes to take effect, restart the\n\\\"rsyslog\\\" service with the following command:\n\n$ sudo systemctl restart rsyslog.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000032-GPOS-00013 '\n tag gid: 'V-238324 '\n tag rid: 'SV-238324r832959_rule '\n tag stig_id: 'UBTU-20-010403 '\n tag fix_id: 'F-41493r832958_fix '\n tag cci: ['CCI-000067']\n tag nist: ['AC-17 (1)']\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*\\t\\s*(.*?)\\s*$/,\n }\n config_file = input('rsyslog_config_file')\n auth_setting = parse_config_file(config_file, options).params['auth,authpriv.*']\n daemon_setting = parse_config_file(config_file, options).params['daemon.notice']\n describe auth_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\n describe daemon_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238324.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"is expected not to be nil","run_time":0.000155,"start_time":"2022-12-07T14:54:31-05:00","message":"expected: not nil\n got: nil","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected not to be empty","run_time":0.003262,"start_time":"2022-12-07T14:54:31-05:00","message":"expected nil to respond to `empty?`","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected not to be nil","run_time":0.000165,"start_time":"2022-12-07T14:54:31-05:00","message":"expected: not nil\n got: nil","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected not to be empty","run_time":0.004608,"start_time":"2022-12-07T14:54:31-05:00","message":"expected nil to respond to `empty?`","resource_class":"Object","resource_params":"[]","resource_id":""}]},{"id":"SV-238325","title":"The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. ","desc":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.","descriptions":[{"label":"default","data":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised."},{"label":"check","data":"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \"ENCRYPT_METHOD\" does not equal SHA512 or\ngreater, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \"/etc/login.defs\" file and set \"ENCRYPT_METHOD\" to SHA512:\n\n\nENCRYPT_METHOD SHA512"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000120-GPOS-00061 ","gid":"V-238325 ","rid":"SV-238325r654150_rule ","stig_id":"UBTU-20-010404 ","fix_id":"F-41494r654149_fix ","cci":["CCI-000803"],"nist":["IA-7"]},"code":"control 'SV-238325' do\n title \"The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. \"\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \\\"ENCRYPT_METHOD\\\" does not equal SHA512 or\ngreater, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \\\"/etc/login.defs\\\" file and set \\\"ENCRYPT_METHOD\\\" to SHA512:\n\n\nENCRYPT_METHOD SHA512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000120-GPOS-00061 '\n tag gid: 'V-238325 '\n tag rid: 'SV-238325r654150_rule '\n tag stig_id: 'UBTU-20-010404 '\n tag fix_id: 'F-41494r654149_fix '\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n\n disable_fips = input('disable_fips')\n\n if disable_fips?\n impact 0.0\n describe 'Control not applicable' do\n skip 'Control not applicable'\n end\n elsif virtualization.system.eql?('docker')\n describe 'Manual test' do\n skip 'This control must be reviewed manually'\n end\n else\n describe login_defs do\n its('ENCRYPT_METHOD') { should eq 'SHA512' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238325.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238325.rb:1 ","run_time":0.004259,"start_time":"2022-12-07T14:54:31-05:00","message":"undefined method `disable_fips?' for #\"Passwords need to be protected at all times, and encryption is the standard method for\\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\\ntext) and easily compromised.\", :check=>\"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\\n140-2 approved cryptographic hashing algorithm.\\n\\nCheck the hashing algorithm that is\\nbeing used to hash passwords with the following command:\\n\\n$ cat /etc/login.defs | grep -i\\nencrypt_method\\n\\nENCRYPT_METHOD SHA512\\n\\nIf \\\"ENCRYPT_METHOD\\\" does not equal SHA512 or\\ngreater, this is a finding.\", :fix=>\"Configure the Ubuntu operating system to encrypt all stored passwords.\\n\\nEdit/modify the\\nfollowing line in the \\\"/etc/login.defs\\\" file and set \\\"ENCRYPT_METHOD\\\" to SHA512:\\n\\n\\nENCRYPT_METHOD SHA512\"}, @refs=[], @tags={:severity=>\"medium \", :gtitle=>\"SRG-OS-000120-GPOS-00061 \", :gid=>\"V-238325 \", :rid=>\"SV-238325r654150_rule \", :stig_id=>\"UBTU-20-010404 \", :fix_id=>\"F-41494r654149_fix \", :cci=>[\"CCI-000803\"], :nist=>[\"IA-7\"]}, @resource_dsl=#, @__code=nil, @__block=#, @__source_location={:ref=>\"./controls/SV-238325.rb\", :line=>1}, @__rule_id=\"SV-238325\", @__profile_id=\"Canonical_Ubuntu_20-04_LTS_STIG\", @__checks=[[\"describe\", [\"Control Source Code Error\"], #]], @__skip_rule={}, @__merge_count=0, @__merge_changes=[], @__skip_only_if_eval=false, @__file=\"./controls/SV-238325.rb\", @__group_title=nil>","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238325.rb:1"}]},{"id":"SV-238326","title":"The Ubuntu operating system must not have the telnet package installed. ","desc":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.","descriptions":[{"label":"default","data":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised."},{"label":"check","data":"Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding."},{"label":"fix","data":"Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000074-GPOS-00042 ","gid":"V-238326 ","rid":"SV-238326r654153_rule ","stig_id":"UBTU-20-010405 ","fix_id":"F-41495r654152_fix ","cci":["CCI-000197"],"nist":["IA-5 (1) (c)"]},"code":"control 'SV-238326' do\n title 'The Ubuntu operating system must not have the telnet package installed. '\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding. \"\n desc 'fix', \"Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000074-GPOS-00042 '\n tag gid: 'V-238326 '\n tag rid: 'SV-238326r654153_rule '\n tag stig_id: 'UBTU-20-010405 '\n tag fix_id: 'F-41495r654152_fix '\n tag cci: ['CCI-000197']\n tag nist: ['IA-5 (1) (c)']\n\n describe package('telnetd') do\n it { should_not be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238326.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"System Package telnetd is expected not to be installed","run_time":0.086291,"start_time":"2022-12-07T14:54:31-05:00","resource_class":"package","resource_params":"[\"telnetd\"]","resource_id":"telnetd"}]},{"id":"SV-238327","title":"The Ubuntu operating system must not have the rsh-server package installed. ","desc":"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.","descriptions":[{"label":"default","data":"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled."},{"label":"check","data":"Verify the rsh-server package is installed with the following command:\n\n$ dpkg -l | grep\nrsh-server\n\nIf the rsh-server package is installed, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to disable non-essential capabilities by removing\nthe rsh-server package from the system with the following command:\n\n$ sudo apt-get remove\nrsh-server"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000095-GPOS-00049 ","gid":"V-238327 ","rid":"SV-238327r654156_rule ","stig_id":"UBTU-20-010406 ","fix_id":"F-41496r654155_fix ","cci":["CCI-000381"],"nist":["CM-7 a"]},"code":"control 'SV-238327' do\n title 'The Ubuntu operating system must not have the rsh-server package installed. '\n desc \"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled. \"\n desc 'check', \"Verify the rsh-server package is installed with the following command:\n\n$ dpkg -l | grep\nrsh-server\n\nIf the rsh-server package is installed, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable non-essential capabilities by removing\nthe rsh-server package from the system with the following command:\n\n$ sudo apt-get remove\nrsh-server \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000095-GPOS-00049 '\n tag gid: 'V-238327 '\n tag rid: 'SV-238327r654156_rule '\n tag stig_id: 'UBTU-20-010406 '\n tag fix_id: 'F-41496r654155_fix '\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n\n describe package('rsh-server') do\n it { should_not be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238327.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"System Package rsh-server is expected not to be installed","run_time":0.068081,"start_time":"2022-12-07T14:54:31-05:00","resource_class":"package","resource_params":"[\"rsh-server\"]","resource_id":"rsh-server"}]},{"id":"SV-238328","title":"The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. ","desc":"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues.","descriptions":[{"label":"default","data":"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues."},{"label":"check","data":"Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding."},{"label":"fix","data":"Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \"in\" or \"out\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service>"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000096-GPOS-00050 ","gid":"V-238328 ","rid":"SV-238328r654159_rule ","stig_id":"UBTU-20-010407 ","fix_id":"F-41497r654158_fix ","cci":["CCI-000382"],"nist":["CM-7 b"]},"code":"control 'SV-238328' do\n title \"The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. \"\n desc \"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding. \"\n desc 'fix', \"Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \\\"in\\\" or \\\"out\\\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000096-GPOS-00050 '\n tag gid: 'V-238328 '\n tag rid: 'SV-238328r654159_rule '\n tag stig_id: 'UBTU-20-010407 '\n tag fix_id: 'F-41497r654158_fix '\n tag cci: ['CCI-000382']\n tag nist: ['CM-7 b']\n\n ufw_status = command('ufw status').stdout.strip.lines.first\n value = ufw_status.split(':')[1].strip\n\n describe 'UFW status' do\n subject { value }\n it { should cmp 'active' }\n end\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238328.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238328.rb:1 ","run_time":0.001869,"start_time":"2022-12-07T14:54:31-05:00","message":"undefined method `split' for nil:NilClass","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238328.rb:1"}]},{"id":"SV-238329","title":"The Ubuntu operating system must prevent direct login into the root account. ","desc":"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge.","descriptions":[{"label":"default","data":"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge."},{"label":"check","data":"Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \"L\" in the second field to indicate the account is locked, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000109-GPOS-00056 ","gid":"V-238329 ","rid":"SV-238329r654162_rule ","stig_id":"UBTU-20-010408 ","fix_id":"F-41498r654161_fix ","cci":["CCI-000770"],"nist":["IA-2 (5)"]},"code":"control 'SV-238329' do\n title 'The Ubuntu operating system must prevent direct login into the root account. '\n desc \"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\\\"root\\\" user account, the Windows \\\"Administrator\\\" account, the \\\"sa\\\" account, or a \\\"helpdesk\\\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge. \"\n desc 'check', \"Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \\\"L\\\" in the second field to indicate the account is locked, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000109-GPOS-00056 '\n tag gid: 'V-238329 '\n tag rid: 'SV-238329r654162_rule '\n tag stig_id: 'UBTU-20-010408 '\n tag fix_id: 'F-41498r654161_fix '\n tag cci: ['CCI-000770']\n tag nist: ['IA-2 (5)']\n\n describe.one do\n describe shadow.where(user: 'root') do\n its('passwords.uniq.first') { should eq '!*' }\n end\n end\n describe command('passwd -S root').stdout.strip do\n it { should match /^root\\s+L\\s+.*$/ }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238329.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/shadow with user == \"root\" passwords.uniq.first is expected to eq \"!*\"","run_time":0.000979,"start_time":"2022-12-07T14:54:31-05:00","message":"\nexpected: \"!*\"\n got: \"*\"\n\n(compared using ==)\n","exception":"RSpec::Core::MultipleExceptionError","resource_class":"FilterTable::Table","resource_params":"[]","resource_id":""},{"status":"passed","code_desc":"root L 10/18/2022 0 99999 7 -1 is expected to match /^root\\s+L\\s+.*$/","run_time":0.000305,"start_time":"2022-12-07T14:54:31-05:00","resource_class":"Object","resource_params":"[]","resource_id":"root L 10/18/2022 0 99999 7 -1"}]},{"id":"SV-238330","title":"The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. ","desc":"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity.","descriptions":[{"label":"default","data":"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity."},{"label":"check","data":"Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \"INACTIVE\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \"0\" will disable the account immediately after the\npassword expires."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000118-GPOS-00060 ","gid":"V-238330 ","rid":"SV-238330r654165_rule ","stig_id":"UBTU-20-010409 ","fix_id":"F-41499r654164_fix ","cci":["CCI-000795"],"nist":["IA-4 e"]},"code":"control 'SV-238330' do\n title \"The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. \"\n desc \"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity. \"\n desc 'check', \"Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \\\"INACTIVE\\\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \\\"0\\\" will disable the account immediately after the\npassword expires. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000118-GPOS-00060 '\n tag gid: 'V-238330 '\n tag rid: 'SV-238330r654165_rule '\n tag stig_id: 'UBTU-20-010409 '\n tag fix_id: 'F-41499r654164_fix '\n tag cci: ['CCI-000795']\n tag nist: ['IA-4 e']\n\n config_file = input('useradd_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('INACTIVE') { should cmp > '0' }\n its('INACTIVE') { should cmp <= 35 }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238330.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Parse Config File /etc/default/useradd INACTIVE is expected to cmp > \"0\"","run_time":0.001289,"start_time":"2022-12-07T14:54:31-05:00","message":"\nexpected it to be > \"0\"\n got: \n\n(compared using `cmp` matcher)\n","resource_class":"parse_config_file","resource_params":"[\"/etc/default/useradd\"]","resource_id":"/etc/default/useradd"},{"status":"failed","code_desc":"Parse Config File /etc/default/useradd INACTIVE is expected to cmp <= 35","run_time":0.001169,"start_time":"2022-12-07T14:54:32-05:00","message":"\nexpected it to be <= 35\n got: \n\n(compared using `cmp` matcher)\n","resource_class":"parse_config_file","resource_params":"[\"/etc/default/useradd\"]","resource_id":"/etc/default/useradd"}]},{"id":"SV-238331","title":"The Ubuntu operating system must automatically remove or disable emergency accounts after\n72 hours. ","desc":"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts.","descriptions":[{"label":"default","data":"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts."},{"label":"check","data":"Verify the Ubuntu operating system expires emergency accounts within 72 hours or less.\n\nFor\nevery emergency account, run the following command to obtain its account expiration\ninformation:\n\n$ sudo chage -l account_name | grep expires\n\nPassword expires : Aug 07, 2019\n\nAccount expires : Aug 07, 2019\n\nVerify each of these accounts has an expiration date set\nwithin 72 hours of account creation.\n\nIf any of these accounts do not expire within 72 hours of\nthat account's creation, this is a finding."},{"label":"fix","data":"If an emergency account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it. Substitute\n\"account_name\" with the account to be created.\n\n$ sudo chage -E $(date -d \"+3 days\" +%F)\naccount_name"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000123-GPOS-00064 ","gid":"V-238331 ","rid":"SV-238331r654168_rule ","stig_id":"UBTU-20-010410 ","fix_id":"F-41500r654167_fix ","cci":["CCI-001682"],"nist":["AC-2 (2)"]},"code":"control 'SV-238331' do\n title \"The Ubuntu operating system must automatically remove or disable emergency accounts after\n72 hours. \"\n desc \"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts. \"\n desc 'check', \"Verify the Ubuntu operating system expires emergency accounts within 72 hours or less.\n\nFor\nevery emergency account, run the following command to obtain its account expiration\ninformation:\n\n$ sudo chage -l account_name | grep expires\n\nPassword expires : Aug 07, 2019\n\nAccount expires : Aug 07, 2019\n\nVerify each of these accounts has an expiration date set\nwithin 72 hours of account creation.\n\nIf any of these accounts do not expire within 72 hours of\nthat account's creation, this is a finding. \"\n desc 'fix', \"If an emergency account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it. Substitute\n\\\"account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\" +%F)\naccount_name \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000123-GPOS-00064 '\n tag gid: 'V-238331 '\n tag rid: 'SV-238331r654168_rule '\n tag stig_id: 'UBTU-20-010410 '\n tag fix_id: 'F-41500r654167_fix '\n tag cci: ['CCI-001682']\n tag nist: ['AC-2 (2)']\n\n describe 'Manual verification required' do\n skip 'Manually verify if emergency account must be created\n the system must terminate the account after a 72 hour time period.'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238331.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Manual verification required","run_time":1.8e-05,"start_time":"2022-12-07T14:54:32-05:00","resource":"","skip_message":"Manually verify if emergency account must be created\n the system must terminate the account after a 72 hour time period.","resource_class":"Object","resource_params":"[]","resource_id":"Manual verification required"}]},{"id":"SV-238332","title":"The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. ","desc":"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components.","descriptions":[{"label":"default","data":"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components."},{"label":"check","data":"Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding."},{"label":"fix","data":"Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \"[Public Directory]\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000138-GPOS-00069 ","gid":"V-238332 ","rid":"SV-238332r654171_rule ","stig_id":"UBTU-20-010411 ","fix_id":"F-41501r654170_fix ","cci":["CCI-001090"],"nist":["SC-4"]},"code":"control 'SV-238332' do\n title \"The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. \"\n desc \"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components. \"\n desc 'check', \"Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding. \"\n desc 'fix', \"Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \\\"[Public Directory]\\\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000138-GPOS-00069 '\n tag gid: 'V-238332 '\n tag rid: 'SV-238332r654171_rule '\n tag stig_id: 'UBTU-20-010411 '\n tag fix_id: 'F-41501r654170_fix '\n tag cci: ['CCI-001090']\n tag nist: ['SC-4']\n\n lines = command('find / -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null').stdout.strip.split(\"\\n\").entries\n if lines.count > 0\n lines.each do |line|\n dir = line.strip\n describe directory(dir) do\n it { should be_sticky }\n end\n end\n else\n describe 'Sticky bit has been set on all world writable directories' do\n subject { lines }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238332.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Sticky bit has been set on all world writable directories count is expected to eq 0","run_time":0.001558,"start_time":"2022-12-07T14:54:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238333","title":"The Ubuntu operating system must be configured to use TCP syncookies. ","desc":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning.","descriptions":[{"label":"default","data":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning."},{"label":"check","data":"Verify the Ubuntu operating system is configured to use TCP syncookies.\n\nCheck the value of\nTCP syncookies with the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \"1\", this is a finding.\n\nCheck the saved\nvalue of TCP syncookies with the following command:\n\n$ sudo grep -i\nnet.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#'\n\nIf no output is\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to use TCP syncookies by running the following\ncommand:\n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \"1\" is not the system's default\nvalue, add or update the following line in \"/etc/sysctl.conf\":\n\nnet.ipv4.tcp_syncookies\n= 1"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000142-GPOS-00071 ","gid":"V-238333 ","rid":"SV-238333r654174_rule ","stig_id":"UBTU-20-010412 ","fix_id":"F-41502r654173_fix ","cci":["CCI-001095"],"nist":["SC-5 (2)"]},"code":"control 'SV-238333' do\n title 'The Ubuntu operating system must be configured to use TCP syncookies. '\n desc \"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use TCP syncookies.\n\nCheck the value of\nTCP syncookies with the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \\\"1\\\", this is a finding.\n\nCheck the saved\nvalue of TCP syncookies with the following command:\n\n$ sudo grep -i\nnet.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#'\n\nIf no output is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use TCP syncookies by running the following\ncommand:\n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \\\"1\\\" is not the system's default\nvalue, add or update the following line in \\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.tcp_syncookies\n= 1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000142-GPOS-00071 '\n tag gid: 'V-238333 '\n tag rid: 'SV-238333r654174_rule '\n tag stig_id: 'UBTU-20-010412 '\n tag fix_id: 'F-41502r654173_fix '\n tag cci: ['CCI-001095']\n tag nist: ['SC-5 (2)']\n\n describe kernel_parameter('net.ipv4.tcp_syncookies') do\n its('value') { should cmp 1 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238333.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Kernel Parameter net.ipv4.tcp_syncookies value is expected to cmp == 1","run_time":0.078525,"start_time":"2022-12-07T14:54:32-05:00","resource_class":"kernel_parameter","resource_params":"[\"net.ipv4.tcp_syncookies\"]","resource_id":"net.ipv4.tcp_syncookies"}]},{"id":"SV-238334","title":"The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state\nif system initialization fails, shutdown fails or aborts fail. ","desc":"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition.","descriptions":[{"label":"default","data":"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition."},{"label":"check","data":"Verify that kernel core dumps are disabled unless needed.\n\nCheck if \"kdump\" service is\nactive with the following command:\n\n$ systemctl is-active kdump.service\ninactive\n\nIf\nthe \"kdump\" service is active, ask the SA if the use of the service is required and documented\nwith the ISSO.\n\nIf the service is active and is not documented, this is a finding."},{"label":"fix","data":"If kernel core dumps are not required, disable the \"kdump\" service with the following\ncommand:\n\n$ sudo systemctl disable kdump.service\n\nIf kernel core dumps are required,\ndocument the need with the ISSO."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000184-GPOS-00078 ","gid":"V-238334 ","rid":"SV-238334r654177_rule ","stig_id":"UBTU-20-010413 ","fix_id":"F-41503r654176_fix ","cci":["CCI-001190"],"nist":["SC-24"]},"code":"control 'SV-238334' do\n title \"The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state\nif system initialization fails, shutdown fails or aborts fail. \"\n desc \"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition. \"\n desc 'check', \"Verify that kernel core dumps are disabled unless needed.\n\nCheck if \\\"kdump\\\" service is\nactive with the following command:\n\n$ systemctl is-active kdump.service\ninactive\n\nIf\nthe \\\"kdump\\\" service is active, ask the SA if the use of the service is required and documented\nwith the ISSO.\n\nIf the service is active and is not documented, this is a finding. \"\n desc 'fix', \"If kernel core dumps are not required, disable the \\\"kdump\\\" service with the following\ncommand:\n\n$ sudo systemctl disable kdump.service\n\nIf kernel core dumps are required,\ndocument the need with the ISSO. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000184-GPOS-00078 '\n tag gid: 'V-238334 '\n tag rid: 'SV-238334r654177_rule '\n tag stig_id: 'UBTU-20-010413 '\n tag fix_id: 'F-41503r654176_fix '\n tag cci: ['CCI-001190']\n tag nist: ['SC-24']\n\n is_kdump_required = input('is_kdump_required')\n if is_kdump_required\n describe service('kdump') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\n else\n describe service('kdump') do\n it { should_not be_enabled }\n it { should_not be_installed }\n it { should_not be_running }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238334.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Service kdump is expected not to be enabled","run_time":0.05643,"start_time":"2022-12-07T14:54:32-05:00","resource_class":"service","resource_params":"[\"kdump\"]","resource_id":"kdump"},{"status":"passed","code_desc":"Service kdump is expected not to be installed","run_time":0.000697,"start_time":"2022-12-07T14:54:32-05:00","resource_class":"service","resource_params":"[\"kdump\"]","resource_id":"kdump"},{"status":"passed","code_desc":"Service kdump is expected not to be running","run_time":0.000372,"start_time":"2022-12-07T14:54:32-05:00","resource_class":"service","resource_params":"[\"kdump\"]","resource_id":"kdump"}]},{"id":"SV-238335","title":"Ubuntu operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. ","desc":"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation.","descriptions":[{"label":"default","data":"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation."},{"label":"check","data":"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding."},{"label":"fix","data":"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000185-GPOS-00079 ","gid":"V-238335 ","rid":"SV-238335r654180_rule ","stig_id":"UBTU-20-010414 ","fix_id":"F-41504r654179_fix ","cci":["CCI-001199"],"nist":["SC-28"]},"code":"control 'SV-238335' do\n title \"Ubuntu operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. \"\n desc \"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation. \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000185-GPOS-00079 '\n tag gid: 'V-238335 '\n tag rid: 'SV-238335r654180_rule '\n tag stig_id: 'UBTU-20-010414 '\n tag fix_id: 'F-41504r654179_fix '\n tag cci: ['CCI-001199']\n tag nist: ['SC-28']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238335.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Not Applicable","run_time":1.2e-05,"start_time":"2022-12-07T14:54:32-05:00","resource":"","skip_message":"Encryption of data at rest is handled by the IaaS","resource_class":"Object","resource_params":"[]","resource_id":"Not Applicable"}]},{"id":"SV-238336","title":"The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention\n(ENSLTP). ","desc":"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement.","descriptions":[{"label":"default","data":"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement."},{"label":"check","data":"The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.\nHowever, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and\nrunning.\n\nCheck that the \"mcafeetp\" package has been installed:\n\n# dpkg -l | grep mcafeetp\n\n\nIf the \"mcafeetp\" package is not installed, this finding will remain as a CAT II.\n\nCheck that\nthe daemon is running:\n\n# /opt/McAfee/ens/tp/init/mfetpd-control.sh status\n\nIf the\ndaemon is not running, this finding will remain as a CAT II."},{"label":"fix","data":"The Ubuntu operating system is not compliant with this requirement; however, the severity\nlevel can be mitigated to a CAT III if the ENSLTP module is installed and running.\n\nConfigure\nthe Ubuntu operating system to use ENSLTP.\n\nInstall the \"mcafeetp\" package via the ePO\nserver."}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000191-GPOS-00080 ","gid":"V-238336 ","rid":"SV-238336r858538_rule ","stig_id":"UBTU-20-010415 ","fix_id":"F-41505r858537_fix ","cci":["CCI-001233"],"nist":["SI-2 (2)"]},"code":"control 'SV-238336' do\n title \"The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention\n(ENSLTP). \"\n desc \"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement. \"\n desc 'check', \"The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.\nHowever, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and\nrunning.\n\nCheck that the \\\"mcafeetp\\\" package has been installed:\n\n# dpkg -l | grep mcafeetp\n\n\nIf the \\\"mcafeetp\\\" package is not installed, this finding will remain as a CAT II.\n\nCheck that\nthe daemon is running:\n\n# /opt/McAfee/ens/tp/init/mfetpd-control.sh status\n\nIf the\ndaemon is not running, this finding will remain as a CAT II. \"\n desc 'fix', \"The Ubuntu operating system is not compliant with this requirement; however, the severity\nlevel can be mitigated to a CAT III if the ENSLTP module is installed and running.\n\nConfigure\nthe Ubuntu operating system to use ENSLTP.\n\nInstall the \\\"mcafeetp\\\" package via the ePO\nserver. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000191-GPOS-00080 '\n tag gid: 'V-238336 '\n tag rid: 'SV-238336r858538_rule '\n tag stig_id: 'UBTU-20-010415 '\n tag fix_id: 'F-41505r858537_fix '\n tag cci: ['CCI-001233']\n tag nist: ['SI-2 (2)']\n\n describe package('mfetp') do\n it { should be_installed }\n end\n\n describe command('/opt/McAfee/ens/tp/init/mfetpd-control.sh status') do\n its('exit_status') { should cmp 0 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238336.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package mfetp is expected to be installed","run_time":0.09734,"start_time":"2022-12-07T14:54:32-05:00","message":"expected that `System Package mfetp` is installed","resource_class":"package","resource_params":"[\"mfetp\"]","resource_id":"mfetp"},{"status":"failed","code_desc":"Command: `/opt/McAfee/ens/tp/init/mfetpd-control.sh status` exit_status is expected to cmp == 0","run_time":0.041653,"start_time":"2022-12-07T14:54:32-05:00","message":"\nexpected: 0\n got: 127\n\n(compared using `cmp` matcher)\n","resource_class":"command","resource_params":"[\"/opt/McAfee/ens/tp/init/mfetpd-control.sh status\"]","resource_id":"Command: `/opt/McAfee/ens/tp/init/mfetpd-control.sh status`"}]},{"id":"SV-238337","title":"The Ubuntu operating system must generate error messages that provide information\nnecessary for corrective actions without revealing information that could be exploited by\nadversaries. ","desc":"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers.","descriptions":[{"label":"default","data":"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers."},{"label":"check","data":"Verify the Ubuntu operating system has all system log files under the \"/var/log\" directory\nwith a permission set to 640 or less permissive by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;\n\nIf the command displays any output,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to set permissions of all log files under the\n\"/var/log\" directory to 640 or more restricted by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec chmod 640 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000205-GPOS-00083 ","gid":"V-238337 ","rid":"SV-238337r654186_rule ","stig_id":"UBTU-20-010416 ","fix_id":"F-41506r654185_fix ","cci":["CCI-001312"],"nist":["SI-11 a"]},"code":"control 'SV-238337' do\n title \"The Ubuntu operating system must generate error messages that provide information\nnecessary for corrective actions without revealing information that could be exploited by\nadversaries. \"\n desc \"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers. \"\n desc 'check', \"Verify the Ubuntu operating system has all system log files under the \\\"/var/log\\\" directory\nwith a permission set to 640 or less permissive by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec stat -c \\\"%n %a\\\" {} \\\\;\n\nIf the command displays any output,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to set permissions of all log files under the\n\\\"/var/log\\\" directory to 640 or more restricted by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec chmod 640 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000205-GPOS-00083 '\n tag gid: 'V-238337 '\n tag rid: 'SV-238337r654186_rule '\n tag stig_id: 'UBTU-20-010416 '\n tag fix_id: 'F-41506r654185_fix '\n tag cci: ['CCI-001312']\n tag nist: ['SI-11 a']\n\n log_files = command('find /var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;').stdout.strip.split(\"\\n\").entries\n\n describe 'Number of log files found with a permission NOT set to 640' do\n subject { log_files }\n its('count') { should eq 0 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238337.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Number of log files found with a permission NOT set to 640 count is expected to eq 0","run_time":0.000594,"start_time":"2022-12-07T14:54:32-05:00","message":"\nexpected: 0\n got: 9\n\n(compared using ==)\n","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238338","title":"The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \"%n %G\" /var/log\n/var/log\nsyslog\n\nIf the \"/var/log\" directory is not group-owned by syslog, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have syslog group-own the \"/var/log\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238338 ","rid":"SV-238338r654189_rule ","stig_id":"UBTU-20-010417 ","fix_id":"F-41507r654188_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238338' do\n title \"The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log\n/var/log\nsyslog\n\nIf the \\\"/var/log\\\" directory is not group-owned by syslog, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog group-own the \\\"/var/log\\\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238338 '\n tag rid: 'SV-238338r654189_rule '\n tag stig_id: 'UBTU-20-010417 '\n tag fix_id: 'F-41507r654188_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n its('group') { should cmp 'syslog' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238338.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Directory /var/log group is expected to cmp == \"syslog\"","run_time":0.084576,"start_time":"2022-12-07T14:54:33-05:00","message":"\nexpected: syslog\n got: root\n\n(compared using `cmp` matcher)\n","resource_class":"directory","resource_params":"[\"/var/log\"]","resource_id":"/var/log"}]},{"id":"SV-238339","title":"The Ubuntu operating system must configure the /var/log directory to be owned by root. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify the Ubuntu operating system configures the \"/var/log\" directory to be owned by root\nwith the following command:\n\n$ sudo stat -c \"%n %U\" /var/log\n/var/log root\n\nIf the\n\"/var/log\" directory is not owned by root, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have root own the \"/var/log\" directory by running\nthe following command:\n\n$ sudo chown root /var/log"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238339 ","rid":"SV-238339r654192_rule ","stig_id":"UBTU-20-010418 ","fix_id":"F-41508r654191_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238339' do\n title 'The Ubuntu operating system must configure the /var/log directory to be owned by root. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify the Ubuntu operating system configures the \\\"/var/log\\\" directory to be owned by root\nwith the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log\n/var/log root\n\nIf the\n\\\"/var/log\\\" directory is not owned by root, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have root own the \\\"/var/log\\\" directory by running\nthe following command:\n\n$ sudo chown root /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238339 '\n tag rid: 'SV-238339r654192_rule '\n tag stig_id: 'UBTU-20-010418 '\n tag fix_id: 'F-41508r654191_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n its('owner') { should cmp 'root' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238339.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /var/log owner is expected to cmp == \"root\"","run_time":0.000562,"start_time":"2022-12-07T14:54:33-05:00","resource_class":"directory","resource_params":"[\"/var/log\"]","resource_id":"/var/log"}]},{"id":"SV-238340","title":"The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less\npermissive. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log\" directory with a mode of\n750 or less permissive with the following command:\n\n$ stat -c \"%n %a\" /var/log\n\n/var/log 750\n\n\nIf a value of \"750\" or less permissive is not returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have permissions of 0750 for the \"/var/log\"\ndirectory by running the following command:\n\n$ sudo chmod 0750 /var/log"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238340 ","rid":"SV-238340r654195_rule ","stig_id":"UBTU-20-010419 ","fix_id":"F-41509r654194_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238340' do\n title \"The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory with a mode of\n750 or less permissive with the following command:\n\n$ stat -c \\\"%n %a\\\" /var/log\n\n/var/log 750\n\n\nIf a value of \\\"750\\\" or less permissive is not returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0750 for the \\\"/var/log\\\"\ndirectory by running the following command:\n\n$ sudo chmod 0750 /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238340 '\n tag rid: 'SV-238340r654195_rule '\n tag stig_id: 'UBTU-20-010419 '\n tag fix_id: 'F-41509r654194_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n it { should_not be_more_permissive_than('0750') }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238340.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Directory /var/log is expected not to be more permissive than \"0750\"","run_time":0.102363,"start_time":"2022-12-07T14:54:33-05:00","message":"expected `Directory /var/log.more_permissive_than?(\"0750\")` to be falsey, got true","resource_class":"directory","resource_params":"[\"/var/log\"]","resource_id":"/var/log"}]},{"id":"SV-238341","title":"The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by\nadm. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be\ngroup-owned by adm with the following command:\n\n$ sudo stat -c \"%n %G\" /var/log/syslog\n\n/var/log/syslog adm\n\nIf the \"/var/log/syslog\" file is not group-owned by adm, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to have adm group-own the \"/var/log/syslog\" file by\nrunning the following command:\n\n$ sudo chgrp adm /var/log/syslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238341 ","rid":"SV-238341r654198_rule ","stig_id":"UBTU-20-010420 ","fix_id":"F-41510r654197_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238341' do\n title \"The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by\nadm. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be\ngroup-owned by adm with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log/syslog\n\n/var/log/syslog adm\n\nIf the \\\"/var/log/syslog\\\" file is not group-owned by adm, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have adm group-own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chgrp adm /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238341 '\n tag rid: 'SV-238341r654198_rule '\n tag stig_id: 'UBTU-20-010420 '\n tag fix_id: 'F-41510r654197_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n its('group') { should cmp 'adm' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238341.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /var/log/syslog group is expected to cmp == \"adm\"","run_time":0.071662,"start_time":"2022-12-07T14:54:33-05:00","message":"\nexpected: adm\n got: \n\n(compared using `cmp` matcher)\n","resource_class":"file","resource_params":"[\"/var/log/syslog\"]","resource_id":"/var/log/syslog"}]},{"id":"SV-238342","title":"The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \"%n %U\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \"/var/log/syslog\" file is not owned by syslog, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to have syslog own the \"/var/log/syslog\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238342 ","rid":"SV-238342r654201_rule ","stig_id":"UBTU-20-010421 ","fix_id":"F-41511r654200_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238342' do\n title 'The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \\\"/var/log/syslog\\\" file is not owned by syslog, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238342 '\n tag rid: 'SV-238342r654201_rule '\n tag stig_id: 'UBTU-20-010421 '\n tag fix_id: 'F-41511r654200_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n its('owner') { should cmp 'syslog' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238342.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /var/log/syslog owner is expected to cmp == \"syslog\"","run_time":0.000831,"start_time":"2022-12-07T14:54:33-05:00","message":"\nexpected: syslog\n got: \n\n(compared using `cmp` matcher)\n","resource_class":"file","resource_params":"[\"/var/log/syslog\"]","resource_id":"/var/log/syslog"}]},{"id":"SV-238343","title":"The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less\npermissive. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file with mode\n0640 or less permissive by running the following command:\n\n$ sudo stat -c \"%n %a\"\n/var/log/syslog\n\n/var/log/syslog 640\n\nIf a value of \"640\" or less permissive is not\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have permissions of 0640 for the \"/var/log/syslog\"\nfile by running the following command:\n\n$ sudo chmod 0640 /var/log/syslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238343 ","rid":"SV-238343r654204_rule ","stig_id":"UBTU-20-010422 ","fix_id":"F-41512r654203_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238343' do\n title \"The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file with mode\n0640 or less permissive by running the following command:\n\n$ sudo stat -c \\\"%n %a\\\"\n/var/log/syslog\n\n/var/log/syslog 640\n\nIf a value of \\\"640\\\" or less permissive is not\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0640 for the \\\"/var/log/syslog\\\"\nfile by running the following command:\n\n$ sudo chmod 0640 /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238343 '\n tag rid: 'SV-238343r654204_rule '\n tag stig_id: 'UBTU-20-010422 '\n tag fix_id: 'F-41512r654203_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n it { should_not be_more_permissive_than('0640') }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238343.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"File /var/log/syslog is expected not to be more permissive than \"0640\"","run_time":0.097681,"start_time":"2022-12-07T14:54:33-05:00","resource_class":"file","resource_params":"[\"/var/log/syslog\"]","resource_id":"/var/log/syslog"}]},{"id":"SV-238344","title":"The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \"%n %a\"\n'{}' \\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding."},{"label":"fix","data":"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000258-GPOS-00099 ","gid":"V-238344 ","rid":"SV-238344r654207_rule ","stig_id":"UBTU-20-010423 ","fix_id":"F-41513r654206_fix ","cci":["CCI-001495"],"nist":["AU-9"]},"code":"control 'SV-238344' do\n title \"The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \\\"%n %a\\\"\n'{}' \\\\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238344 '\n tag rid: 'SV-238344r654207_rule '\n tag stig_id: 'UBTU-20-010423 '\n tag fix_id: 'F-41513r654206_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or\n /usr/local/sbin, that are less permissive than 0755\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238344.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or\n /usr/local/sbin, that are less permissive than 0755 count is expected to eq 0","run_time":0.000417,"start_time":"2022-12-07T14:54:33-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238345","title":"The Ubuntu operating system must have directories that contain system commands owned by\nroot. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system commands directories are returned, this is\na finding."},{"label":"fix","data":"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -user root -type d -exec chown root '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000258-GPOS-00099 ","gid":"V-238345 ","rid":"SV-238345r654210_rule ","stig_id":"UBTU-20-010424 ","fix_id":"F-41514r654209_fix ","cci":["CCI-001495"],"nist":["AU-9"]},"code":"control 'SV-238345' do\n title \"The Ubuntu operating system must have directories that contain system commands owned by\nroot. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system commands directories are returned, this is\na finding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -user root -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238345 '\n tag rid: 'SV-238345r654210_rule '\n tag stig_id: 'UBTU-20-010424 '\n tag fix_id: 'F-41514r654209_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238345.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT owned by root count is expected to eq 0","run_time":0.000935,"start_time":"2022-12-07T14:54:34-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238346","title":"The Ubuntu operating system must have directories that contain system commands group-owned\nby root. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \"%n %G\" '{}' \\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding."},{"label":"fix","data":"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000258-GPOS-00099 ","gid":"V-238346 ","rid":"SV-238346r654213_rule ","stig_id":"UBTU-20-010425 ","fix_id":"F-41515r654212_fix ","cci":["CCI-001495"],"nist":["AU-9"]},"code":"control 'SV-238346' do\n title \"The Ubuntu operating system must have directories that contain system commands group-owned\nby root. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238346 '\n tag rid: 'SV-238346r654213_rule '\n tag stig_id: 'UBTU-20-010425 '\n tag fix_id: 'F-41515r654212_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n # CHECK\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238346.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root count is expected to eq 0","run_time":0.000765,"start_time":"2022-12-07T14:54:34-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238347","title":"The Ubuntu operating system library files must have mode 0755 or less permissive. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\",\nand \"/usr/lib\" have mode 0755 or less permissive with the following command:\n\n$ sudo find\n/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \"%n %a\" '{}' \\;\n\n/usr/lib64/pkcs11-spy.so\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding."},{"label":"fix","data":"Configure the library files to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238347 ","rid":"SV-238347r654216_rule ","stig_id":"UBTU-20-010426 ","fix_id":"F-41516r654215_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238347' do\n title 'The Ubuntu operating system library files must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" have mode 0755 or less permissive with the following command:\n\n$ sudo find\n/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\n/usr/lib64/pkcs11-spy.so\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. \"\n desc 'fix', \"Configure the library files to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238347 '\n tag rid: 'SV-238347r654216_rule '\n tag stig_id: 'UBTU-20-010426 '\n tag fix_id: 'F-41516r654215_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are less permissive than 0755' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238347.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library files found that are less permissive than 0755 count is expected to eq 0","run_time":0.000468,"start_time":"2022-12-07T14:54:34-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238348","title":"The Ubuntu operating system library directories must have mode 0755 or less permissive. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib have\nmode 0755 or less permissive with the following command:\n\n$ sudo find /lib /lib64 /usr/lib\n-perm /022 -type d -exec stat -c \"%n %a\" '{}' \\;\n\nIf any of the aforementioned directories are\nfound to be group-writable or world-writable, this is a finding."},{"label":"fix","data":"Configure the shared library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}'\n\\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238348 ","rid":"SV-238348r654219_rule ","stig_id":"UBTU-20-010427 ","fix_id":"F-41517r654218_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238348' do\n title 'The Ubuntu operating system library directories must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib have\nmode 0755 or less permissive with the following command:\n\n$ sudo find /lib /lib64 /usr/lib\n-perm /022 -type d -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any of the aforementioned directories are\nfound to be group-writable or world-writable, this is a finding. \"\n desc 'fix', \"Configure the shared library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}'\n\\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238348 '\n tag rid: 'SV-238348r654219_rule '\n tag stig_id: 'UBTU-20-010427 '\n tag fix_id: 'F-41517r654218_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are less permissive than 0755' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238348.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library directories found that are less permissive than 0755 count is expected to eq 0","run_time":0.000605,"start_time":"2022-12-07T14:54:34-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238349","title":"The Ubuntu operating system library files must be owned by root. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\",\nand \"/usr/lib\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! -user root -type f -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide library file is\nreturned, this is a finding."},{"label":"fix","data":"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238349 ","rid":"SV-238349r654222_rule ","stig_id":"UBTU-20-010428 ","fix_id":"F-41518r654221_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238349' do\n title 'The Ubuntu operating system library files must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! -user root -type f -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library file is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238349 '\n tag rid: 'SV-238349r654222_rule '\n tag stig_id: 'UBTU-20-010428 '\n tag fix_id: 'F-41518r654221_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238349.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library files found that are NOT owned by root count is expected to eq 0","run_time":0.000804,"start_time":"2022-12-07T14:54:34-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238350","title":"The Ubuntu operating system library directories must be owned by root. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide library directory is returned, this is a\nfinding."},{"label":"fix","data":"Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238350 ","rid":"SV-238350r654225_rule ","stig_id":"UBTU-20-010429 ","fix_id":"F-41519r654224_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238350' do\n title 'The Ubuntu operating system library directories must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library directory is returned, this is a\nfinding. \"\n desc 'fix', \"Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238350 '\n tag rid: 'SV-238350r654225_rule '\n tag stig_id: 'UBTU-20-010429 '\n tag fix_id: 'F-41519r654224_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT owned by root' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238350.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library directories found that are NOT owned by root count is expected to eq 0","run_time":0.000497,"start_time":"2022-12-07T14:54:34-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238351","title":"The Ubuntu operating system library files must be group-owned by root or a system account. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide library files contained in the directories \"/lib\", \"/lib64\", and\n\"/usr/lib\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \"%n %G\" '{}' \\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding."},{"label":"fix","data":"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command, replacing \"[FILE]\" with any system command file not group-owned by\n\"root\" or a required system account:\n\n$ sudo chgrp root [FILE]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238351 ","rid":"SV-238351r832962_rule ","stig_id":"UBTU-20-010430 ","fix_id":"F-41520r832961_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238351' do\n title 'The Ubuntu operating system library files must be group-owned by root or a system account. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\", and\n\\\"/usr/lib\\\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command, replacing \\\"[FILE]\\\" with any system command file not group-owned by\n\\\"root\\\" or a required system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238351 '\n tag rid: 'SV-238351r832962_rule '\n tag stig_id: 'UBTU-20-010430 '\n tag fix_id: 'F-41520r832961_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT group-owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238351.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library files found that are NOT group-owned by root count is expected to eq 0","run_time":0.000502,"start_time":"2022-12-07T14:54:34-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238352","title":"The Ubuntu operating system library directories must be group-owned by root. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are\ngroup-owned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group\nroot -type d -exec stat -c \"%n %G\" '{}' \\;\n\nIf any system-wide shared library directory is\nreturned, this is a finding."},{"label":"fix","data":"Configure the system library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root\n'{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238352 ","rid":"SV-238352r654231_rule ","stig_id":"UBTU-20-010431 ","fix_id":"F-41521r654230_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238352' do\n title 'The Ubuntu operating system library directories must be group-owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\ngroup-owned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group\nroot -type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system-wide shared library directory is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238352 '\n tag rid: 'SV-238352r654231_rule '\n tag stig_id: 'UBTU-20-010431 '\n tag fix_id: 'F-41521r654230_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_directories = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_directories.count > 0\n library_directories.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT group-owned by root' do\n subject { library_directories }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238352.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library directories found that are NOT group-owned by root count is expected to eq 0","run_time":0.000401,"start_time":"2022-12-07T14:54:34-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238353","title":"The Ubuntu operating system must be configured to preserve log records from failure events. ","desc":"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes.","descriptions":[{"label":"default","data":"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes."},{"label":"check","data":"Verify the log service is configured to collect system failure events.\n\nCheck that the log\nservice is installed properly with the following command:\n\n$ dpkg -l | grep rsyslog\n\nii\nrsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon\n\nIf the \"rsyslog\"\npackage is not installed, this is a finding.\n\nCheck that the log service is enabled with the\nfollowing command:\n\n$ systemctl is-enabled rsyslog\n\nenabled\n\nIf the command above\nreturns \"disabled\", this is a finding.\n\nCheck that the log service is properly running and\nactive on the system with the following command:\n\n$ systemctl is-active rsyslog\n\nactive\n\n\nIf the command above returns \"inactive\", this is a finding."},{"label":"fix","data":"Configure the log service to collect failure events.\n\nInstall the log service (if the log\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nrsyslog\n\nEnable the log service with the following command:\n\n$ sudo systemctl enable --now\nrsyslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000269-GPOS-00103 ","gid":"V-238353 ","rid":"SV-238353r654234_rule ","stig_id":"UBTU-20-010432 ","fix_id":"F-41522r654233_fix ","cci":["CCI-001665"],"nist":["SC-24"]},"code":"control 'SV-238353' do\n title 'The Ubuntu operating system must be configured to preserve log records from failure events. '\n desc \"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes. \"\n desc 'check', \"Verify the log service is configured to collect system failure events.\n\nCheck that the log\nservice is installed properly with the following command:\n\n$ dpkg -l | grep rsyslog\n\nii\nrsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon\n\nIf the \\\"rsyslog\\\"\npackage is not installed, this is a finding.\n\nCheck that the log service is enabled with the\nfollowing command:\n\n$ systemctl is-enabled rsyslog\n\nenabled\n\nIf the command above\nreturns \\\"disabled\\\", this is a finding.\n\nCheck that the log service is properly running and\nactive on the system with the following command:\n\n$ systemctl is-active rsyslog\n\nactive\n\n\nIf the command above returns \\\"inactive\\\", this is a finding. \"\n desc 'fix', \"Configure the log service to collect failure events.\n\nInstall the log service (if the log\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nrsyslog\n\nEnable the log service with the following command:\n\n$ sudo systemctl enable --now\nrsyslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000269-GPOS-00103 '\n tag gid: 'V-238353 '\n tag rid: 'SV-238353r654234_rule '\n tag stig_id: 'UBTU-20-010432 '\n tag fix_id: 'F-41522r654233_fix '\n tag cci: ['CCI-001665']\n tag nist: ['SC-24']\n\n describe service('rsyslog') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238353.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service rsyslog is expected to be installed","run_time":0.088083,"start_time":"2022-12-07T14:54:34-05:00","message":"expected that `Service rsyslog` is installed","resource_class":"service","resource_params":"[\"rsyslog\"]","resource_id":"rsyslog"},{"status":"failed","code_desc":"Service rsyslog is expected to be enabled","run_time":0.003143,"start_time":"2022-12-07T14:54:35-05:00","message":"expected that `Service rsyslog` is enabled","resource_class":"service","resource_params":"[\"rsyslog\"]","resource_id":"rsyslog"},{"status":"failed","code_desc":"Service rsyslog is expected to be running","run_time":0.000273,"start_time":"2022-12-07T14:54:35-05:00","message":"expected that `Service rsyslog` is running","resource_class":"service","resource_params":"[\"rsyslog\"]","resource_id":"rsyslog"}]},{"id":"SV-238354","title":"The Ubuntu operating system must have an application firewall installed in order to control\nremote access methods. ","desc":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).","descriptions":[{"label":"default","data":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets)."},{"label":"check","data":"Verify that the Uncomplicated Firewall is installed with the following command:\n\n$ dpkg -l |\ngrep ufw\n\nii ufw 0.36-6\n\nIf the \"ufw\" package is not installed, ask the System Administrator\nif another application firewall is installed.\n\nIf no application firewall is installed,\nthis is a finding."},{"label":"fix","data":"Install the Uncomplicated Firewall by using the following command:\n\n$ sudo apt-get install\nufw"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000297-GPOS-00115 ","gid":"V-238354 ","rid":"SV-238354r853429_rule ","stig_id":"UBTU-20-010433 ","fix_id":"F-41523r654236_fix ","cci":["CCI-002314"],"nist":["AC-17 (1)"]},"code":"control 'SV-238354' do\n title \"The Ubuntu operating system must have an application firewall installed in order to control\nremote access methods. \"\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify that the Uncomplicated Firewall is installed with the following command:\n\n$ dpkg -l |\ngrep ufw\n\nii ufw 0.36-6\n\nIf the \\\"ufw\\\" package is not installed, ask the System Administrator\nif another application firewall is installed.\n\nIf no application firewall is installed,\nthis is a finding. \"\n desc 'fix', \"Install the Uncomplicated Firewall by using the following command:\n\n$ sudo apt-get install\nufw \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238354 '\n tag rid: 'SV-238354r853429_rule '\n tag stig_id: 'UBTU-20-010433 '\n tag fix_id: 'F-41523r654236_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n\n describe package('ufw') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238354.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package ufw is expected to be installed","run_time":0.077424,"start_time":"2022-12-07T14:54:35-05:00","message":"expected that `System Package ufw` is installed","resource_class":"package","resource_params":"[\"ufw\"]","resource_id":"ufw"}]},{"id":"SV-238355","title":"The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). ","desc":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).","descriptions":[{"label":"default","data":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets)."},{"label":"check","data":"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl is-enabled ufw\n\nIf the above command returns the status as \"disabled\", this is\na finding.\n\nVerify the Uncomplicated Firewall is active on the system by running the\nfollowing command:\n\n$ systemctl is-active ufw\n\nIf the above command returns \"inactive\" or\nany kind of error, this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the\nSystem Administrator if another application firewall is installed.\n\nIf no application\nfirewall is installed, this is a finding."},{"label":"fix","data":"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\n--now ufw.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000297-GPOS-00115 ","gid":"V-238355 ","rid":"SV-238355r853430_rule ","stig_id":"UBTU-20-010434 ","fix_id":"F-41524r654239_fix ","cci":["CCI-002314"],"nist":["AC-17 (1)"]},"code":"control 'SV-238355' do\n title 'The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). '\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl is-enabled ufw\n\nIf the above command returns the status as \\\"disabled\\\", this is\na finding.\n\nVerify the Uncomplicated Firewall is active on the system by running the\nfollowing command:\n\n$ systemctl is-active ufw\n\nIf the above command returns \\\"inactive\\\" or\nany kind of error, this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the\nSystem Administrator if another application firewall is installed.\n\nIf no application\nfirewall is installed, this is a finding. \"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\n--now ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238355 '\n tag rid: 'SV-238355r853430_rule '\n tag stig_id: 'UBTU-20-010434 '\n tag fix_id: 'F-41524r654239_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238355.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service ufw is expected to be installed","run_time":0.055247,"start_time":"2022-12-07T14:54:35-05:00","message":"expected that `Service ufw` is installed","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be enabled","run_time":0.000786,"start_time":"2022-12-07T14:54:35-05:00","message":"expected that `Service ufw` is enabled","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be running","run_time":0.000308,"start_time":"2022-12-07T14:54:35-05:00","message":"expected that `Service ufw` is running","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"}]},{"id":"SV-238356","title":"The Ubuntu operating system must, for networked systems, compare internal information\nsystem clocks at least every 24 hours with a server which is synchronized to one of the\nredundant United States Naval Observatory (USNO) time servers, or a time server designated\nfor the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System\n(GPS). ","desc":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints).","descriptions":[{"label":"default","data":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints)."},{"label":"check","data":"If the system is not networked, this requirement is Not Applicable.\n\nThe system clock must be\nconfigured to compare the system clock at least every 24 hours to the authoritative time\nsource.\n\nCheck the value of \"maxpoll\" in the \"/etc/chrony/chrony.conf\" file with the\nfollowing command:\n\n$ sudo grep maxpoll /etc/chrony/chrony.conf\nserver\ntick.usno.navy.mil iburst maxpoll 16\n\nIf the \"maxpoll\" option is set to a number greater\nthan 16 or the line is commented out, this is a finding.\n\nVerify that the \"chrony.conf\" file is\nconfigured to an authoritative DoD time source by running the following command:\n\n$ grep -i\nserver /etc/chrony/chrony.conf\nserver tick.usno.navy.mil iburst maxpoll 16\nserver\ntock.usno.navy.mil iburst maxpoll 16\nserver ntp2.usno.navy.mil iburst maxpoll 16\n\nIf\nthe parameter \"server\" is not set, is not set to an authoritative DoD time source, or is\ncommented out, this is a finding."},{"label":"fix","data":"If the system is not networked, this requirement is Not Applicable.\n\nTo configure the system\nclock to compare the system clock at least every 24 hours to the authoritative time source,\nedit the \"/etc/chrony/chrony.conf\" file. Add or correct the following lines, by replacing\n\"[source]\" in the following line with an authoritative DoD time source:\n\nserver [source]\niburst maxpoll = 16\n\nIf the \"chrony\" service was running and the value of \"maxpoll\" or\n\"server\" was updated, the service must be restarted using the following command:\n\n$ sudo\nsystemctl restart chrony.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000355-GPOS-00143 ","gid":"V-238356 ","rid":"SV-238356r853431_rule ","stig_id":"UBTU-20-010435 ","fix_id":"F-41525r808491_fix ","cci":["CCI-001891"],"nist":["AU-8 (1) (a)"]},"code":"control 'SV-238356' do\n title \"The Ubuntu operating system must, for networked systems, compare internal information\nsystem clocks at least every 24 hours with a server which is synchronized to one of the\nredundant United States Naval Observatory (USNO) time servers, or a time server designated\nfor the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System\n(GPS). \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints). \"\n desc 'check', \"If the system is not networked, this requirement is Not Applicable.\n\nThe system clock must be\nconfigured to compare the system clock at least every 24 hours to the authoritative time\nsource.\n\nCheck the value of \\\"maxpoll\\\" in the \\\"/etc/chrony/chrony.conf\\\" file with the\nfollowing command:\n\n$ sudo grep maxpoll /etc/chrony/chrony.conf\nserver\ntick.usno.navy.mil iburst maxpoll 16\n\nIf the \\\"maxpoll\\\" option is set to a number greater\nthan 16 or the line is commented out, this is a finding.\n\nVerify that the \\\"chrony.conf\\\" file is\nconfigured to an authoritative DoD time source by running the following command:\n\n$ grep -i\nserver /etc/chrony/chrony.conf\nserver tick.usno.navy.mil iburst maxpoll 16\nserver\ntock.usno.navy.mil iburst maxpoll 16\nserver ntp2.usno.navy.mil iburst maxpoll 16\n\nIf\nthe parameter \\\"server\\\" is not set, is not set to an authoritative DoD time source, or is\ncommented out, this is a finding. \"\n desc 'fix', \"If the system is not networked, this requirement is Not Applicable.\n\nTo configure the system\nclock to compare the system clock at least every 24 hours to the authoritative time source,\nedit the \\\"/etc/chrony/chrony.conf\\\" file. Add or correct the following lines, by replacing\n\\\"[source]\\\" in the following line with an authoritative DoD time source:\n\nserver [source]\niburst maxpoll = 16\n\nIf the \\\"chrony\\\" service was running and the value of \\\"maxpoll\\\" or\n\\\"server\\\" was updated, the service must be restarted using the following command:\n\n$ sudo\nsystemctl restart chrony.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000355-GPOS-00143 '\n tag gid: 'V-238356 '\n tag rid: 'SV-238356r853431_rule '\n tag stig_id: 'UBTU-20-010435 '\n tag fix_id: 'F-41525r808491_fix '\n tag cci: ['CCI-001891']\n tag nist: ['AU-8 (1) (a)']\n\n is_system_networked = input('is_system_networked')\n\n if is_system_networked\n\n chrony_conf = input('chrony_config_file')\n chrony_conf_exists = file(chrony_conf).exist?\n\n if chrony_conf_exists\n describe 'time sources' do\n server_entries = command('grep \"^server\" /etc/chrony/chrony.conf').stdout.strip.split(\"\\n\").entries\n\n server_entries.each do |entry|\n describe entry do\n it { should match \"^server\\s+.*\\s+iburst\\s+maxpoll\\s+=\\s+17$\" }\n end\n end\n end\n else\n describe chrony_conf + ' exists' do\n subject { chrony_conf_exists }\n it { should be true }\n end\n end\n else\n describe 'System is not networked' do\n skip 'This control is Not Applicable as the system is not networked'\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238356.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/chrony/chrony.conf exists is expected to equal true","run_time":0.000293,"start_time":"2022-12-07T14:54:35-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/chrony/chrony.conf exists"}]},{"id":"SV-238357","title":"The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. ","desc":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference.","descriptions":[{"label":"default","data":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference."},{"label":"check","data":"Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \"makestep\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \"1 -1\", this is a finding."},{"label":"fix","data":"Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\"/etc/chrony/chrony.conf\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000356-GPOS-00144 ","gid":"V-238357 ","rid":"SV-238357r853432_rule ","stig_id":"UBTU-20-010436 ","fix_id":"F-41526r654245_fix ","cci":["CCI-002046"],"nist":["AU-8 (1) (b)"]},"code":"control 'SV-238357' do\n title \"The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference. \"\n desc 'check', \"Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \\\"makestep\\\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \\\"1 -1\\\", this is a finding. \"\n desc 'fix', \"Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\\\"/etc/chrony/chrony.conf\\\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000356-GPOS-00144 '\n tag gid: 'V-238357 '\n tag rid: 'SV-238357r853432_rule '\n tag stig_id: 'UBTU-20-010436 '\n tag fix_id: 'F-41526r654245_fix '\n tag cci: ['CCI-002046']\n tag nist: ['AU-8 (1) (b)']\n\n chrony_file_path = input('chrony_config_file')\n chrony_file = file(chrony_file_path)\n\n if chrony_file.exist?\n describe chrony_file do\n subject { chrony_file }\n its('content') { should match /^makestep 1 -1/ }\n end\n else\n describe(chrony_file_path + ' exists') do\n subject { chrony_file.exist? }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238357.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/chrony/chrony.conf exists is expected to equal true","run_time":0.000891,"start_time":"2022-12-07T14:54:35-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/chrony/chrony.conf exists"}]},{"id":"SV-238358","title":"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the oper ","desc":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item.","descriptions":[{"label":"default","data":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ grep SILENTREPORTS /etc/default/aide\n\nSILENTREPORTS=no\n\n\nIf SILENTREPORTS is commented out, this is a finding.\n\nIf SILENTREPORTS is set to \"yes\",\nthis is a finding.\n\nIf SILENTREPORTS is not set to \"no\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \"SILENTREPORTS\"\nparameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000363-GPOS-00150 ","gid":"V-238358 ","rid":"SV-238358r853433_rule ","stig_id":"UBTU-20-010437 ","fix_id":"F-41527r654248_fix ","cci":["CCI-001744"],"nist":["CM-3 (5)"]},"code":"control 'SV-238358' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the oper \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ grep SILENTREPORTS /etc/default/aide\n\nSILENTREPORTS=no\n\n\nIf SILENTREPORTS is commented out, this is a finding.\n\nIf SILENTREPORTS is set to \\\"yes\\\",\nthis is a finding.\n\nIf SILENTREPORTS is not set to \\\"no\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000363-GPOS-00150 '\n tag gid: 'V-238358 '\n tag rid: 'SV-238358r853433_rule '\n tag stig_id: 'UBTU-20-010437 '\n tag fix_id: 'F-41527r654248_fix '\n tag cci: ['CCI-001744']\n tag nist: ['CM-3 (5)']\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238358.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /etc/default/aide is expected to exist","run_time":0.160071,"start_time":"2022-12-07T14:54:35-05:00","message":"expected File /etc/default/aide to exist","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"},{"status":"failed","code_desc":"File /etc/default/aide content is expected to match \"^SILENTREPORTS=no$\"","run_time":0.148687,"start_time":"2022-12-07T14:54:35-05:00","message":"expected nil to match \"^SILENTREPORTS=no$\"","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"}]},{"id":"SV-238359","title":"The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a certificate that is\nrecognized and approved by the organization. ","desc":"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA.","descriptions":[{"label":"default","data":"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA."},{"label":"check","data":"Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \"AllowUnauthenticated\" variable is not set at all or is set to \"false\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \"false\";\n\n\nIf any of the files returned from the command with \"AllowUnauthenticated\" are set to \"true\",\nthis is a finding."},{"label":"fix","data":"Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \"AllowUnauthenticated\" to \"false\",\nor remove \"AllowUnauthenticated\" entirely from each file. Below is an example of setting the\n\"AllowUnauthenticated\" variable to \"false\":\n\nAPT::Get::AllowUnauthenticated\n\"false\";"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000366-GPOS-00153 ","gid":"V-238359 ","rid":"SV-238359r853434_rule ","stig_id":"UBTU-20-010438 ","fix_id":"F-41528r654251_fix ","cci":["CCI-001749"],"nist":["CM-5 (3)"]},"code":"control 'SV-238359' do\n title \"The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a certificate that is\nrecognized and approved by the organization. \"\n desc \"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA. \"\n desc 'check', \"Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \\\"AllowUnauthenticated\\\" variable is not set at all or is set to \\\"false\\\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \\\"false\\\";\n\n\nIf any of the files returned from the command with \\\"AllowUnauthenticated\\\" are set to \\\"true\\\",\nthis is a finding. \"\n desc 'fix', \"Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \\\"AllowUnauthenticated\\\" to \\\"false\\\",\nor remove \\\"AllowUnauthenticated\\\" entirely from each file. Below is an example of setting the\n\\\"AllowUnauthenticated\\\" variable to \\\"false\\\":\n\nAPT::Get::AllowUnauthenticated\n\\\"false\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000366-GPOS-00153 '\n tag gid: 'V-238359 '\n tag rid: 'SV-238359r853434_rule '\n tag stig_id: 'UBTU-20-010438 '\n tag fix_id: 'F-41528r654251_fix '\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n apt_allowunauth = command('grep -i allowunauth /etc/apt/apt.conf.d/*').stdout.strip.split(\"\\n\")\n if apt_allowunauth.empty?\n describe 'apt conf files do not contain AllowUnauthenticated' do\n subject { apt_allowunauth.empty? }\n it { should be true }\n end\n else\n apt_allowunauth.each do |line|\n describe \"#{line} contains AllowUnauthenctication\" do\n subject { line }\n it { should_not match /.*false.*/ }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238359.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /etc/apt/apt.conf.d is expected to exist","run_time":0.084282,"start_time":"2022-12-07T14:54:36-05:00","resource_class":"directory","resource_params":"[\"/etc/apt/apt.conf.d\"]","resource_id":"/etc/apt/apt.conf.d"},{"status":"passed","code_desc":"apt conf files do not contain AllowUnauthenticated is expected to equal true","run_time":0.000111,"start_time":"2022-12-07T14:54:36-05:00","resource_class":"Object","resource_params":"[]","resource_id":"apt conf files do not contain AllowUnauthenticated"}]},{"id":"SV-238360","title":"The Ubuntu operating system must be configured to use AppArmor. ","desc":"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).","descriptions":[{"label":"default","data":"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles)."},{"label":"check","data":"Verify the operating system prevents program execution in accordance with local policies.\n\n\nCheck that AppArmor is installed and active by running the following command,\n\n$ dpkg -l |\ngrep apparmor\n\nIf the \"apparmor\" package is not installed, this is a finding.\n\n$ systemctl\nis-active apparmor.service\n\nactive\n\nIf \"active\" is not returned, this is a finding.\n\n$\nsystemctl is-enabled apparmor.service\n\nenabled\n\nIf \"enabled\" is not returned, this is a\nfinding."},{"label":"fix","data":"Install \"AppArmor\" (if it is not installed) with the following command:\n\n$ sudo apt-get\ninstall apparmor\n\n$ sudo systemctl enable apparmor.service\n\nStart \"apparmor\" with the\nfollowing command:\n\n$ sudo systemctl start apparmor.service\n\nNote: AppArmor must have\nproperly configured profiles for applications and home directories. All configurations\nwill be based on the actual system setup and organization and normally are on a per role basis.\nSee the AppArmor documentation for more information on configuring profiles."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000368-GPOS-00154 ","satisfies":["SRG-OS-000368-GPOS-00154","SRG-OS-000312-GPOS-00122","SRG-OS-000312-GPOS-00123","SRG-OS-000312-GPOS-00124","SRG-OS-000324-GPOS-00125","SRG-OS-000370-GPOS-00155"],"gid":"V-238360 ","rid":"SV-238360r853435_rule ","stig_id":"UBTU-20-010439 ","fix_id":"F-41529r654254_fix ","cci":["CCI-001764","CCI-001774","CCI-002165","CCI-002235"],"nist":["CM-7 (2)","CM-7 (5) (b)","AC-3 (4)","AC-6 (10)"]},"code":"control 'SV-238360' do\n title 'The Ubuntu operating system must be configured to use AppArmor. '\n desc \"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).\n\n \"\n desc 'check', \"Verify the operating system prevents program execution in accordance with local policies.\n\n\nCheck that AppArmor is installed and active by running the following command,\n\n$ dpkg -l |\ngrep apparmor\n\nIf the \\\"apparmor\\\" package is not installed, this is a finding.\n\n$ systemctl\nis-active apparmor.service\n\nactive\n\nIf \\\"active\\\" is not returned, this is a finding.\n\n$\nsystemctl is-enabled apparmor.service\n\nenabled\n\nIf \\\"enabled\\\" is not returned, this is a\nfinding. \"\n desc 'fix', \"Install \\\"AppArmor\\\" (if it is not installed) with the following command:\n\n$ sudo apt-get\ninstall apparmor\n\n$ sudo systemctl enable apparmor.service\n\nStart \\\"apparmor\\\" with the\nfollowing command:\n\n$ sudo systemctl start apparmor.service\n\nNote: AppArmor must have\nproperly configured profiles for applications and home directories. All configurations\nwill be based on the actual system setup and organization and normally are on a per role basis.\nSee the AppArmor documentation for more information on configuring profiles. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000368-GPOS-00154 '\n tag satisfies: %w(SRG-OS-000368-GPOS-00154 SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123 SRG-OS-000312-GPOS-00124 SRG-OS-000324-GPOS-00125 SRG-OS-000370-GPOS-00155)\n tag gid: 'V-238360 '\n tag rid: 'SV-238360r853435_rule '\n tag stig_id: 'UBTU-20-010439 '\n tag fix_id: 'F-41529r654254_fix '\n tag cci: %w(CCI-001764 CCI-001774 CCI-002165 CCI-002235)\n tag nist: ['CM-7 (2)', 'CM-7 (5) (b)', 'AC-3 (4)', 'AC-6 (10)']\n\n describe service('apparmor') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238360.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service apparmor is expected to be installed","run_time":0.056505,"start_time":"2022-12-07T14:54:36-05:00","message":"expected that `Service apparmor` is installed","resource_class":"service","resource_params":"[\"apparmor\"]","resource_id":"apparmor"},{"status":"failed","code_desc":"Service apparmor is expected to be enabled","run_time":0.000638,"start_time":"2022-12-07T14:54:36-05:00","message":"expected that `Service apparmor` is enabled","resource_class":"service","resource_params":"[\"apparmor\"]","resource_id":"apparmor"},{"status":"failed","code_desc":"Service apparmor is expected to be running","run_time":0.00022,"start_time":"2022-12-07T14:54:36-05:00","message":"expected that `Service apparmor` is running","resource_class":"service","resource_params":"[\"apparmor\"]","resource_id":"apparmor"}]},{"id":"SV-238361","title":"The Ubuntu operating system must allow the use of a temporary password for system logons with\nan immediate change to a permanent password. ","desc":"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated.","descriptions":[{"label":"default","data":"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated."},{"label":"check","data":"Verify a policy exists that ensures when a user account is created, it is created using a method\nthat forces a user to change their password upon their next login.\n\nIf a policy does not exist,\nthis is a finding."},{"label":"fix","data":"Create a policy that ensures when a user is created, it is created using a method that forces a\nuser to change their password upon their next login.\n\nBelow are two examples of how to create a\nuser account that requires the user to change their password upon their next login.\n\n$ sudo\nchage -d 0 [UserName]\n\nor\n\n$ sudo passwd -e [UserName]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000380-GPOS-00165 ","gid":"V-238361 ","rid":"SV-238361r853436_rule ","stig_id":"UBTU-20-010440 ","fix_id":"F-41530r654257_fix ","cci":["CCI-002041"],"nist":["IA-5 (1) (f)"]},"code":"control 'SV-238361' do\n title \"The Ubuntu operating system must allow the use of a temporary password for system logons with\nan immediate change to a permanent password. \"\n desc \"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated. \"\n desc 'check', \"Verify a policy exists that ensures when a user account is created, it is created using a method\nthat forces a user to change their password upon their next login.\n\nIf a policy does not exist,\nthis is a finding. \"\n desc 'fix', \"Create a policy that ensures when a user is created, it is created using a method that forces a\nuser to change their password upon their next login.\n\nBelow are two examples of how to create a\nuser account that requires the user to change their password upon their next login.\n\n$ sudo\nchage -d 0 [UserName]\n\nor\n\n$ sudo passwd -e [UserName] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000380-GPOS-00165 '\n tag gid: 'V-238361 '\n tag rid: 'SV-238361r853436_rule '\n tag stig_id: 'UBTU-20-010440 '\n tag fix_id: 'F-41530r654257_fix '\n tag cci: ['CCI-002041']\n tag nist: ['IA-5 (1) (f)']\n\n describe 'Manual verification required' do\n skip 'Manually verify if a policy exists to ensure that a method exists to force temporary\n users to change their password upon next login'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238361.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Manual verification required","run_time":2.3e-05,"start_time":"2022-12-07T14:54:36-05:00","resource":"","skip_message":"Manually verify if a policy exists to ensure that a method exists to force temporary\n users to change their password upon next login","resource_class":"Object","resource_params":"[]","resource_id":"Manual verification required"}]},{"id":"SV-238362","title":"The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. ","desc":"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable.","descriptions":[{"label":"default","data":"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable."},{"label":"check","data":"If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\"offline_credentials_expiration\" is not set to a value of \"1\" in \"/etc/sssd/sssd.conf\" or\nin a file with a name ending in .conf in the \"/etc/sssd/conf.d/\" directory, this is a finding."},{"label":"fix","data":"Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \"/etc/sssd/sssd.conf\" just below the line \"[pam]\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \".conf\" and does not begin with a \".\" in the \"/etc/sssd/conf.d/\"\ndirectory instead of the \"/etc/sssd/sssd.conf\" file."}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000383-GPOS-00166 ","gid":"V-238362 ","rid":"SV-238362r853437_rule ","stig_id":"UBTU-20-010441 ","fix_id":"F-41531r654260_fix ","cci":["CCI-002007"],"nist":["IA-5 (13)"]},"code":"control 'SV-238362' do\n title \"The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. \"\n desc \"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable. \"\n desc 'check', \"If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\\\"offline_credentials_expiration\\\" is not set to a value of \\\"1\\\" in \\\"/etc/sssd/sssd.conf\\\" or\nin a file with a name ending in .conf in the \\\"/etc/sssd/conf.d/\\\" directory, this is a finding. \"\n desc 'fix', \"Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \\\"/etc/sssd/sssd.conf\\\" just below the line \\\"[pam]\\\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \\\".conf\\\" and does not begin with a \\\".\\\" in the \\\"/etc/sssd/conf.d/\\\"\ndirectory instead of the \\\"/etc/sssd/sssd.conf\\\" file. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000383-GPOS-00166 '\n tag gid: 'V-238362 '\n tag rid: 'SV-238362r853437_rule '\n tag stig_id: 'UBTU-20-010441 '\n tag fix_id: 'F-41531r654260_fix '\n tag cci: ['CCI-002007']\n tag nist: ['IA-5 (13)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = input('sssd_conf_path')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('offline_credentials_expiration') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238362.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.9e-05,"start_time":"2022-12-07T14:54:36-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238363","title":"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. ","desc":"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.","descriptions":[{"label":"default","data":"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated."},{"label":"check","data":"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \"1\" is not returned, this is a finding."},{"label":"fix","data":"Configure the system to run in FIPS mode. Add \"fips=1\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \"Ubuntu\nAdvantage\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS."}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000396-GPOS-00176 ","satisfies":["SRG-OS-000396-GPOS-00176","SRG-OS-000478-GPOS-00223"],"gid":"V-238363 ","rid":"SV-238363r853438_rule ","stig_id":"UBTU-20-010442 ","fix_id":"F-41532r654263_fix ","cci":["CCI-002450"],"nist":["SC-13 b"]},"code":"control 'SV-238363' do\n title \"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. \"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.\n\n \"\n desc 'check', \"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \\\"1\\\" is not returned, this is a finding. \"\n desc 'fix', \"Configure the system to run in FIPS mode. Add \\\"fips=1\\\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \\\"Ubuntu\nAdvantage\\\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000396-GPOS-00176 '\n tag satisfies: %w(SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223)\n tag gid: 'V-238363 '\n tag rid: 'SV-238363r853438_rule '\n tag stig_id: 'UBTU-20-010442 '\n tag fix_id: 'F-41532r654263_fix '\n tag cci: ['CCI-002450']\n tag nist: ['SC-13 b']\n\n disable_fips = input('disable_fips')\n\n if disable_fips?\n impact 0.0\n describe \"Control not applicable\" do\n skip \"Control not applicable\"\n end\n elsif virtualization.system.eql?('docker')\n describe \"Manual test\" do\n skip \"This control must be reviewed manually\"\n end\n else\n config_file = input('fips_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe file(config_file) do\n its('content') { should match /\\A1\\Z/ }\n end\n else\n describe('FIPS is enabled') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238363.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238363.rb:1 ","run_time":0.007205,"start_time":"2022-12-07T14:54:36-05:00","message":"undefined method `disable_fips?' for #\"Use of weak or untested encryption algorithms undermines the purposes of utilizing\\nencryption to protect data. The operating system must implement cryptographic modules\\nadhering to the higher standards approved by the federal government since this provides\\nassurance they have been tested and validated.\", :check=>\"Verify the system is configured to run in FIPS mode with the following command:\\n\\n$ grep -i 1\\n/proc/sys/crypto/fips_enabled\\n1\\n\\nIf a value of \\\"1\\\" is not returned, this is a finding.\", :fix=>\"Configure the system to run in FIPS mode. Add \\\"fips=1\\\" to the kernel parameter during the\\nUbuntu operating systems install.\\n\\nEnabling a FIPS mode on a pre-existing system involves a\\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\\n140-2 security policy document for instructions.\\n\\nA subscription to the \\\"Ubuntu\\nAdvantage\\\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\\nenable FIPS.\"}, @refs=[], @tags={:severity=>\"high \", :gtitle=>\"SRG-OS-000396-GPOS-00176 \", :satisfies=>[\"SRG-OS-000396-GPOS-00176\", \"SRG-OS-000478-GPOS-00223\"], :gid=>\"V-238363 \", :rid=>\"SV-238363r853438_rule \", :stig_id=>\"UBTU-20-010442 \", :fix_id=>\"F-41532r654263_fix \", :cci=>[\"CCI-002450\"], :nist=>[\"SC-13 b\"]}, @resource_dsl=#, @__code=nil, @__block=#, @__source_location={:ref=>\"./controls/SV-238363.rb\", :line=>1}, @__rule_id=\"SV-238363\", @__profile_id=\"Canonical_Ubuntu_20-04_LTS_STIG\", @__checks=[[\"describe\", [\"Control Source Code Error\"], #]], @__skip_rule={}, @__merge_count=0, @__merge_changes=[], @__skip_only_if_eval=false, @__file=\"./controls/SV-238363.rb\", @__group_title=nil>","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238363.rb:1"}]},{"id":"SV-238364","title":"The Ubuntu operating system must only allow the use of DoD PKI-established certificate\nauthorities for verification of the establishment of protected sessions. ","desc":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates.","descriptions":[{"label":"default","data":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates."},{"label":"check","data":"Verify the directory containing the root certificates for the Ubuntu operating system\n(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate\nauthorities.\n\nDetermine if \"/etc/ssl/certs\" only contains certificate files whose\nsha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities\nwith the following command:\n\n$ for f in $(realpath /etc/ssl/certs/*); do openssl x509\n-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)';\ndone\n\nIf any entry is found, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to only allow the use of DoD PKI-established\ncertificate authorities for verification of the establishment of protected sessions.\n\n\nEdit the \"/etc/ca-certificates.conf\" file, adding the character \"!\" to the beginning of\nall uncommented lines that do not start with the \"!\" character with the following command:\n\n$\nsudo sed -i -E 's/^([^!#]+)/!\\1/' /etc/ca-certificates.conf\n\nAdd at least one DoD\ncertificate authority to the \"/usr/local/share/ca-certificates\" directory in the PEM\nformat.\n\nUpdate the \"/etc/ssl/certs\" directory with the following command:\n\n$ sudo\nupdate-ca-certificates"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000403-GPOS-00182 ","gid":"V-238364 ","rid":"SV-238364r860824_rule ","stig_id":"UBTU-20-010443 ","fix_id":"F-41533r860823_fix ","cci":["CCI-002470"],"nist":["SC-23 (5)"]},"code":"control 'SV-238364' do\n title \"The Ubuntu operating system must only allow the use of DoD PKI-established certificate\nauthorities for verification of the establishment of protected sessions. \"\n desc \"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates. \"\n desc 'check', \"Verify the directory containing the root certificates for the Ubuntu operating system\n(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate\nauthorities.\n\nDetermine if \\\"/etc/ssl/certs\\\" only contains certificate files whose\nsha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities\nwith the following command:\n\n$ for f in $(realpath /etc/ssl/certs/*); do openssl x509\n-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)';\ndone\n\nIf any entry is found, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to only allow the use of DoD PKI-established\ncertificate authorities for verification of the establishment of protected sessions.\n\n\nEdit the \\\"/etc/ca-certificates.conf\\\" file, adding the character \\\"!\\\" to the beginning of\nall uncommented lines that do not start with the \\\"!\\\" character with the following command:\n\n$\nsudo sed -i -E 's/^([^!#]+)/!\\\\1/' /etc/ca-certificates.conf\n\nAdd at least one DoD\ncertificate authority to the \\\"/usr/local/share/ca-certificates\\\" directory in the PEM\nformat.\n\nUpdate the \\\"/etc/ssl/certs\\\" directory with the following command:\n\n$ sudo\nupdate-ca-certificates \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000403-GPOS-00182 '\n tag gid: 'V-238364 '\n tag rid: 'SV-238364r860824_rule '\n tag stig_id: 'UBTU-20-010443 '\n tag fix_id: 'F-41533r860823_fix '\n tag cci: ['CCI-002470']\n tag nist: ['SC-23 (5)']\n\n allowed_ca_fingerprints_regex = input('allowed_ca_fingerprints_regex')\n find_command = ''\"\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '#{allowed_ca_fingerprints_regex}'\n done\n \"''\n describe command(find_command) do\n its('stdout') { should cmp '' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238364.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Command: `\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'\n done\n ` stdout is expected to cmp == \"\"","run_time":0.08347,"start_time":"2022-12-07T14:54:36-05:00","resource_class":"command","resource_params":"[\"\\n for f in $(find -L /etc/ssl/certs -type f); do\\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'\\n done\\n \"]","resource_id":"Command: `\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'\n done\n `"}]},{"id":"SV-238365","title":"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\nmodification of all information at rest. ","desc":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).","descriptions":[{"label":"default","data":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields)."},{"label":"check","data":"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n$\nsudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding."},{"label":"fix","data":"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000404-GPOS-00183 ","gid":"V-238365 ","rid":"SV-238365r853442_rule ","stig_id":"UBTU-20-010444 ","fix_id":"F-41534r654269_fix ","cci":["CCI-002475"],"nist":["SC-28 (1)"]},"code":"control 'SV-238365' do\n title \"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\nmodification of all information at rest. \"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n$\nsudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000404-GPOS-00183 '\n tag gid: 'V-238365 '\n tag rid: 'SV-238365r853442_rule '\n tag stig_id: 'UBTU-20-010444 '\n tag fix_id: 'F-41534r654269_fix '\n tag cci: ['CCI-002475']\n tag nist: ['SC-28 (1)']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238365.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Not Applicable","run_time":1.4e-05,"start_time":"2022-12-07T14:54:36-05:00","resource":"","skip_message":"Encryption of data at rest is handled by the IaaS","resource_class":"Object","resource_params":"[]","resource_id":"Not Applicable"}]},{"id":"SV-238366","title":"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\ndisclosure of all information at rest. ","desc":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).","descriptions":[{"label":"default","data":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields)."},{"label":"check","data":"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n$sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding."},{"label":"fix","data":"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000405-GPOS-00184 ","gid":"V-238366 ","rid":"SV-238366r853443_rule ","stig_id":"UBTU-20-010445 ","fix_id":"F-41535r654272_fix ","cci":["CCI-002476"],"nist":["SC-28 (1)"]},"code":"control 'SV-238366' do\n title \"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\ndisclosure of all information at rest. \"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n$sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000405-GPOS-00184 '\n tag gid: 'V-238366 '\n tag rid: 'SV-238366r853443_rule '\n tag stig_id: 'UBTU-20-010445 '\n tag fix_id: 'F-41535r654272_fix '\n tag cci: ['CCI-002476']\n tag nist: ['SC-28 (1)']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238366.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Not Applicable","run_time":2.3e-05,"start_time":"2022-12-07T14:54:37-05:00","resource":"","skip_message":"Encryption of data at rest is handled by the IaaS","resource_class":"Object","resource_params":"[]","resource_id":"Not Applicable"}]},{"id":"SV-238367","title":"The Ubuntu operating system must configure the uncomplicated firewall to rate-limit\nimpacted network interfaces. ","desc":"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks.","descriptions":[{"label":"default","data":"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks."},{"label":"check","data":"Verify an application firewall is configured to rate limit any connection to the system.\n\n\nCheck all the services listening to the ports with the following command:\n\n$ sudo ss -l46ut\n\n\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128\n[::]:ssh [::]:*\n\nFor each entry, verify that the Uncomplicated Firewall is configured to\nrate limit the service ports with the following command:\n\n$ sudo ufw status\n\nStatus: active\n\n\nTo Action From\n-- ------ ----\n22/tcp LIMIT Anywhere\n22/tcp (v6) LIMIT Anywhere (v6)\n\nIf\nany port with a state of \"LISTEN\" is not marked with the \"LIMIT\" action, this is a finding."},{"label":"fix","data":"Configure the application firewall to protect against or limit the effects of DoS attacks by\nensuring the Ubuntu operating system is implementing rate-limiting measures on impacted\nnetwork interfaces.\n\nCheck all the services listening to the ports with the following\ncommand:\n\n$ sudo ss -l46ut\n\nNetid State Recv-Q Send-Q Local Address:Port Peer\nAddress:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*\n\nFor each service with a port\nlistening to connections, run the following command, replacing \"[service]\" with the\nservice that needs to be rate limited.\n\n$ sudo ufw limit [service]\n\nRate-limiting can also\nbe done on an interface. An example of adding a rate-limit on the eth0 interface follows:\n\n$\nsudo ufw limit in on eth0"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000420-GPOS-00186 ","gid":"V-238367 ","rid":"SV-238367r853444_rule ","stig_id":"UBTU-20-010446 ","fix_id":"F-41536r654275_fix ","cci":["CCI-002385"],"nist":["SC-5 a"]},"code":"control 'SV-238367' do\n title \"The Ubuntu operating system must configure the uncomplicated firewall to rate-limit\nimpacted network interfaces. \"\n desc \"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks. \"\n desc 'check', \"Verify an application firewall is configured to rate limit any connection to the system.\n\n\nCheck all the services listening to the ports with the following command:\n\n$ sudo ss -l46ut\n\n\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128\n[::]:ssh [::]:*\n\nFor each entry, verify that the Uncomplicated Firewall is configured to\nrate limit the service ports with the following command:\n\n$ sudo ufw status\n\nStatus: active\n\n\nTo Action From\n-- ------ ----\n22/tcp LIMIT Anywhere\n22/tcp (v6) LIMIT Anywhere (v6)\n\nIf\nany port with a state of \\\"LISTEN\\\" is not marked with the \\\"LIMIT\\\" action, this is a finding. \"\n desc 'fix', \"Configure the application firewall to protect against or limit the effects of DoS attacks by\nensuring the Ubuntu operating system is implementing rate-limiting measures on impacted\nnetwork interfaces.\n\nCheck all the services listening to the ports with the following\ncommand:\n\n$ sudo ss -l46ut\n\nNetid State Recv-Q Send-Q Local Address:Port Peer\nAddress:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*\n\nFor each service with a port\nlistening to connections, run the following command, replacing \\\"[service]\\\" with the\nservice that needs to be rate limited.\n\n$ sudo ufw limit [service]\n\nRate-limiting can also\nbe done on an interface. An example of adding a rate-limit on the eth0 interface follows:\n\n$\nsudo ufw limit in on eth0 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000420-GPOS-00186 '\n tag gid: 'V-238367 '\n tag rid: 'SV-238367r853444_rule '\n tag stig_id: 'UBTU-20-010446 '\n tag fix_id: 'F-41536r654275_fix '\n tag cci: ['CCI-002385']\n tag nist: ['SC-5 a']\n\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238367.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Status listings for any allowed services, ports, or applications must be documented with the organization","run_time":1.5e-05,"start_time":"2022-12-07T14:54:37-05:00","resource":"","skip_message":"Status listings checks must be preformed manually","resource_class":"Object","resource_params":"[]","resource_id":"Status listings for any allowed services, ports, or applications must be documented with the organization"}]},{"id":"SV-238368","title":"The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. ","desc":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks.","descriptions":[{"label":"default","data":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks."},{"label":"check","data":"Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \"execute disable\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\"dmesg\" does not show \"NX (Execute Disable) protection: active\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \"flags\" does not contain the \"nx\" flag, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to enable NX.\n\nIf \"nx\" is not showing up in\n\"/proc/cpuinfo\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \"enable\"."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000433-GPOS-00192 ","gid":"V-238368 ","rid":"SV-238368r853445_rule ","stig_id":"UBTU-20-010447 ","fix_id":"F-41537r654278_fix ","cci":["CCI-002824"],"nist":["SI-16"]},"code":"control 'SV-238368' do\n title \"The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \\\"execute disable\\\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\\\"dmesg\\\" does not show \\\"NX (Execute Disable) protection: active\\\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \\\"flags\\\" does not contain the \\\"nx\\\" flag, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enable NX.\n\nIf \\\"nx\\\" is not showing up in\n\\\"/proc/cpuinfo\\\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \\\"enable\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00192 '\n tag gid: 'V-238368 '\n tag rid: 'SV-238368r853445_rule '\n tag stig_id: 'UBTU-20-010447 '\n tag fix_id: 'F-41537r654278_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/,\n }\n describe.one do\n describe command('dmesg | grep NX').stdout.strip do\n it { should match /.+(NX \\(Execute Disable\\) protection: active)/ }\n end\n describe parse_config_file('/proc/cpuinfo', options).flags.split(' ') do\n it { should include 'nx' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238368.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Control Source Code Error ./controls/SV-238368.rb:1 ","run_time":0.001713,"start_time":"2022-12-07T14:54:37-05:00","message":"undefined method `split' for nil:NilClass","exception":"RuntimeError","backtrace":["/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/rule.rb:61:in `block (2 levels) in initialize'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `instance_exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:263:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:624:in `run_around_example_hooks_for'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/hooks.rb:486:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:468:in `with_around_example_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example.rb:259:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:646:in `block in run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:642:in `run_examples'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:607:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `block in run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/example_group.rb:608:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `map'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/configuration.rb:2068:in `with_suite_hooks'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:116:in `block in run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/reporter.rb:74:in `report'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/rspec-core-3.11.0/lib/rspec/core/runner.rb:115:in `run_specs'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner_rspec.rb:97:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:183:in `run_tests'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/runner.rb:154:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/cli.rb:366:in `exec'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-core-5.18.14/lib/inspec/base_cli.rb:35:in `start'","/Users/alippold/.rvm/gems/ruby-3.0.4/gems/inspec-bin-5.18.14/bin/inspec:11:in `'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `load'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/inspec:25:in `
'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `eval'","/Users/alippold/.rvm/gems/ruby-3.0.4/bin/ruby_executable_hooks:22:in `
'"],"resource_class":"Object","resource_params":"[]","resource_id":"./controls/SV-238368.rb:1"}]},{"id":"SV-238369","title":"The Ubuntu operating system must implement address space layout randomization to protect\nits memory from unauthorized code execution. ","desc":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks.","descriptions":[{"label":"default","data":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks."},{"label":"check","data":"Verify the Ubuntu operating system implements address space layout randomization (ASLR)\nwith the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\n\nkernel.randomize_va_space = 2\n\nIf nothing is returned, verify the kernel parameter\n\"randomize_va_space\" is set to \"2\" with the following command:\n\n$ cat\n/proc/sys/kernel/randomize_va_space\n\n2\n\nIf \"kernel.randomize_va_space\" is not set to\n\"2\", this is a finding.\n\nVerify that a saved value of the \"kernel.randomize_va_space\"\nvariable is not defined.\n\n$ sudo egrep -R \"^kernel.randomize_va_space=[^2]\"\n/etc/sysctl.conf /etc/sysctl.d\n\nIf this returns a result, this is a finding."},{"label":"fix","data":"Remove the \"kernel.randomize_va_space\" entry found in the \"/etc/sysctl.conf\" file or any\nfile located in the \"/etc/sysctl.d/\" directory.\n\nAfter the line has been removed, the\nkernel settings from all system configuration files must be reloaded before any of the\nchanges will take effect. Run the following command to reload all of the kernel system\nconfiguration files:\n\n$ sudo sysctl --system"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000433-GPOS-00193 ","gid":"V-238369 ","rid":"SV-238369r853446_rule ","stig_id":"UBTU-20-010448 ","fix_id":"F-41538r654281_fix ","cci":["CCI-002824"],"nist":["SI-16"]},"code":"control 'SV-238369' do\n title \"The Ubuntu operating system must implement address space layout randomization to protect\nits memory from unauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the Ubuntu operating system implements address space layout randomization (ASLR)\nwith the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\n\nkernel.randomize_va_space = 2\n\nIf nothing is returned, verify the kernel parameter\n\\\"randomize_va_space\\\" is set to \\\"2\\\" with the following command:\n\n$ cat\n/proc/sys/kernel/randomize_va_space\n\n2\n\nIf \\\"kernel.randomize_va_space\\\" is not set to\n\\\"2\\\", this is a finding.\n\nVerify that a saved value of the \\\"kernel.randomize_va_space\\\"\nvariable is not defined.\n\n$ sudo egrep -R \\\"^kernel.randomize_va_space=[^2]\\\"\n/etc/sysctl.conf /etc/sysctl.d\n\nIf this returns a result, this is a finding. \"\n desc 'fix', \"Remove the \\\"kernel.randomize_va_space\\\" entry found in the \\\"/etc/sysctl.conf\\\" file or any\nfile located in the \\\"/etc/sysctl.d/\\\" directory.\n\nAfter the line has been removed, the\nkernel settings from all system configuration files must be reloaded before any of the\nchanges will take effect. Run the following command to reload all of the kernel system\nconfiguration files:\n\n$ sudo sysctl --system \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00193 '\n tag gid: 'V-238369 '\n tag rid: 'SV-238369r853446_rule '\n tag stig_id: 'UBTU-20-010448 '\n tag fix_id: 'F-41538r654281_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n\n describe kernel_parameter('kernel.randomize_va_space') do\n its('value') { should cmp 2 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238369.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Kernel Parameter kernel.randomize_va_space value is expected to cmp == 2","run_time":0.113521,"start_time":"2022-12-07T14:54:37-05:00","resource_class":"kernel_parameter","resource_params":"[\"kernel.randomize_va_space\"]","resource_id":"kernel.randomize_va_space"}]},{"id":"SV-238370","title":"The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. ","desc":"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system.","descriptions":[{"label":"default","data":"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system."},{"label":"check","data":"Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";\n\nIf the\n\"::Remove-Unused-Dependencies\" and \"::Remove-Unused-Kernel-Packages\" parameters are\nnot set to \"true\" or are missing or commented out, this is a finding."},{"label":"fix","data":"Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\"/etc/apt/apt.conf.d/50unattended-upgrades\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000437-GPOS-00194 ","gid":"V-238370 ","rid":"SV-238370r853447_rule ","stig_id":"UBTU-20-010449 ","fix_id":"F-41539r654284_fix ","cci":["CCI-002617"],"nist":["SI-2 (6)"]},"code":"control 'SV-238370' do\n title \"The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. \"\n desc \"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system. \"\n desc 'check', \"Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\";\n\nIf the\n\\\"::Remove-Unused-Dependencies\\\" and \\\"::Remove-Unused-Kernel-Packages\\\" parameters are\nnot set to \\\"true\\\" or are missing or commented out, this is a finding. \"\n desc 'fix', \"Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\\\"/etc/apt/apt.conf.d/50unattended-upgrades\\\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000437-GPOS-00194 '\n tag gid: 'V-238370 '\n tag rid: 'SV-238370r853447_rule '\n tag stig_id: 'UBTU-20-010449 '\n tag fix_id: 'F-41539r654284_fix '\n tag cci: ['CCI-002617']\n tag nist: ['SI-2 (6)']\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n describe command('grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades').stdout.strip do\n it { should match /^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/ }\n it { should match /^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/ }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238370.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /etc/apt/apt.conf.d is expected to exist","run_time":0.000297,"start_time":"2022-12-07T14:54:37-05:00","resource_class":"directory","resource_params":"[\"/etc/apt/apt.conf.d\"]","resource_id":"/etc/apt/apt.conf.d"},{"status":"failed","code_desc":"is expected to match /^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/","run_time":0.000794,"start_time":"2022-12-07T14:54:37-05:00","message":"expected \"\" to match /^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/\nDiff:\n@@ -1 +1 @@\n-/^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/\n+\"\"\n","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected to match /^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/","run_time":0.007542,"start_time":"2022-12-07T14:54:37-05:00","message":"expected \"\" to match /^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/\nDiff:\n@@ -1 +1 @@\n-/^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/\n+\"\"\n","resource_class":"Object","resource_params":"[]","resource_id":""}]},{"id":"SV-238371","title":"The Ubuntu operating system must use a file integrity tool to verify correct operation of all\nsecurity functions. ","desc":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality.","descriptions":[{"label":"default","data":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the\ncorrect operation of all security functions.\n\nCheck that the AIDE package is installed with\nthe following command:\n\n$ sudo dpkg -l | grep aide\nii aide 0.16.1-1build2 amd64 Advanced\nIntrusion Detection Environment - static binary\n\nIf AIDE is not installed, ask the System\nAdministrator how file integrity checks are performed on the system.\n\nIf no application is\ninstalled to perform integrity checks, this is a finding."},{"label":"fix","data":"Install the AIDE package by running the following command:\n\n$ sudo apt-get install aide"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000445-GPOS-00199 ","gid":"V-238371 ","rid":"SV-238371r853448_rule ","stig_id":"UBTU-20-010450 ","fix_id":"F-41540r654287_fix ","cci":["CCI-002696"],"nist":["SI-6 a"]},"code":"control 'SV-238371' do\n title \"The Ubuntu operating system must use a file integrity tool to verify correct operation of all\nsecurity functions. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the\ncorrect operation of all security functions.\n\nCheck that the AIDE package is installed with\nthe following command:\n\n$ sudo dpkg -l | grep aide\nii aide 0.16.1-1build2 amd64 Advanced\nIntrusion Detection Environment - static binary\n\nIf AIDE is not installed, ask the System\nAdministrator how file integrity checks are performed on the system.\n\nIf no application is\ninstalled to perform integrity checks, this is a finding. \"\n desc 'fix', \"Install the AIDE package by running the following command:\n\n$ sudo apt-get install aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000445-GPOS-00199 '\n tag gid: 'V-238371 '\n tag rid: 'SV-238371r853448_rule '\n tag stig_id: 'UBTU-20-010450 '\n tag fix_id: 'F-41540r654287_fix '\n tag cci: ['CCI-002696']\n tag nist: ['SI-6 a']\n\n describe package('aide') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238371.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package aide is expected to be installed","run_time":0.087498,"start_time":"2022-12-07T14:54:37-05:00","message":"expected that `System Package aide` is installed","resource_class":"package","resource_params":"[\"aide\"]","resource_id":"aide"}]},{"id":"SV-238372","title":"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. ","desc":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item.","descriptions":[{"label":"default","data":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \"yes\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \"SILENTREPORTS\"\nparameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000447-GPOS-00201 ","gid":"V-238372 ","rid":"SV-238372r853449_rule ","stig_id":"UBTU-20-010451 ","fix_id":"F-41541r654290_fix ","cci":["CCI-002702"],"nist":["SI-6 d"]},"code":"control 'SV-238372' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \\\"yes\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000447-GPOS-00201 '\n tag gid: 'V-238372 '\n tag rid: 'SV-238372r853449_rule '\n tag stig_id: 'UBTU-20-010451 '\n tag fix_id: 'F-41541r654290_fix '\n tag cci: ['CCI-002702']\n tag nist: ['SI-6 d']\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238372.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /etc/default/aide is expected to exist","run_time":0.000972,"start_time":"2022-12-07T14:54:37-05:00","message":"expected File /etc/default/aide to exist","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"},{"status":"failed","code_desc":"File /etc/default/aide content is expected to match \"^SILENTREPORTS=no$\"","run_time":0.00133,"start_time":"2022-12-07T14:54:37-05:00","message":"expected nil to match \"^SILENTREPORTS=no$\"","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"}]},{"id":"SV-238373","title":"The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. ","desc":"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections.","descriptions":[{"label":"default","data":"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections."},{"label":"check","data":"Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\"pam_lastlog\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \"pam_lastlog\" is\nmissing from \"/etc/pam.d/login\" file, is not \"required\", or the \"silent\" option is present,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\"/etc/pam.d/login\".\n\nAdd the following line to the top of \"/etc/pam.d/login\":\n\nsession\nrequired pam_lastlog.so showfailed"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238373 ","rid":"SV-238373r858539_rule ","stig_id":"UBTU-20-010453 ","fix_id":"F-41542r654293_fix ","cci":["CCI-000052"],"nist":["AC-9"]},"code":"control 'SV-238373' do\n title \"The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. \"\n desc \"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections. \"\n desc 'check', \"Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\\\"pam_lastlog\\\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \\\"pam_lastlog\\\" is\nmissing from \\\"/etc/pam.d/login\\\" file, is not \\\"required\\\", or the \\\"silent\\\" option is present,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\\\"/etc/pam.d/login\\\".\n\nAdd the following line to the top of \\\"/etc/pam.d/login\\\":\n\nsession\nrequired pam_lastlog.so showfailed \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238373 '\n tag rid: 'SV-238373r858539_rule '\n tag stig_id: 'UBTU-20-010453 '\n tag fix_id: 'F-41542r654293_fix '\n tag cci: ['CCI-000052']\n tag nist: ['AC-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep pam_lastlog /etc/pam.d/login') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*session\\s+required\\s+pam_lastlog.so/ }\n its('stdout.strip') { should_not match /^\\s*session\\s+required\\s+pam_lastlog.so[\\s\\w\\d\\=]+.*silent/ }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238373.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.9e-05,"start_time":"2022-12-07T14:54:37-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238374","title":"The Ubuntu operating system must have an application firewall enabled. ","desc":"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network.","descriptions":[{"label":"default","data":"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network."},{"label":"check","data":"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl status ufw.service | grep -i \"active:\"\n\nActive: active (exited) since Mon\n2016-10-17 12:30:29 CDT; 1s ago\n\nIf the above command returns the status as \"inactive\", this\nis a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator\nif another application firewall is installed. If no application firewall is installed, this\nis a finding."},{"label":"fix","data":"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\nufw.service\n\nIf the Uncomplicated Firewall is not currently running on the system, start it\nwith the following command:\n\n$ sudo systemctl start ufw.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00232 ","gid":"V-238374 ","rid":"SV-238374r654297_rule ","stig_id":"UBTU-20-010454 ","fix_id":"F-41543r654296_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238374' do\n title 'The Ubuntu operating system must have an application firewall enabled. '\n desc \"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network. \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl status ufw.service | grep -i \\\"active:\\\"\n\nActive: active (exited) since Mon\n2016-10-17 12:30:29 CDT; 1s ago\n\nIf the above command returns the status as \\\"inactive\\\", this\nis a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator\nif another application firewall is installed. If no application firewall is installed, this\nis a finding. \"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\nufw.service\n\nIf the Uncomplicated Firewall is not currently running on the system, start it\nwith the following command:\n\n$ sudo systemctl start ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00232 '\n tag gid: 'V-238374 '\n tag rid: 'SV-238374r654297_rule '\n tag stig_id: 'UBTU-20-010454 '\n tag fix_id: 'F-41543r654296_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238374.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service ufw is expected to be installed","run_time":0.001391,"start_time":"2022-12-07T14:54:38-05:00","message":"expected that `Service ufw` is installed","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be enabled","run_time":0.002503,"start_time":"2022-12-07T14:54:38-05:00","message":"expected that `Service ufw` is enabled","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be running","run_time":0.001172,"start_time":"2022-12-07T14:54:38-05:00","message":"expected that `Service ufw` is running","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"}]},{"id":"SV-238376","title":"The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. ","desc":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system commands contained in the following directories have mode 0755 or less\npermissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\n\nCheck that the system command files have mode 0755 or less permissive with the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec stat -c \"%n %a\" '{}' \\;\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding."},{"label":"fix","data":"Configure the system commands to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec chmod 755 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238376 ","rid":"SV-238376r654303_rule ","stig_id":"UBTU-20-010456 ","fix_id":"F-41545r654302_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238376' do\n title 'The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. '\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories have mode 0755 or less\npermissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\n\nCheck that the system command files have mode 0755 or less permissive with the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. \"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238376 '\n tag rid: 'SV-238376r654303_rule '\n tag stig_id: 'UBTU-20-010456 '\n tag fix_id: 'F-41545r654302_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238376.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755 count is expected to eq 0","run_time":0.001242,"start_time":"2022-12-07T14:54:38-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238377","title":"The Ubuntu operating system must have system commands owned by root or a system account. ","desc":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system commands contained in the following directories are owned by root, or a\nrequired system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nUse the following command for the check:\n\n$ sudo find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \"%n %U\"\n'{}' \\;\n\nIf any system commands are returned and are not owned by a required system account,\nthis is a finding."},{"label":"fix","data":"Configure the system commands and their respective parent directories to be protected from\nunauthorized access. Run the following command, replacing \"[FILE]\" with any system command\nfile not owned by \"root\" or a required system account:\n\n$ sudo chown root [FILE]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238377 ","rid":"SV-238377r832968_rule ","stig_id":"UBTU-20-010457 ","fix_id":"F-41546r832967_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238377' do\n title 'The Ubuntu operating system must have system commands owned by root or a system account. '\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories are owned by root, or a\nrequired system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nUse the following command for the check:\n\n$ sudo find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \\\"%n %U\\\"\n'{}' \\\\;\n\nIf any system commands are returned and are not owned by a required system account,\nthis is a finding. \"\n desc 'fix', \"Configure the system commands and their respective parent directories to be protected from\nunauthorized access. Run the following command, replacing \\\"[FILE]\\\" with any system command\nfile not owned by \\\"root\\\" or a required system account:\n\n$ sudo chown root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238377 '\n tag rid: 'SV-238377r832968_rule '\n tag stig_id: 'UBTU-20-010457 '\n tag fix_id: 'F-41546r832967_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238377.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root count is expected to eq 0","run_time":0.00013,"start_time":"2022-12-07T14:54:38-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238378","title":"The Ubuntu operating system must have system commands group-owned by root or a system\naccount. ","desc":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system commands contained in the following directories are group-owned by root or\na required system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nRun the check with the following command:\n\n$ sudo find -L /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec\nstat -c \"%n %G\" '{}' \\;\n\nIf any system commands are returned that are not Set Group ID upon\nexecution (SGID) files and group-owned by a required system account, this is a finding."},{"label":"fix","data":"Configure the system commands to be protected from unauthorized access. Run the following\ncommand, replacing \"[FILE]\" with any system command file not group-owned by \"root\" or a\nrequired system account:\n\n$ sudo chgrp root [FILE]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238378 ","rid":"SV-238378r832971_rule ","stig_id":"UBTU-20-010458 ","fix_id":"F-41547r832970_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238378' do\n title \"The Ubuntu operating system must have system commands group-owned by root or a system\naccount. \"\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories are group-owned by root or\na required system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nRun the check with the following command:\n\n$ sudo find -L /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec\nstat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands are returned that are not Set Group ID upon\nexecution (SGID) files and group-owned by a required system account, this is a finding. \"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. Run the following\ncommand, replacing \\\"[FILE]\\\" with any system command file not group-owned by \\\"root\\\" or a\nrequired system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238378 '\n tag rid: 'SV-238378r832971_rule '\n tag stig_id: 'UBTU-20-010458 '\n tag fix_id: 'F-41547r832970_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -perm /2000 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are not Set Group ID up on execution (SGID) files and owned by a privileged account' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238378.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"File /bin/wall is expected not to be more permissive than \"0755\"","run_time":0.086797,"start_time":"2022-12-07T14:54:38-05:00","resource_class":"file","resource_params":"[\"/bin/wall\"]","resource_id":"/bin/wall"},{"status":"passed","code_desc":"File /bin/chage is expected not to be more permissive than \"0755\"","run_time":0.054039,"start_time":"2022-12-07T14:54:38-05:00","resource_class":"file","resource_params":"[\"/bin/chage\"]","resource_id":"/bin/chage"},{"status":"passed","code_desc":"File /bin/expiry is expected not to be more permissive than \"0755\"","run_time":0.058401,"start_time":"2022-12-07T14:54:38-05:00","resource_class":"file","resource_params":"[\"/bin/expiry\"]","resource_id":"/bin/expiry"},{"status":"passed","code_desc":"File /sbin/pam_extrausers_chkpwd is expected not to be more permissive than \"0755\"","run_time":0.068712,"start_time":"2022-12-07T14:54:38-05:00","resource_class":"file","resource_params":"[\"/sbin/pam_extrausers_chkpwd\"]","resource_id":"/sbin/pam_extrausers_chkpwd"},{"status":"passed","code_desc":"File /sbin/unix_chkpwd is expected not to be more permissive than \"0755\"","run_time":0.071113,"start_time":"2022-12-07T14:54:38-05:00","resource_class":"file","resource_params":"[\"/sbin/unix_chkpwd\"]","resource_id":"/sbin/unix_chkpwd"},{"status":"passed","code_desc":"File /usr/bin/wall is expected not to be more permissive than \"0755\"","run_time":0.05648,"start_time":"2022-12-07T14:54:38-05:00","resource_class":"file","resource_params":"[\"/usr/bin/wall\"]","resource_id":"/usr/bin/wall"},{"status":"passed","code_desc":"File /usr/bin/chage is expected not to be more permissive than \"0755\"","run_time":0.049994,"start_time":"2022-12-07T14:54:38-05:00","resource_class":"file","resource_params":"[\"/usr/bin/chage\"]","resource_id":"/usr/bin/chage"},{"status":"passed","code_desc":"File /usr/bin/expiry is expected not to be more permissive than \"0755\"","run_time":0.069141,"start_time":"2022-12-07T14:54:38-05:00","resource_class":"file","resource_params":"[\"/usr/bin/expiry\"]","resource_id":"/usr/bin/expiry"},{"status":"passed","code_desc":"File /usr/sbin/pam_extrausers_chkpwd is expected not to be more permissive than \"0755\"","run_time":0.054755,"start_time":"2022-12-07T14:54:38-05:00","resource_class":"file","resource_params":"[\"/usr/sbin/pam_extrausers_chkpwd\"]","resource_id":"/usr/sbin/pam_extrausers_chkpwd"},{"status":"passed","code_desc":"File /usr/sbin/unix_chkpwd is expected not to be more permissive than \"0755\"","run_time":0.049479,"start_time":"2022-12-07T14:54:38-05:00","resource_class":"file","resource_params":"[\"/usr/sbin/unix_chkpwd\"]","resource_id":"/usr/sbin/unix_chkpwd"}]},{"id":"SV-238379","title":"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. ","desc":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken.","descriptions":[{"label":"default","data":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken."},{"label":"check","data":"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \"logout\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \"logout\" key is bound to an action, is\ncommented out, or is missing, this is a finding."},{"label":"fix","data":"Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238379 ","rid":"SV-238379r654312_rule ","stig_id":"UBTU-20-010459 ","fix_id":"F-41548r654311_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238379' do\n title \"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. \"\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \\\"logout\\\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \\\"logout\\\" key is bound to an action, is\ncommented out, or is missing, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238379 '\n tag rid: 'SV-238379r654312_rule '\n tag stig_id: 'UBTU-20-010459 '\n tag fix_id: 'F-41548r654311_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe command(\"grep -R logout='' /etc/dconf/db/local.d/\").stdout.strip.split(\"\\n\").entries do\n its('count') { should_not eq 0 }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238379.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"1","run_time":1.9e-05,"start_time":"2022-12-07T14:54:39-05:00","resource":"1","skip_message":"GUI not installed.\nwhich Xorg exit_status: 1","resource_class":"Numeric","resource_params":"[]","resource_id":""}]},{"id":"SV-238380","title":"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. ","desc":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot.","descriptions":[{"label":"default","data":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot."},{"label":"check","data":"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\nCheck that the \"ctrl-alt-del.target\" (otherwise also known\nas reboot.target) is not active with the following command:\n\n$ sudo systemctl status\nctrl-alt-del.target\nctrl-alt-del.target\nLoaded: masked (Reason: Unit\nctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \"ctrl-alt-del.target\"\nis not masked, this is a finding."},{"label":"fix","data":"Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the\nfollowing commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl\nmask ctrl-alt-del.target\n\nReload the daemon to take effect:\n\n$ sudo systemctl\ndaemon-reload"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238380 ","rid":"SV-238380r832974_rule ","stig_id":"UBTU-20-010460 ","fix_id":"F-41549r832973_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238380' do\n title 'The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. '\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\nCheck that the \\\"ctrl-alt-del.target\\\" (otherwise also known\nas reboot.target) is not active with the following command:\n\n$ sudo systemctl status\nctrl-alt-del.target\nctrl-alt-del.target\nLoaded: masked (Reason: Unit\nctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \\\"ctrl-alt-del.target\\\"\nis not masked, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the\nfollowing commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl\nmask ctrl-alt-del.target\n\nReload the daemon to take effect:\n\n$ sudo systemctl\ndaemon-reload \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238380 '\n tag rid: 'SV-238380r832974_rule '\n tag stig_id: 'UBTU-20-010460 '\n tag fix_id: 'F-41549r832973_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe service('ctrl-alt-del.target') do\n it { should_not be_running }\n it { should_not be_enabled }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238380.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Service ctrl-alt-del.target is expected not to be running","run_time":0.085026,"start_time":"2022-12-07T14:54:39-05:00","resource_class":"service","resource_params":"[\"ctrl-alt-del.target\"]","resource_id":"ctrl-alt-del.target"},{"status":"passed","code_desc":"Service ctrl-alt-del.target is expected not to be enabled","run_time":0.00073,"start_time":"2022-12-07T14:54:39-05:00","resource_class":"service","resource_params":"[\"ctrl-alt-del.target\"]","resource_id":"ctrl-alt-del.target"}]},{"id":"SV-251503","title":"The Ubuntu operating system must not have accounts configured with blank or null passwords. ","desc":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.","descriptions":[{"label":"default","data":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments."},{"label":"check","data":"Check the \"/etc/shadow\" file for blank passwords with the following command:\n\n$ sudo awk -F:\n'!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding."},{"label":"fix","data":"Configure all accounts on the system to have a password or lock the account with the following\ncommands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo\npasswd -l [username]"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-251503 ","rid":"SV-251503r808506_rule ","stig_id":"UBTU-20-010462 ","fix_id":"F-54892r808505_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-251503' do\n title 'The Ubuntu operating system must not have accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"Check the \\\"/etc/shadow\\\" file for blank passwords with the following command:\n\n$ sudo awk -F:\n'!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding. \"\n desc 'fix', \"Configure all accounts on the system to have a password or lock the account with the following\ncommands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo\npasswd -l [username] \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251503 '\n tag rid: 'SV-251503r808506_rule '\n tag stig_id: 'UBTU-20-010462 '\n tag fix_id: 'F-54892r808505_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe command(\"sudo awk -F: '!$2 {print $1}' /etc/shadow\") do\n its('stdout') { should be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-251503.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Command: `sudo awk -F: '!$2 {print $1}' /etc/shadow` stdout is expected to be empty","run_time":0.081518,"start_time":"2022-12-07T14:54:39-05:00","resource_class":"command","resource_params":"[\"sudo awk -F: '!$2 {print $1}' /etc/shadow\"]","resource_id":"Command: `sudo awk -F: '!$2 {print $1}' /etc/shadow`"}]},{"id":"SV-251504","title":"The Ubuntu operating system must not allow accounts configured with blank or null passwords. ","desc":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.","descriptions":[{"label":"default","data":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments."},{"label":"check","data":"To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding."},{"label":"fix","data":"If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \"nullok\" option in \"/etc/pam.d/common-password\" to prevent logons with\nempty passwords."}],"impact":0.0,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-251504 ","rid":"SV-251504r832977_rule ","stig_id":"UBTU-20-010463 ","fix_id":"F-54893r832976_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-251504' do\n title 'The Ubuntu operating system must not allow accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding. \"\n desc 'fix', \"If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \\\"nullok\\\" option in \\\"/etc/pam.d/common-password\\\" to prevent logons with\nempty passwords. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251504 '\n tag rid: 'SV-251504r832977_rule '\n tag stig_id: 'UBTU-20-010463 '\n tag fix_id: 'F-54893r832976_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep nullok /etc/pam.d/common-password') do\n its('stdout') { should be_empty }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-251504.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-05,"start_time":"2022-12-07T14:54:39-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-251505","title":"The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB)\nmass storage driver. ","desc":"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers.","descriptions":[{"label":"default","data":"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers."},{"label":"check","data":"Verify that Ubuntu operating system disables ability to load the USB storage kernel\nmodule.\n\n# grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\"\n\ninstall usb-storage\n/bin/true\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding.\n\nVerify the operating system disables the ability to use USB mass storage\ndevice.\n\n# grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"\n\nblacklist\nusb-storage\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to disable using the USB storage kernel module.\n\n\nCreate a file under \"/etc/modprobe.d\" to contain the following:\n\n# sudo su -c \"echo\ninstall usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\"\n\nConfigure the\noperating system to disable the ability to use USB mass storage devices.\n\n# sudo su -c \"echo\nblacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\""}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000378-GPOS-00163 ","gid":"V-251505 ","rid":"SV-251505r853450_rule ","stig_id":"UBTU-20-010461 ","fix_id":"F-54894r808511_fix ","cci":["CCI-001958"],"nist":["IA-3"]},"code":"control 'SV-251505' do\n title \"The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB)\nmass storage driver. \"\n desc \"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers. \"\n desc 'check', \"Verify that Ubuntu operating system disables ability to load the USB storage kernel\nmodule.\n\n# grep usb-storage /etc/modprobe.d/* | grep \\\"/bin/true\\\"\n\ninstall usb-storage\n/bin/true\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding.\n\nVerify the operating system disables the ability to use USB mass storage\ndevice.\n\n# grep usb-storage /etc/modprobe.d/* | grep -i \\\"blacklist\\\"\n\nblacklist\nusb-storage\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable using the USB storage kernel module.\n\n\nCreate a file under \\\"/etc/modprobe.d\\\" to contain the following:\n\n# sudo su -c \\\"echo\ninstall usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\\\"\n\nConfigure the\noperating system to disable the ability to use USB mass storage devices.\n\n# sudo su -c \\\"echo\nblacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\\\" \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000378-GPOS-00163 '\n tag gid: 'V-251505 '\n tag rid: 'SV-251505r853450_rule '\n tag stig_id: 'UBTU-20-010461 '\n tag fix_id: 'F-54894r808511_fix '\n tag cci: ['CCI-001958']\n tag nist: ['IA-3']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\"') do\n its('stdout') { should_not be_empty }\n end\n\n describe command('grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"') do\n its('stdout') { should_not be_empty }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-251505.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":0.00026,"start_time":"2022-12-07T14:54:39-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-252704","title":"The Ubuntu operating system must disable all wireless network adapters. ","desc":"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required.","descriptions":[{"label":"default","data":"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required."},{"label":"check","data":"Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding."},{"label":"fix","data":"List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \"/etc/modprobe.d\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name>"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000481-GPOS-00481 ","gid":"V-252704 ","rid":"SV-252704r854182_rule ","stig_id":"UBTU-20-010455 ","fix_id":"F-56110r819056_fix ","cci":["CCI-002418"],"nist":["SC-8"]},"code":"control 'SV-252704' do\n title 'The Ubuntu operating system must disable all wireless network adapters. '\n desc \"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required. \"\n desc 'check', \"Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding. \"\n desc 'fix', \"List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \\\"/etc/modprobe.d\\\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000481-GPOS-00481 '\n tag gid: 'V-252704 '\n tag rid: 'SV-252704r854182_rule '\n tag stig_id: 'UBTU-20-010455 '\n tag fix_id: 'F-56110r819056_fix '\n tag cci: ['CCI-002418']\n tag nist: ['SC-8']\n\n describe command('ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename') do\n its('stdout') { should be_in input('approved_wireless_interfaces') }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-252704.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Command: `ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename` stdout is expected to be in","run_time":0.089551,"start_time":"2022-12-07T14:54:39-05:00","message":"expected `` to be in the list: `[]`","resource_class":"command","resource_params":"[\"ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename\"]","resource_id":"Command: `ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename`"}]}],"status":"loaded","status_message":""}],"statistics":{"duration":20.41749},"version":"5.18.14"} \ No newline at end of file diff --git a/vanilla.threshold.yml b/vanilla.threshold.yml index 8b7b120..5996b0e 100644 --- a/vanilla.threshold.yml +++ b/vanilla.threshold.yml @@ -1,3 +1,3 @@ --- compliance.min: 5 -error.total.max: 8 +error.total.max: 0 From 2909a915f282700c1a4e7883012bc462a66fa74c Mon Sep 17 00:00:00 2001 From: aaronlippold Date: Thu, 8 Dec 2022 21:41:18 +0000 Subject: [PATCH 088/100] Updating profile.json in the repository --- profile.json | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/profile.json b/profile.json index 5342bf8..4af5a9c 100644 --- a/profile.json +++ b/profile.json @@ -471,7 +471,7 @@ "check": "Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \"logout\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \"logout\" key is bound to an action, is\ncommented out, or is missing, this is a finding.", "fix": "Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update" }, - "impact": 0.7, + "impact": 0, "refs": [], "tags": { "severity": "high ", @@ -487,7 +487,7 @@ "CM-6 b" ] }, - "code": "control 'SV-238379' do\n title \"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. \"\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \\\"logout\\\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \\\"logout\\\" key is bound to an action, is\ncommented out, or is missing, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238379 '\n tag rid: 'SV-238379r654312_rule '\n tag stig_id: 'UBTU-20-010459 '\n tag fix_id: 'F-41548r654311_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe command(\"grep -R logout='' /etc/dconf/db/local.d/\").stdout.strip.split(\"\\n\").entries do\n its('count') { should_not eq 0 }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n", + "code": "control 'SV-238379' do\n title \"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. \"\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \\\"logout\\\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \\\"logout\\\" key is bound to an action, is\ncommented out, or is missing, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238379 '\n tag rid: 'SV-238379r654312_rule '\n tag stig_id: 'UBTU-20-010459 '\n tag fix_id: 'F-41548r654311_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe command(\"grep -R logout='' /etc/dconf/db/local.d/\").stdout.strip.split(\"\\n\").entries do\n its('count') { should_not eq 0 }\n end\n else\n impact 0.0\n describe command('which Xorg').exit_status do\n skip('This control is Not Applicable since a GUI not installed.')\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238379.rb", "line": 1 @@ -814,7 +814,7 @@ "SC-8" ] }, - "code": "control 'SV-252704' do\n title 'The Ubuntu operating system must disable all wireless network adapters. '\n desc \"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required. \"\n desc 'check', \"Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding. \"\n desc 'fix', \"List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \\\"/etc/modprobe.d\\\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000481-GPOS-00481 '\n tag gid: 'V-252704 '\n tag rid: 'SV-252704r854182_rule '\n tag stig_id: 'UBTU-20-010455 '\n tag fix_id: 'F-56110r819056_fix '\n tag cci: ['CCI-002418']\n tag nist: ['SC-8']\n\n describe command('ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename') do\n its('stdout') { should be_in input('approved_wireless_interfaces') }\n end\nend\n", + "code": "control 'SV-252704' do\n title 'The Ubuntu operating system must disable all wireless network adapters. '\n desc \"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required. \"\n desc 'check', \"Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding. \"\n desc 'fix', \"List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \\\"/etc/modprobe.d\\\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000481-GPOS-00481 '\n tag gid: 'V-252704 '\n tag rid: 'SV-252704r854182_rule '\n tag stig_id: 'UBTU-20-010455 '\n tag fix_id: 'F-56110r819056_fix '\n tag cci: ['CCI-002418']\n tag nist: ['SC-8']\n\n describe command('ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename') do\n its('stdout.lines') { should be_in input('approved_wireless_interfaces') }\n end\nend\n", "source_location": { "ref": "./controls/SV-252704.rb", "line": 1 @@ -3210,7 +3210,7 @@ "check": "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding.", "fix": "Set the parameter Banner in \"/etc/ssh/sshd_config\" to point to the \"/etc/issue.net\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd" }, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "severity": "medium ", @@ -3238,7 +3238,7 @@ "AC-8 c 3" ] }, - "code": "control 'SV-238214' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. \"\n desc \"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\"\n\n \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\\\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Set the parameter Banner in \\\"/etc/ssh/sshd_config\\\" to point to the \\\"/etc/issue.net\\\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000228-GPOS-00088 '\n tag satisfies: %w(SRG-OS-000228-GPOS-00088 SRG-OS-000023-GPOS-00006)\n tag gid: 'V-238214 '\n tag rid: 'SV-238214r858525_rule '\n tag stig_id: 'UBTU-20-010038 '\n tag fix_id: 'F-41383r653816_fix '\n tag cci: %w(CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388)\n tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3']\n\n banner_text = input('banner_text')\n banner_files = [sshd_config.banner].flatten\n\n banner_files.each do |banner_file|\n if banner_file.nil?\n describe 'The SSHD Banner is not set' do\n subject { banner_file.nil? }\n it { should be false }\n end\n end\n if !banner_file.nil? && !banner_file.match(/none/i).nil?\n describe 'The SSHD Banner is disabled' do\n subject { banner_file.match(/none/i).nil? }\n it { should be true }\n end\n end\n if !banner_file.nil? && banner_file.match(/none/i).nil? && !file(banner_file).exist?\n describe 'The SSHD Banner is set, but, the file does not exist' do\n subject { file(banner_file).exist? }\n it { should be true }\n end\n end\n next unless !banner_file.nil? && banner_file.match(/none/i).nil? && file(banner_file).exist?\n\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n subject { file(banner_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n end\nend\n", + "code": "control 'SV-238214' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. \"\n desc \"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\"\n\n \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\\\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Set the parameter Banner in \\\"/etc/ssh/sshd_config\\\" to point to the \\\"/etc/issue.net\\\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000228-GPOS-00088 '\n tag satisfies: %w[SRG-OS-000228-GPOS-00088 SRG-OS-000023-GPOS-00006]\n tag gid: 'V-238214 '\n tag rid: 'SV-238214r858525_rule '\n tag stig_id: 'UBTU-20-010038 '\n tag fix_id: 'F-41383r653816_fix '\n tag cci: %w[CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388]\n tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3']\n\n if !service('sshd').enabled? or !package('sshd-server').installed? or virtualization.system.eql?('docker')\n impact 0.0\n describe 'This control is Not Applicable' do\n if virtualization.system.eql?('docker')\n skip 'This control is Not Applicable in a container and/or the SSHD server is not enabled'\n else\n skip 'This control is Not Applicable since the SSHD server is not enabled and/or installed'\n end\n end\n else\n banner_text = input('banner_text')\n banner_files = [sshd_config.banner].flatten\n\n banner_files.each do |banner_file|\n if banner_file.nil?\n describe 'The SSHD Banner is not set' do\n subject { banner_file.nil? }\n it { should be false }\n end\n end\n if !banner_file.nil? && !banner_file.match(/none/i).nil?\n describe 'The SSHD Banner is disabled' do\n subject { banner_file.match(/none/i).nil? }\n it { should be true }\n end\n end\n if !banner_file.nil? && banner_file.match(/none/i).nil? && !file(banner_file).exist?\n describe 'The SSHD Banner is set, but, the file does not exist' do\n subject { file(banner_file).exist? }\n it { should be true }\n end\n end\n next unless !banner_file.nil? && banner_file.match(/none/i).nil? && file(banner_file).exist?\n\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n subject { file(banner_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238214.rb", "line": 1 @@ -3820,7 +3820,7 @@ "SI-16" ] }, - "code": "control 'SV-238368' do\n title \"The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \\\"execute disable\\\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\\\"dmesg\\\" does not show \\\"NX (Execute Disable) protection: active\\\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \\\"flags\\\" does not contain the \\\"nx\\\" flag, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enable NX.\n\nIf \\\"nx\\\" is not showing up in\n\\\"/proc/cpuinfo\\\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \\\"enable\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00192 '\n tag gid: 'V-238368 '\n tag rid: 'SV-238368r853445_rule '\n tag stig_id: 'UBTU-20-010447 '\n tag fix_id: 'F-41537r654278_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/,\n }\n describe.one do\n describe command('dmesg | grep NX').stdout.strip do\n it { should match /.+(NX \\(Execute Disable\\) protection: active)/ }\n end\n describe parse_config_file('/proc/cpuinfo', options).flags.split(' ') do\n it { should include 'nx' }\n end\n end\nend\n", + "code": "control 'SV-238368' do\n title \"The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \\\"execute disable\\\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\\\"dmesg\\\" does not show \\\"NX (Execute Disable) protection: active\\\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \\\"flags\\\" does not contain the \\\"nx\\\" flag, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enable NX.\n\nIf \\\"nx\\\" is not showing up in\n\\\"/proc/cpuinfo\\\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \\\"enable\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00192 '\n tag gid: 'V-238368 '\n tag rid: 'SV-238368r853445_rule '\n tag stig_id: 'UBTU-20-010447 '\n tag fix_id: 'F-41537r654278_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/\n }\n describe.one do\n describe command('dmesg | grep NX').stdout.strip do\n it { should match(/.+(NX \\(Execute Disable\\) protection: active)/) }\n end\n describe parse_config_file('/proc/cpuinfo', options).flags.split(' ') do\n it { should include 'nx' }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238368.rb", "line": 1 @@ -4383,7 +4383,7 @@ "AU-14 (1)" ] }, - "code": "control 'SV-238299' do\n title 'The Ubuntu operating system must initiate session audits at system start-up. '\n desc \"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created. \"\n desc 'check', \"Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \\\"^\\\\s*linux\\\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \\\"audit=1\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\\\"/etc/default/grub\\\" file and add \\\"audit=1\\\" to the \\\"GRUB_CMDLINE_LINUX\\\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000254-GPOS-00095 '\n tag gid: 'V-238299 '\n tag rid: 'SV-238299r654072_rule '\n tag stig_id: 'UBTU-20-010198 '\n tag fix_id: 'F-41468r654071_fix '\n tag cci: ['CCI-001464']\n tag nist: ['AU-14 (1)']\n\n grub_entries = command('grep \"^\\s*linux\" /boot/grub/grub.cfg').stdout.strip.split(\"\\n\").entries\n\n grub_entries.each do |entry|\n describe entry do\n it { should include 'audit=1' }\n end\n end\nend\n", + "code": "control 'SV-238299' do\n title 'The Ubuntu operating system must initiate session audits at system start-up. '\n desc \"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created. \"\n desc 'check', \"Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \\\"^\\\\s*linux\\\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \\\"audit=1\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\\\"/etc/default/grub\\\" file and add \\\"audit=1\\\" to the \\\"GRUB_CMDLINE_LINUX\\\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000254-GPOS-00095 '\n tag gid: 'V-238299 '\n tag rid: 'SV-238299r654072_rule '\n tag stig_id: 'UBTU-20-010198 '\n tag fix_id: 'F-41468r654071_fix '\n tag cci: ['CCI-001464']\n tag nist: ['AU-14 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n grub_entries = command('grep \"^\\s*linux\" /boot/grub/grub.cfg').stdout.strip.split(\"\\n\").entries\n\n grub_entries.each do |entry|\n describe entry do\n it { should include 'audit=1' }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238299.rb", "line": 1 @@ -5274,7 +5274,7 @@ "CM-7 b" ] }, - "code": "control 'SV-238328' do\n title \"The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. \"\n desc \"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding. \"\n desc 'fix', \"Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \\\"in\\\" or \\\"out\\\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000096-GPOS-00050 '\n tag gid: 'V-238328 '\n tag rid: 'SV-238328r654159_rule '\n tag stig_id: 'UBTU-20-010407 '\n tag fix_id: 'F-41497r654158_fix '\n tag cci: ['CCI-000382']\n tag nist: ['CM-7 b']\n\n ufw_status = command('ufw status').stdout.strip.lines.first\n value = ufw_status.split(':')[1].strip\n\n describe 'UFW status' do\n subject { value }\n it { should cmp 'active' }\n end\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\nend\n", + "code": "control 'SV-238328' do\n title \"The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. \"\n desc \"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding. \"\n desc 'fix', \"Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \\\"in\\\" or \\\"out\\\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000096-GPOS-00050 '\n tag gid: 'V-238328 '\n tag rid: 'SV-238328r654159_rule '\n tag stig_id: 'UBTU-20-010407 '\n tag fix_id: 'F-41497r654158_fix '\n tag cci: ['CCI-000382']\n tag nist: ['CM-7 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n ufw_status = command('ufw status').stdout.strip.lines.first\n value = ufw_status.split(':')[1].strip\n\n describe 'UFW status' do\n subject { value }\n it { should cmp 'active' }\n end\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238328.rb", "line": 1 @@ -6862,7 +6862,7 @@ "id": "controls/SV-238293.rb" } ], - "sha256": "157f0c4d0e7c7d7e280aa4923b3e24c29ff1c61320f1fed00829180aadc7fdaf", + "sha256": "2bfd33126409b4b9ff0d79f720b1e814eaa7c6005f22e52cdf1d69d7897d93f5", "status_message": "", "status": "loaded", "generator": { From bb1240d778686c562035a30fc110b46554f25bce Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Thu, 8 Dec 2022 20:22:04 -0500 Subject: [PATCH 089/100] added suggested fix to ansible, ran cookstyle -a. added fips awareness for NA conditions, small style fixes Signed-off-by: Aaron Lippold --- controls/SV-238196.rb | 6 ++---- controls/SV-238197.rb | 3 ++- controls/SV-238199.rb | 1 + controls/SV-238201.rb | 9 +++++++-- controls/SV-238210.rb | 5 +++++ controls/SV-238214.rb | 4 ++-- controls/SV-238216.rb | 6 +++--- controls/SV-238217.rb | 6 +++--- controls/SV-238229.rb | 5 +++++ controls/SV-238233.rb | 5 +++++ controls/SV-238235.rb | 4 ++-- controls/SV-238237.rb | 2 +- controls/SV-238244.rb | 2 +- controls/SV-238329.rb | 2 +- controls/SV-238344.rb | 6 +++--- controls/SV-238345.rb | 6 +++--- controls/SV-238346.rb | 6 +++--- controls/SV-238357.rb | 2 +- controls/SV-238359.rb | 2 +- controls/SV-238363.rb | 2 +- controls/SV-238368.rb | 2 +- controls/SV-238370.rb | 4 ++-- controls/SV-238373.rb | 4 ++-- ec2.inputs.yml | 1 + inspec.yml | 5 +++++ .../ansible/roles/stig-hardening/tasks/common-sysctl.yml | 2 +- 26 files changed, 64 insertions(+), 38 deletions(-) diff --git a/controls/SV-238196.rb b/controls/SV-238196.rb index 65e98ae..7d8e9eb 100644 --- a/controls/SV-238196.rb +++ b/controls/SV-238196.rb @@ -51,9 +51,7 @@ tag cci: ['CCI-000016'] tag nist: ['AC-2 (2)'] - temporary_accounts = input('temporary_accounts') - - if temporary_accounts.empty? + if input('temporary_accounts').empty? describe 'Temporary accounts' do subject { temporary_accounts } it { should be_empty } @@ -61,7 +59,7 @@ else temporary_accounts.each do |acct| describe command("chage -l #{acct} | grep 'Account expires'") do - its('stdout.strip') { should_not match /:\s*never/ } + its('stdout.strip') { should_not match(/:\s*never/) } end end end diff --git a/controls/SV-238197.rb b/controls/SV-238197.rb index fbd6302..d9c54f3 100644 --- a/controls/SV-238197.rb +++ b/controls/SV-238197.rb @@ -96,10 +96,11 @@ tag nist: ['AC-8 a'] xorg_status = command('which Xorg').exit_status + if xorg_status == 0 describe 'banner-message-enable must be set to true' do subject { command('grep banner-message-enable /etc/dconf/db/local.d/*') } - its('stdout') { should match /(banner-message-enable).+=.+(true)/ } + its('stdout') { should match(/(banner-message-enable).+=.+(true)/) } end else describe command('which Xorg').exit_status do diff --git a/controls/SV-238199.rb b/controls/SV-238199.rb index 3d6875a..6e39025 100644 --- a/controls/SV-238199.rb +++ b/controls/SV-238199.rb @@ -53,6 +53,7 @@ tag nist: ['AC-11 b', 'AC-11 a'] xorg_status = command('which Xorg').exit_status + if xorg_status == 0 describe command('gsettings get org.gnome.desktop.screensaver lock-enabled') do its('stdout') { should cmp 'true' } diff --git a/controls/SV-238201.rb b/controls/SV-238201.rb index 3f2a6a8..21219b2 100644 --- a/controls/SV-238201.rb +++ b/controls/SV-238201.rb @@ -32,8 +32,13 @@ if virtualization.system.eql?('docker') impact 0.0 - describe 'Control not applicable to a container' do - skip 'Control not applicable to a container' + describe 'This control is Not Applicable inside a container' do + skip 'This control is Not Applicable inside a container' + end + elsif input('pki_disabled') + impact 0.0 + describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do + skip 'This system is not using PKI for authentication so the controls is Not Applicable.' end else config_file = '/etc/pam_pkcs11/pam_pkcs11.conf' diff --git a/controls/SV-238210.rb b/controls/SV-238210.rb index 0fff82e..24591b4 100644 --- a/controls/SV-238210.rb +++ b/controls/SV-238210.rb @@ -74,6 +74,11 @@ describe 'Control not applicable to a container' do skip 'Control not applicable to a container' end + elsif input('pki_disabled') + impact 0.0 + describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do + skip 'This system is not using PKI for authentication so the controls is Not Applicable.' + end else describe package('libpam-pkcs11') do it { should be_installed } diff --git a/controls/SV-238214.rb b/controls/SV-238214.rb index 6e90087..0db2b5b 100644 --- a/controls/SV-238214.rb +++ b/controls/SV-238214.rb @@ -149,12 +149,12 @@ impact 0.5 tag severity: 'medium ' tag gtitle: 'SRG-OS-000228-GPOS-00088 ' - tag satisfies: %w[SRG-OS-000228-GPOS-00088 SRG-OS-000023-GPOS-00006] + tag satisfies: %w(SRG-OS-000228-GPOS-00088 SRG-OS-000023-GPOS-00006) tag gid: 'V-238214 ' tag rid: 'SV-238214r858525_rule ' tag stig_id: 'UBTU-20-010038 ' tag fix_id: 'F-41383r653816_fix ' - tag cci: %w[CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388] + tag cci: %w(CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388) tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3'] if !service('sshd').enabled? or !package('sshd-server').installed? or virtualization.system.eql?('docker') diff --git a/controls/SV-238216.rb b/controls/SV-238216.rb index 8a45817..71528ba 100644 --- a/controls/SV-238216.rb +++ b/controls/SV-238216.rb @@ -54,12 +54,12 @@ impact 0.5 tag severity: 'medium ' tag gtitle: 'SRG-OS-000424-GPOS-00188 ' - tag satisfies: %w[SRG-OS-000424-GPOS-00188 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173] + tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173) tag gid: 'V-238216 ' tag rid: 'SV-238216r860820_rule ' tag stig_id: 'UBTU-20-010043 ' tag fix_id: 'F-41385r653822_fix ' - tag cci: %w[CCI-001453 CCI-002421 CCI-002890] + tag cci: %w(CCI-001453 CCI-002421 CCI-002890) tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)'] if input('disable_fips') @@ -77,7 +77,7 @@ @macs_array = @macs_array.first.split(',') unless @macs_array.nil? describe @macs_array do - it { should be_in %w[hmac-sha2-256 hmac-sha2-512] } + it { should be_in %w(hmac-sha2-256 hmac-sha2-512) } end end end diff --git a/controls/SV-238217.rb b/controls/SV-238217.rb index f9f6ab7..6f15df9 100644 --- a/controls/SV-238217.rb +++ b/controls/SV-238217.rb @@ -60,12 +60,12 @@ impact 0.5 tag severity: 'medium ' tag gtitle: 'SRG-OS-000424-GPOS-00188 ' - tag satisfies: %w[SRG-OS-000424-GPOS-00188 SRG-OS-000033-GPOS-00014 SRG-OS-000394-GPOS-00174] + tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000033-GPOS-00014 SRG-OS-000394-GPOS-00174) tag gid: 'V-238217 ' tag rid: 'SV-238217r860821_rule ' tag stig_id: 'UBTU-20-010044 ' tag fix_id: 'F-41386r653825_fix ' - tag cci: %w[CCI-000068 CCI-002421 CCI-003123] + tag cci: %w(CCI-000068 CCI-002421 CCI-003123) tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)'] if input('disable_fips') @@ -83,7 +83,7 @@ @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil? describe @ciphers_array do - it { should be_in %w[aes256-ctr aes192-ctr aes128-ctr] } + it { should be_in %w(aes256-ctr aes192-ctr aes128-ctr) } end end end diff --git a/controls/SV-238229.rb b/controls/SV-238229.rb index 5eca649..c13768a 100644 --- a/controls/SV-238229.rb +++ b/controls/SV-238229.rb @@ -70,6 +70,11 @@ module is being used via the \"use_pkcs11_module\" in \"/etc/pam_pkcs11/pam_pkcs describe 'Control not applicable to a container' do skip 'Control not applicable to a container' end + elsif input('pki_disabled') + impact 0.0 + describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do + skip 'This system is not using PKI for authentication so the controls is Not Applicable.' + end else config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist? if config_file_exists diff --git a/controls/SV-238233.rb b/controls/SV-238233.rb index fc0f1ad..8d945a4 100644 --- a/controls/SV-238233.rb +++ b/controls/SV-238233.rb @@ -45,6 +45,11 @@ describe 'Control not applicable to a container' do skip 'Control not applicable to a container' end + elsif input('pki_disabled') + impact 0.0 + describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do + skip 'This system is not using PKI for authentication so the controls is Not Applicable.' + end else config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist? if config_file_exists diff --git a/controls/SV-238235.rb b/controls/SV-238235.rb index c16a5ea..86cd624 100644 --- a/controls/SV-238235.rb +++ b/controls/SV-238235.rb @@ -83,8 +83,8 @@ describe command('grep pam_tally /etc/pam.d/common-auth') do its('exit_status') { should eq 0 } - its('stdout.strip') { should match /^\s*auth\s+required\s+pam_tally2.so\s+.*onerr=fail\s+deny=3($|\s+.*$)/ } - its('stdout.strip') { should_not match /^\s*auth\s+required\s+pam_tally2.so\s+.*onerr=fail\s+deny=3\s+.*unlock_time.*$/ } + its('stdout.strip') { should match(/^\s*auth\s+required\s+pam_tally2.so\s+.*onerr=fail\s+deny=3($|\s+.*$)/) } + its('stdout.strip') { should_not match(/^\s*auth\s+required\s+pam_tally2.so\s+.*onerr=fail\s+deny=3\s+.*unlock_time.*$/) } end end end diff --git a/controls/SV-238237.rb b/controls/SV-238237.rb index a984c61..43937c9 100644 --- a/controls/SV-238237.rb +++ b/controls/SV-238237.rb @@ -43,7 +43,7 @@ describe command('grep pam_faildelay /etc/pam.d/common-auth') do its('exit_status') { should eq 0 } - its('stdout.strip') { should match /^\s*auth\s+required\s+pam_faildelay.so\s+.*delay=([4-9][\d]{6,}|[1-9][\d]{7,}).*$/ } + its('stdout.strip') { should match(/^\s*auth\s+required\s+pam_faildelay.so\s+.*delay=([4-9][\d]{6,}|[1-9][\d]{7,}).*$/) } end file('/etc/pam.d/common-auth').content.to_s.scan(/^\s*auth\s+required\s+pam_faildelay.so\s+.*delay=(\d+).*$/).flatten.each do |entry| diff --git a/controls/SV-238244.rb b/controls/SV-238244.rb index 19d73f6..8b3e694 100644 --- a/controls/SV-238244.rb +++ b/controls/SV-238244.rb @@ -63,7 +63,7 @@ else describe auditd_conf do its('disk_full_action') { should_not be_empty } - its('disk_full_action') { should cmp /(?:SYSLOG|SINGLE|HALT)/i } + its('disk_full_action') { should cmp(/(?:SYSLOG|SINGLE|HALT)/i) } end end end diff --git a/controls/SV-238329.rb b/controls/SV-238329.rb index 346a80c..701dd43 100644 --- a/controls/SV-238329.rb +++ b/controls/SV-238329.rb @@ -53,6 +53,6 @@ end end describe command('passwd -S root').stdout.strip do - it { should match /^root\s+L\s+.*$/ } + it { should match(/^root\s+L\s+.*$/) } end end diff --git a/controls/SV-238344.rb b/controls/SV-238344.rb index cc68143..4b083ea 100644 --- a/controls/SV-238344.rb +++ b/controls/SV-238344.rb @@ -68,8 +68,8 @@ else describe "Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755" do - subject { valid_system_commands } - its('count') { should eq 0 } - end + subject { valid_system_commands } + its('count') { should eq 0 } + end end end diff --git a/controls/SV-238345.rb b/controls/SV-238345.rb index 67aa5bf..b6bedbf 100644 --- a/controls/SV-238345.rb +++ b/controls/SV-238345.rb @@ -67,8 +67,8 @@ else describe "Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root" do - subject { valid_system_commands } - its('count') { should eq 0 } - end + subject { valid_system_commands } + its('count') { should eq 0 } + end end end diff --git a/controls/SV-238346.rb b/controls/SV-238346.rb index 51fb94a..8ad1ade 100644 --- a/controls/SV-238346.rb +++ b/controls/SV-238346.rb @@ -68,8 +68,8 @@ else describe "Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root" do - subject { valid_system_commands } - its('count') { should eq 0 } - end + subject { valid_system_commands } + its('count') { should eq 0 } + end end end diff --git a/controls/SV-238357.rb b/controls/SV-238357.rb index 1862559..d75e7d6 100644 --- a/controls/SV-238357.rb +++ b/controls/SV-238357.rb @@ -56,7 +56,7 @@ if chrony_file.exist? describe chrony_file do subject { chrony_file } - its('content') { should match /^makestep 1 -1/ } + its('content') { should match(/^makestep 1 -1/) } end else describe(chrony_file_path + ' exists') do diff --git a/controls/SV-238359.rb b/controls/SV-238359.rb index bab5d01..040819e 100644 --- a/controls/SV-238359.rb +++ b/controls/SV-238359.rb @@ -68,7 +68,7 @@ apt_allowunauth.each do |line| describe "#{line} contains AllowUnauthenctication" do subject { line } - it { should_not match /.*false.*/ } + it { should_not match(/.*false.*/) } end end end diff --git a/controls/SV-238363.rb b/controls/SV-238363.rb index 96cf6c8..bba9dc7 100644 --- a/controls/SV-238363.rb +++ b/controls/SV-238363.rb @@ -30,7 +30,7 @@ impact 0.7 tag severity: 'high ' tag gtitle: 'SRG-OS-000396-GPOS-00176 ' - tag satisfies: %w[SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223] + tag satisfies: %w(SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223) tag gid: 'V-238363 ' tag rid: 'SV-238363r853438_rule ' tag stig_id: 'UBTU-20-010442 ' diff --git a/controls/SV-238368.rb b/controls/SV-238368.rb index f0a117e..6da4d16 100644 --- a/controls/SV-238368.rb +++ b/controls/SV-238368.rb @@ -47,7 +47,7 @@ end else options = { - assignment_regex: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/ + assignment_regex: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/, } describe.one do describe command('dmesg | grep NX').stdout.strip do diff --git a/controls/SV-238370.rb b/controls/SV-238370.rb index d1da2f9..58734b2 100644 --- a/controls/SV-238370.rb +++ b/controls/SV-238370.rb @@ -43,7 +43,7 @@ end describe command('grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades').stdout.strip do - it { should match /^\s*([^\s]*::Remove-Unused-Dependencies)\s*\"true\"\s*;$/ } - it { should match /^\s*([^\s]*::Remove-Unused-Kernel-Packages)\s*\"true\"\s*;$/ } + it { should match(/^\s*([^\s]*::Remove-Unused-Dependencies)\s*\"true\"\s*;$/) } + it { should match(/^\s*([^\s]*::Remove-Unused-Kernel-Packages)\s*\"true\"\s*;$/) } end end diff --git a/controls/SV-238373.rb b/controls/SV-238373.rb index 82cb0ff..3a64eda 100644 --- a/controls/SV-238373.rb +++ b/controls/SV-238373.rb @@ -47,8 +47,8 @@ else describe command('grep pam_lastlog /etc/pam.d/login') do its('exit_status') { should eq 0 } - its('stdout.strip') { should match /^\s*session\s+required\s+pam_lastlog.so/ } - its('stdout.strip') { should_not match /^\s*session\s+required\s+pam_lastlog.so[\s\w\d\=]+.*silent/ } + its('stdout.strip') { should match(/^\s*session\s+required\s+pam_lastlog.so/) } + its('stdout.strip') { should_not match(/^\s*session\s+required\s+pam_lastlog.so[\s\w\d\=]+.*silent/) } end end end diff --git a/ec2.inputs.yml b/ec2.inputs.yml index 0214a81..9e3af21 100644 --- a/ec2.inputs.yml +++ b/ec2.inputs.yml @@ -1,2 +1,3 @@ is_system_networked: true disable_fips: false +pki_disabled: true diff --git a/inspec.yml b/inspec.yml index 35c71b3..462cf28 100644 --- a/inspec.yml +++ b/inspec.yml @@ -158,4 +158,9 @@ inputs: - name: disable_fips description: Is fips disabled or enabled due to FIPS 140 image type: boolean + value: false + + - name: pki_disabled + description: Is PKI authentication used for this system + type: boolean value: false \ No newline at end of file diff --git a/spec/ansible/roles/stig-hardening/tasks/common-sysctl.yml b/spec/ansible/roles/stig-hardening/tasks/common-sysctl.yml index ca17084..94a0ba8 100644 --- a/spec/ansible/roles/stig-hardening/tasks/common-sysctl.yml +++ b/spec/ansible/roles/stig-hardening/tasks/common-sysctl.yml @@ -41,7 +41,7 @@ - name: kernel.panic_on_oops value: 1 when: - - install_protect_kernel_defaults + - install_protect_kernel_defaults | bool - name: "sysctl: fs.suid_dumpable" blockinfile: From adb6a4780ad0a425a03387b13af80f878f6628d4 Mon Sep 17 00:00:00 2001 From: aaronlippold Date: Fri, 9 Dec 2022 01:23:19 +0000 Subject: [PATCH 090/100] Updating profile.json in the repository --- profile.json | 55 +++++++++++++++++++++++++++++----------------------- 1 file changed, 31 insertions(+), 24 deletions(-) diff --git a/profile.json b/profile.json index 4af5a9c..1d7363e 100644 --- a/profile.json +++ b/profile.json @@ -194,6 +194,13 @@ "type": "Boolean", "value": false } + }, + { + "name": "pki_disabled", + "options": { + "type": "Boolean", + "value": false + } } ], "controls": [ @@ -385,7 +392,7 @@ "MA-4 (6)" ] }, - "code": "control 'SV-238217' do\n title \"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \\\"strongest to\nweakest\\\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \\\"aes256-ctr\\\",\n\\\"aes192-ctr\\\", or \\\"aes128-ctr\\\" are listed, the order differs from the example above, the\n\\\"Ciphers\\\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w[SRG-OS-000424-GPOS-00188 SRG-OS-000033-GPOS-00014 SRG-OS-000394-GPOS-00174]\n tag gid: 'V-238217 '\n tag rid: 'SV-238217r860821_rule '\n tag stig_id: 'UBTU-20-010044 '\n tag fix_id: 'F-41386r653825_fix '\n tag cci: %w[CCI-000068 CCI-002421 CCI-003123]\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n @ciphers_array = inspec.sshd_config.params['ciphers']\n\n @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil?\n\n describe @ciphers_array do\n it { should be_in %w[aes256-ctr aes192-ctr aes128-ctr] }\n end\n end\nend\n", + "code": "control 'SV-238217' do\n title \"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \\\"strongest to\nweakest\\\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \\\"aes256-ctr\\\",\n\\\"aes192-ctr\\\", or \\\"aes128-ctr\\\" are listed, the order differs from the example above, the\n\\\"Ciphers\\\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000033-GPOS-00014 SRG-OS-000394-GPOS-00174)\n tag gid: 'V-238217 '\n tag rid: 'SV-238217r860821_rule '\n tag stig_id: 'UBTU-20-010044 '\n tag fix_id: 'F-41386r653825_fix '\n tag cci: %w(CCI-000068 CCI-002421 CCI-003123)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n @ciphers_array = inspec.sshd_config.params['ciphers']\n\n @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil?\n\n describe @ciphers_array do\n it { should be_in %w(aes256-ctr aes192-ctr aes128-ctr) }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238217.rb", "line": 1 @@ -425,7 +432,7 @@ "MA-4 (6)" ] }, - "code": "control 'SV-238216' do\n title \"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \\\"hmac-sha2-512\\\" or\n\\\"hmac-sha2-256\\\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w[SRG-OS-000424-GPOS-00188 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173]\n tag gid: 'V-238216 '\n tag rid: 'SV-238216r860820_rule '\n tag stig_id: 'UBTU-20-010043 '\n tag fix_id: 'F-41385r653822_fix '\n tag cci: %w[CCI-001453 CCI-002421 CCI-002890]\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n @macs_array = inspec.sshd_config.params['macs']\n\n @macs_array = @macs_array.first.split(',') unless @macs_array.nil?\n\n describe @macs_array do\n it { should be_in %w[hmac-sha2-256 hmac-sha2-512] }\n end\n end\nend\n", + "code": "control 'SV-238216' do\n title \"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \\\"hmac-sha2-512\\\" or\n\\\"hmac-sha2-256\\\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173)\n tag gid: 'V-238216 '\n tag rid: 'SV-238216r860820_rule '\n tag stig_id: 'UBTU-20-010043 '\n tag fix_id: 'F-41385r653822_fix '\n tag cci: %w(CCI-001453 CCI-002421 CCI-002890)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n @macs_array = inspec.sshd_config.params['macs']\n\n @macs_array = @macs_array.first.split(',') unless @macs_array.nil?\n\n describe @macs_array do\n it { should be_in %w(hmac-sha2-256 hmac-sha2-512) }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238216.rb", "line": 1 @@ -456,7 +463,7 @@ "IA-2 (5)" ] }, - "code": "control 'SV-238329' do\n title 'The Ubuntu operating system must prevent direct login into the root account. '\n desc \"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\\\"root\\\" user account, the Windows \\\"Administrator\\\" account, the \\\"sa\\\" account, or a \\\"helpdesk\\\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge. \"\n desc 'check', \"Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \\\"L\\\" in the second field to indicate the account is locked, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000109-GPOS-00056 '\n tag gid: 'V-238329 '\n tag rid: 'SV-238329r654162_rule '\n tag stig_id: 'UBTU-20-010408 '\n tag fix_id: 'F-41498r654161_fix '\n tag cci: ['CCI-000770']\n tag nist: ['IA-2 (5)']\n\n describe.one do\n describe shadow.where(user: 'root') do\n its('passwords.uniq.first') { should eq '!*' }\n end\n end\n describe command('passwd -S root').stdout.strip do\n it { should match /^root\\s+L\\s+.*$/ }\n end\nend\n", + "code": "control 'SV-238329' do\n title 'The Ubuntu operating system must prevent direct login into the root account. '\n desc \"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\\\"root\\\" user account, the Windows \\\"Administrator\\\" account, the \\\"sa\\\" account, or a \\\"helpdesk\\\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge. \"\n desc 'check', \"Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \\\"L\\\" in the second field to indicate the account is locked, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000109-GPOS-00056 '\n tag gid: 'V-238329 '\n tag rid: 'SV-238329r654162_rule '\n tag stig_id: 'UBTU-20-010408 '\n tag fix_id: 'F-41498r654161_fix '\n tag cci: ['CCI-000770']\n tag nist: ['IA-2 (5)']\n\n describe.one do\n describe shadow.where(user: 'root') do\n its('passwords.uniq.first') { should eq '!*' }\n end\n end\n describe command('passwd -S root').stdout.strip do\n it { should match(/^root\\s+L\\s+.*$/) }\n end\nend\n", "source_location": { "ref": "./controls/SV-238329.rb", "line": 1 @@ -617,7 +624,7 @@ "IA-5 (2) (d)" ] }, - "code": "control 'SV-238233' do\n title \"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. \"\n desc \"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates). \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \\\"crl_offline\\\" or \\\"crl_auto\\\" is\npart of the \\\"cert_policy\\\" definition in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\\\"cert_policy\\\" is not set to include \\\"crl_auto\\\" or \\\"crl_offline\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\\\"cert_policy\\\" option in \\\"/etc/pam/_pkcs11/pam_pkcs11.conf\\\" to include \\\"crl_auto\\\" or\n\\\"crl_offline\\\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \\\"/etc/pam_pkcs11/\\\" directory and an \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find\nan example to copy into place and modify accordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000384-GPOS-00167 '\n tag gid: 'V-238233 '\n tag rid: 'SV-238233r853413_rule '\n tag stig_id: 'UBTU-20-010066 '\n tag fix_id: 'F-41402r653873_fix '\n tag cci: ['CCI-001991']\n tag nist: ['IA-5 (2) (d)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe.one do\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_auto' }\n end\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_offline' }\n end\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238233' do\n title \"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. \"\n desc \"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates). \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \\\"crl_offline\\\" or \\\"crl_auto\\\" is\npart of the \\\"cert_policy\\\" definition in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\\\"cert_policy\\\" is not set to include \\\"crl_auto\\\" or \\\"crl_offline\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\\\"cert_policy\\\" option in \\\"/etc/pam/_pkcs11/pam_pkcs11.conf\\\" to include \\\"crl_auto\\\" or\n\\\"crl_offline\\\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \\\"/etc/pam_pkcs11/\\\" directory and an \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find\nan example to copy into place and modify accordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000384-GPOS-00167 '\n tag gid: 'V-238233 '\n tag rid: 'SV-238233r853413_rule '\n tag stig_id: 'UBTU-20-010066 '\n tag fix_id: 'F-41402r653873_fix '\n tag cci: ['CCI-001991']\n tag nist: ['IA-5 (2) (d)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe.one do\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_auto' }\n end\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_offline' }\n end\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238233.rb", "line": 1 @@ -654,7 +661,7 @@ "AC-11 a" ] }, - "code": "control 'SV-238199' do\n title \"The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.\n\n \"\n desc 'check', \"Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \\\"lock-enabled\\\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \\\"lock-enabled\\\" is\nnot set to \\\"true\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \\\"lock-enabled\\\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000028-GPOS-00009 '\n tag satisfies: %w(SRG-OS-000028-GPOS-00009 SRG-OS-000029-GPOS-00010)\n tag gid: 'V-238199 '\n tag rid: 'SV-238199r653772_rule '\n tag stig_id: 'UBTU-20-010004 '\n tag fix_id: 'F-41368r653771_fix '\n tag cci: %w(CCI-000056 CCI-000057)\n tag nist: ['AC-11 b', 'AC-11 a']\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe command('gsettings get org.gnome.desktop.screensaver lock-enabled') do\n its('stdout') { should cmp 'true' }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n", + "code": "control 'SV-238199' do\n title \"The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.\n\n \"\n desc 'check', \"Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \\\"lock-enabled\\\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \\\"lock-enabled\\\" is\nnot set to \\\"true\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \\\"lock-enabled\\\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000028-GPOS-00009 '\n tag satisfies: %w(SRG-OS-000028-GPOS-00009 SRG-OS-000029-GPOS-00010)\n tag gid: 'V-238199 '\n tag rid: 'SV-238199r653772_rule '\n tag stig_id: 'UBTU-20-010004 '\n tag fix_id: 'F-41368r653771_fix '\n tag cci: %w(CCI-000056 CCI-000057)\n tag nist: ['AC-11 b', 'AC-11 a']\n\n xorg_status = command('which Xorg').exit_status\n\n if xorg_status == 0\n describe command('gsettings get org.gnome.desktop.screensaver lock-enabled') do\n its('stdout') { should cmp 'true' }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238199.rb", "line": 1 @@ -845,7 +852,7 @@ "AC-2 (2)" ] }, - "code": "control 'SV-238196' do\n title \"The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. \"\n desc \"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding. \"\n desc 'fix', \"If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\\\"system_account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\"\n+%F) system_account_name \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000002-GPOS-00002 '\n tag gid: 'V-238196 '\n tag rid: 'SV-238196r653763_rule '\n tag stig_id: 'UBTU-20-010000 '\n tag fix_id: 'F-41365r653762_fix '\n tag cci: ['CCI-000016']\n tag nist: ['AC-2 (2)']\n\n temporary_accounts = input('temporary_accounts')\n\n if temporary_accounts.empty?\n describe 'Temporary accounts' do\n subject { temporary_accounts }\n it { should be_empty }\n end\n else\n temporary_accounts.each do |acct|\n describe command(\"chage -l #{acct} | grep 'Account expires'\") do\n its('stdout.strip') { should_not match /:\\s*never/ }\n end\n end\n end\nend\n", + "code": "control 'SV-238196' do\n title \"The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. \"\n desc \"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding. \"\n desc 'fix', \"If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\\\"system_account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\"\n+%F) system_account_name \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000002-GPOS-00002 '\n tag gid: 'V-238196 '\n tag rid: 'SV-238196r653763_rule '\n tag stig_id: 'UBTU-20-010000 '\n tag fix_id: 'F-41365r653762_fix '\n tag cci: ['CCI-000016']\n tag nist: ['AC-2 (2)']\n\n if input('temporary_accounts').empty?\n describe 'Temporary accounts' do\n subject { temporary_accounts }\n it { should be_empty }\n end\n else\n temporary_accounts.each do |acct|\n describe command(\"chage -l #{acct} | grep 'Account expires'\") do\n its('stdout.strip') { should_not match(/:\\s*never/) }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238196.rb", "line": 1 @@ -876,7 +883,7 @@ "AU-9" ] }, - "code": "control 'SV-238344' do\n title \"The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \\\"%n %a\\\"\n'{}' \\\\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238344 '\n tag rid: 'SV-238344r654207_rule '\n tag stig_id: 'UBTU-20-010423 '\n tag fix_id: 'F-41513r654206_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or\n /usr/local/sbin, that are less permissive than 0755\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238344' do\n title \"The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \\\"%n %a\\\"\n'{}' \\\\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238344 '\n tag rid: 'SV-238344r654207_rule '\n tag stig_id: 'UBTU-20-010423 '\n tag fix_id: 'F-41513r654206_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or\n /usr/local/sbin, that are less permissive than 0755\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238344.rb", "line": 1 @@ -1160,7 +1167,7 @@ "CM-6 b" ] }, - "code": "control 'SV-238237' do\n title \"The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. \"\n desc \"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \\\"/etc/pam.d/common-auth\\\" and set\nthe parameter \\\"pam_faildelay\\\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00226 '\n tag gid: 'V-238237 '\n tag rid: 'SV-238237r653886_rule '\n tag stig_id: 'UBTU-20-010075 '\n tag fix_id: 'F-41406r653885_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_faildelay /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=([4-9][\\d]{6,}|[1-9][\\d]{7,}).*$/ }\n end\n\n file('/etc/pam.d/common-auth').content.to_s.scan(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=(\\d+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 4_000_000 }\n end\n end\n end\nend\n", + "code": "control 'SV-238237' do\n title \"The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. \"\n desc \"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \\\"/etc/pam.d/common-auth\\\" and set\nthe parameter \\\"pam_faildelay\\\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00226 '\n tag gid: 'V-238237 '\n tag rid: 'SV-238237r653886_rule '\n tag stig_id: 'UBTU-20-010075 '\n tag fix_id: 'F-41406r653885_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_faildelay /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=([4-9][\\d]{6,}|[1-9][\\d]{7,}).*$/) }\n end\n\n file('/etc/pam.d/common-auth').content.to_s.scan(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=(\\d+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 4_000_000 }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238237.rb", "line": 1 @@ -1373,7 +1380,7 @@ "AU-5 b" ] }, - "code": "control 'SV-238244' do\n title \"The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). \"\n desc \"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server. \"\n desc 'check', \"Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\\\"disk_full_action\\\" option is not \\\"SYSLOG\\\", \\\"SINGLE\\\", or \\\"HALT\\\", or the line is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \\\"disk_full_action\\\" can be set to \\\"SYSLOG\\\", \\\"HALT\\\" or \\\"SINGLE\\\") in\n\\\"/etc/audit/auditd.conf\\\" file:\n\ndisk_full_action = HALT\n\nRestart the \\\"auditd\\\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000047-GPOS-00023 '\n tag gid: 'V-238244 '\n tag rid: 'SV-238244r653907_rule '\n tag stig_id: 'UBTU-20-010118 '\n tag fix_id: 'F-41413r653906_fix '\n tag cci: ['CCI-000140']\n tag nist: ['AU-5 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe auditd_conf do\n its('disk_full_action') { should_not be_empty }\n its('disk_full_action') { should cmp /(?:SYSLOG|SINGLE|HALT)/i }\n end\n end\nend\n", + "code": "control 'SV-238244' do\n title \"The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). \"\n desc \"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server. \"\n desc 'check', \"Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\\\"disk_full_action\\\" option is not \\\"SYSLOG\\\", \\\"SINGLE\\\", or \\\"HALT\\\", or the line is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \\\"disk_full_action\\\" can be set to \\\"SYSLOG\\\", \\\"HALT\\\" or \\\"SINGLE\\\") in\n\\\"/etc/audit/auditd.conf\\\" file:\n\ndisk_full_action = HALT\n\nRestart the \\\"auditd\\\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000047-GPOS-00023 '\n tag gid: 'V-238244 '\n tag rid: 'SV-238244r653907_rule '\n tag stig_id: 'UBTU-20-010118 '\n tag fix_id: 'F-41413r653906_fix '\n tag cci: ['CCI-000140']\n tag nist: ['AU-5 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe auditd_conf do\n its('disk_full_action') { should_not be_empty }\n its('disk_full_action') { should cmp(/(?:SYSLOG|SINGLE|HALT)/i) }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238244.rb", "line": 1 @@ -2243,7 +2250,7 @@ "AC-8 a" ] }, - "code": "control 'SV-238197' do\n title \"The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \\\"false\\\", this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nLook for the\n\\\"banner-message-enable\\\" parameter under the \\\"[org/gnome/login-screen]\\\" section and\nuncomment it (remove the leading \\\"#\\\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238197 '\n tag rid: 'SV-238197r653766_rule '\n tag stig_id: 'UBTU-20-010002 '\n tag fix_id: 'F-41366r653765_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe 'banner-message-enable must be set to true' do\n subject { command('grep banner-message-enable /etc/dconf/db/local.d/*') }\n its('stdout') { should match /(banner-message-enable).+=.+(true)/ }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n", + "code": "control 'SV-238197' do\n title \"The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \\\"false\\\", this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nLook for the\n\\\"banner-message-enable\\\" parameter under the \\\"[org/gnome/login-screen]\\\" section and\nuncomment it (remove the leading \\\"#\\\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238197 '\n tag rid: 'SV-238197r653766_rule '\n tag stig_id: 'UBTU-20-010002 '\n tag fix_id: 'F-41366r653765_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n\n xorg_status = command('which Xorg').exit_status\n\n if xorg_status == 0\n describe 'banner-message-enable must be set to true' do\n subject { command('grep banner-message-enable /etc/dconf/db/local.d/*') }\n its('stdout') { should match(/(banner-message-enable).+=.+(true)/) }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238197.rb", "line": 1 @@ -2735,7 +2742,7 @@ "AU-8 (1) (b)" ] }, - "code": "control 'SV-238357' do\n title \"The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference. \"\n desc 'check', \"Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \\\"makestep\\\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \\\"1 -1\\\", this is a finding. \"\n desc 'fix', \"Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\\\"/etc/chrony/chrony.conf\\\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000356-GPOS-00144 '\n tag gid: 'V-238357 '\n tag rid: 'SV-238357r853432_rule '\n tag stig_id: 'UBTU-20-010436 '\n tag fix_id: 'F-41526r654245_fix '\n tag cci: ['CCI-002046']\n tag nist: ['AU-8 (1) (b)']\n\n chrony_file_path = input('chrony_config_file')\n chrony_file = file(chrony_file_path)\n\n if chrony_file.exist?\n describe chrony_file do\n subject { chrony_file }\n its('content') { should match /^makestep 1 -1/ }\n end\n else\n describe(chrony_file_path + ' exists') do\n subject { chrony_file.exist? }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238357' do\n title \"The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference. \"\n desc 'check', \"Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \\\"makestep\\\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \\\"1 -1\\\", this is a finding. \"\n desc 'fix', \"Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\\\"/etc/chrony/chrony.conf\\\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000356-GPOS-00144 '\n tag gid: 'V-238357 '\n tag rid: 'SV-238357r853432_rule '\n tag stig_id: 'UBTU-20-010436 '\n tag fix_id: 'F-41526r654245_fix '\n tag cci: ['CCI-002046']\n tag nist: ['AU-8 (1) (b)']\n\n chrony_file_path = input('chrony_config_file')\n chrony_file = file(chrony_file_path)\n\n if chrony_file.exist?\n describe chrony_file do\n subject { chrony_file }\n its('content') { should match(/^makestep 1 -1/) }\n end\n else\n describe(chrony_file_path + ' exists') do\n subject { chrony_file.exist? }\n it { should be true }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238357.rb", "line": 1 @@ -3020,7 +3027,7 @@ "IA-5 (2) (a) (2)" ] }, - "code": "control 'SV-238201' do\n title \"The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. \"\n desc \"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis. \"\n desc 'check', \"Verify that \\\"use_mappers\\\" is set to \\\"pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\\\"use_mappers\\\" is not found or the list does not contain \\\"pwent\\\" this is a finding. \"\n desc 'fix', \"Set \\\"use_mappers=pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000068-GPOS-00036 '\n tag gid: 'V-238201 '\n tag rid: 'SV-238201r832933_rule '\n tag stig_id: 'UBTU-20-010006 '\n tag fix_id: 'F-41370r653777_fix '\n tag cci: ['CCI-000187']\n tag nist: ['IA-5 (2) (a) (2)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = '/etc/pam_pkcs11/pam_pkcs11.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('use_mappers') { should cmp 'pwent' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238201' do\n title \"The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. \"\n desc \"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis. \"\n desc 'check', \"Verify that \\\"use_mappers\\\" is set to \\\"pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\\\"use_mappers\\\" is not found or the list does not contain \\\"pwent\\\" this is a finding. \"\n desc 'fix', \"Set \\\"use_mappers=pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000068-GPOS-00036 '\n tag gid: 'V-238201 '\n tag rid: 'SV-238201r832933_rule '\n tag stig_id: 'UBTU-20-010006 '\n tag fix_id: 'F-41370r653777_fix '\n tag cci: ['CCI-000187']\n tag nist: ['IA-5 (2) (a) (2)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'This control is Not Applicable inside a container' do\n skip 'This control is Not Applicable inside a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file = '/etc/pam_pkcs11/pam_pkcs11.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('use_mappers') { should cmp 'pwent' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238201.rb", "line": 1 @@ -3133,7 +3140,7 @@ "SC-13 b" ] }, - "code": "control 'SV-238363' do\n title \"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. \"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.\n\n \"\n desc 'check', \"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \\\"1\\\" is not returned, this is a finding. \"\n desc 'fix', \"Configure the system to run in FIPS mode. Add \\\"fips=1\\\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \\\"Ubuntu\nAdvantage\\\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000396-GPOS-00176 '\n tag satisfies: %w[SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223]\n tag gid: 'V-238363 '\n tag rid: 'SV-238363r853438_rule '\n tag stig_id: 'UBTU-20-010442 '\n tag fix_id: 'F-41532r654263_fix '\n tag cci: ['CCI-002450']\n tag nist: ['SC-13 b']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n config_file = input('fips_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe file(config_file) do\n its('content') { should match(/\\A1\\Z/) }\n end\n else\n describe('FIPS is enabled') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238363' do\n title \"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. \"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.\n\n \"\n desc 'check', \"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \\\"1\\\" is not returned, this is a finding. \"\n desc 'fix', \"Configure the system to run in FIPS mode. Add \\\"fips=1\\\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \\\"Ubuntu\nAdvantage\\\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000396-GPOS-00176 '\n tag satisfies: %w(SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223)\n tag gid: 'V-238363 '\n tag rid: 'SV-238363r853438_rule '\n tag stig_id: 'UBTU-20-010442 '\n tag fix_id: 'F-41532r654263_fix '\n tag cci: ['CCI-002450']\n tag nist: ['SC-13 b']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n config_file = input('fips_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe file(config_file) do\n its('content') { should match(/\\A1\\Z/) }\n end\n else\n describe('FIPS is enabled') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238363.rb", "line": 1 @@ -3238,7 +3245,7 @@ "AC-8 c 3" ] }, - "code": "control 'SV-238214' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. \"\n desc \"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\"\n\n \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\\\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Set the parameter Banner in \\\"/etc/ssh/sshd_config\\\" to point to the \\\"/etc/issue.net\\\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000228-GPOS-00088 '\n tag satisfies: %w[SRG-OS-000228-GPOS-00088 SRG-OS-000023-GPOS-00006]\n tag gid: 'V-238214 '\n tag rid: 'SV-238214r858525_rule '\n tag stig_id: 'UBTU-20-010038 '\n tag fix_id: 'F-41383r653816_fix '\n tag cci: %w[CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388]\n tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3']\n\n if !service('sshd').enabled? or !package('sshd-server').installed? or virtualization.system.eql?('docker')\n impact 0.0\n describe 'This control is Not Applicable' do\n if virtualization.system.eql?('docker')\n skip 'This control is Not Applicable in a container and/or the SSHD server is not enabled'\n else\n skip 'This control is Not Applicable since the SSHD server is not enabled and/or installed'\n end\n end\n else\n banner_text = input('banner_text')\n banner_files = [sshd_config.banner].flatten\n\n banner_files.each do |banner_file|\n if banner_file.nil?\n describe 'The SSHD Banner is not set' do\n subject { banner_file.nil? }\n it { should be false }\n end\n end\n if !banner_file.nil? && !banner_file.match(/none/i).nil?\n describe 'The SSHD Banner is disabled' do\n subject { banner_file.match(/none/i).nil? }\n it { should be true }\n end\n end\n if !banner_file.nil? && banner_file.match(/none/i).nil? && !file(banner_file).exist?\n describe 'The SSHD Banner is set, but, the file does not exist' do\n subject { file(banner_file).exist? }\n it { should be true }\n end\n end\n next unless !banner_file.nil? && banner_file.match(/none/i).nil? && file(banner_file).exist?\n\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n subject { file(banner_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n end\n end\nend\n", + "code": "control 'SV-238214' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. \"\n desc \"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\"\n\n \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\\\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Set the parameter Banner in \\\"/etc/ssh/sshd_config\\\" to point to the \\\"/etc/issue.net\\\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000228-GPOS-00088 '\n tag satisfies: %w(SRG-OS-000228-GPOS-00088 SRG-OS-000023-GPOS-00006)\n tag gid: 'V-238214 '\n tag rid: 'SV-238214r858525_rule '\n tag stig_id: 'UBTU-20-010038 '\n tag fix_id: 'F-41383r653816_fix '\n tag cci: %w(CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388)\n tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3']\n\n if !service('sshd').enabled? or !package('sshd-server').installed? or virtualization.system.eql?('docker')\n impact 0.0\n describe 'This control is Not Applicable' do\n if virtualization.system.eql?('docker')\n skip 'This control is Not Applicable in a container and/or the SSHD server is not enabled'\n else\n skip 'This control is Not Applicable since the SSHD server is not enabled and/or installed'\n end\n end\n else\n banner_text = input('banner_text')\n banner_files = [sshd_config.banner].flatten\n\n banner_files.each do |banner_file|\n if banner_file.nil?\n describe 'The SSHD Banner is not set' do\n subject { banner_file.nil? }\n it { should be false }\n end\n end\n if !banner_file.nil? && !banner_file.match(/none/i).nil?\n describe 'The SSHD Banner is disabled' do\n subject { banner_file.match(/none/i).nil? }\n it { should be true }\n end\n end\n if !banner_file.nil? && banner_file.match(/none/i).nil? && !file(banner_file).exist?\n describe 'The SSHD Banner is set, but, the file does not exist' do\n subject { file(banner_file).exist? }\n it { should be true }\n end\n end\n next unless !banner_file.nil? && banner_file.match(/none/i).nil? && file(banner_file).exist?\n\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n subject { file(banner_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238214.rb", "line": 1 @@ -3491,7 +3498,7 @@ "SI-2 (6)" ] }, - "code": "control 'SV-238370' do\n title \"The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. \"\n desc \"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system. \"\n desc 'check', \"Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\";\n\nIf the\n\\\"::Remove-Unused-Dependencies\\\" and \\\"::Remove-Unused-Kernel-Packages\\\" parameters are\nnot set to \\\"true\\\" or are missing or commented out, this is a finding. \"\n desc 'fix', \"Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\\\"/etc/apt/apt.conf.d/50unattended-upgrades\\\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000437-GPOS-00194 '\n tag gid: 'V-238370 '\n tag rid: 'SV-238370r853447_rule '\n tag stig_id: 'UBTU-20-010449 '\n tag fix_id: 'F-41539r654284_fix '\n tag cci: ['CCI-002617']\n tag nist: ['SI-2 (6)']\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n describe command('grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades').stdout.strip do\n it { should match /^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/ }\n it { should match /^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/ }\n end\nend\n", + "code": "control 'SV-238370' do\n title \"The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. \"\n desc \"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system. \"\n desc 'check', \"Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\";\n\nIf the\n\\\"::Remove-Unused-Dependencies\\\" and \\\"::Remove-Unused-Kernel-Packages\\\" parameters are\nnot set to \\\"true\\\" or are missing or commented out, this is a finding. \"\n desc 'fix', \"Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\\\"/etc/apt/apt.conf.d/50unattended-upgrades\\\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000437-GPOS-00194 '\n tag gid: 'V-238370 '\n tag rid: 'SV-238370r853447_rule '\n tag stig_id: 'UBTU-20-010449 '\n tag fix_id: 'F-41539r654284_fix '\n tag cci: ['CCI-002617']\n tag nist: ['SI-2 (6)']\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n describe command('grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades').stdout.strip do\n it { should match(/^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/) }\n it { should match(/^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/) }\n end\nend\n", "source_location": { "ref": "./controls/SV-238370.rb", "line": 1 @@ -3820,7 +3827,7 @@ "SI-16" ] }, - "code": "control 'SV-238368' do\n title \"The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \\\"execute disable\\\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\\\"dmesg\\\" does not show \\\"NX (Execute Disable) protection: active\\\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \\\"flags\\\" does not contain the \\\"nx\\\" flag, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enable NX.\n\nIf \\\"nx\\\" is not showing up in\n\\\"/proc/cpuinfo\\\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \\\"enable\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00192 '\n tag gid: 'V-238368 '\n tag rid: 'SV-238368r853445_rule '\n tag stig_id: 'UBTU-20-010447 '\n tag fix_id: 'F-41537r654278_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/\n }\n describe.one do\n describe command('dmesg | grep NX').stdout.strip do\n it { should match(/.+(NX \\(Execute Disable\\) protection: active)/) }\n end\n describe parse_config_file('/proc/cpuinfo', options).flags.split(' ') do\n it { should include 'nx' }\n end\n end\n end\nend\n", + "code": "control 'SV-238368' do\n title \"The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \\\"execute disable\\\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\\\"dmesg\\\" does not show \\\"NX (Execute Disable) protection: active\\\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \\\"flags\\\" does not contain the \\\"nx\\\" flag, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enable NX.\n\nIf \\\"nx\\\" is not showing up in\n\\\"/proc/cpuinfo\\\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \\\"enable\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00192 '\n tag gid: 'V-238368 '\n tag rid: 'SV-238368r853445_rule '\n tag stig_id: 'UBTU-20-010447 '\n tag fix_id: 'F-41537r654278_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/,\n }\n describe.one do\n describe command('dmesg | grep NX').stdout.strip do\n it { should match(/.+(NX \\(Execute Disable\\) protection: active)/) }\n end\n describe parse_config_file('/proc/cpuinfo', options).flags.split(' ') do\n it { should include 'nx' }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238368.rb", "line": 1 @@ -3913,7 +3920,7 @@ "IA-5 (2) (b) (1)" ] }, - "code": "control 'SV-238229' do\n title \"The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. \"\n desc \"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement. \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \\\"use_pkcs11_module\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\"\nand then ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to \\\"ca\\\" or the line is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \\\"use_pkcs11_module\\\" in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" and ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\".\n\nAdd or\nupdate the \\\"cert_policy\\\" to ensure \\\"ca\\\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000066-GPOS-00034 '\n tag gid: 'V-238229 '\n tag rid: 'SV-238229r653862_rule '\n tag stig_id: 'UBTU-20-010060 '\n tag fix_id: 'F-41398r653861_fix '\n tag cci: ['CCI-000185']\n tag nist: ['IA-5 (2) (b) (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('use_pkcs11_module') { should_not be_nil }\n its('cert_policy') { should include 'ca' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238229' do\n title \"The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. \"\n desc \"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement. \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \\\"use_pkcs11_module\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\"\nand then ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to \\\"ca\\\" or the line is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \\\"use_pkcs11_module\\\" in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" and ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\".\n\nAdd or\nupdate the \\\"cert_policy\\\" to ensure \\\"ca\\\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000066-GPOS-00034 '\n tag gid: 'V-238229 '\n tag rid: 'SV-238229r653862_rule '\n tag stig_id: 'UBTU-20-010060 '\n tag fix_id: 'F-41398r653861_fix '\n tag cci: ['CCI-000185']\n tag nist: ['IA-5 (2) (b) (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('use_pkcs11_module') { should_not be_nil }\n its('cert_policy') { should include 'ca' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238229.rb", "line": 1 @@ -4321,7 +4328,7 @@ "AC-7 b" ] }, - "code": "control 'SV-238235' do\n title \"The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. \"\n desc \"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.\n\n \"\n desc 'check', \"Verify that the Ubuntu operating system utilizes the \\\"pam_faillock\\\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \\\"/etc/pam.d/common-auth\\\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \\\"silent\\\" keyword is missing or commented out, this is a finding.\nIf the \\\"audit\\\"\nkeyword is missing or commented out, this is a finding.\nIf the \\\"deny\\\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \\\"fail_interval\\\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\\\"unlock_time\\\" keyword is missing, commented out, or not set to 0, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to utilize the \\\"pam_faillock\\\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \\\"auth\\\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \\\"pam_faillock\\\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000329-GPOS-00128 '\n tag satisfies: %w(SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005)\n tag gid: 'V-238235 '\n tag rid: 'SV-238235r853414_rule '\n tag stig_id: 'UBTU-20-010072 '\n tag fix_id: 'F-41404r802382_fix '\n tag cci: %w(CCI-000044 CCI-002238)\n tag nist: ['AC-7 a', 'AC-7 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_tally /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3($|\\s+.*$)/ }\n its('stdout.strip') { should_not match /^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3\\s+.*unlock_time.*$/ }\n end\n end\nend\n", + "code": "control 'SV-238235' do\n title \"The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. \"\n desc \"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.\n\n \"\n desc 'check', \"Verify that the Ubuntu operating system utilizes the \\\"pam_faillock\\\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \\\"/etc/pam.d/common-auth\\\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \\\"silent\\\" keyword is missing or commented out, this is a finding.\nIf the \\\"audit\\\"\nkeyword is missing or commented out, this is a finding.\nIf the \\\"deny\\\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \\\"fail_interval\\\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\\\"unlock_time\\\" keyword is missing, commented out, or not set to 0, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to utilize the \\\"pam_faillock\\\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \\\"auth\\\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \\\"pam_faillock\\\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000329-GPOS-00128 '\n tag satisfies: %w(SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005)\n tag gid: 'V-238235 '\n tag rid: 'SV-238235r853414_rule '\n tag stig_id: 'UBTU-20-010072 '\n tag fix_id: 'F-41404r802382_fix '\n tag cci: %w(CCI-000044 CCI-002238)\n tag nist: ['AC-7 a', 'AC-7 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_tally /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3($|\\s+.*$)/) }\n its('stdout.strip') { should_not match(/^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3\\s+.*unlock_time.*$/) }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238235.rb", "line": 1 @@ -4617,7 +4624,7 @@ "IA-2 (4)" ] }, - "code": "control 'SV-238210' do\n title \"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. \"\n desc \"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \\\"no\\\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \\\"pam_pkcs11.so\\\" in \\\"/etc/pam.d/common-auth\\\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\\\"PubkeyAuthentication yes\\\" in the \\\"/etc/ssh/sshd_config\\\" file. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000105-GPOS-00052 '\n tag satisfies: %w(SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055)\n tag gid: 'V-238210 '\n tag rid: 'SV-238210r858517_rule '\n tag stig_id: 'UBTU-20-010033 '\n tag fix_id: 'F-41379r653804_fix '\n tag cci: %w(CCI-000765 CCI-000766 CCI-000767 CCI-000768)\n tag nist: ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n\n describe sshd_config do\n its('PubkeyAuthentication') { should cmp 'yes' }\n end\n end\nend\n", + "code": "control 'SV-238210' do\n title \"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. \"\n desc \"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \\\"no\\\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \\\"pam_pkcs11.so\\\" in \\\"/etc/pam.d/common-auth\\\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\\\"PubkeyAuthentication yes\\\" in the \\\"/etc/ssh/sshd_config\\\" file. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000105-GPOS-00052 '\n tag satisfies: %w(SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055)\n tag gid: 'V-238210 '\n tag rid: 'SV-238210r858517_rule '\n tag stig_id: 'UBTU-20-010033 '\n tag fix_id: 'F-41379r653804_fix '\n tag cci: %w(CCI-000765 CCI-000766 CCI-000767 CCI-000768)\n tag nist: ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n\n describe sshd_config do\n its('PubkeyAuthentication') { should cmp 'yes' }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238210.rb", "line": 1 @@ -4834,7 +4841,7 @@ "AU-9" ] }, - "code": "control 'SV-238345' do\n title \"The Ubuntu operating system must have directories that contain system commands owned by\nroot. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system commands directories are returned, this is\na finding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -user root -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238345 '\n tag rid: 'SV-238345r654210_rule '\n tag stig_id: 'UBTU-20-010424 '\n tag fix_id: 'F-41514r654209_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238345' do\n title \"The Ubuntu operating system must have directories that contain system commands owned by\nroot. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system commands directories are returned, this is\na finding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -user root -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238345 '\n tag rid: 'SV-238345r654210_rule '\n tag stig_id: 'UBTU-20-010424 '\n tag fix_id: 'F-41514r654209_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238345.rb", "line": 1 @@ -5020,7 +5027,7 @@ "AU-9" ] }, - "code": "control 'SV-238346' do\n title \"The Ubuntu operating system must have directories that contain system commands group-owned\nby root. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238346 '\n tag rid: 'SV-238346r654213_rule '\n tag stig_id: 'UBTU-20-010425 '\n tag fix_id: 'F-41515r654212_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n # CHECK\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238346' do\n title \"The Ubuntu operating system must have directories that contain system commands group-owned\nby root. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238346 '\n tag rid: 'SV-238346r654213_rule '\n tag stig_id: 'UBTU-20-010425 '\n tag fix_id: 'F-41515r654212_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n # CHECK\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238346.rb", "line": 1 @@ -5429,7 +5436,7 @@ "CM-5 (3)" ] }, - "code": "control 'SV-238359' do\n title \"The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a certificate that is\nrecognized and approved by the organization. \"\n desc \"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA. \"\n desc 'check', \"Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \\\"AllowUnauthenticated\\\" variable is not set at all or is set to \\\"false\\\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \\\"false\\\";\n\n\nIf any of the files returned from the command with \\\"AllowUnauthenticated\\\" are set to \\\"true\\\",\nthis is a finding. \"\n desc 'fix', \"Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \\\"AllowUnauthenticated\\\" to \\\"false\\\",\nor remove \\\"AllowUnauthenticated\\\" entirely from each file. Below is an example of setting the\n\\\"AllowUnauthenticated\\\" variable to \\\"false\\\":\n\nAPT::Get::AllowUnauthenticated\n\\\"false\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000366-GPOS-00153 '\n tag gid: 'V-238359 '\n tag rid: 'SV-238359r853434_rule '\n tag stig_id: 'UBTU-20-010438 '\n tag fix_id: 'F-41528r654251_fix '\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n apt_allowunauth = command('grep -i allowunauth /etc/apt/apt.conf.d/*').stdout.strip.split(\"\\n\")\n if apt_allowunauth.empty?\n describe 'apt conf files do not contain AllowUnauthenticated' do\n subject { apt_allowunauth.empty? }\n it { should be true }\n end\n else\n apt_allowunauth.each do |line|\n describe \"#{line} contains AllowUnauthenctication\" do\n subject { line }\n it { should_not match /.*false.*/ }\n end\n end\n end\nend\n", + "code": "control 'SV-238359' do\n title \"The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a certificate that is\nrecognized and approved by the organization. \"\n desc \"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA. \"\n desc 'check', \"Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \\\"AllowUnauthenticated\\\" variable is not set at all or is set to \\\"false\\\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \\\"false\\\";\n\n\nIf any of the files returned from the command with \\\"AllowUnauthenticated\\\" are set to \\\"true\\\",\nthis is a finding. \"\n desc 'fix', \"Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \\\"AllowUnauthenticated\\\" to \\\"false\\\",\nor remove \\\"AllowUnauthenticated\\\" entirely from each file. Below is an example of setting the\n\\\"AllowUnauthenticated\\\" variable to \\\"false\\\":\n\nAPT::Get::AllowUnauthenticated\n\\\"false\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000366-GPOS-00153 '\n tag gid: 'V-238359 '\n tag rid: 'SV-238359r853434_rule '\n tag stig_id: 'UBTU-20-010438 '\n tag fix_id: 'F-41528r654251_fix '\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n apt_allowunauth = command('grep -i allowunauth /etc/apt/apt.conf.d/*').stdout.strip.split(\"\\n\")\n if apt_allowunauth.empty?\n describe 'apt conf files do not contain AllowUnauthenticated' do\n subject { apt_allowunauth.empty? }\n it { should be true }\n end\n else\n apt_allowunauth.each do |line|\n describe \"#{line} contains AllowUnauthenctication\" do\n subject { line }\n it { should_not match(/.*false.*/) }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238359.rb", "line": 1 @@ -5621,7 +5628,7 @@ "AC-9" ] }, - "code": "control 'SV-238373' do\n title \"The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. \"\n desc \"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections. \"\n desc 'check', \"Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\\\"pam_lastlog\\\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \\\"pam_lastlog\\\" is\nmissing from \\\"/etc/pam.d/login\\\" file, is not \\\"required\\\", or the \\\"silent\\\" option is present,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\\\"/etc/pam.d/login\\\".\n\nAdd the following line to the top of \\\"/etc/pam.d/login\\\":\n\nsession\nrequired pam_lastlog.so showfailed \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238373 '\n tag rid: 'SV-238373r858539_rule '\n tag stig_id: 'UBTU-20-010453 '\n tag fix_id: 'F-41542r654293_fix '\n tag cci: ['CCI-000052']\n tag nist: ['AC-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep pam_lastlog /etc/pam.d/login') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match /^\\s*session\\s+required\\s+pam_lastlog.so/ }\n its('stdout.strip') { should_not match /^\\s*session\\s+required\\s+pam_lastlog.so[\\s\\w\\d\\=]+.*silent/ }\n end\n end\nend\n", + "code": "control 'SV-238373' do\n title \"The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. \"\n desc \"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections. \"\n desc 'check', \"Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\\\"pam_lastlog\\\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \\\"pam_lastlog\\\" is\nmissing from \\\"/etc/pam.d/login\\\" file, is not \\\"required\\\", or the \\\"silent\\\" option is present,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\\\"/etc/pam.d/login\\\".\n\nAdd the following line to the top of \\\"/etc/pam.d/login\\\":\n\nsession\nrequired pam_lastlog.so showfailed \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238373 '\n tag rid: 'SV-238373r858539_rule '\n tag stig_id: 'UBTU-20-010453 '\n tag fix_id: 'F-41542r654293_fix '\n tag cci: ['CCI-000052']\n tag nist: ['AC-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep pam_lastlog /etc/pam.d/login') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*session\\s+required\\s+pam_lastlog.so/) }\n its('stdout.strip') { should_not match(/^\\s*session\\s+required\\s+pam_lastlog.so[\\s\\w\\d\\=]+.*silent/) }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238373.rb", "line": 1 @@ -6862,7 +6869,7 @@ "id": "controls/SV-238293.rb" } ], - "sha256": "2bfd33126409b4b9ff0d79f720b1e814eaa7c6005f22e52cdf1d69d7897d93f5", + "sha256": "fb3e7deae766ca26501097356f301b826f94097b8f2ab92d930f78b730eba8b1", "status_message": "", "status": "loaded", "generator": { From 6a7450e1b397179e4c0dda195a274f9baae903fd Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Thu, 8 Dec 2022 20:52:57 -0500 Subject: [PATCH 091/100] fixed missing input defn Signed-off-by: Aaron Lippold --- controls/SV-238196.rb | 2 +- hardened.json | 1 + vanilla.json | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 hardened.json create mode 100644 vanilla.json diff --git a/controls/SV-238196.rb b/controls/SV-238196.rb index 7d8e9eb..b53f2fd 100644 --- a/controls/SV-238196.rb +++ b/controls/SV-238196.rb @@ -53,7 +53,7 @@ if input('temporary_accounts').empty? describe 'Temporary accounts' do - subject { temporary_accounts } + subject { input('temporary_accounts') } it { should be_empty } end else diff --git a/hardened.json b/hardened.json new file mode 100644 index 0000000..5f3a1c8 --- /dev/null +++ b/hardened.json @@ -0,0 +1 @@ +{"platform":{"name":"ubuntu","release":"20.04","target_id":"da39a3ee-5e6b-5b0d-b255-bfef95601890"},"profiles":[{"name":"Canonical_Ubuntu_20-04_LTS_STIG","version":"0.1.0","sha256":"4c6fcd4075dfd8c5d6674624d6b3b02e38d310555aa685100b5e6d116318f4b6","title":"Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide","maintainer":"Nitin Ravindran","summary":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.","license":"Apache-2.0","copyright":"Nitin Ravindran","copyright_email":"nravindran@vmware.com","supports":[{"platform-name":"ubuntu","release":"20.04"}],"attributes":[{"name":"temporary_accounts","options":{"type":"Array","value":[]}},{"name":"banner_text","options":{"type":"String","value":"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."}},{"name":"sudo_accounts","options":{"type":"Array","value":["ubuntu"]}},{"name":"tmout","options":{"type":"Numeric","value":600}},{"name":"action_mail_acct","options":{"type":"String","value":"root"}},{"name":"audit_tools","options":{"type":"Array","value":["/sbin/auditctl","/sbin/aureport","/sbin/ausearch","/sbin/autrace","/sbin/auditd","/sbin/audispd","/sbin/augenrules"]}},{"name":"standard_audit_log_size","options":{"type":"Numeric","value":8894028}},{"name":"aide_conf_path","options":{"type":"String","value":"/etc/aide/aide.conf"}},{"name":"maxlogins","options":{"type":"Numeric","value":10}},{"name":"is_kdump_required","options":{"type":"Boolean","value":false}},{"name":"is_system_networked","options":{"type":"Boolean","value":true}},{"name":"sssd_conf_path","options":{"type":"String","value":"/etc/sssd/sssd.conf"}},{"name":"allowed_ca_fingerprints_regex","options":{"type":"String","value":"(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)"}},{"name":"allowed_network_interfaces","options":{"type":"Array","value":["lo","eth0"]}},{"name":"audit_sp_remote_server","options":{"type":"String","value":"192.0.0.1"}},{"name":"approved_wireless_interfaces","options":{"type":"Array","value":[]}},{"name":"fips_config_file","options":{"type":"String","value":"/proc/sys/crypto/fips_enabled"}},{"name":"chrony_config_file","options":{"type":"String","value":"/etc/chrony/chrony.conf"}},{"name":"useradd_config_file","options":{"type":"String","value":"/etc/default/useradd"}},{"name":"rsyslog_config_file","options":{"type":"String","value":"/etc/rsyslog.d/50-default.conf"}},{"name":"auditoffload_config_file","options":{"type":"String","value":"/etc/cron.weekly/audit-offload"}},{"name":"audispremote_config_file","options":{"type":"String","value":"/etc/audisp/plugins.d/au-remote.conf"}},{"name":"gdm3_config_file","options":{"type":"String","value":"/etc/gdm3/greeter.dconf-defaults"}},{"name":"disable_fips","options":{"type":"Boolean","value":false}},{"name":"pki_disabled","options":{"type":"Boolean","value":false}}],"groups":[{"id":"controls/SV-238196.rb","controls":["SV-238196"]},{"id":"controls/SV-238197.rb","controls":["SV-238197"]},{"id":"controls/SV-238198.rb","controls":["SV-238198"]},{"id":"controls/SV-238199.rb","controls":["SV-238199"]},{"id":"controls/SV-238200.rb","controls":["SV-238200"]},{"id":"controls/SV-238201.rb","controls":["SV-238201"]},{"id":"controls/SV-238202.rb","controls":["SV-238202"]},{"id":"controls/SV-238203.rb","controls":["SV-238203"]},{"id":"controls/SV-238204.rb","controls":["SV-238204"]},{"id":"controls/SV-238205.rb","controls":["SV-238205"]},{"id":"controls/SV-238206.rb","controls":["SV-238206"]},{"id":"controls/SV-238207.rb","controls":["SV-238207"]},{"id":"controls/SV-238208.rb","controls":["SV-238208"]},{"id":"controls/SV-238209.rb","controls":["SV-238209"]},{"id":"controls/SV-238210.rb","controls":["SV-238210"]},{"id":"controls/SV-238211.rb","controls":["SV-238211"]},{"id":"controls/SV-238212.rb","controls":["SV-238212"]},{"id":"controls/SV-238213.rb","controls":["SV-238213"]},{"id":"controls/SV-238214.rb","controls":["SV-238214"]},{"id":"controls/SV-238215.rb","controls":["SV-238215"]},{"id":"controls/SV-238216.rb","controls":["SV-238216"]},{"id":"controls/SV-238217.rb","controls":["SV-238217"]},{"id":"controls/SV-238218.rb","controls":["SV-238218"]},{"id":"controls/SV-238219.rb","controls":["SV-238219"]},{"id":"controls/SV-238220.rb","controls":["SV-238220"]},{"id":"controls/SV-238221.rb","controls":["SV-238221"]},{"id":"controls/SV-238222.rb","controls":["SV-238222"]},{"id":"controls/SV-238223.rb","controls":["SV-238223"]},{"id":"controls/SV-238224.rb","controls":["SV-238224"]},{"id":"controls/SV-238225.rb","controls":["SV-238225"]},{"id":"controls/SV-238226.rb","controls":["SV-238226"]},{"id":"controls/SV-238227.rb","controls":["SV-238227"]},{"id":"controls/SV-238228.rb","controls":["SV-238228"]},{"id":"controls/SV-238229.rb","controls":["SV-238229"]},{"id":"controls/SV-238230.rb","controls":["SV-238230"]},{"id":"controls/SV-238231.rb","controls":["SV-238231"]},{"id":"controls/SV-238232.rb","controls":["SV-238232"]},{"id":"controls/SV-238233.rb","controls":["SV-238233"]},{"id":"controls/SV-238234.rb","controls":["SV-238234"]},{"id":"controls/SV-238235.rb","controls":["SV-238235"]},{"id":"controls/SV-238236.rb","controls":["SV-238236"]},{"id":"controls/SV-238237.rb","controls":["SV-238237"]},{"id":"controls/SV-238238.rb","controls":["SV-238238"]},{"id":"controls/SV-238239.rb","controls":["SV-238239"]},{"id":"controls/SV-238240.rb","controls":["SV-238240"]},{"id":"controls/SV-238241.rb","controls":["SV-238241"]},{"id":"controls/SV-238242.rb","controls":["SV-238242"]},{"id":"controls/SV-238243.rb","controls":["SV-238243"]},{"id":"controls/SV-238244.rb","controls":["SV-238244"]},{"id":"controls/SV-238245.rb","controls":["SV-238245"]},{"id":"controls/SV-238246.rb","controls":["SV-238246"]},{"id":"controls/SV-238247.rb","controls":["SV-238247"]},{"id":"controls/SV-238248.rb","controls":["SV-238248"]},{"id":"controls/SV-238249.rb","controls":["SV-238249"]},{"id":"controls/SV-238250.rb","controls":["SV-238250"]},{"id":"controls/SV-238251.rb","controls":["SV-238251"]},{"id":"controls/SV-238252.rb","controls":["SV-238252"]},{"id":"controls/SV-238253.rb","controls":["SV-238253"]},{"id":"controls/SV-238254.rb","controls":["SV-238254"]},{"id":"controls/SV-238255.rb","controls":["SV-238255"]},{"id":"controls/SV-238256.rb","controls":["SV-238256"]},{"id":"controls/SV-238257.rb","controls":["SV-238257"]},{"id":"controls/SV-238258.rb","controls":["SV-238258"]},{"id":"controls/SV-238264.rb","controls":["SV-238264"]},{"id":"controls/SV-238268.rb","controls":["SV-238268"]},{"id":"controls/SV-238271.rb","controls":["SV-238271"]},{"id":"controls/SV-238277.rb","controls":["SV-238277"]},{"id":"controls/SV-238278.rb","controls":["SV-238278"]},{"id":"controls/SV-238279.rb","controls":["SV-238279"]},{"id":"controls/SV-238280.rb","controls":["SV-238280"]},{"id":"controls/SV-238281.rb","controls":["SV-238281"]},{"id":"controls/SV-238282.rb","controls":["SV-238282"]},{"id":"controls/SV-238283.rb","controls":["SV-238283"]},{"id":"controls/SV-238284.rb","controls":["SV-238284"]},{"id":"controls/SV-238285.rb","controls":["SV-238285"]},{"id":"controls/SV-238286.rb","controls":["SV-238286"]},{"id":"controls/SV-238287.rb","controls":["SV-238287"]},{"id":"controls/SV-238288.rb","controls":["SV-238288"]},{"id":"controls/SV-238289.rb","controls":["SV-238289"]},{"id":"controls/SV-238290.rb","controls":["SV-238290"]},{"id":"controls/SV-238291.rb","controls":["SV-238291"]},{"id":"controls/SV-238292.rb","controls":["SV-238292"]},{"id":"controls/SV-238293.rb","controls":["SV-238293"]},{"id":"controls/SV-238294.rb","controls":["SV-238294"]},{"id":"controls/SV-238295.rb","controls":["SV-238295"]},{"id":"controls/SV-238297.rb","controls":["SV-238297"]},{"id":"controls/SV-238298.rb","controls":["SV-238298"]},{"id":"controls/SV-238299.rb","controls":["SV-238299"]},{"id":"controls/SV-238300.rb","controls":["SV-238300"]},{"id":"controls/SV-238301.rb","controls":["SV-238301"]},{"id":"controls/SV-238302.rb","controls":["SV-238302"]},{"id":"controls/SV-238303.rb","controls":["SV-238303"]},{"id":"controls/SV-238304.rb","controls":["SV-238304"]},{"id":"controls/SV-238305.rb","controls":["SV-238305"]},{"id":"controls/SV-238306.rb","controls":["SV-238306"]},{"id":"controls/SV-238307.rb","controls":["SV-238307"]},{"id":"controls/SV-238308.rb","controls":["SV-238308"]},{"id":"controls/SV-238309.rb","controls":["SV-238309"]},{"id":"controls/SV-238310.rb","controls":["SV-238310"]},{"id":"controls/SV-238315.rb","controls":["SV-238315"]},{"id":"controls/SV-238316.rb","controls":["SV-238316"]},{"id":"controls/SV-238317.rb","controls":["SV-238317"]},{"id":"controls/SV-238318.rb","controls":["SV-238318"]},{"id":"controls/SV-238319.rb","controls":["SV-238319"]},{"id":"controls/SV-238320.rb","controls":["SV-238320"]},{"id":"controls/SV-238321.rb","controls":["SV-238321"]},{"id":"controls/SV-238323.rb","controls":["SV-238323"]},{"id":"controls/SV-238324.rb","controls":["SV-238324"]},{"id":"controls/SV-238325.rb","controls":["SV-238325"]},{"id":"controls/SV-238326.rb","controls":["SV-238326"]},{"id":"controls/SV-238327.rb","controls":["SV-238327"]},{"id":"controls/SV-238328.rb","controls":["SV-238328"]},{"id":"controls/SV-238329.rb","controls":["SV-238329"]},{"id":"controls/SV-238330.rb","controls":["SV-238330"]},{"id":"controls/SV-238331.rb","controls":["SV-238331"]},{"id":"controls/SV-238332.rb","controls":["SV-238332"]},{"id":"controls/SV-238333.rb","controls":["SV-238333"]},{"id":"controls/SV-238334.rb","controls":["SV-238334"]},{"id":"controls/SV-238335.rb","controls":["SV-238335"]},{"id":"controls/SV-238336.rb","controls":["SV-238336"]},{"id":"controls/SV-238337.rb","controls":["SV-238337"]},{"id":"controls/SV-238338.rb","controls":["SV-238338"]},{"id":"controls/SV-238339.rb","controls":["SV-238339"]},{"id":"controls/SV-238340.rb","controls":["SV-238340"]},{"id":"controls/SV-238341.rb","controls":["SV-238341"]},{"id":"controls/SV-238342.rb","controls":["SV-238342"]},{"id":"controls/SV-238343.rb","controls":["SV-238343"]},{"id":"controls/SV-238344.rb","controls":["SV-238344"]},{"id":"controls/SV-238345.rb","controls":["SV-238345"]},{"id":"controls/SV-238346.rb","controls":["SV-238346"]},{"id":"controls/SV-238347.rb","controls":["SV-238347"]},{"id":"controls/SV-238348.rb","controls":["SV-238348"]},{"id":"controls/SV-238349.rb","controls":["SV-238349"]},{"id":"controls/SV-238350.rb","controls":["SV-238350"]},{"id":"controls/SV-238351.rb","controls":["SV-238351"]},{"id":"controls/SV-238352.rb","controls":["SV-238352"]},{"id":"controls/SV-238353.rb","controls":["SV-238353"]},{"id":"controls/SV-238354.rb","controls":["SV-238354"]},{"id":"controls/SV-238355.rb","controls":["SV-238355"]},{"id":"controls/SV-238356.rb","controls":["SV-238356"]},{"id":"controls/SV-238357.rb","controls":["SV-238357"]},{"id":"controls/SV-238358.rb","controls":["SV-238358"]},{"id":"controls/SV-238359.rb","controls":["SV-238359"]},{"id":"controls/SV-238360.rb","controls":["SV-238360"]},{"id":"controls/SV-238361.rb","controls":["SV-238361"]},{"id":"controls/SV-238362.rb","controls":["SV-238362"]},{"id":"controls/SV-238363.rb","controls":["SV-238363"]},{"id":"controls/SV-238364.rb","controls":["SV-238364"]},{"id":"controls/SV-238365.rb","controls":["SV-238365"]},{"id":"controls/SV-238366.rb","controls":["SV-238366"]},{"id":"controls/SV-238367.rb","controls":["SV-238367"]},{"id":"controls/SV-238368.rb","controls":["SV-238368"]},{"id":"controls/SV-238369.rb","controls":["SV-238369"]},{"id":"controls/SV-238370.rb","controls":["SV-238370"]},{"id":"controls/SV-238371.rb","controls":["SV-238371"]},{"id":"controls/SV-238372.rb","controls":["SV-238372"]},{"id":"controls/SV-238373.rb","controls":["SV-238373"]},{"id":"controls/SV-238374.rb","controls":["SV-238374"]},{"id":"controls/SV-238376.rb","controls":["SV-238376"]},{"id":"controls/SV-238377.rb","controls":["SV-238377"]},{"id":"controls/SV-238378.rb","controls":["SV-238378"]},{"id":"controls/SV-238379.rb","controls":["SV-238379"]},{"id":"controls/SV-238380.rb","controls":["SV-238380"]},{"id":"controls/SV-251503.rb","controls":["SV-251503"]},{"id":"controls/SV-251504.rb","controls":["SV-251504"]},{"id":"controls/SV-251505.rb","controls":["SV-251505"]},{"id":"controls/SV-252704.rb","controls":["SV-252704"]}],"controls":[{"id":"SV-238196","title":"The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. ","desc":"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements.","descriptions":[{"label":"default","data":"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements."},{"label":"check","data":"Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding."},{"label":"fix","data":"If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\"system_account_name\" with the account to be created.\n\n$ sudo chage -E $(date -d \"+3 days\"\n+%F) system_account_name"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000002-GPOS-00002 ","gid":"V-238196 ","rid":"SV-238196r653763_rule ","stig_id":"UBTU-20-010000 ","fix_id":"F-41365r653762_fix ","cci":["CCI-000016"],"nist":["AC-2 (2)"]},"code":"control 'SV-238196' do\n title \"The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. \"\n desc \"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding. \"\n desc 'fix', \"If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\\\"system_account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\"\n+%F) system_account_name \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000002-GPOS-00002 '\n tag gid: 'V-238196 '\n tag rid: 'SV-238196r653763_rule '\n tag stig_id: 'UBTU-20-010000 '\n tag fix_id: 'F-41365r653762_fix '\n tag cci: ['CCI-000016']\n tag nist: ['AC-2 (2)']\n\n if input('temporary_accounts').empty?\n describe 'Temporary accounts' do\n subject { input('temporary_accounts') }\n it { should be_empty }\n end\n else\n temporary_accounts.each do |acct|\n describe command(\"chage -l #{acct} | grep 'Account expires'\") do\n its('stdout.strip') { should_not match(/:\\s*never/) }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238196.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Temporary accounts is expected to be empty","run_time":0.003399,"start_time":"2022-12-08T20:52:31-05:00","resource_class":"Object","resource_params":"[]","resource_id":"Temporary accounts"}]},{"id":"SV-238197","title":"The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. ","desc":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"","descriptions":[{"label":"default","data":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\""},{"label":"check","data":"Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \"false\", this is a finding."},{"label":"fix","data":"Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.\n\nLook for the\n\"banner-message-enable\" parameter under the \"[org/gnome/login-screen]\" section and\nuncomment it (remove the leading \"#\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000023-GPOS-00006 ","gid":"V-238197 ","rid":"SV-238197r653766_rule ","stig_id":"UBTU-20-010002 ","fix_id":"F-41366r653765_fix ","cci":["CCI-000048"],"nist":["AC-8 a"]},"code":"control 'SV-238197' do\n title \"The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \\\"false\\\", this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nLook for the\n\\\"banner-message-enable\\\" parameter under the \\\"[org/gnome/login-screen]\\\" section and\nuncomment it (remove the leading \\\"#\\\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238197 '\n tag rid: 'SV-238197r653766_rule '\n tag stig_id: 'UBTU-20-010002 '\n tag fix_id: 'F-41366r653765_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n\n xorg_status = command('which Xorg').exit_status\n\n if xorg_status == 0\n describe 'banner-message-enable must be set to true' do\n subject { command('grep banner-message-enable /etc/dconf/db/local.d/*') }\n its('stdout') { should match(/(banner-message-enable).+=.+(true)/) }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238197.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"1","run_time":5.0e-06,"start_time":"2022-12-08T20:52:31-05:00","resource":"1","skip_message":"GUI not installed.\nwhich Xorg exit_status: 1","resource_class":"Numeric","resource_params":"[]","resource_id":""}]},{"id":"SV-238198","title":"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local access to the system via a graphical user logon. ","desc":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"","descriptions":[{"label":"default","data":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\""},{"label":"check","data":"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the operating system via a graphical user logon.\n\nNote: If\nthe system does not have a graphical user interface installed, this requirement is Not\nApplicable.\n\nVerify the operating system displays the exact approved Standard Mandatory\nDoD Notice and Consent Banner text with the command:\n\n$ grep ^banner-message-text\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-text=\"You are accessing a U.S.\nGovernment \\(USG\\) Information System \\(IS\\) that is provided for USG-authorized use\nonly.\\s+By using this IS \\(which includes any device attached to this IS\\), you consent to the\nfollowing conditions:\\s+-The USG routinely intercepts and monitors communications on\nthis IS for purposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct \\(PM\\), law enforcement \\(LE\\), and\ncounterintelligence \\(CI\\) investigations.\\s+-At any time, the USG may inspect and seize\ndata stored on this IS.\\s+-Communications using, or data stored on, this IS are not private,\nare subject to routine monitoring, interception, and search, and may be disclosed or used for\nany USG-authorized purpose.\\s+-This IS includes security measures \\(e.g.,\nauthentication and access controls\\) to protect USG interests--not for your personal\nbenefit or privacy.\\s+-Notwithstanding the above, using this IS does not constitute\nconsent to PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nIf the\nbanner-message-text is missing, commented out, or does not match the Standard Mandatory DoD\nNotice and Consent Banner exactly, this is a finding."},{"label":"fix","data":"Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.\n\nSet the \"banner-message-text\" line\nto contain the appropriate banner message text as shown below:\n\nbanner-message-text='You\nare accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this\nIS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and\nmonitors communications on this IS for purposes including, but not limited to, penetration\ntesting, COMSEC monitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the\nUSG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored\non, this IS are not private, are subject to routine monitoring, interception, and search, and\nmay be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security\nmeasures (e.g., authentication and access controls) to protect USG interests--not for your\npersonal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not\nconstitute consent to PM, LE or CI investigative searching or monitoring of the content of\nprivileged communications, or work product, related to personal representation or\nservices by attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User Agreement for\ndetails.'\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf update\n$ sudo\nsystemctl restart gdm3"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000023-GPOS-00006 ","gid":"V-238198 ","rid":"SV-238198r653769_rule ","stig_id":"UBTU-20-010003 ","fix_id":"F-41367r653768_fix ","cci":["CCI-000048"],"nist":["AC-8 a"]},"code":"control 'SV-238198' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local access to the system via a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the operating system via a graphical user logon.\n\nNote: If\nthe system does not have a graphical user interface installed, this requirement is Not\nApplicable.\n\nVerify the operating system displays the exact approved Standard Mandatory\nDoD Notice and Consent Banner text with the command:\n\n$ grep ^banner-message-text\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-text=\\\"You are accessing a U.S.\nGovernment \\\\(USG\\\\) Information System \\\\(IS\\\\) that is provided for USG-authorized use\nonly.\\\\s+By using this IS \\\\(which includes any device attached to this IS\\\\), you consent to the\nfollowing conditions:\\\\s+-The USG routinely intercepts and monitors communications on\nthis IS for purposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct \\\\(PM\\\\), law enforcement \\\\(LE\\\\), and\ncounterintelligence \\\\(CI\\\\) investigations.\\\\s+-At any time, the USG may inspect and seize\ndata stored on this IS.\\\\s+-Communications using, or data stored on, this IS are not private,\nare subject to routine monitoring, interception, and search, and may be disclosed or used for\nany USG-authorized purpose.\\\\s+-This IS includes security measures \\\\(e.g.,\nauthentication and access controls\\\\) to protect USG interests--not for your personal\nbenefit or privacy.\\\\s+-Notwithstanding the above, using this IS does not constitute\nconsent to PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nIf the\nbanner-message-text is missing, commented out, or does not match the Standard Mandatory DoD\nNotice and Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nSet the \\\"banner-message-text\\\" line\nto contain the appropriate banner message text as shown below:\n\nbanner-message-text='You\nare accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\\\\n\\\\nBy using this IS (which includes any device attached to this\nIS), you consent to the following conditions:\\\\n\\\\n-The USG routinely intercepts and\nmonitors communications on this IS for purposes including, but not limited to, penetration\ntesting, COMSEC monitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations.\\\\n\\\\n-At any time, the\nUSG may inspect and seize data stored on this IS.\\\\n\\\\n-Communications using, or data stored\non, this IS are not private, are subject to routine monitoring, interception, and search, and\nmay be disclosed or used for any USG-authorized purpose.\\\\n\\\\n-This IS includes security\nmeasures (e.g., authentication and access controls) to protect USG interests--not for your\npersonal benefit or privacy.\\\\n\\\\n-Notwithstanding the above, using this IS does not\nconstitute consent to PM, LE or CI investigative searching or monitoring of the content of\nprivileged communications, or work product, related to personal representation or\nservices by attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User Agreement for\ndetails.'\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf update\n$ sudo\nsystemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238198 '\n tag rid: 'SV-238198r653769_rule '\n tag stig_id: 'UBTU-20-010003 '\n tag fix_id: 'F-41367r653768_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n\n banner_text = input('banner_text')\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n gdm3_defaults_file = input('gdm3_config_file')\n\n if package('gdm3').installed?\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n subject { file(gdm3_defaults_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n else\n impact 0.0\n describe 'Package gdm3 not installed' do\n skip 'Package gdm3 not installed, this control Not Applicable'\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238198.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Package gdm3 not installed","run_time":1.0e-06,"start_time":"2022-12-08T20:52:31-05:00","resource":"","skip_message":"Package gdm3 not installed, this control Not Applicable","resource_class":"Object","resource_params":"[]","resource_id":"Package gdm3 not installed"}]},{"id":"SV-238199","title":"The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. ","desc":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.","descriptions":[{"label":"default","data":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system."},{"label":"check","data":"Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \"lock-enabled\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \"lock-enabled\" is\nnot set to \"true\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \"lock-enabled\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000028-GPOS-00009 ","satisfies":["SRG-OS-000028-GPOS-00009","SRG-OS-000029-GPOS-00010"],"gid":"V-238199 ","rid":"SV-238199r653772_rule ","stig_id":"UBTU-20-010004 ","fix_id":"F-41368r653771_fix ","cci":["CCI-000056","CCI-000057"],"nist":["AC-11 b","AC-11 a"]},"code":"control 'SV-238199' do\n title \"The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.\n\n \"\n desc 'check', \"Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \\\"lock-enabled\\\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \\\"lock-enabled\\\" is\nnot set to \\\"true\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \\\"lock-enabled\\\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000028-GPOS-00009 '\n tag satisfies: %w(SRG-OS-000028-GPOS-00009 SRG-OS-000029-GPOS-00010)\n tag gid: 'V-238199 '\n tag rid: 'SV-238199r653772_rule '\n tag stig_id: 'UBTU-20-010004 '\n tag fix_id: 'F-41368r653771_fix '\n tag cci: %w(CCI-000056 CCI-000057)\n tag nist: ['AC-11 b', 'AC-11 a']\n\n xorg_status = command('which Xorg').exit_status\n\n if xorg_status == 0\n describe command('gsettings get org.gnome.desktop.screensaver lock-enabled') do\n its('stdout') { should cmp 'true' }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238199.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"1","run_time":1.0e-06,"start_time":"2022-12-08T20:52:31-05:00","resource":"1","skip_message":"GUI not installed.\nwhich Xorg exit_status: 1","resource_class":"Numeric","resource_params":"[]","resource_id":""}]},{"id":"SV-238200","title":"The Ubuntu operating system must allow users to directly initiate a session lock for all\nconnection types. ","desc":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.","descriptions":[{"label":"default","data":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity."},{"label":"check","data":"Verify the Ubuntu operating system has the \"vlock\" package installed by running the\nfollowing command:\n\n$ dpkg -l | grep vlock\n\nIf \"vlock\" is not installed, this is a finding."},{"label":"fix","data":"Install the \"vlock\" package (if it is not already installed) by running the following\ncommand:\n\n$ sudo apt-get install vlock"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000030-GPOS-00011 ","satisfies":["SRG-OS-000030-GPOS-00011","SRG-OS-000031-GPOS-00012"],"gid":"V-238200 ","rid":"SV-238200r653775_rule ","stig_id":"UBTU-20-010005 ","fix_id":"F-41369r653774_fix ","cci":["CCI-000058","CCI-000060"],"nist":["AC-11 a","AC-11 (1)"]},"code":"control 'SV-238200' do\n title \"The Ubuntu operating system must allow users to directly initiate a session lock for all\nconnection types. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"vlock\\\" package installed by running the\nfollowing command:\n\n$ dpkg -l | grep vlock\n\nIf \\\"vlock\\\" is not installed, this is a finding. \"\n desc 'fix', \"Install the \\\"vlock\\\" package (if it is not already installed) by running the following\ncommand:\n\n$ sudo apt-get install vlock \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000030-GPOS-00011 '\n tag satisfies: %w(SRG-OS-000030-GPOS-00011 SRG-OS-000031-GPOS-00012)\n tag gid: 'V-238200 '\n tag rid: 'SV-238200r653775_rule '\n tag stig_id: 'UBTU-20-010005 '\n tag fix_id: 'F-41369r653774_fix '\n tag cci: %w(CCI-000058 CCI-000060)\n tag nist: ['AC-11 a', 'AC-11 (1)']\n\n describe package('vlock') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238200.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package vlock is expected to be installed","run_time":0.078421,"start_time":"2022-12-08T20:52:31-05:00","message":"expected that `System Package vlock` is installed","resource_class":"package","resource_params":"[\"vlock\"]","resource_id":"vlock"}]},{"id":"SV-238201","title":"The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. ","desc":"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis.","descriptions":[{"label":"default","data":"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis."},{"label":"check","data":"Verify that \"use_mappers\" is set to \"pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\"use_mappers\" is not found or the list does not contain \"pwent\" this is a finding."},{"label":"fix","data":"Set \"use_mappers=pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \"/etc/pam_pkcs11/\" directory and an\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify\naccordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."}],"impact":0.0,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000068-GPOS-00036 ","gid":"V-238201 ","rid":"SV-238201r832933_rule ","stig_id":"UBTU-20-010006 ","fix_id":"F-41370r653777_fix ","cci":["CCI-000187"],"nist":["IA-5 (2) (a) (2)"]},"code":"control 'SV-238201' do\n title \"The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. \"\n desc \"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis. \"\n desc 'check', \"Verify that \\\"use_mappers\\\" is set to \\\"pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\\\"use_mappers\\\" is not found or the list does not contain \\\"pwent\\\" this is a finding. \"\n desc 'fix', \"Set \\\"use_mappers=pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000068-GPOS-00036 '\n tag gid: 'V-238201 '\n tag rid: 'SV-238201r832933_rule '\n tag stig_id: 'UBTU-20-010006 '\n tag fix_id: 'F-41370r653777_fix '\n tag cci: ['CCI-000187']\n tag nist: ['IA-5 (2) (a) (2)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'This control is Not Applicable inside a container' do\n skip 'This control is Not Applicable inside a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file = '/etc/pam_pkcs11/pam_pkcs11.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('use_mappers') { should cmp 'pwent' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238201.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"This control is Not Applicable inside a container","run_time":3.0e-06,"start_time":"2022-12-08T20:52:31-05:00","resource":"","skip_message":"This control is Not Applicable inside a container","resource_class":"Object","resource_params":"[]","resource_id":"This control is Not Applicable inside a container"}]},{"id":"SV-238202","title":"The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day minimum password lifetime restriction. ","desc":"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse.","descriptions":[{"label":"default","data":"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse."},{"label":"check","data":"Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \"PASS_MIN_DAYS\" parameter value is less than\n\"1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MIN_DAYS 1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000075-GPOS-00043 ","gid":"V-238202 ","rid":"SV-238202r653781_rule ","stig_id":"UBTU-20-010007 ","fix_id":"F-41371r653780_fix ","cci":["CCI-000198"],"nist":["IA-5 (1) (d)"]},"code":"control 'SV-238202' do\n title \"The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day minimum password lifetime restriction. \"\n desc \"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \\\"PASS_MIN_DAYS\\\" parameter value is less than\n\\\"1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MIN_DAYS 1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000075-GPOS-00043 '\n tag gid: 'V-238202 '\n tag rid: 'SV-238202r653781_rule '\n tag stig_id: 'UBTU-20-010007 '\n tag fix_id: 'F-41371r653780_fix '\n tag cci: ['CCI-000198']\n tag nist: ['IA-5 (1) (d)']\n\n describe login_defs do\n its('PASS_MIN_DAYS') { should >= '1' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238202.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"login.defs PASS_MIN_DAYS is expected to >= \"1\"","run_time":0.00314,"start_time":"2022-12-08T20:52:31-05:00","resource_class":"login_defs","resource_params":"[]","resource_id":"/etc/login.defs"}]},{"id":"SV-238203","title":"The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction.\nPasswords for new users must have a 60-day maximum password lifetime restriction. ","desc":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised.","descriptions":[{"label":"default","data":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n$ grep -i ^pass_max_days /etc/login.defs\n\nPASS_MAX_DAYS 60\n\nIf the \"PASS_MAX_DAYS\" parameter value is less than \"60\" or is commented\nout, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.\n\nAdd\nor modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MAX_DAYS 60"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000076-GPOS-00044 ","gid":"V-238203 ","rid":"SV-238203r653784_rule ","stig_id":"UBTU-20-010008 ","fix_id":"F-41372r653783_fix ","cci":["CCI-000199"],"nist":["IA-5 (1) (d)"]},"code":"control 'SV-238203' do\n title \"The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction.\nPasswords for new users must have a 60-day maximum password lifetime restriction. \"\n desc \"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n$ grep -i ^pass_max_days /etc/login.defs\n\nPASS_MAX_DAYS 60\n\nIf the \\\"PASS_MAX_DAYS\\\" parameter value is less than \\\"60\\\" or is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.\n\nAdd\nor modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MAX_DAYS 60 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000076-GPOS-00044 '\n tag gid: 'V-238203 '\n tag rid: 'SV-238203r653784_rule '\n tag stig_id: 'UBTU-20-010008 '\n tag fix_id: 'F-41372r653783_fix '\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)']\n\n describe login_defs do\n its('PASS_MAX_DAYS') { should cmp <= 60 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238203.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"login.defs PASS_MAX_DAYS is expected to cmp <= 60","run_time":0.00075,"start_time":"2022-12-08T20:52:31-05:00","resource_class":"login_defs","resource_params":"[]","resource_id":"/etc/login.defs"}]},{"id":"SV-238204","title":"Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. ","desc":"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system.","descriptions":[{"label":"default","data":"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system."},{"label":"check","data":"Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \"password_pbkdf2\", this is a finding."},{"label":"fix","data":"Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \"/etc/grub.d/40_custom\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\"root\\\"\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \"grub.conf\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000080-GPOS-00048 ","gid":"V-238204 ","rid":"SV-238204r832936_rule ","stig_id":"UBTU-20-010009 ","fix_id":"F-41373r832935_fix ","cci":["CCI-000213"],"nist":["AC-3"]},"code":"control 'SV-238204' do\n title \"Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. \"\n desc \"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system. \"\n desc 'check', \"Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \\\"password_pbkdf2\\\", this is a finding. \"\n desc 'fix', \"Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \\\"/etc/grub.d/40_custom\\\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\\\\\"root\\\\\\\"\\\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \\\"grub.conf\\\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000080-GPOS-00048 '\n tag gid: 'V-238204 '\n tag rid: 'SV-238204r832936_rule '\n tag stig_id: 'UBTU-20-010009 '\n tag fix_id: 'F-41373r832935_fix '\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n describe grub_conf('/boot/grub/grub.cfg') do\n its('password') { should match '^password_pbkdf2' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238204.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Grub Config","run_time":4.0e-06,"start_time":"2022-12-08T20:52:31-05:00","resource":"Grub Config","skip_message":"Can't find file: /boot/grub/grub.cfg","resource_class":"grub_conf","resource_params":"[\"/boot/grub/grub.cfg\"]","resource_id":"/boot/grub/grub.cfg"}]},{"id":"SV-238205","title":"The Ubuntu operating system must uniquely identify interactive users. ","desc":"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.","descriptions":[{"label":"default","data":"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity."},{"label":"check","data":"Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive\nusers with the following command:\n\n$ awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf\noutput is produced and the accounts listed are interactive user accounts, this is a finding."},{"label":"fix","data":"Edit the file \"/etc/passwd\" and provide each interactive user account that has a duplicate\nUID with a unique UID."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000104-GPOS-00051 ","satisfies":["SRG-OS-000104-GPOS-00051","SRG-OS-000121-GPOS-00062"],"gid":"V-238205 ","rid":"SV-238205r653790_rule ","stig_id":"UBTU-20-010010 ","fix_id":"F-41374r653789_fix ","cci":["CCI-000764","CCI-000804"],"nist":["IA-2","IA-8"]},"code":"control 'SV-238205' do\n title 'The Ubuntu operating system must uniquely identify interactive users. '\n desc \"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive\nusers with the following command:\n\n$ awk -F \\\":\\\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf\noutput is produced and the accounts listed are interactive user accounts, this is a finding. \"\n desc 'fix', \"Edit the file \\\"/etc/passwd\\\" and provide each interactive user account that has a duplicate\nUID with a unique UID. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000104-GPOS-00051 '\n tag satisfies: %w(SRG-OS-000104-GPOS-00051 SRG-OS-000121-GPOS-00062)\n tag gid: 'V-238205 '\n tag rid: 'SV-238205r653790_rule '\n tag stig_id: 'UBTU-20-010010 '\n tag fix_id: 'F-41374r653789_fix '\n tag cci: %w(CCI-000764 CCI-000804)\n tag nist: %w(IA-2 IA-8)\n\n user_list = command(\"awk -F \\\":\\\" 'list[$3]++{print $1}' /etc/passwd\").stdout.split(\"\\n\")\n findings = Set[]\n\n user_list.each do |user_name|\n findings = findings << user_name\n end\n describe 'Duplicate User IDs (UIDs) must not exist for interactive users' do\n subject { findings.to_a }\n it { should be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238205.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Duplicate User IDs (UIDs) must not exist for interactive users is expected to be empty","run_time":0.003305,"start_time":"2022-12-08T20:52:31-05:00","resource_class":"Object","resource_params":"[]","resource_id":"Duplicate User IDs (UIDs) must not exist for interactive users"}]},{"id":"SV-238206","title":"The Ubuntu operating system must ensure only users who need access to security functions are\npart of sudo group. ","desc":"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities.","descriptions":[{"label":"default","data":"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities."},{"label":"check","data":"Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding."},{"label":"fix","data":"Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000134-GPOS-00068 ","gid":"V-238206 ","rid":"SV-238206r653793_rule ","stig_id":"UBTU-20-010012 ","fix_id":"F-41375r653792_fix ","cci":["CCI-001084"],"nist":["SC-3"]},"code":"control 'SV-238206' do\n title \"The Ubuntu operating system must ensure only users who need access to security functions are\npart of sudo group. \"\n desc \"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities. \"\n desc 'check', \"Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding. \"\n desc 'fix', \"Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000134-GPOS-00068 '\n tag gid: 'V-238206 '\n tag rid: 'SV-238206r653793_rule '\n tag stig_id: 'UBTU-20-010012 '\n tag fix_id: 'F-41375r653792_fix '\n tag cci: ['CCI-001084']\n tag nist: ['SC-3']\n\n sudo_accounts = input('sudo_accounts')\n\n if sudo_accounts.count > 0\n sudo_accounts.each do |account|\n describe group('sudo') do\n its('members') { should include account }\n end\n end\n else\n describe.one do\n describe group('sudo') do\n its('members') { should be_nil }\n end\n describe group('sudo') do\n its('members') { should be_empty }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238206.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Group sudo members is expected to include \"ubuntu\"","run_time":0.084946,"start_time":"2022-12-08T20:52:31-05:00","message":"expected \"\" to include \"ubuntu\"","resource_class":"group","resource_params":"[\"sudo\"]","resource_id":"sudo-27"}]},{"id":"SV-238207","title":"The Ubuntu operating system must automatically terminate a user session after inactivity\ntimeouts have expired. ","desc":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance.","descriptions":[{"label":"default","data":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance."},{"label":"check","data":"Verify the operating system automatically terminates a user session after inactivity\ntimeouts have expired.\n\nCheck that \"TMOUT\" environment variable is set in the\n\"/etc/bash.bashrc\" file or in any file inside the \"/etc/profile.d/\" directory by\nperforming the following command:\n\n$ grep -E \"\\bTMOUT=[0-9]+\" /etc/bash.bashrc\n/etc/profile.d/*\n\nTMOUT=600\n\nIf \"TMOUT\" is not set, or if the value is \"0\" or is commented\nout, this is a finding."},{"label":"fix","data":"Configure the operating system to automatically terminate a user session after inactivity\ntimeouts have expired or at shutdown.\n\nCreate the file\n\"/etc/profile.d/99-terminal_tmout.sh\" file if it does not exist.\n\nModify or append the\nfollowing line in the \"/etc/profile.d/99-terminal_tmout.sh \" file:\n\nTMOUT=600\n\nThis\nwill set a timeout value of 10 minutes for all future sessions.\n\nTo set the timeout for the\ncurrent sessions, execute the following command over the terminal session:\n\n$ export\nTMOUT=600"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000279-GPOS-00109 ","gid":"V-238207 ","rid":"SV-238207r853404_rule ","stig_id":"UBTU-20-010013 ","fix_id":"F-41376r653795_fix ","cci":["CCI-002361"],"nist":["AC-12"]},"code":"control 'SV-238207' do\n title \"The Ubuntu operating system must automatically terminate a user session after inactivity\ntimeouts have expired. \"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance. \"\n desc 'check', \"Verify the operating system automatically terminates a user session after inactivity\ntimeouts have expired.\n\nCheck that \\\"TMOUT\\\" environment variable is set in the\n\\\"/etc/bash.bashrc\\\" file or in any file inside the \\\"/etc/profile.d/\\\" directory by\nperforming the following command:\n\n$ grep -E \\\"\\\\bTMOUT=[0-9]+\\\" /etc/bash.bashrc\n/etc/profile.d/*\n\nTMOUT=600\n\nIf \\\"TMOUT\\\" is not set, or if the value is \\\"0\\\" or is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the operating system to automatically terminate a user session after inactivity\ntimeouts have expired or at shutdown.\n\nCreate the file\n\\\"/etc/profile.d/99-terminal_tmout.sh\\\" file if it does not exist.\n\nModify or append the\nfollowing line in the \\\"/etc/profile.d/99-terminal_tmout.sh \\\" file:\n\nTMOUT=600\n\nThis\nwill set a timeout value of 10 minutes for all future sessions.\n\nTo set the timeout for the\ncurrent sessions, execute the following command over the terminal session:\n\n$ export\nTMOUT=600 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000279-GPOS-00109 '\n tag gid: 'V-238207 '\n tag rid: 'SV-238207r853404_rule '\n tag stig_id: 'UBTU-20-010013 '\n tag fix_id: 'F-41376r653795_fix '\n tag cci: ['CCI-002361']\n tag nist: ['AC-12']\n\n profile_files = command('find /etc/profile.d/ /etc/bash.bashrc -type f').stdout.strip.split(\"\\n\").entries\n timeout = input('tmout').to_s\n\n describe.one do\n profile_files.each do |pf|\n describe file(pf.strip) do\n its('content') { should match \"^TMOUT=#{timeout}$\" }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238207.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /etc/profile.d/01-locale-fix.sh content is expected to match \"^TMOUT=600$\"","run_time":0.000174,"start_time":"2022-12-08T20:52:31-05:00","message":"expected \"# Make sure the locale variables are set to valid values.\\neval $(/usr/bin/locale-check C.UTF-8)\\n\" to match \"^TMOUT=600$\"\nDiff:\n@@ -1,2 +1,3 @@\n-^TMOUT=600$\n+# Make sure the locale variables are set to valid values.\n+eval $(/usr/bin/locale-check C.UTF-8)\n","exception":"RSpec::Core::MultipleExceptionError","resource_class":"file","resource_params":"[\"/etc/profile.d/01-locale-fix.sh\"]","resource_id":"/etc/profile.d/01-locale-fix.sh"},{"status":"failed","code_desc":"File /etc/bash.bashrc content is expected to match \"^TMOUT=600$\"","run_time":0.000357,"start_time":"2022-12-08T20:52:31-05:00","message":"expected \"# System-wide .bashrc file for interactive bash(1) shells.\\n\\n# To enable the settings / commands in...\\telse\\n\\t\\t printf \\\"%s: command not found\\\\n\\\" \\\"$1\\\" >&2\\n\\t\\t return 127\\n\\t\\tfi\\n\\t}\\nfi\\n\" to match \"^TMOUT=600$\"\nDiff:\n@@ -1,71 +1,141 @@\n-^TMOUT=600$\n+# System-wide .bashrc file for interactive bash(1) shells.\n+\n+# To enable the settings / commands in this file for login shells as well,\n+# this file has to be sourced in /etc/profile.\n+\n+# If not running interactively, don't do anything\n+[ -z \"$PS1\" ] && return\n+\n+# check the window size after each command and, if necessary,\n+# update the values of LINES and COLUMNS.\n+shopt -s checkwinsize\n+\n+# set variable identifying the chroot you work in (used in the prompt below)\n+if [ -z \"${debian_chroot:-}\" ] && [ -r /etc/debian_chroot ]; then\n+ debian_chroot=$(cat /etc/debian_chroot)\n+fi\n+\n+# set a fancy prompt (non-color, overwrite the one in /etc/profile)\n+# but only if not SUDOing and have SUDO_PS1 set; then assume smart user.\n+if ! [ -n \"${SUDO_USER}\" -a -n \"${SUDO_PS1}\" ]; then\n+ PS1='${debian_chroot:+($debian_chroot)}\\u@\\h:\\w\\$ '\n+fi\n+\n+# Commented out, don't overwrite xterm -T \"title\" -n \"icontitle\" by default.\n+# If this is an xterm set the title to user@host:dir\n+#case \"$TERM\" in\n+#xterm*|rxvt*)\n+# PROMPT_COMMAND='echo -ne \"\\033]0;${USER}@${HOSTNAME}: ${PWD}\\007\"'\n+# ;;\n+#*)\n+# ;;\n+#esac\n+\n+# enable bash completion in interactive shells\n+#if ! shopt -oq posix; then\n+# if [ -f /usr/share/bash-completion/bash_completion ]; then\n+# . /usr/share/bash-completion/bash_completion\n+# elif [ -f /etc/bash_completion ]; then\n+# . /etc/bash_completion\n+# fi\n+#fi\n+\n+# sudo hint\n+if [ ! -e \"$HOME/.sudo_as_admin_successful\" ] && [ ! -e \"$HOME/.hushlogin\" ] ; then\n+ case \" $(groups) \" in *\\ admin\\ *|*\\ sudo\\ *)\n+ if [ -x /usr/bin/sudo ]; then\n+\tcat <<-EOF\n+\tTo run a command as administrator (user \"root\"), use \"sudo \".\n+\tSee \"man sudo_root\" for details.\n+\t\n+\tEOF\n+ fi\n+ esac\n+fi\n+\n+# if the command-not-found package is installed, use it\n+if [ -x /usr/lib/command-not-found -o -x /usr/share/command-not-found/command-not-found ]; then\n+\tfunction command_not_found_handle {\n+\t # check because c-n-f could've been removed in the meantime\n+ if [ -x /usr/lib/command-not-found ]; then\n+\t\t /usr/lib/command-not-found -- \"$1\"\n+ return $?\n+ elif [ -x /usr/share/command-not-found/command-not-found ]; then\n+\t\t /usr/share/command-not-found/command-not-found -- \"$1\"\n+ return $?\n+\t\telse\n+\t\t printf \"%s: command not found\\n\" \"$1\" >&2\n+\t\t return 127\n+\t\tfi\n+\t}\n+fi\n","exception":"RSpec::Core::MultipleExceptionError","resource_class":"file","resource_params":"[\"/etc/bash.bashrc\"]","resource_id":"/etc/bash.bashrc"}]},{"id":"SV-238208","title":"The Ubuntu operating system must require users to reauthenticate for privilege escalation\nor when changing roles. ","desc":"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.","descriptions":[{"label":"default","data":"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate."},{"label":"check","data":"Verify the \"/etc/sudoers\" file has no occurrences of \"NOPASSWD\" or \"!authenticate\" by\nrunning the following command:\n\n$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers\n/etc/sudoers.d/*\n\nIf any occurrences of \"NOPASSWD\" or \"!authenticate\" return from the\ncommand, this is a finding."},{"label":"fix","data":"Remove any occurrence of \"NOPASSWD\" or \"!authenticate\" found in \"/etc/sudoers\" file or\nfiles in the \"/etc/sudoers.d\" directory."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000373-GPOS-00156 ","satisfies":["SRG-OS-000373-GPOS-00156","SRG-OS-000373-GPOS-00157"],"gid":"V-238208 ","rid":"SV-238208r853405_rule ","stig_id":"UBTU-20-010014 ","fix_id":"F-41377r653798_fix ","cci":["CCI-002038"],"nist":["IA-11"]},"code":"control 'SV-238208' do\n title \"The Ubuntu operating system must require users to reauthenticate for privilege escalation\nor when changing roles. \"\n desc \"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.\n\n \"\n desc 'check', \"Verify the \\\"/etc/sudoers\\\" file has no occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" by\nrunning the following command:\n\n$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers\n/etc/sudoers.d/*\n\nIf any occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" return from the\ncommand, this is a finding. \"\n desc 'fix', \"Remove any occurrence of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" found in \\\"/etc/sudoers\\\" file or\nfiles in the \\\"/etc/sudoers.d\\\" directory. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000373-GPOS-00156 '\n tag satisfies: %w(SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157)\n tag gid: 'V-238208 '\n tag rid: 'SV-238208r853405_rule '\n tag stig_id: 'UBTU-20-010014 '\n tag fix_id: 'F-41377r653798_fix '\n tag cci: ['CCI-002038']\n tag nist: ['IA-11']\n\n describe command(\"egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers\") do\n its('stdout.strip') { should be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238208.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Command: `egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers` stdout.strip is expected to be empty","run_time":0.045523,"start_time":"2022-12-08T20:52:31-05:00","resource_class":"command","resource_params":"[\"egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers\"]","resource_id":"Command: `egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers`"}]},{"id":"SV-238209","title":"The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. ","desc":"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access.","descriptions":[{"label":"default","data":"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access."},{"label":"check","data":"Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \"umask\" /etc/login.defs\n\nUMASK 077\n\nIf the \"UMASK\"\nvariable is set to \"000\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\"UMASK\" is not set to \"077\", is commented out, or is missing completely, this is a finding."},{"label":"fix","data":"Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \"UMASK\" parameter in the\n\"/etc/login.defs\" file to match the example below:\n\nUMASK 077"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00228 ","gid":"V-238209 ","rid":"SV-238209r653802_rule ","stig_id":"UBTU-20-010016 ","fix_id":"F-41378r653801_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238209' do\n title \"The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. \"\n desc \"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access. \"\n desc 'check', \"Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \\\"umask\\\" /etc/login.defs\n\nUMASK 077\n\nIf the \\\"UMASK\\\"\nvariable is set to \\\"000\\\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\\\"UMASK\\\" is not set to \\\"077\\\", is commented out, or is missing completely, this is a finding. \"\n desc 'fix', \"Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \\\"UMASK\\\" parameter in the\n\\\"/etc/login.defs\\\" file to match the example below:\n\nUMASK 077 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00228 '\n tag gid: 'V-238209 '\n tag rid: 'SV-238209r653802_rule '\n tag stig_id: 'UBTU-20-010016 '\n tag fix_id: 'F-41378r653801_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe login_defs do\n its('UMASK') { should eq '077' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238209.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"login.defs UMASK is expected to eq \"077\"","run_time":0.000687,"start_time":"2022-12-08T20:52:31-05:00","resource_class":"login_defs","resource_params":"[]","resource_id":"/etc/login.defs"}]},{"id":"SV-238210","title":"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. ","desc":"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.","descriptions":[{"label":"default","data":"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication."},{"label":"check","data":"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\"libpam-pkcs11\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \"no\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \"pam_pkcs11.so\" in \"/etc/pam.d/common-auth\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\"PubkeyAuthentication yes\" in the \"/etc/ssh/sshd_config\" file."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000105-GPOS-00052 ","satisfies":["SRG-OS-000105-GPOS-00052","SRG-OS-000106-GPOS-00053","SRG-OS-000107-GPOS-00054","SRG-OS-000108-GPOS-00055"],"gid":"V-238210 ","rid":"SV-238210r858517_rule ","stig_id":"UBTU-20-010033 ","fix_id":"F-41379r653804_fix ","cci":["CCI-000765","CCI-000766","CCI-000767","CCI-000768"],"nist":["IA-2 (1)","IA-2 (2)","IA-2 (3)","IA-2 (4)"]},"code":"control 'SV-238210' do\n title \"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. \"\n desc \"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \\\"no\\\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \\\"pam_pkcs11.so\\\" in \\\"/etc/pam.d/common-auth\\\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\\\"PubkeyAuthentication yes\\\" in the \\\"/etc/ssh/sshd_config\\\" file. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000105-GPOS-00052 '\n tag satisfies: %w(SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055)\n tag gid: 'V-238210 '\n tag rid: 'SV-238210r858517_rule '\n tag stig_id: 'UBTU-20-010033 '\n tag fix_id: 'F-41379r653804_fix '\n tag cci: %w(CCI-000765 CCI-000766 CCI-000767 CCI-000768)\n tag nist: ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n\n describe sshd_config do\n its('PubkeyAuthentication') { should cmp 'yes' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238210.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-08T20:52:31-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238211","title":"The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. ","desc":"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric.","descriptions":[{"label":"default","data":"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric."},{"label":"check","data":"Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \"UsePAM\"\nis set to \"yes\" in \"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \"UsePAM\" is not set to \"yes\", this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000125-GPOS-00065 ","gid":"V-238211 ","rid":"SV-238211r858519_rule ","stig_id":"UBTU-20-010035 ","fix_id":"F-41380r653807_fix ","cci":["CCI-000877"],"nist":["MA-4 c"]},"code":"control 'SV-238211' do\n title \"The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. \"\n desc \"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \\\"UsePAM\\\"\nis set to \\\"yes\\\" in \\\"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \\\"UsePAM\\\" is not set to \\\"yes\\\", this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000125-GPOS-00065 '\n tag gid: 'V-238211 '\n tag rid: 'SV-238211r858519_rule '\n tag stig_id: 'UBTU-20-010035 '\n tag fix_id: 'F-41380r653807_fix '\n tag cci: ['CCI-000877']\n tag nist: ['MA-4 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe sshd_config do\n its('UsePAM') { should cmp 'yes' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238211.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:31-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238212","title":"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic after a period of inactivity. ","desc":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance.","descriptions":[{"label":"default","data":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance."},{"label":"check","data":"Verify that all network connections associated with SSH traffic automatically terminate\nafter a period of inactivity.\n\nVerify the \"ClientAliveCountMax\" variable is set in the\n\"/etc/ssh/sshd_config\" file by performing the following command:\n\n$ sudo grep -ir\nclientalivecountmax /etc/ssh/sshd_config*\n\nClientAliveCountMax 1\n\nIf\n\"ClientAliveCountMax\" is not set, is not set to \"1\", or is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to automatically terminate inactive SSH sessions\nafter a period of inactivity.\n\nModify or append the following line in the\n\"/etc/ssh/sshd_config\" file, replacing \"[Count]\" with a value of 1:\n\n\nClientAliveCountMax 1\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000126-GPOS-00066 ","gid":"V-238212 ","rid":"SV-238212r858521_rule ","stig_id":"UBTU-20-010036 ","fix_id":"F-41381r653810_fix ","cci":["CCI-000879"],"nist":["MA-4 e"]},"code":"control 'SV-238212' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic after a period of inactivity. \"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance. \"\n desc 'check', \"Verify that all network connections associated with SSH traffic automatically terminate\nafter a period of inactivity.\n\nVerify the \\\"ClientAliveCountMax\\\" variable is set in the\n\\\"/etc/ssh/sshd_config\\\" file by performing the following command:\n\n$ sudo grep -ir\nclientalivecountmax /etc/ssh/sshd_config*\n\nClientAliveCountMax 1\n\nIf\n\\\"ClientAliveCountMax\\\" is not set, is not set to \\\"1\\\", or is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate inactive SSH sessions\nafter a period of inactivity.\n\nModify or append the following line in the\n\\\"/etc/ssh/sshd_config\\\" file, replacing \\\"[Count]\\\" with a value of 1:\n\n\nClientAliveCountMax 1\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000126-GPOS-00066 '\n tag gid: 'V-238212 '\n tag rid: 'SV-238212r858521_rule '\n tag stig_id: 'UBTU-20-010036 '\n tag fix_id: 'F-41381r653810_fix '\n tag cci: ['CCI-000879']\n tag nist: ['MA-4 e']\n\n describe sshd_config do\n its('ClientAliveCountMax') { should cmp 1 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238212.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":2.0e-06,"start_time":"2022-12-08T20:52:31-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238213","title":"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic at the end of the session or after 10 minutes of inactivity. ","desc":"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session.","descriptions":[{"label":"default","data":"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session."},{"label":"check","data":"Verify that all network connections associated with SSH traffic are automatically\nterminated at the end of the session or after 10 minutes of inactivity.\n\nVerify the\n\"ClientAliveInterval\" variable is set to a value of \"600\" or less by performing the following\ncommand:\n\n$ sudo grep -ir clientalive /etc/ssh/sshd_config*\n\nClientAliveInterval\n600\n\nIf \"ClientAliveInterval\" does not exist, is not set to a value of \"600\" or less in\n\"/etc/ssh/sshd_config\", or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to automatically terminate all network connections\nassociated with SSH traffic at the end of a session or after a 10-minute period of inactivity.\n\n\nModify or append the following line in the \"/etc/ssh/sshd_config\" file replacing\n\"[Interval]\" with a value of \"600\" or less:\n\nClientAliveInterval 600\n\nRestart the SSH\ndaemon for the changes to take effect:\n\n$ sudo systemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000163-GPOS-00072 ","gid":"V-238213 ","rid":"SV-238213r858523_rule ","stig_id":"UBTU-20-010037 ","fix_id":"F-41382r653813_fix ","cci":["CCI-001133"],"nist":["SC-10"]},"code":"control 'SV-238213' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic at the end of the session or after 10 minutes of inactivity. \"\n desc \"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session. \"\n desc 'check', \"Verify that all network connections associated with SSH traffic are automatically\nterminated at the end of the session or after 10 minutes of inactivity.\n\nVerify the\n\\\"ClientAliveInterval\\\" variable is set to a value of \\\"600\\\" or less by performing the following\ncommand:\n\n$ sudo grep -ir clientalive /etc/ssh/sshd_config*\n\nClientAliveInterval\n600\n\nIf \\\"ClientAliveInterval\\\" does not exist, is not set to a value of \\\"600\\\" or less in\n\\\"/etc/ssh/sshd_config\\\", or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate all network connections\nassociated with SSH traffic at the end of a session or after a 10-minute period of inactivity.\n\n\nModify or append the following line in the \\\"/etc/ssh/sshd_config\\\" file replacing\n\\\"[Interval]\\\" with a value of \\\"600\\\" or less:\n\nClientAliveInterval 600\n\nRestart the SSH\ndaemon for the changes to take effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000163-GPOS-00072 '\n tag gid: 'V-238213 '\n tag rid: 'SV-238213r858523_rule '\n tag stig_id: 'UBTU-20-010037 '\n tag fix_id: 'F-41382r653813_fix '\n tag cci: ['CCI-001133']\n tag nist: ['SC-10']\n\n describe sshd_config do\n its('ClientAliveInterval') { should cmp 600 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238213.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":2.0e-06,"start_time":"2022-12-08T20:52:31-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238214","title":"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. ","desc":"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"","descriptions":[{"label":"default","data":"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\""},{"label":"check","data":"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding."},{"label":"fix","data":"Set the parameter Banner in \"/etc/ssh/sshd_config\" to point to the \"/etc/issue.net\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000228-GPOS-00088 ","satisfies":["SRG-OS-000228-GPOS-00088","SRG-OS-000023-GPOS-00006"],"gid":"V-238214 ","rid":"SV-238214r858525_rule ","stig_id":"UBTU-20-010038 ","fix_id":"F-41383r653816_fix ","cci":["CCI-000048","CCI-001384","CCI-001385","CCI-001386","CCI-001387","CCI-001388"],"nist":["AC-8 a","AC-8 c 1","AC-8 c 2","AC-8 c 3"]},"code":"control 'SV-238214' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. \"\n desc \"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\"\n\n \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\\\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Set the parameter Banner in \\\"/etc/ssh/sshd_config\\\" to point to the \\\"/etc/issue.net\\\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000228-GPOS-00088 '\n tag satisfies: %w(SRG-OS-000228-GPOS-00088 SRG-OS-000023-GPOS-00006)\n tag gid: 'V-238214 '\n tag rid: 'SV-238214r858525_rule '\n tag stig_id: 'UBTU-20-010038 '\n tag fix_id: 'F-41383r653816_fix '\n tag cci: %w(CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388)\n tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3']\n\n if !service('sshd').enabled? or !package('sshd-server').installed? or virtualization.system.eql?('docker')\n impact 0.0\n describe 'This control is Not Applicable' do\n if virtualization.system.eql?('docker')\n skip 'This control is Not Applicable in a container and/or the SSHD server is not enabled'\n else\n skip 'This control is Not Applicable since the SSHD server is not enabled and/or installed'\n end\n end\n else\n banner_text = input('banner_text')\n banner_files = [sshd_config.banner].flatten\n\n banner_files.each do |banner_file|\n if banner_file.nil?\n describe 'The SSHD Banner is not set' do\n subject { banner_file.nil? }\n it { should be false }\n end\n end\n if !banner_file.nil? && !banner_file.match(/none/i).nil?\n describe 'The SSHD Banner is disabled' do\n subject { banner_file.match(/none/i).nil? }\n it { should be true }\n end\n end\n if !banner_file.nil? && banner_file.match(/none/i).nil? && !file(banner_file).exist?\n describe 'The SSHD Banner is set, but, the file does not exist' do\n subject { file(banner_file).exist? }\n it { should be true }\n end\n end\n next unless !banner_file.nil? && banner_file.match(/none/i).nil? && file(banner_file).exist?\n\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n subject { file(banner_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238214.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"This control is Not Applicable","run_time":2.0e-06,"start_time":"2022-12-08T20:52:31-05:00","resource":"","skip_message":"This control is Not Applicable in a container and/or the SSHD server is not enabled","resource_class":"Object","resource_params":"[]","resource_id":"This control is Not Applicable"}]},{"id":"SV-238215","title":"The Ubuntu operating system must use SSH to protect the confidentiality and integrity of\ntransmitted information. ","desc":"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.","descriptions":[{"label":"default","data":"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa."},{"label":"check","data":"Verify the SSH package is installed with the following command:\n\n$ sudo dpkg -l | grep openssh\n\nii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access\nto remote machines\nii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server,\nfor secure access from remote machines\nii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64\nsecure shell (SSH) sftp server module, for SFTP access from remote machines\n\nIf the\n\"openssh\" server package is not installed, this is a finding.\n\nVerify the \"sshd.service\" is\nloaded and active with the following command:\n\n$ sudo systemctl status sshd.service | egrep\n-i \"(active|loaded)\"\n Loaded: loaded (/lib/systemd/system/ssh.service; enabled;\nvendor preset: enabled)\n Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1\nweeks 3 days ago\n\nIf \"sshd.service\" is not active or loaded, this is a finding."},{"label":"fix","data":"Install the \"ssh\" meta-package on the system with the following command:\n\n$ sudo apt install\nssh\n\nEnable the \"ssh\" service to start automatically on reboot with the following command:\n\n\n$ sudo systemctl enable sshd.service\n\nensure the \"ssh\" service is running\n\n$ sudo\nsystemctl start sshd.service"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000423-GPOS-00187 ","satisfies":["SRG-OS-000423-GPOS-00187","SRG-OS-000425-GPOS-00189","SRG-OS-000426-GPOS-00190"],"gid":"V-238215 ","rid":"SV-238215r853406_rule ","stig_id":"UBTU-20-010042 ","fix_id":"F-41384r653819_fix ","cci":["CCI-002418","CCI-002420","CCI-002422"],"nist":["SC-8","SC-8 (2)"]},"code":"control 'SV-238215' do\n title \"The Ubuntu operating system must use SSH to protect the confidentiality and integrity of\ntransmitted information. \"\n desc \"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.\n\n \"\n desc 'check', \"Verify the SSH package is installed with the following command:\n\n$ sudo dpkg -l | grep openssh\n\nii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access\nto remote machines\nii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server,\nfor secure access from remote machines\nii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64\nsecure shell (SSH) sftp server module, for SFTP access from remote machines\n\nIf the\n\\\"openssh\\\" server package is not installed, this is a finding.\n\nVerify the \\\"sshd.service\\\" is\nloaded and active with the following command:\n\n$ sudo systemctl status sshd.service | egrep\n-i \\\"(active|loaded)\\\"\n Loaded: loaded (/lib/systemd/system/ssh.service; enabled;\nvendor preset: enabled)\n Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1\nweeks 3 days ago\n\nIf \\\"sshd.service\\\" is not active or loaded, this is a finding. \"\n desc 'fix', \"Install the \\\"ssh\\\" meta-package on the system with the following command:\n\n$ sudo apt install\nssh\n\nEnable the \\\"ssh\\\" service to start automatically on reboot with the following command:\n\n\n$ sudo systemctl enable sshd.service\n\nensure the \\\"ssh\\\" service is running\n\n$ sudo\nsystemctl start sshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000423-GPOS-00187 '\n tag satisfies: %w(SRG-OS-000423-GPOS-00187 SRG-OS-000425-GPOS-00189 SRG-OS-000426-GPOS-00190)\n tag gid: 'V-238215 '\n tag rid: 'SV-238215r853406_rule '\n tag stig_id: 'UBTU-20-010042 '\n tag fix_id: 'F-41384r653819_fix '\n tag cci: %w(CCI-002418 CCI-002420 CCI-002422)\n tag nist: ['SC-8', 'SC-8 (2)']\n\n describe package('openssh-client') do\n it { should be_installed }\n end\n\n describe package('openssh-server') do\n it { should be_installed }\n end\n\n describe package('openssh-sftp-server') do\n it { should be_installed }\n end\n\n describe service('sshd') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238215.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package openssh-client is expected to be installed","run_time":0.039205,"start_time":"2022-12-08T20:52:31-05:00","message":"expected that `System Package openssh-client` is installed","resource_class":"package","resource_params":"[\"openssh-client\"]","resource_id":"openssh-client"},{"status":"failed","code_desc":"System Package openssh-server is expected to be installed","run_time":0.044731,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `System Package openssh-server` is installed","resource_class":"package","resource_params":"[\"openssh-server\"]","resource_id":"openssh-server"},{"status":"failed","code_desc":"System Package openssh-sftp-server is expected to be installed","run_time":0.038751,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `System Package openssh-sftp-server` is installed","resource_class":"package","resource_params":"[\"openssh-sftp-server\"]","resource_id":"openssh-sftp-server"},{"status":"failed","code_desc":"Service sshd is expected to be enabled","run_time":0.000473,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `Service sshd` is enabled","resource_class":"service","resource_params":"[\"sshd\"]","resource_id":"sshd"},{"status":"failed","code_desc":"Service sshd is expected to be installed","run_time":0.000338,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `Service sshd` is installed","resource_class":"service","resource_params":"[\"sshd\"]","resource_id":"sshd"},{"status":"failed","code_desc":"Service sshd is expected to be running","run_time":0.000294,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `Service sshd` is running","resource_class":"service","resource_params":"[\"sshd\"]","resource_id":"sshd"}]},{"id":"SV-238216","title":"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. ","desc":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.","descriptions":[{"label":"default","data":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes."},{"label":"check","data":"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \"hmac-sha2-512\" or\n\"hmac-sha2-256\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000424-GPOS-00188 ","satisfies":["SRG-OS-000424-GPOS-00188","SRG-OS-000250-GPOS-00093","SRG-OS-000393-GPOS-00173"],"gid":"V-238216 ","rid":"SV-238216r860820_rule ","stig_id":"UBTU-20-010043 ","fix_id":"F-41385r653822_fix ","cci":["CCI-001453","CCI-002421","CCI-002890"],"nist":["AC-17 (2)","SC-8 (1)","MA-4 (6)"]},"code":"control 'SV-238216' do\n title \"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \\\"hmac-sha2-512\\\" or\n\\\"hmac-sha2-256\\\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173)\n tag gid: 'V-238216 '\n tag rid: 'SV-238216r860820_rule '\n tag stig_id: 'UBTU-20-010043 '\n tag fix_id: 'F-41385r653822_fix '\n tag cci: %w(CCI-001453 CCI-002421 CCI-002890)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n @macs_array = inspec.sshd_config.params['macs']\n\n @macs_array = @macs_array.first.split(',') unless @macs_array.nil?\n\n describe @macs_array do\n it { should be_in %w(hmac-sha2-256 hmac-sha2-512) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238216.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"FIPS validation in a container must be reviewed manually","run_time":1.2e-05,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"FIPS validation in a container must be reviewed manually","resource_class":"Object","resource_params":"[]","resource_id":"FIPS validation in a container must be reviewed manually"}]},{"id":"SV-238217","title":"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. ","desc":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \"strongest to\nweakest\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.","descriptions":[{"label":"default","data":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \"strongest to\nweakest\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections."},{"label":"check","data":"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \"aes256-ctr\",\n\"aes192-ctr\", or \"aes128-ctr\" are listed, the order differs from the example above, the\n\"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000424-GPOS-00188 ","satisfies":["SRG-OS-000424-GPOS-00188","SRG-OS-000033-GPOS-00014","SRG-OS-000394-GPOS-00174"],"gid":"V-238217 ","rid":"SV-238217r860821_rule ","stig_id":"UBTU-20-010044 ","fix_id":"F-41386r653825_fix ","cci":["CCI-000068","CCI-002421","CCI-003123"],"nist":["AC-17 (2)","SC-8 (1)","MA-4 (6)"]},"code":"control 'SV-238217' do\n title \"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \\\"strongest to\nweakest\\\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \\\"aes256-ctr\\\",\n\\\"aes192-ctr\\\", or \\\"aes128-ctr\\\" are listed, the order differs from the example above, the\n\\\"Ciphers\\\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000033-GPOS-00014 SRG-OS-000394-GPOS-00174)\n tag gid: 'V-238217 '\n tag rid: 'SV-238217r860821_rule '\n tag stig_id: 'UBTU-20-010044 '\n tag fix_id: 'F-41386r653825_fix '\n tag cci: %w(CCI-000068 CCI-002421 CCI-003123)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n @ciphers_array = inspec.sshd_config.params['ciphers']\n\n @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil?\n\n describe @ciphers_array do\n it { should be_in %w(aes256-ctr aes192-ctr aes128-ctr) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238217.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"FIPS validation in a container must be reviewed manually","run_time":5.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"FIPS validation in a container must be reviewed manually","resource_class":"Object","resource_params":"[]","resource_id":"FIPS validation in a container must be reviewed manually"}]},{"id":"SV-238218","title":"The Ubuntu operating system must not allow unattended or automatic login via SSH. ","desc":"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security.","descriptions":[{"label":"default","data":"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security."},{"label":"check","data":"Verify that unattended or automatic login via SSH is disabled with the following command:\n\n$\negrep -r '(Permit(.*?)(Passwords|Environment))'\n/etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf\n\"PermitEmptyPasswords\" or \"PermitUserEnvironment\" keywords are not set to \"no\", are\nmissing completely, or are commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or\nautomatic login to the system.\n\nAdd or edit the following lines in the\n\"/etc/ssh/sshd_config\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00229 ","gid":"V-238218 ","rid":"SV-238218r858531_rule ","stig_id":"UBTU-20-010047 ","fix_id":"F-41387r653828_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238218' do\n title 'The Ubuntu operating system must not allow unattended or automatic login via SSH. '\n desc \"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security. \"\n desc 'check', \"Verify that unattended or automatic login via SSH is disabled with the following command:\n\n$\negrep -r '(Permit(.*?)(Passwords|Environment))'\n/etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf\n\\\"PermitEmptyPasswords\\\" or \\\"PermitUserEnvironment\\\" keywords are not set to \\\"no\\\", are\nmissing completely, or are commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or\nautomatic login to the system.\n\nAdd or edit the following lines in the\n\\\"/etc/ssh/sshd_config\\\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00229 '\n tag gid: 'V-238218 '\n tag rid: 'SV-238218r858531_rule '\n tag stig_id: 'UBTU-20-010047 '\n tag fix_id: 'F-41387r653828_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('PermitEmptyPasswords') { should cmp 'no' }\n its('PermitUserEnvironment') { should cmp 'no' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238218.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":5.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238219","title":"The Ubuntu operating system must be configured so that remote X connections are disabled,\nunless to fulfill documented and validated mission requirements. ","desc":"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs.","descriptions":[{"label":"default","data":"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs."},{"label":"check","data":"Verify that X11Forwarding is disabled with the following command:\n\n$ grep -ir\nx11forwarding /etc/ssh/sshd_config* | grep -v \"^#\"\n\nX11Forwarding no\n\nIf the\n\"X11Forwarding\" keyword is set to \"yes\" and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement or is missing, this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\"\nkeyword and set its value to \"no\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding\nno\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238219 ","rid":"SV-238219r858533_rule ","stig_id":"UBTU-20-010048 ","fix_id":"F-41388r653831_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238219' do\n title \"The Ubuntu operating system must be configured so that remote X connections are disabled,\nunless to fulfill documented and validated mission requirements. \"\n desc \"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs. \"\n desc 'check', \"Verify that X11Forwarding is disabled with the following command:\n\n$ grep -ir\nx11forwarding /etc/ssh/sshd_config* | grep -v \\\"^#\\\"\n\nX11Forwarding no\n\nIf the\n\\\"X11Forwarding\\\" keyword is set to \\\"yes\\\" and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement or is missing, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11Forwarding\\\"\nkeyword and set its value to \\\"no\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding\nno\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238219 '\n tag rid: 'SV-238219r858533_rule '\n tag stig_id: 'UBTU-20-010048 '\n tag fix_id: 'F-41388r653831_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('X11Forwarding') { should cmp 'no' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238219.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":9.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238220","title":"The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy\ndisplay. ","desc":"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display.","descriptions":[{"label":"default","data":"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display."},{"label":"check","data":"Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the\nSSH X11UseLocalhost setting with the following command:\n\n$ sudo grep -ir x11uselocalhost\n/etc/ssh/sshd_config*\nX11UseLocalhost yes\n\nIf the \"X11UseLocalhost\" keyword is set to\n\"no\", is missing, or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding."},{"label":"fix","data":"Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit\nthe \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11UseLocalhost\"\nkeyword and set its value to \"yes\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\n\nX11UseLocalhost yes\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238220 ","rid":"SV-238220r858535_rule ","stig_id":"UBTU-20-010049 ","fix_id":"F-41389r653834_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238220' do\n title \"The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy\ndisplay. \"\n desc \"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display. \"\n desc 'check', \"Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the\nSSH X11UseLocalhost setting with the following command:\n\n$ sudo grep -ir x11uselocalhost\n/etc/ssh/sshd_config*\nX11UseLocalhost yes\n\nIf the \\\"X11UseLocalhost\\\" keyword is set to\n\\\"no\\\", is missing, or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit\nthe \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11UseLocalhost\\\"\nkeyword and set its value to \\\"yes\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\n\nX11UseLocalhost yes\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238220 '\n tag rid: 'SV-238220r858535_rule '\n tag stig_id: 'UBTU-20-010049 '\n tag fix_id: 'F-41389r653834_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('X11UseLocalhost') { should cmp 'yes' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238220.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":5.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238221","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nupper-case character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none upper-case character be used.\n\nDetermine if the field \"ucredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"ucredit\"\n/etc/security/pwquality.conf\nucredit=-1\n\nIf the \"ucredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Add or update the \"/etc/security/pwquality.conf\" file to contain the \"ucredit\" parameter:\n\n\nucredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000069-GPOS-00037 ","gid":"V-238221 ","rid":"SV-238221r653838_rule ","stig_id":"UBTU-20-010050 ","fix_id":"F-41390r653837_fix ","cci":["CCI-000192"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238221' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nupper-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none upper-case character be used.\n\nDetermine if the field \\\"ucredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"ucredit\\\"\n/etc/security/pwquality.conf\nucredit=-1\n\nIf the \\\"ucredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"ucredit\\\" parameter:\n\n\nucredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000069-GPOS-00037 '\n tag gid: 'V-238221 '\n tag rid: 'SV-238221r653838_rule '\n tag stig_id: 'UBTU-20-010050 '\n tag fix_id: 'F-41390r653837_fix '\n tag cci: ['CCI-000192']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ucredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238221.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf ucredit is expected to cmp == \"-1\"","run_time":0.000281,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238222","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nlower-case character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none lower-case character be used.\n\nDetermine if the field \"lcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"lcredit\"\n/etc/security/pwquality.conf\nlcredit=-1\n\nIf the \"lcredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Add or update the \"/etc/security/pwquality.conf\" file to contain the \"lcredit\" parameter:\n\n\nlcredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000070-GPOS-00038 ","gid":"V-238222 ","rid":"SV-238222r653841_rule ","stig_id":"UBTU-20-010051 ","fix_id":"F-41391r653840_fix ","cci":["CCI-000193"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238222' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nlower-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none lower-case character be used.\n\nDetermine if the field \\\"lcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"lcredit\\\"\n/etc/security/pwquality.conf\nlcredit=-1\n\nIf the \\\"lcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"lcredit\\\" parameter:\n\n\nlcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000070-GPOS-00038 '\n tag gid: 'V-238222 '\n tag rid: 'SV-238222r653841_rule '\n tag stig_id: 'UBTU-20-010051 '\n tag fix_id: 'F-41391r653840_fix '\n tag cci: ['CCI-000193']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('lcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238222.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf lcredit is expected to cmp == \"-1\"","run_time":0.000236,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238223","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \"dcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"dcredit\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \"dcredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \"/etc/security/pwquality.conf\"\nfile to contain the \"dcredit\" parameter:\n\ndcredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000071-GPOS-00039 ","gid":"V-238223 ","rid":"SV-238223r653844_rule ","stig_id":"UBTU-20-010052 ","fix_id":"F-41392r653843_fix ","cci":["CCI-000194"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238223' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \\\"dcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"dcredit\\\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \\\"dcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\"\nfile to contain the \\\"dcredit\\\" parameter:\n\ndcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000071-GPOS-00039 '\n tag gid: 'V-238223 '\n tag rid: 'SV-238223r653844_rule '\n tag stig_id: 'UBTU-20-010052 '\n tag fix_id: 'F-41392r653843_fix '\n tag cci: ['CCI-000194']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238223.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf dcredit is expected to cmp == \"-1\"","run_time":8.5e-05,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238224","title":"The Ubuntu operating system must require the change of at least 8 characters when passwords\nare changed. ","desc":"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters.","descriptions":[{"label":"default","data":"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters."},{"label":"check","data":"Verify the Ubuntu operating system requires the change of at least eight characters when\npasswords are changed.\n\nDetermine if the field \"difok\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"difok\"\n/etc/security/pwquality.conf\ndifok=8\n\nIf the \"difok\" parameter is less than \"8\" or is\ncommented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to require the change of at least eight characters when\npasswords are changed.\n\nAdd or update the \"/etc/security/pwquality.conf\" file to include\nthe \"difok=8\" parameter:\n\ndifok=8"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000072-GPOS-00040 ","gid":"V-238224 ","rid":"SV-238224r653847_rule ","stig_id":"UBTU-20-010053 ","fix_id":"F-41393r653846_fix ","cci":["CCI-000195"],"nist":["IA-5 (1) (b)"]},"code":"control 'SV-238224' do\n title \"The Ubuntu operating system must require the change of at least 8 characters when passwords\nare changed. \"\n desc \"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters. \"\n desc 'check', \"Verify the Ubuntu operating system requires the change of at least eight characters when\npasswords are changed.\n\nDetermine if the field \\\"difok\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"difok\\\"\n/etc/security/pwquality.conf\ndifok=8\n\nIf the \\\"difok\\\" parameter is less than \\\"8\\\" or is\ncommented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to require the change of at least eight characters when\npasswords are changed.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\" file to include\nthe \\\"difok=8\\\" parameter:\n\ndifok=8 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000072-GPOS-00040 '\n tag gid: 'V-238224 '\n tag rid: 'SV-238224r653847_rule '\n tag stig_id: 'UBTU-20-010053 '\n tag fix_id: 'F-41393r653846_fix '\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('difok') { should cmp >= '8' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238224.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf difok is expected to cmp >= \"8\"","run_time":0.000115,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238225","title":"The Ubuntu operating system must enforce a minimum 15-character password length. ","desc":"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password.","descriptions":[{"label":"default","data":"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password."},{"label":"check","data":"Verify the pwquality configuration file enforces a minimum 15-character password length by\nrunning the following command:\n\n$ grep -i minlen\n/etc/security/pwquality.conf\nminlen=15\n\nIf \"minlen\" parameter value is not \"15\" or\nhigher or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a minimum 15-character password length.\n\n\nAdd or modify the \"minlen\" parameter value to the \"/etc/security/pwquality.conf\" file:\n\n\nminlen=15"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000078-GPOS-00046 ","gid":"V-238225 ","rid":"SV-238225r832942_rule ","stig_id":"UBTU-20-010054 ","fix_id":"F-41394r653849_fix ","cci":["CCI-000205"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238225' do\n title 'The Ubuntu operating system must enforce a minimum 15-character password length. '\n desc \"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password. \"\n desc 'check', \"Verify the pwquality configuration file enforces a minimum 15-character password length by\nrunning the following command:\n\n$ grep -i minlen\n/etc/security/pwquality.conf\nminlen=15\n\nIf \\\"minlen\\\" parameter value is not \\\"15\\\" or\nhigher or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a minimum 15-character password length.\n\n\nAdd or modify the \\\"minlen\\\" parameter value to the \\\"/etc/security/pwquality.conf\\\" file:\n\n\nminlen=15 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000078-GPOS-00046 '\n tag gid: 'V-238225 '\n tag rid: 'SV-238225r832942_rule '\n tag stig_id: 'UBTU-20-010054 '\n tag fix_id: 'F-41394r653849_fix '\n tag cci: ['CCI-000205']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('minlen') { should cmp >= '15' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238225.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf minlen is expected to cmp >= \"15\"","run_time":0.000163,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238226","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nspecial character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *."},{"label":"check","data":"Determine if the field \"ocredit\" is set in the \"/etc/security/pwquality.conf\" file with the\nfollowing command:\n\n$ grep -i \"ocredit\" /etc/security/pwquality.conf\nocredit=-1\n\nIf\nthe \"ocredit\" parameter is greater than \"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one special character be used.\n\nAdd or update the following line in the\n\"/etc/security/pwquality.conf\" file to include the \"ocredit=-1\" parameter:\n\n\nocredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000266-GPOS-00101 ","gid":"V-238226 ","rid":"SV-238226r653853_rule ","stig_id":"UBTU-20-010055 ","fix_id":"F-41395r653852_fix ","cci":["CCI-001619"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238226' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nspecial character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *. \"\n desc 'check', \"Determine if the field \\\"ocredit\\\" is set in the \\\"/etc/security/pwquality.conf\\\" file with the\nfollowing command:\n\n$ grep -i \\\"ocredit\\\" /etc/security/pwquality.conf\nocredit=-1\n\nIf\nthe \\\"ocredit\\\" parameter is greater than \\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one special character be used.\n\nAdd or update the following line in the\n\\\"/etc/security/pwquality.conf\\\" file to include the \\\"ocredit=-1\\\" parameter:\n\n\nocredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000266-GPOS-00101 '\n tag gid: 'V-238226 '\n tag rid: 'SV-238226r653853_rule '\n tag stig_id: 'UBTU-20-010055 '\n tag fix_id: 'F-41395r653852_fix '\n tag cci: ['CCI-001619']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ocredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238226.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf ocredit is expected to cmp == \"-1\"","run_time":6.3e-05,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238227","title":"The Ubuntu operating system must prevent the use of dictionary words for passwords. ","desc":"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks.","descriptions":[{"label":"default","data":"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks."},{"label":"check","data":"Verify the Ubuntu operating system uses the \"cracklib\" library to prevent the use of\ndictionary words with the following command:\n\n$ grep dictcheck\n/etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \"dictcheck\" parameter is not set to\n\"1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.\n\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file to include the\n\"dictcheck=1\" parameter:\n\ndictcheck=1"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00225 ","gid":"V-238227 ","rid":"SV-238227r653856_rule ","stig_id":"UBTU-20-010056 ","fix_id":"F-41396r653855_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238227' do\n title 'The Ubuntu operating system must prevent the use of dictionary words for passwords. '\n desc \"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks. \"\n desc 'check', \"Verify the Ubuntu operating system uses the \\\"cracklib\\\" library to prevent the use of\ndictionary words with the following command:\n\n$ grep dictcheck\n/etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \\\"dictcheck\\\" parameter is not set to\n\\\"1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.\n\n\nAdd or update the following line in the \\\"/etc/security/pwquality.conf\\\" file to include the\n\\\"dictcheck=1\\\" parameter:\n\ndictcheck=1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238227 '\n tag rid: 'SV-238227r653856_rule '\n tag stig_id: 'UBTU-20-010056 '\n tag fix_id: 'F-41396r653855_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dictcheck') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238227.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf dictcheck is expected to cmp == \"1\"","run_time":5.6e-05,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238228","title":"The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem."},{"label":"check","data":"Verify the Ubuntu operating system has the \"libpam-pwquality\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \"libpam-pwquality\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \"pwquality\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \"enforcing\" is not \"1\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \"pwquality\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\",\nthis is a finding."},{"label":"fix","data":"Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n\n\nInstall the \"pam_pwquality\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \"/etc/security/pwquality.conf\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\"/etc/pam.d/common-password\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \"retry\" should be between \"1\" and\n\"3\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00225 ","gid":"V-238228 ","rid":"SV-238228r653859_rule ","stig_id":"UBTU-20-010057 ","fix_id":"F-41397r653858_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238228' do\n title \"The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \\\"pwquality\\\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem. \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"libpam-pwquality\\\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \\\"libpam-pwquality\\\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \\\"pwquality\\\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \\\"enforcing\\\" is not \\\"1\\\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \\\"pwquality\\\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \\\"retry\\\" is set to \\\"0\\\" or greater than \\\"3\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the operating system to use \\\"pwquality\\\" to enforce password complexity rules.\n\n\nInstall the \\\"pam_pwquality\\\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \\\"/etc/security/pwquality.conf\\\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\\\"/etc/pam.d/common-password\\\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \\\"retry\\\" should be between \\\"1\\\" and\n\\\"3\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238228 '\n tag rid: 'SV-238228r653859_rule '\n tag stig_id: 'UBTU-20-010057 '\n tag fix_id: 'F-41397r653858_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pwquality') do\n it { should be_installed }\n end\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('enforcing') { should cmp 1 }\n end\n\n describe file('/etc/pam.d/common-password') do\n its('content') { should match '^password\\s+requisite\\s+pam_pwquality.so\\s+retry=3\\s+enforce_for_root$' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238228.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":6.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238229","title":"The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. ","desc":"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement.","descriptions":[{"label":"default","data":"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement."},{"label":"check","data":"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \"use_pkcs11_module\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\"\nand then ensure \"ca\" is enabled in \"cert_policy\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to \"ca\" or the line is commented out,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \"use_pkcs11_module\" in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" and ensure \"ca\" is enabled in \"cert_policy\".\n\nAdd or\nupdate the \"cert_policy\" to ensure \"ca\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \"/etc/pam_pkcs11/\" directory and an\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify\naccordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000066-GPOS-00034 ","gid":"V-238229 ","rid":"SV-238229r653862_rule ","stig_id":"UBTU-20-010060 ","fix_id":"F-41398r653861_fix ","cci":["CCI-000185"],"nist":["IA-5 (2) (b) (1)"]},"code":"control 'SV-238229' do\n title \"The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. \"\n desc \"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement. \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \\\"use_pkcs11_module\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\"\nand then ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to \\\"ca\\\" or the line is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \\\"use_pkcs11_module\\\" in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" and ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\".\n\nAdd or\nupdate the \\\"cert_policy\\\" to ensure \\\"ca\\\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000066-GPOS-00034 '\n tag gid: 'V-238229 '\n tag rid: 'SV-238229r653862_rule '\n tag stig_id: 'UBTU-20-010060 '\n tag fix_id: 'F-41398r653861_fix '\n tag cci: ['CCI-000185']\n tag nist: ['IA-5 (2) (b) (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('use_pkcs11_module') { should_not be_nil }\n its('cert_policy') { should include 'ca' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238229.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238230","title":"The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. ","desc":"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management).","descriptions":[{"label":"default","data":"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management)."},{"label":"check","data":"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\"libpam-pkcs11\" package is not installed, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \"libpam-pkcs11\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000375-GPOS-00160 ","gid":"V-238230 ","rid":"SV-238230r853410_rule ","stig_id":"UBTU-20-010063 ","fix_id":"F-41399r653864_fix ","cci":["CCI-001948"],"nist":["IA-2 (11)"]},"code":"control 'SV-238230' do\n title \"The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. \"\n desc \"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management). \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \\\"libpam-pkcs11\\\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000375-GPOS-00160 '\n tag gid: 'V-238230 '\n tag rid: 'SV-238230r853410_rule '\n tag stig_id: 'UBTU-20-010063 '\n tag fix_id: 'F-41399r653864_fix '\n tag cci: ['CCI-001948']\n tag nist: ['IA-2 (11)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238230.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238231","title":"The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. ","desc":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.","descriptions":[{"label":"default","data":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems."},{"label":"check","data":"Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \"opensc-pcks11\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \"opensc-pcks11\" package is not installed,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to accept PIV credentials.\n\nInstall the\n\"opensc-pkcs11\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000376-GPOS-00161 ","gid":"V-238231 ","rid":"SV-238231r853411_rule ","stig_id":"UBTU-20-010064 ","fix_id":"F-41400r653867_fix ","cci":["CCI-001953"],"nist":["IA-2 (12)"]},"code":"control 'SV-238231' do\n title 'The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. '\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \\\"opensc-pcks11\\\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \\\"opensc-pcks11\\\" package is not installed,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to accept PIV credentials.\n\nInstall the\n\\\"opensc-pkcs11\\\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000376-GPOS-00161 '\n tag gid: 'V-238231 '\n tag rid: 'SV-238231r853411_rule '\n tag stig_id: 'UBTU-20-010064 '\n tag fix_id: 'F-41400r653867_fix '\n tag cci: ['CCI-001953']\n tag nist: ['IA-2 (12)']\n\n describe package('opensc-pkcs11') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238231.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package opensc-pkcs11 is expected to be installed","run_time":0.041935,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `System Package opensc-pkcs11` is installed","resource_class":"package","resource_params":"[\"opensc-pkcs11\"]","resource_id":"opensc-pkcs11"}]},{"id":"SV-238232","title":"The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. ","desc":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.","descriptions":[{"label":"default","data":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems."},{"label":"check","data":"Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to\n\"ocsp_on\", or the line is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \"cert_policy\" lines in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000377-GPOS-00162 ","gid":"V-238232 ","rid":"SV-238232r853412_rule ","stig_id":"UBTU-20-010065 ","fix_id":"F-41401r653870_fix ","cci":["CCI-001954"],"nist":["IA-2 (12)"]},"code":"control 'SV-238232' do\n title \"The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. \"\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to\n\\\"ocsp_on\\\", or the line is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \\\"cert_policy\\\" lines in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" to include \\\"ocsp_on\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000377-GPOS-00162 '\n tag gid: 'V-238232 '\n tag rid: 'SV-238232r853412_rule '\n tag stig_id: 'UBTU-20-010065 '\n tag fix_id: 'F-41401r653870_fix '\n tag cci: ['CCI-001954']\n tag nist: ['IA-2 (12)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'ocsp_on' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238232.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":8.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238233","title":"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. ","desc":"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates).","descriptions":[{"label":"default","data":"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates)."},{"label":"check","data":"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \"crl_offline\" or \"crl_auto\" is\npart of the \"cert_policy\" definition in \"/etc/pam_pkcs11/pam_pkcs11.conf\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\"cert_policy\" is not set to include \"crl_auto\" or \"crl_offline\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\"cert_policy\" option in \"/etc/pam/_pkcs11/pam_pkcs11.conf\" to include \"crl_auto\" or\n\"crl_offline\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \"/etc/pam_pkcs11/\" directory and an \"/etc/pam_pkcs11/pam_pkcs11.conf\", find\nan example to copy into place and modify accordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000384-GPOS-00167 ","gid":"V-238233 ","rid":"SV-238233r853413_rule ","stig_id":"UBTU-20-010066 ","fix_id":"F-41402r653873_fix ","cci":["CCI-001991"],"nist":["IA-5 (2) (d)"]},"code":"control 'SV-238233' do\n title \"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. \"\n desc \"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates). \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \\\"crl_offline\\\" or \\\"crl_auto\\\" is\npart of the \\\"cert_policy\\\" definition in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\\\"cert_policy\\\" is not set to include \\\"crl_auto\\\" or \\\"crl_offline\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\\\"cert_policy\\\" option in \\\"/etc/pam/_pkcs11/pam_pkcs11.conf\\\" to include \\\"crl_auto\\\" or\n\\\"crl_offline\\\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \\\"/etc/pam_pkcs11/\\\" directory and an \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find\nan example to copy into place and modify accordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000384-GPOS-00167 '\n tag gid: 'V-238233 '\n tag rid: 'SV-238233r853413_rule '\n tag stig_id: 'UBTU-20-010066 '\n tag fix_id: 'F-41402r653873_fix '\n tag cci: ['CCI-001991']\n tag nist: ['IA-5 (2) (d)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe.one do\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_auto' }\n end\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_offline' }\n end\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238233.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":6.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238234","title":"The Ubuntu operating system must prohibit password reuse for a minimum of five generations. ","desc":"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.","descriptions":[{"label":"default","data":"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements."},{"label":"check","data":"Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \"remember\" parameter value is not greater\nthan or equal to \"5\", is commented out, or is not set at all, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \"remember\" parameter value to the following line in\n\"/etc/pam.d/common-password\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000077-GPOS-00045 ","satisfies":["SRG-OS-000077-GPOS-00045","SRG-OS-000073-GPOS-00041"],"gid":"V-238234 ","rid":"SV-238234r832945_rule ","stig_id":"UBTU-20-010070 ","fix_id":"F-41403r832944_fix ","cci":["CCI-000196","CCI-000200"],"nist":["IA-5 (1) (c)","IA-5 (1) (e)"]},"code":"control 'SV-238234' do\n title 'The Ubuntu operating system must prohibit password reuse for a minimum of five generations. '\n desc \"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \\\"remember\\\" parameter value is not greater\nthan or equal to \\\"5\\\", is commented out, or is not set at all, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \\\"remember\\\" parameter value to the following line in\n\\\"/etc/pam.d/common-password\\\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000077-GPOS-00045 '\n tag satisfies: %w(SRG-OS-000077-GPOS-00045 SRG-OS-000073-GPOS-00041)\n tag gid: 'V-238234 '\n tag rid: 'SV-238234r832945_rule '\n tag stig_id: 'UBTU-20-010070 '\n tag fix_id: 'F-41403r832944_fix '\n tag cci: %w(CCI-000196 CCI-000200)\n tag nist: ['IA-5 (1) (c)', 'IA-5 (1) (e)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-password') do\n it { should exist }\n end\n\n describe command(\"grep -i remember /etc/pam.d/common-password | sed 's/.*remember=\\\\([^ ]*\\\\).*/\\\\1/'\") do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should cmp >= 5 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238234.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":6.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238235","title":"The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. ","desc":"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.","descriptions":[{"label":"default","data":"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account."},{"label":"check","data":"Verify that the Ubuntu operating system utilizes the \"pam_faillock\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \"/etc/pam.d/common-auth\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \"silent\" keyword is missing or commented out, this is a finding.\nIf the \"audit\"\nkeyword is missing or commented out, this is a finding.\nIf the \"deny\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \"fail_interval\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\"unlock_time\" keyword is missing, commented out, or not set to 0, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to utilize the \"pam_faillock\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \"auth\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \"pam_faillock\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000329-GPOS-00128 ","satisfies":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"gid":"V-238235 ","rid":"SV-238235r853414_rule ","stig_id":"UBTU-20-010072 ","fix_id":"F-41404r802382_fix ","cci":["CCI-000044","CCI-002238"],"nist":["AC-7 a","AC-7 b"]},"code":"control 'SV-238235' do\n title \"The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. \"\n desc \"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.\n\n \"\n desc 'check', \"Verify that the Ubuntu operating system utilizes the \\\"pam_faillock\\\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \\\"/etc/pam.d/common-auth\\\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \\\"silent\\\" keyword is missing or commented out, this is a finding.\nIf the \\\"audit\\\"\nkeyword is missing or commented out, this is a finding.\nIf the \\\"deny\\\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \\\"fail_interval\\\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\\\"unlock_time\\\" keyword is missing, commented out, or not set to 0, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to utilize the \\\"pam_faillock\\\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \\\"auth\\\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \\\"pam_faillock\\\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000329-GPOS-00128 '\n tag satisfies: %w(SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005)\n tag gid: 'V-238235 '\n tag rid: 'SV-238235r853414_rule '\n tag stig_id: 'UBTU-20-010072 '\n tag fix_id: 'F-41404r802382_fix '\n tag cci: %w(CCI-000044 CCI-002238)\n tag nist: ['AC-7 a', 'AC-7 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_tally /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3($|\\s+.*$)/) }\n its('stdout.strip') { should_not match(/^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3\\s+.*unlock_time.*$/) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238235.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238236","title":"The Ubuntu operating system must be configured so that the script which runs each 30 days or\nless to check file integrity is the default one. ","desc":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.","descriptions":[{"label":"default","data":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality."},{"label":"check","data":"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to\ncheck file integrity each 30 days or less is unchanged.\n\nDownload the original aide-common\npackage in the /tmp directory:\n\n$ cd /tmp; apt download aide-common\n\nFetch the SHA1 of the\noriginal script file:\n\n$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO\n./usr/share/aide/config/cron.daily/aide | sha1sum\n\n32958374f18871e3f7dda27a58d721f471843e26 -\n\nCompare with the SHA1 of the file in the\ndaily or monthly cron directory:\n\n$ sha1sum /etc/cron.{daily,monthly}/aide\n2>/dev/null\n32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide\n\nIf\nthere is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the\ndaily or monthly cron directory does not match the SHA1 of the original, this is a finding."},{"label":"fix","data":"The cron file for AIDE is fairly complex as it creates the report. This file is installed with\nthe \"aide-common\" package, and the default can be restored by copying it from the package:\n\n\nDownload the original package to the /tmp dir:\n\n$ cd /tmp; apt download aide-common\n\n\nExtract the aide script to its original place:\n\n$ dpkg-deb --fsys-tarfile\n/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C /\n\n\nCopy it to the cron.daily directory:\n\n$ sudo cp -f\n/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000446-GPOS-00200 ","gid":"V-238236 ","rid":"SV-238236r853415_rule ","stig_id":"UBTU-20-010074 ","fix_id":"F-41405r653882_fix ","cci":["CCI-002699"],"nist":["SI-6 b"]},"code":"control 'SV-238236' do\n title \"The Ubuntu operating system must be configured so that the script which runs each 30 days or\nless to check file integrity is the default one. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality. \"\n desc 'check', \"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to\ncheck file integrity each 30 days or less is unchanged.\n\nDownload the original aide-common\npackage in the /tmp directory:\n\n$ cd /tmp; apt download aide-common\n\nFetch the SHA1 of the\noriginal script file:\n\n$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO\n./usr/share/aide/config/cron.daily/aide | sha1sum\n\n32958374f18871e3f7dda27a58d721f471843e26 -\n\nCompare with the SHA1 of the file in the\ndaily or monthly cron directory:\n\n$ sha1sum /etc/cron.{daily,monthly}/aide\n2>/dev/null\n32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide\n\nIf\nthere is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the\ndaily or monthly cron directory does not match the SHA1 of the original, this is a finding. \"\n desc 'fix', \"The cron file for AIDE is fairly complex as it creates the report. This file is installed with\nthe \\\"aide-common\\\" package, and the default can be restored by copying it from the package:\n\n\nDownload the original package to the /tmp dir:\n\n$ cd /tmp; apt download aide-common\n\n\nExtract the aide script to its original place:\n\n$ dpkg-deb --fsys-tarfile\n/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C /\n\n\nCopy it to the cron.daily directory:\n\n$ sudo cp -f\n/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000446-GPOS-00200 '\n tag gid: 'V-238236 '\n tag rid: 'SV-238236r853415_rule '\n tag stig_id: 'UBTU-20-010074 '\n tag fix_id: 'F-41405r653882_fix '\n tag cci: ['CCI-002699']\n tag nist: ['SI-6 b']\n\n describe('Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.') do\n skip('manual test')\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238236.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"manual test","resource_class":"Object","resource_params":"[]","resource_id":"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged."}]},{"id":"SV-238237","title":"The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. ","desc":"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account.","descriptions":[{"label":"default","data":"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account."},{"label":"check","data":"Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \"/etc/pam.d/common-auth\" and set\nthe parameter \"pam_faildelay\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000480-GPOS-00226 ","gid":"V-238237 ","rid":"SV-238237r653886_rule ","stig_id":"UBTU-20-010075 ","fix_id":"F-41406r653885_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238237' do\n title \"The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. \"\n desc \"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \\\"/etc/pam.d/common-auth\\\" and set\nthe parameter \\\"pam_faildelay\\\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00226 '\n tag gid: 'V-238237 '\n tag rid: 'SV-238237r653886_rule '\n tag stig_id: 'UBTU-20-010075 '\n tag fix_id: 'F-41406r653885_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_faildelay /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=([4-9][\\d]{6,}|[1-9][\\d]{7,}).*$/) }\n end\n\n file('/etc/pam.d/common-auth').content.to_s.scan(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=(\\d+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 4_000_000 }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238237.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238238","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000463-GPOS-00207","SRG-OS-000476-GPOS-00221"],"gid":"V-238238 ","rid":"SV-238238r853416_rule ","stig_id":"UBTU-20-010100 ","fix_id":"F-41407r653888_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238238' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000463-GPOS-00207 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238238 '\n tag rid: 'SV-238238r853416_rule '\n tag stig_id: 'UBTU-20-010100 '\n tag fix_id: 'F-41407r653888_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238238.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238239","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238239 ","rid":"SV-238239r853417_rule ","stig_id":"UBTU-20-010101 ","fix_id":"F-41408r653891_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238239' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238239 '\n tag rid: 'SV-238239r853417_rule '\n tag stig_id: 'UBTU-20-010101 '\n tag fix_id: 'F-41408r653891_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/group'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238239.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238240","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238240 ","rid":"SV-238240r853418_rule ","stig_id":"UBTU-20-010102 ","fix_id":"F-41409r653894_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238240' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238240 '\n tag rid: 'SV-238240r853418_rule '\n tag stig_id: 'UBTU-20-010102 '\n tag fix_id: 'F-41409r653894_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/shadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238240.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238241","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238241 ","rid":"SV-238241r853419_rule ","stig_id":"UBTU-20-010103 ","fix_id":"F-41410r653897_fix ","cci":["CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AU-12 c","AC-2 (4)"]},"code":"control 'SV-238241' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238241 '\n tag rid: 'SV-238241r853419_rule '\n tag stig_id: 'UBTU-20-010103 '\n tag fix_id: 'F-41410r653897_fix '\n tag cci: %w(CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AU-12 c', 'AC-2 (4)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/gshadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238241.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238242","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/security/opasswd\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/security/opasswd\".\n\n\nAdd or update the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238242 ","rid":"SV-238242r853420_rule ","stig_id":"UBTU-20-010104 ","fix_id":"F-41411r653900_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238242' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nAdd or update the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238242 '\n tag rid: 'SV-238242r853420_rule '\n tag stig_id: 'UBTU-20-010104 '\n tag fix_id: 'F-41411r653900_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/security/opasswd'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238242.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238243","title":"The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. ","desc":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth.","descriptions":[{"label":"default","data":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth."},{"label":"check","data":"Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \"action_mail_acct\" keyword is not set to an accounts for security personnel, the\n\"action_mail_acct\" keyword is missing, or the returned line is commented out, this is a\nfinding."},{"label":"fix","data":"Configure \"auditd\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \"/etc/audit/auditd.conf\" to ensure administrators\nare notified via email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \"administrator_account\" to an account for\nsecurity personnel.\n\nRestart the \"auditd\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000046-GPOS-00022 ","gid":"V-238243 ","rid":"SV-238243r653904_rule ","stig_id":"UBTU-20-010117 ","fix_id":"F-41412r653903_fix ","cci":["CCI-000139"],"nist":["AU-5 a"]},"code":"control 'SV-238243' do\n title \"The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. \"\n desc \"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth. \"\n desc 'check', \"Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \\\"action_mail_acct\\\" keyword is not set to an accounts for security personnel, the\n\\\"action_mail_acct\\\" keyword is missing, or the returned line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure \\\"auditd\\\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \\\"/etc/audit/auditd.conf\\\" to ensure administrators\nare notified via email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \\\"administrator_account\\\" to an account for\nsecurity personnel.\n\nRestart the \\\"auditd\\\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000046-GPOS-00022 '\n tag gid: 'V-238243 '\n tag rid: 'SV-238243r653904_rule '\n tag stig_id: 'UBTU-20-010117 '\n tag fix_id: 'F-41412r653903_fix '\n tag cci: ['CCI-000139']\n tag nist: ['AU-5 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n action_mail_acct = auditd_conf.action_mail_acct\n security_accounts = input('action_mail_acct')\n\n describe 'System Administrator (SA) and Information System Security Officer (ISSO) are notified in the event of an audit processing failure' do\n subject { security_accounts }\n it { should cmp action_mail_acct }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238243.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":6.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238244","title":"The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). ","desc":"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server.","descriptions":[{"label":"default","data":"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server."},{"label":"check","data":"Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\"disk_full_action\" option is not \"SYSLOG\", \"SINGLE\", or \"HALT\", or the line is commented\nout, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \"disk_full_action\" can be set to \"SYSLOG\", \"HALT\" or \"SINGLE\") in\n\"/etc/audit/auditd.conf\" file:\n\ndisk_full_action = HALT\n\nRestart the \"auditd\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000047-GPOS-00023 ","gid":"V-238244 ","rid":"SV-238244r653907_rule ","stig_id":"UBTU-20-010118 ","fix_id":"F-41413r653906_fix ","cci":["CCI-000140"],"nist":["AU-5 b"]},"code":"control 'SV-238244' do\n title \"The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). \"\n desc \"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server. \"\n desc 'check', \"Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\\\"disk_full_action\\\" option is not \\\"SYSLOG\\\", \\\"SINGLE\\\", or \\\"HALT\\\", or the line is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \\\"disk_full_action\\\" can be set to \\\"SYSLOG\\\", \\\"HALT\\\" or \\\"SINGLE\\\") in\n\\\"/etc/audit/auditd.conf\\\" file:\n\ndisk_full_action = HALT\n\nRestart the \\\"auditd\\\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000047-GPOS-00023 '\n tag gid: 'V-238244 '\n tag rid: 'SV-238244r653907_rule '\n tag stig_id: 'UBTU-20-010118 '\n tag fix_id: 'F-41413r653906_fix '\n tag cci: ['CCI-000140']\n tag nist: ['AU-5 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe auditd_conf do\n its('disk_full_action') { should_not be_empty }\n its('disk_full_action') { should cmp(/(?:SYSLOG|SINGLE|HALT)/i) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238244.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":6.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238245","title":"The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. ","desc":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.","descriptions":[{"label":"default","data":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity."},{"label":"check","data":"Verify that the audit log files have a mode of \"0600\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \"0600\" or\nless by using the following command:\n\n$ sudo stat -c \"%n %a\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\"0600\", this is a finding."},{"label":"fix","data":"Configure the audit log files to have a mode of \"0600\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \"0600\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000057-GPOS-00027 ","satisfies":["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028"],"gid":"V-238245 ","rid":"SV-238245r653910_rule ","stig_id":"UBTU-20-010122 ","fix_id":"F-41414r653909_fix ","cci":["CCI-000162","CCI-000163"],"nist":["AU-9 a"]},"code":"control 'SV-238245' do\n title \"The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify that the audit log files have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \\\"0600\\\" or\nless by using the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\\\"0600\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log files to have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \\\"0600\\\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028)\n tag gid: 'V-238245 '\n tag rid: 'SV-238245r653910_rule '\n tag stig_id: 'UBTU-20-010122 '\n tag fix_id: 'F-41414r653909_fix '\n tag cci: %w(CCI-000162 CCI-000163)\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n it { should_not be_more_permissive_than('0600') }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238245.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238246","title":"The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. ","desc":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.","descriptions":[{"label":"default","data":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity."},{"label":"check","data":"Verify the audit log files are owned by \"root\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \"root\" user by using the following\ncommand:\n\n$ sudo stat -c \"%n %U\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \"root\", this is a finding."},{"label":"fix","data":"Configure the audit log directory and its underlying files to be owned by \"root\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \"root\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000057-GPOS-00027 ","satisfies":["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028","SRG-OS-000059-GPOS-00029"],"gid":"V-238246 ","rid":"SV-238246r653913_rule ","stig_id":"UBTU-20-010123 ","fix_id":"F-41415r653912_fix ","cci":["CCI-000162"],"nist":["AU-9 a"]},"code":"control 'SV-238246' do\n title \"The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the audit log files are owned by \\\"root\\\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \\\"root\\\" user by using the following\ncommand:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \\\"root\\\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238246 '\n tag rid: 'SV-238246r653913_rule '\n tag stig_id: 'UBTU-20-010123 '\n tag fix_id: 'F-41415r653912_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('owner') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238246.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238247","title":"The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. ","desc":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.","descriptions":[{"label":"default","data":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity."},{"label":"check","data":"Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \"log_group\" parameter is other than \"root\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \"root\" group by using the following command:\n$ sudo stat -c \"%n %G\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\"root\", this is a finding."},{"label":"fix","data":"Configure the audit log directory and its underlying files to be owned by \"root\" group.\n\nSet\nthe \"log_group\" parameter of the audit configuration file to the \"root\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000057-GPOS-00027 ","satisfies":["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028","SRG-OS-000059-GPOS-00029"],"gid":"V-238247 ","rid":"SV-238247r832947_rule ","stig_id":"UBTU-20-010124 ","fix_id":"F-41416r832946_fix ","cci":["CCI-000162"],"nist":["AU-9 a"]},"code":"control 'SV-238247' do\n title \"The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \\\"log_group\\\" parameter is other than \\\"root\\\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \\\"root\\\" group by using the following command:\n$ sudo stat -c \\\"%n %G\\\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" group.\n\nSet\nthe \\\"log_group\\\" parameter of the audit configuration file to the \\\"root\\\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238247 '\n tag rid: 'SV-238247r832947_rule '\n tag stig_id: 'UBTU-20-010124 '\n tag fix_id: 'F-41416r832946_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('group') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238247.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238248","title":"The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. ","desc":"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity.","descriptions":[{"label":"default","data":"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity."},{"label":"check","data":"Verify that the audit log directory has a mode of \"0750\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \"0750\" or less by\nusing the following command:\n\n$ sudo stat -c \"%n %a\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \"0750\", this is a finding."},{"label":"fix","data":"Configure the audit log directory to have a mode of \"0750\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\"0750\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000059-GPOS-00029 ","gid":"V-238248 ","rid":"SV-238248r653919_rule ","stig_id":"UBTU-20-010128 ","fix_id":"F-41417r653918_fix ","cci":["CCI-000164"],"nist":["AU-9 a"]},"code":"control 'SV-238248' do\n title \"The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. \"\n desc \"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity. \"\n desc 'check', \"Verify that the audit log directory has a mode of \\\"0750\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \\\"0750\\\" or less by\nusing the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \\\"0750\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory to have a mode of \\\"0750\\\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\\\"0750\\\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000059-GPOS-00029 '\n tag gid: 'V-238248 '\n tag rid: 'SV-238248r653919_rule '\n tag stig_id: 'UBTU-20-010128 '\n tag fix_id: 'F-41417r653918_fix '\n tag cci: ['CCI-000164']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n if log_dir_exists\n describe directory(File.dirname(log_file)) do\n it { should_not be_more_permissive_than('0750') }\n end\n else\n describe('Audit directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238248.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238249","title":"The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. ","desc":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one."},{"label":"check","data":"Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files have a mode of \"0640\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\"/etc/audit/audit.rule\",\"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nhave a mode more permissive than \"0640\", this is a finding."},{"label":"fix","data":"Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files to have a mode of \"0640\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000063-GPOS-00032 ","gid":"V-238249 ","rid":"SV-238249r653922_rule ","stig_id":"UBTU-20-010133 ","fix_id":"F-41418r653921_fix ","cci":["CCI-000171"],"nist":["AU-12 b"]},"code":"control 'SV-238249' do\n title \"The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files have a mode of \\\"0640\\\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\\\"/etc/audit/audit.rule\\\",\\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nhave a mode more permissive than \\\"0640\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to have a mode of \\\"0640\\\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238249 '\n tag rid: 'SV-238249r653922_rule '\n tag stig_id: 'UBTU-20-010133 '\n tag fix_id: 'F-41418r653921_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n it { should_not be_more_permissive_than('0640') }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238249.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238250","title":"The Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. ","desc":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one."},{"label":"check","data":"Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and\n\"/etc/audit/auditd.conf\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nis owned by a user other than \"root\", this is a finding."},{"label":"fix","data":"Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and\n\"/etc/audit/auditd.conf\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000063-GPOS-00032 ","gid":"V-238250 ","rid":"SV-238250r653925_rule ","stig_id":"UBTU-20-010134 ","fix_id":"F-41419r653924_fix ","cci":["CCI-000171"],"nist":["AU-12 b"]},"code":"control 'SV-238250' do\n title \"The Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238250 '\n tag rid: 'SV-238250r653925_rule '\n tag stig_id: 'UBTU-20-010134 '\n tag fix_id: 'F-41419r653924_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238250.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238251","title":"The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. ","desc":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one."},{"label":"check","data":"Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nis owned by a group other than \"root\", this is a finding."},{"label":"fix","data":"Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000063-GPOS-00032 ","gid":"V-238251 ","rid":"SV-238251r653928_rule ","stig_id":"UBTU-20-010135 ","fix_id":"F-41420r653927_fix ","cci":["CCI-000171"],"nist":["AU-12 b"]},"code":"control 'SV-238251' do\n title \"The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a group other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238251 '\n tag rid: 'SV-238251r653928_rule '\n tag stig_id: 'UBTU-20-010135 '\n tag fix_id: 'F-41420r653927_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238251.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":6.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238252","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"su\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x -F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"su\" command occur.\n\nAdd or update the\nfollowing rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238252 ","rid":"SV-238252r653931_rule ","stig_id":"UBTU-20-010136 ","fix_id":"F-41421r653930_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238252' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"su\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x -F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \\\"su\\\" command occur.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238252 '\n tag rid: 'SV-238252r653931_rule '\n tag stig_id: 'UBTU-20-010136 '\n tag fix_id: 'F-41421r653930_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/su'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238252.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238253","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"chfn\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"chfn\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238253 ","rid":"SV-238253r653934_rule ","stig_id":"UBTU-20-010137 ","fix_id":"F-41422r653933_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238253' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"chfn\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chfn\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238253 '\n tag rid: 'SV-238253r653934_rule '\n tag stig_id: 'UBTU-20-010137 '\n tag fix_id: 'F-41422r653933_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chfn'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238253.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238254","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"mount\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"mount\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238254 ","rid":"SV-238254r653937_rule ","stig_id":"UBTU-20-010138 ","fix_id":"F-41423r653936_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238254' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"mount\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"mount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238254 '\n tag rid: 'SV-238254r653937_rule '\n tag stig_id: 'UBTU-20-010138 '\n tag fix_id: 'F-41423r653936_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/mount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238254.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238255","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \"umount\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"umount\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238255 ","rid":"SV-238255r653940_rule ","stig_id":"UBTU-20-010139 ","fix_id":"F-41424r653939_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238255' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \\\"umount\\\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"umount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238255 '\n tag rid: 'SV-238255r653940_rule '\n tag stig_id: 'UBTU-20-010139 '\n tag fix_id: 'F-41424r653939_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/umount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238255.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238256","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-agent command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"ssh-agent\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep '/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"ssh-agent\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238256 ","rid":"SV-238256r653943_rule ","stig_id":"UBTU-20-010140 ","fix_id":"F-41425r653942_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238256' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-agent command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-agent\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep '/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-agent\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238256 '\n tag rid: 'SV-238256r653943_rule '\n tag stig_id: 'UBTU-20-010140 '\n tag fix_id: 'F-41425r653942_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/ssh-agent'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238256.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238257","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"ssh-keysign\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"ssh-keysign\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238257 ","rid":"SV-238257r653946_rule ","stig_id":"UBTU-20-010141 ","fix_id":"F-41426r653945_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238257' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-keysign\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-keysign\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238257 '\n tag rid: 'SV-238257r653946_rule '\n tag stig_id: 'UBTU-20-010141 '\n tag fix_id: 'F-41426r653945_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/lib/openssh/ssh-keysign'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238257.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238258","title":"The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\",\n\"fremovexattr\", and \"lremovexattr\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \"setxattr\", \"fsetxattr\",\n\"lsetxattr\", \"removexattr\", \"fremovexattr\" and \"lremovexattr\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and\n\"lremovexattr\" system calls.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"],"gid":"V-238258 ","rid":"SV-238258r808474_rule ","stig_id":"UBTU-20-010142 ","fix_id":"F-41427r808473_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238258' do\n title \"The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\",\n\\\"fremovexattr\\\", and \\\"lremovexattr\\\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \\\"setxattr\\\", \\\"fsetxattr\\\",\n\\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\" and \\\"lremovexattr\\\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\", and\n\\\"lremovexattr\\\" system calls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238258 '\n tag rid: 'SV-238258r808474_rule '\n tag stig_id: 'UBTU-20-010142 '\n tag fix_id: 'F-41427r808473_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('setxattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('setxattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238258.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238264","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \"chown\",\n\"fchown\", \"fchownat\", and \"lchown\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nAdd or update the following\nrules in the \"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"],"gid":"V-238264 ","rid":"SV-238264r808477_rule ","stig_id":"UBTU-20-010148 ","fix_id":"F-41433r808476_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238264' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \\\"chown\\\",\n\\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nAdd or update the following\nrules in the \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238264 '\n tag rid: 'SV-238264r808477_rule '\n tag stig_id: 'UBTU-20-010148 '\n tag fix_id: 'F-41433r808476_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chown').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chown').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238264.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":7.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238268","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \"chmod\", \"fchmod\" and\n\"fchmodat\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nAdd or update the following rules in\nthe \"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"],"gid":"V-238268 ","rid":"SV-238268r808480_rule ","stig_id":"UBTU-20-010152 ","fix_id":"F-41437r808479_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238268' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \\\"chmod\\\", \\\"fchmod\\\" and\n\\\"fchmodat\\\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nAdd or update the following rules in\nthe \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238268 '\n tag rid: 'SV-238268r808480_rule '\n tag stig_id: 'UBTU-20-010152 '\n tag fix_id: 'F-41437r808479_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chmod').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chmod').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238268.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238271","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\|truncate\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \"-k\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove."},{"label":"fix","data":"Configure the audit system to generate an audit event for any unsuccessful use of the\"creat\",\n\"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" system calls.\n\nAdd\nor update the following rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000474-GPOS-00219"],"gid":"V-238271 ","rid":"SV-238271r808483_rule ","stig_id":"UBTU-20-010155 ","fix_id":"F-41440r808482_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238271' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\\\|truncate\\\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any unsuccessful use of the\\\"creat\\\",\n\\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" system calls.\n\nAdd\nor update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000474-GPOS-00219)\n tag gid: 'V-238271 '\n tag rid: 'SV-238271r808483_rule '\n tag stig_id: 'UBTU-20-010155 '\n tag fix_id: 'F-41440r808482_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238271.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238277","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"sudo\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"sudo\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238277 ","rid":"SV-238277r654006_rule ","stig_id":"UBTU-20-010161 ","fix_id":"F-41446r654005_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238277' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"sudo\\\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudo\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238277 '\n tag rid: 'SV-238277r654006_rule '\n tag stig_id: 'UBTU-20-010161 '\n tag fix_id: 'F-41446r654005_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudo'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238277.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238278","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"sudoedit\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"sudoedit\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238278 ","rid":"SV-238278r654009_rule ","stig_id":"UBTU-20-010162 ","fix_id":"F-41447r654008_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238278' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"sudoedit\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudoedit\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238278 '\n tag rid: 'SV-238278r654009_rule '\n tag stig_id: 'UBTU-20-010162 '\n tag fix_id: 'F-41447r654008_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudoedit'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238278.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238279","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chsh\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chsh\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238279 ","rid":"SV-238279r654012_rule ","stig_id":"UBTU-20-010163 ","fix_id":"F-41448r654011_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238279' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chsh\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chsh\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238279 '\n tag rid: 'SV-238279r654012_rule '\n tag stig_id: 'UBTU-20-010163 '\n tag fix_id: 'F-41448r654011_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chsh'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238279.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238280","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"newgrp\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"newgrp\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238280 ","rid":"SV-238280r654015_rule ","stig_id":"UBTU-20-010164 ","fix_id":"F-41449r654014_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238280' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"newgrp\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"newgrp\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238280 '\n tag rid: 'SV-238280r654015_rule '\n tag stig_id: 'UBTU-20-010164 '\n tag fix_id: 'F-41449r654014_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/newgrp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238280.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238281","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chcon\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chcon\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238281 ","rid":"SV-238281r654018_rule ","stig_id":"UBTU-20-010165 ","fix_id":"F-41450r654017_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238281' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chcon\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chcon\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238281 '\n tag rid: 'SV-238281r654018_rule '\n tag stig_id: 'UBTU-20-010165 '\n tag fix_id: 'F-41450r654017_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chcon'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238281.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238282","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"apparmor_parser\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"apparmor_parser\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238282 ","rid":"SV-238282r654021_rule ","stig_id":"UBTU-20-010166 ","fix_id":"F-41451r654020_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238282' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"apparmor_parser\\\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"apparmor_parser\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238282 '\n tag rid: 'SV-238282r654021_rule '\n tag stig_id: 'UBTU-20-010166 '\n tag fix_id: 'F-41451r654020_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/apparmor_parser'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238282.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238283","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"setfacl\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"setfacl\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238283 ","rid":"SV-238283r654024_rule ","stig_id":"UBTU-20-010167 ","fix_id":"F-41452r654023_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238283' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setfacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setfacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238283 '\n tag rid: 'SV-238283r654024_rule '\n tag stig_id: 'UBTU-20-010167 '\n tag fix_id: 'F-41452r654023_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/setfacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238283.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238284","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chacl\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chacl\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238284 ","rid":"SV-238284r654027_rule ","stig_id":"UBTU-20-010168 ","fix_id":"F-41453r654026_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238284' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238284 '\n tag rid: 'SV-238284r654027_rule '\n tag stig_id: 'UBTU-20-010168 '\n tag fix_id: 'F-41453r654026_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238284.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238285","title":"The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \"tallylog\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"tallylog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"gid":"V-238285 ","rid":"SV-238285r654030_rule ","stig_id":"UBTU-20-010169 ","fix_id":"F-41454r654029_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238285' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238285 '\n tag rid: 'SV-238285r654030_rule '\n tag stig_id: 'UBTU-20-010169 '\n tag fix_id: 'F-41454r654029_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/tallylog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238285.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238286","title":"The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \"faillog\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"faillog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"gid":"V-238286 ","rid":"SV-238286r654033_rule ","stig_id":"UBTU-20-010170 ","fix_id":"F-41455r654032_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238286' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238286 '\n tag rid: 'SV-238286r654033_rule '\n tag stig_id: 'UBTU-20-010170 '\n tag fix_id: 'F-41455r654032_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/faillog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238286.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238287","title":"The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \"lastlog\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"lastlog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"gid":"V-238287 ","rid":"SV-238287r654036_rule ","stig_id":"UBTU-20-010171 ","fix_id":"F-41456r654035_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238287' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238287 '\n tag rid: 'SV-238287r654036_rule '\n tag stig_id: 'UBTU-20-010171 '\n tag fix_id: 'F-41456r654035_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/lastlog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238287.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238288","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"passwd\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"key\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"passwd\" command.\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238288 ","rid":"SV-238288r833012_rule ","stig_id":"UBTU-20-010172 ","fix_id":"F-41457r832949_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238288' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"passwd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"key\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"passwd\\\" command.\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238288 '\n tag rid: 'SV-238288r833012_rule '\n tag stig_id: 'UBTU-20-010172 '\n tag fix_id: 'F-41457r832949_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238288.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238289","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the unix_update command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the\n\"unix_update\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"unix_update\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238289 ","rid":"SV-238289r654042_rule ","stig_id":"UBTU-20-010173 ","fix_id":"F-41458r654041_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238289' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the unix_update command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"unix_update\\\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"unix_update\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238289 '\n tag rid: 'SV-238289r654042_rule '\n tag stig_id: 'UBTU-20-010173 '\n tag fix_id: 'F-41458r654041_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/unix_update'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238289.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238290","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"gpasswd\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"gpasswd\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238290 ","rid":"SV-238290r654045_rule ","stig_id":"UBTU-20-010174 ","fix_id":"F-41459r654044_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238290' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"gpasswd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"gpasswd\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238290 '\n tag rid: 'SV-238290r654045_rule '\n tag stig_id: 'UBTU-20-010174 '\n tag fix_id: 'F-41459r654044_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/gpasswd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238290.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238291","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"chage\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"chage\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238291 ","rid":"SV-238291r654048_rule ","stig_id":"UBTU-20-010175 ","fix_id":"F-41460r654047_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238291' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"chage\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chage\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238291 '\n tag rid: 'SV-238291r654048_rule '\n tag stig_id: 'UBTU-20-010175 '\n tag fix_id: 'F-41460r654047_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chage'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238291.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238292","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"usermod\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"usermod\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238292 ","rid":"SV-238292r654051_rule ","stig_id":"UBTU-20-010176 ","fix_id":"F-41461r654050_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238292' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"usermod\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"usermod\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238292 '\n tag rid: 'SV-238292r654051_rule '\n tag stig_id: 'UBTU-20-010176 '\n tag fix_id: 'F-41461r654050_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/usermod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238292.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238293","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"crontab\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"crontab\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238293 ","rid":"SV-238293r654054_rule ","stig_id":"UBTU-20-010177 ","fix_id":"F-41462r654053_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238293' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"crontab\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"crontab\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238293 '\n tag rid: 'SV-238293r654054_rule '\n tag stig_id: 'UBTU-20-010177 '\n tag fix_id: 'F-41462r654053_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/crontab'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238293.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238294","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the\n\"pam_timestamp_check\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"pam_timestamp_check\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238294 ","rid":"SV-238294r654057_rule ","stig_id":"UBTU-20-010178 ","fix_id":"F-41463r654056_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238294' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"pam_timestamp_check\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"pam_timestamp_check\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238294 '\n tag rid: 'SV-238294r654057_rule '\n tag stig_id: 'UBTU-20-010178 '\n tag fix_id: 'F-41463r654056_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/pam_timestamp_check'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238294.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238295","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \"init_module\" and \"finit_module\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"init_module\" and \"finit_module\" syscalls.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000471-GPOS-00216"],"gid":"V-238295 ","rid":"SV-238295r808486_rule ","stig_id":"UBTU-20-010179 ","fix_id":"F-41464r808485_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238295' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \\\"init_module\\\" and \\\"finit_module\\\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000471-GPOS-00216)\n tag gid: 'V-238295 '\n tag rid: 'SV-238295r808486_rule '\n tag stig_id: 'UBTU-20-010179 '\n tag fix_id: 'F-41464r808485_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('init_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('init_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238295.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238297","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \"delete_module\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"delete_module\" syscall.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000477-GPOS-00222"],"gid":"V-238297 ","rid":"SV-238297r802387_rule ","stig_id":"UBTU-20-010181 ","fix_id":"F-41466r654065_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238297' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"delete_module\\\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"delete_module\\\" syscall.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: ['SRG-OS-000477-GPOS-00222']\n tag gid: 'V-238297 '\n tag rid: 'SV-238297r802387_rule '\n tag stig_id: 'UBTU-20-010181 '\n tag fix_id: 'F-41466r654065_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('delete_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('delete_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238297.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238298","title":"The Ubuntu operating system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. ","desc":"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.","descriptions":[{"label":"default","data":"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system."},{"label":"check","data":"Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \"auditd\" package is not installed, this is a finding.\n\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \"disabled\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \"inactive\",\nthis is a finding."},{"label":"fix","data":"Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000122-GPOS-00063 ","satisfies":["SRG-OS-000122-GPOS-00063","SRG-OS-000037-GPOS-00015","SRG-OS-000038-GPOS-00016","SRG-OS-000039-GPOS-00017","SRG-OS-000040-GPOS-00018","SRG-OS-000041-GPOS-00019","SRG-OS-000042-GPOS-00020","SRG-OS-000042-GPOS-00021","SRG-OS-000051-GPOS-00024","SRG-OS-000054-GPOS-00025","SRG-OS-000062-GPOS-00031","SRG-OS-000337-GPOS-00129","SRG-OS-000348-GPOS-00136","SRG-OS-000349-GPOS-00137","SRG-OS-000350-GPOS-00138","SRG-OS-000351-GPOS-00139","SRG-OS-000352-GPOS-00140","SRG-OS-000353-GPOS-00141","SRG-OS-000354-GPOS-00142","SRG-OS-000475-GPOS-00220"],"gid":"V-238298 ","rid":"SV-238298r853421_rule ","stig_id":"UBTU-20-010182 ","fix_id":"F-41467r654068_fix ","cci":["CCI-000130","CCI-000131","CCI-000132","CCI-000133","CCI-000134","CCI-000135","CCI-000154","CCI-000158","CCI-000169","CCI-000172","CCI-001875","CCI-001876","CCI-001877","CCI-001878","CCI-001879","CCI-001880","CCI-001881","CCI-001882","CCI-001914"],"nist":["AU-3 a","AU-3 b","AU-3 c","AU-3 d","AU-3 e","AU-3 (1)","AU-6 (4)","AU-7 (1)","AU-12 a","AU-12 c","AU-7 a","AU-7 b","AU-12 (3)"]},"code":"control 'SV-238298' do\n title \"The Ubuntu operating system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. \"\n desc \"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.\n\n \"\n desc 'check', \"Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \\\"auditd\\\" package is not installed, this is a finding.\n\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \\\"disabled\\\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \\\"inactive\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000122-GPOS-00063 '\n tag satisfies: %w(SRG-OS-000122-GPOS-00063 SRG-OS-000037-GPOS-00015 SRG-OS-000038-GPOS-00016 SRG-OS-000039-GPOS-00017 SRG-OS-000040-GPOS-00018 SRG-OS-000041-GPOS-00019 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000051-GPOS-00024 SRG-OS-000054-GPOS-00025 SRG-OS-000062-GPOS-00031 SRG-OS-000337-GPOS-00129 SRG-OS-000348-GPOS-00136 SRG-OS-000349-GPOS-00137 SRG-OS-000350-GPOS-00138 SRG-OS-000351-GPOS-00139 SRG-OS-000352-GPOS-00140 SRG-OS-000353-GPOS-00141 SRG-OS-000354-GPOS-00142 SRG-OS-000475-GPOS-00220)\n tag gid: 'V-238298 '\n tag rid: 'SV-238298r853421_rule '\n tag stig_id: 'UBTU-20-010182 '\n tag fix_id: 'F-41467r654068_fix '\n tag cci: %w(CCI-000130 CCI-000131 CCI-000132 CCI-000133 CCI-000134 CCI-000135 CCI-000154 CCI-000158 CCI-000169 CCI-000172 CCI-001875 CCI-001876 CCI-001877 CCI-001878 CCI-001879 CCI-001880 CCI-001881 CCI-001882 CCI-001914)\n tag nist: ['AU-3 a', 'AU-3 b', 'AU-3 c', 'AU-3 d', 'AU-3 e', 'AU-3 (1)', 'AU-6 (4)', 'AU-7 (1)', 'AU-12 a', 'AU-12 c', 'AU-7 a', 'AU-7 b', 'AU-12 (3)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('auditd') do\n it { should be_installed }\n end\n describe service('auditd') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238298.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238299","title":"The Ubuntu operating system must initiate session audits at system start-up. ","desc":"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created.","descriptions":[{"label":"default","data":"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created."},{"label":"check","data":"Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \"^\\s*linux\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \"audit=1\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\"/etc/default/grub\" file and add \"audit=1\" to the \"GRUB_CMDLINE_LINUX\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000254-GPOS-00095 ","gid":"V-238299 ","rid":"SV-238299r654072_rule ","stig_id":"UBTU-20-010198 ","fix_id":"F-41468r654071_fix ","cci":["CCI-001464"],"nist":["AU-14 (1)"]},"code":"control 'SV-238299' do\n title 'The Ubuntu operating system must initiate session audits at system start-up. '\n desc \"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created. \"\n desc 'check', \"Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \\\"^\\\\s*linux\\\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \\\"audit=1\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\\\"/etc/default/grub\\\" file and add \\\"audit=1\\\" to the \\\"GRUB_CMDLINE_LINUX\\\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000254-GPOS-00095 '\n tag gid: 'V-238299 '\n tag rid: 'SV-238299r654072_rule '\n tag stig_id: 'UBTU-20-010198 '\n tag fix_id: 'F-41468r654071_fix '\n tag cci: ['CCI-001464']\n tag nist: ['AU-14 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n grub_entries = command('grep \"^\\s*linux\" /boot/grub/grub.cfg').stdout.strip.split(\"\\n\").entries\n\n grub_entries.each do |entry|\n describe entry do\n it { should include 'audit=1' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238299.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238300","title":"The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the Ubuntu operating system configures the audit tools to have a file permission of\n0755 or less to prevent unauthorized access by running the following command:\n\n$ stat -c \"%n\n%a\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl 755\n/sbin/aureport 755\n\n/sbin/ausearch 755\n/sbin/autrace 755\n/sbin/auditd 755\n/sbin/audispd 755\n\n/sbin/augenrules 755\n\nIf any of the audit tools have a mode more permissive than 0755, this\nis a finding."},{"label":"fix","data":"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n$ sudo chmod\n0755 [audit_tool]\n\nReplace \"[audit_tool]\" with the audit tool that does not have the\ncorrect permissions."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000256-GPOS-00097 ","satisfies":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"],"gid":"V-238300 ","rid":"SV-238300r654075_rule ","stig_id":"UBTU-20-010199 ","fix_id":"F-41469r654074_fix ","cci":["CCI-001493","CCI-001494"],"nist":["AU-9 a","AU-9"]},"code":"control 'SV-238300' do\n title 'The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to have a file permission of\n0755 or less to prevent unauthorized access by running the following command:\n\n$ stat -c \\\"%n\n%a\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl 755\n/sbin/aureport 755\n\n/sbin/ausearch 755\n/sbin/autrace 755\n/sbin/auditd 755\n/sbin/audispd 755\n\n/sbin/augenrules 755\n\nIf any of the audit tools have a mode more permissive than 0755, this\nis a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n$ sudo chmod\n0755 [audit_tool]\n\nReplace \\\"[audit_tool]\\\" with the audit tool that does not have the\ncorrect permissions. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238300 '\n tag rid: 'SV-238300r654075_rule '\n tag stig_id: 'UBTU-20-010199 '\n tag fix_id: 'F-41469r654074_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238300.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238301","title":"The Ubuntu operating system must configure audit tools to be owned by root. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\"%n %U\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding."},{"label":"fix","data":"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not owned by root."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000256-GPOS-00097 ","satisfies":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"],"gid":"V-238301 ","rid":"SV-238301r654078_rule ","stig_id":"UBTU-20-010200 ","fix_id":"F-41470r654077_fix ","cci":["CCI-001493","CCI-001494"],"nist":["AU-9 a","AU-9"]},"code":"control 'SV-238301' do\n title 'The Ubuntu operating system must configure audit tools to be owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\\\"%n %U\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238301 '\n tag rid: 'SV-238301r654078_rule '\n tag stig_id: 'UBTU-20-010200 '\n tag fix_id: 'F-41470r654077_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238301.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238302","title":"The Ubuntu operating system must configure the audit tools to be group-owned by root. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \"%n %G\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding."},{"label":"fix","data":"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not group-owned by root."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000256-GPOS-00097 ","satisfies":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"],"gid":"V-238302 ","rid":"SV-238302r654081_rule ","stig_id":"UBTU-20-010201 ","fix_id":"F-41471r654080_fix ","cci":["CCI-001493","CCI-001494"],"nist":["AU-9 a","AU-9"]},"code":"control 'SV-238302' do\n title 'The Ubuntu operating system must configure the audit tools to be group-owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \\\"%n %G\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not group-owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238302 '\n tag rid: 'SV-238302r654081_rule '\n tag stig_id: 'UBTU-20-010201 '\n tag fix_id: 'F-41471r654080_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238302.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238303","title":"The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. ","desc":"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles.","descriptions":[{"label":"default","data":"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\/sbin\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding."},{"label":"fix","data":"Add or update the following selection lines for \"/etc/aide/aide.conf\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000278-GPOS-00108 ","gid":"V-238303 ","rid":"SV-238303r654084_rule ","stig_id":"UBTU-20-010205 ","fix_id":"F-41472r654083_fix ","cci":["CCI-001496"],"nist":["AU-9 (3)"]},"code":"control 'SV-238303' do\n title \"The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. \"\n desc \"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\\\/sbin\\\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding. \"\n desc 'fix', \"Add or update the following selection lines for \\\"/etc/aide/aide.conf\\\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000278-GPOS-00108 '\n tag gid: 'V-238303 '\n tag rid: 'SV-238303r654084_rule '\n tag stig_id: 'UBTU-20-010205 '\n tag fix_id: 'F-41472r654083_fix '\n tag cci: ['CCI-001496']\n tag nist: ['AU-9 (3)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n aide_conf = aide_conf input('aide_conf_path')\n\n aide_conf_exists = aide_conf.exist?\n\n if aide_conf_exists\n describe aide_conf.where { selection_line == '/sbin/auditctl' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/auditd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/ausearch' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/aureport' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/autrace' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/audispd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/augenrules' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n else\n describe 'aide.conf file exists' do\n subject { aide_conf_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238303.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238304","title":"The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. ","desc":"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.","descriptions":[{"label":"default","data":"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review."},{"label":"check","data":"Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \"execve\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000326-GPOS-00126 ","satisfies":["SRG-OS-000326-GPOS-00126","SRG-OS-000327-GPOS-00127"],"gid":"V-238304 ","rid":"SV-238304r853422_rule ","stig_id":"UBTU-20-010211 ","fix_id":"F-41473r654086_fix ","cci":["CCI-002233","CCI-002234"],"nist":["AC-6 (8)","AC-6 (9)"]},"code":"control 'SV-238304' do\n title \"The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. \"\n desc \"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \\\"execve\\\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000326-GPOS-00126 '\n tag satisfies: %w(SRG-OS-000326-GPOS-00126 SRG-OS-000327-GPOS-00127)\n tag gid: 'V-238304 '\n tag rid: 'SV-238304r853422_rule '\n tag stig_id: 'UBTU-20-010211 '\n tag fix_id: 'F-41473r654086_fix '\n tag cci: %w(CCI-002233 CCI-002234)\n tag nist: ['AC-6 (8)', 'AC-6 (9)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('execve').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('execve').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238304.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238305","title":"The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. ","desc":"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system.","descriptions":[{"label":"default","data":"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system."},{"label":"check","data":"Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \"/var/log/audit/\") with the following command:\n\n$\nsudo df –h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\"/var/log/audit\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du –sh [audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding."},{"label":"fix","data":"Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \"parted\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\s*=\\s*).*@\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint."}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000341-GPOS-00132 ","gid":"V-238305 ","rid":"SV-238305r853423_rule ","stig_id":"UBTU-20-010215 ","fix_id":"F-41474r654089_fix ","cci":["CCI-001849"],"nist":["AU-4"]},"code":"control 'SV-238305' do\n title \"The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. \"\n desc \"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system. \"\n desc 'check', \"Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \\\"/var/log/audit/\\\") with the following command:\n\n$\nsudo df –h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\\\"/var/log/audit\\\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du –sh [audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding. \"\n desc 'fix', \"Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \\\"parted\\\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\\\s*=\\\\s*).*@\\\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000341-GPOS-00132 '\n tag gid: 'V-238305 '\n tag rid: 'SV-238305r853423_rule '\n tag stig_id: 'UBTU-20-010215 '\n tag fix_id: 'F-41474r654089_fix '\n tag cci: ['CCI-001849']\n tag nist: ['AU-4']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n log_file_dir = File.dirname(log_file)\n available_storage = filesystem(log_file_dir).free_kb\n log_file_size = file(log_file).size\n standard_audit_log_size = input('standard_audit_log_size')\n describe('Current audit log file size is less than the specified standard of ' + standard_audit_log_size.to_s) do\n subject { log_file_size.to_i }\n it { should be <= standard_audit_log_size }\n end\n describe('Available storage for audit log should be more than the defined standard of ' + standard_audit_log_size.to_s) do\n subject { available_storage.to_i }\n it { should be > standard_audit_log_size }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238305.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238306","title":"The Ubuntu operating system audit event multiplexor must be configured to off-load audit\nlogs onto a different system or storage media from the system being audited. ","desc":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity.","descriptions":[{"label":"default","data":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity."},{"label":"check","data":"Verify the audit event multiplexor is configured to offload audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that audisp-remote plugin is\ninstalled:\n\n$ sudo dpkg -s audispd-plugins\n\nIf status is \"not installed\", this is a\nfinding.\n\nCheck that the records are being offloaded to a remote server with the following\ncommand:\n\n$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf\n\"active\" is not set to \"yes\", or the line is commented out, this is a finding.\n\nCheck that\naudisp-remote plugin is configured to send audit logs to a different system:\n\n$ sudo grep -i\n^remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 192.168.122.126\n\nIf\nthe \"remote_server\" parameter is not set, is set with a local address, or is set with an invalid\naddress, this is a finding."},{"label":"fix","data":"Configure the audit event multiplexor to offload audit records to a different system or\nstorage media from the system being audited.\n\nInstall the audisp-remote plugin:\n\n$ sudo\napt-get install audispd-plugins -y\n\nSet the audisp-remote plugin as active by editing the\n\"/etc/audisp/plugins.d/au-remote.conf\" file:\n\n$ sudo sed -i -E\n's/active\\s*=\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf\n\nSet the\naddress of the remote machine by editing the \"/etc/audisp/audisp-remote.conf\" file:\n\n$\nsudo sed -i -E 's/(remote_server\\s*=).*/\\1 <remote addr>/'\n/etc/audisp/audisp-remote.conf\n\nwhere <remote addr> must be substituted by the\naddress of the remote server receiving the audit log.\n\nMake the audit service reload its\nconfiguration files:\n\n$ sudo systemctl restart auditd.service"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000342-GPOS-00133 ","satisfies":["SRG-OS-000342-GPOS-00133","SRG-OS-000479-GPOS-00224"],"gid":"V-238306 ","rid":"SV-238306r853424_rule ","stig_id":"UBTU-20-010216 ","fix_id":"F-41475r654092_fix ","cci":["CCI-001851"],"nist":["AU-4 (1)"]},"code":"control 'SV-238306' do\n title \"The Ubuntu operating system audit event multiplexor must be configured to off-load audit\nlogs onto a different system or storage media from the system being audited. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity.\n\n \"\n desc 'check', \"Verify the audit event multiplexor is configured to offload audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that audisp-remote plugin is\ninstalled:\n\n$ sudo dpkg -s audispd-plugins\n\nIf status is \\\"not installed\\\", this is a\nfinding.\n\nCheck that the records are being offloaded to a remote server with the following\ncommand:\n\n$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf\n\\\"active\\\" is not set to \\\"yes\\\", or the line is commented out, this is a finding.\n\nCheck that\naudisp-remote plugin is configured to send audit logs to a different system:\n\n$ sudo grep -i\n^remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 192.168.122.126\n\nIf\nthe \\\"remote_server\\\" parameter is not set, is set with a local address, or is set with an invalid\naddress, this is a finding. \"\n desc 'fix', \"Configure the audit event multiplexor to offload audit records to a different system or\nstorage media from the system being audited.\n\nInstall the audisp-remote plugin:\n\n$ sudo\napt-get install audispd-plugins -y\n\nSet the audisp-remote plugin as active by editing the\n\\\"/etc/audisp/plugins.d/au-remote.conf\\\" file:\n\n$ sudo sed -i -E\n's/active\\\\s*=\\\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf\n\nSet the\naddress of the remote machine by editing the \\\"/etc/audisp/audisp-remote.conf\\\" file:\n\n$\nsudo sed -i -E 's/(remote_server\\\\s*=).*/\\\\1 <remote addr>/'\n/etc/audisp/audisp-remote.conf\n\nwhere <remote addr> must be substituted by the\naddress of the remote server receiving the audit log.\n\nMake the audit service reload its\nconfiguration files:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000342-GPOS-00133 '\n tag satisfies: %w(SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224)\n tag gid: 'V-238306 '\n tag rid: 'SV-238306r853424_rule '\n tag stig_id: 'UBTU-20-010216 '\n tag fix_id: 'F-41475r654092_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = input('audispremote_config_file')\n config_file_exists = file(config_file).exist?\n audit_sp_remote_server = input('audit_sp_remote_server')\n\n describe package('audispd-plugins') do\n it { should be_installed }\n end\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('active') { should cmp 'yes' }\n its('remote_server') { should cmp audit_sp_remote_server }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238306.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238307","title":"The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. ","desc":"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion.","descriptions":[{"label":"default","data":"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion."},{"label":"check","data":"Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \"space_left\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \"space_left_action\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \"space_left_action\" is set to \"syslog\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\"space_left_action\" is set to \"exec\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \"space_left_action\" is set\nto \"email\", check the value of the \"action_mail_acct\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \"action_mail_acct\" parameter, if missing, defaults to \"root\". If the\n\"action_mail_acct parameter\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available."},{"label":"fix","data":"Edit \"/etc/audit/auditd.conf\" and set the \"space_left_action\" parameter to \"exec\" or\n\"email\".\n\nIf the \"space_left_action\" parameter is set to \"email\", set the\n\"action_mail_acct\" parameter to an email address for the SA and ISSO.\n\nIf the\n\"space_left_action\" parameter is set to \"exec\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \"/etc/audit/auditd.conf\" and set the \"space_left\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity."}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000343-GPOS-00134 ","gid":"V-238307 ","rid":"SV-238307r853425_rule ","stig_id":"UBTU-20-010217 ","fix_id":"F-41476r654095_fix ","cci":["CCI-001855"],"nist":["AU-5 (1)"]},"code":"control 'SV-238307' do\n title \"The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. \"\n desc \"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion. \"\n desc 'check', \"Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \\\"space_left\\\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \\\"space_left_action\\\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \\\"space_left_action\\\" is set to \\\"syslog\\\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\\\"space_left_action\\\" is set to \\\"exec\\\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \\\"space_left_action\\\" is set\nto \\\"email\\\", check the value of the \\\"action_mail_acct\\\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \\\"action_mail_acct\\\" parameter, if missing, defaults to \\\"root\\\". If the\n\\\"action_mail_acct parameter\\\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available. \"\n desc 'fix', \"Edit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left_action\\\" parameter to \\\"exec\\\" or\n\\\"email\\\".\n\nIf the \\\"space_left_action\\\" parameter is set to \\\"email\\\", set the\n\\\"action_mail_acct\\\" parameter to an email address for the SA and ISSO.\n\nIf the\n\\\"space_left_action\\\" parameter is set to \\\"exec\\\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left\\\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000343-GPOS-00134 '\n tag gid: 'V-238307 '\n tag rid: 'SV-238307r853425_rule '\n tag stig_id: 'UBTU-20-010217 '\n tag fix_id: 'F-41476r654095_fix '\n tag cci: ['CCI-001855']\n tag nist: ['AU-5 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n email_to_notify = input('action_mail_acct')\n\n partition_threshold_mb = (filesystem(log_file).size_kb / 1024 * 0.25).to_i\n system_alert_configuration_mb = auditd_conf.space_left.to_i\n\n describe 'The space_left configuration' do\n subject { system_alert_configuration_mb }\n it { should >= partition_threshold_mb }\n end\n describe 'The space_left_action configuration' do\n subject { auditd_conf.space_left_action }\n it { should eq 'email' }\n end\n\n describe 'The action_mail_acct configuration' do\n subject { auditd_conf.action_mail_acct }\n it { should eq email_to_notify }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238307.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238308","title":"The Ubuntu operating system must record time stamps for audit records that can be mapped to\nCoordinated Universal Time (UTC) or Greenwich Mean Time (GMT). ","desc":"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.","descriptions":[{"label":"default","data":"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC."},{"label":"check","data":"To verify the time zone is configured to use UTC or GMT, run the following command.\n\n$\ntimedatectl status | grep -i \"time zone\"\nTimezone: UTC (UTC, +0000)\n\nIf \"Timezone\" is not\nset to UTC or GMT, this is a finding."},{"label":"fix","data":"To configure the system time zone to use UTC or GMT, run the following command, replacing\n[ZONE] with UTC or GMT:\n\n$ sudo timedatectl set-timezone [ZONE]"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000359-GPOS-00146 ","gid":"V-238308 ","rid":"SV-238308r853426_rule ","stig_id":"UBTU-20-010230 ","fix_id":"F-41477r654098_fix ","cci":["CCI-001890"],"nist":["AU-8 b"]},"code":"control 'SV-238308' do\n title \"The Ubuntu operating system must record time stamps for audit records that can be mapped to\nCoordinated Universal Time (UTC) or Greenwich Mean Time (GMT). \"\n desc \"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. \"\n desc 'check', \"To verify the time zone is configured to use UTC or GMT, run the following command.\n\n$\ntimedatectl status | grep -i \\\"time zone\\\"\nTimezone: UTC (UTC, +0000)\n\nIf \\\"Timezone\\\" is not\nset to UTC or GMT, this is a finding. \"\n desc 'fix', \"To configure the system time zone to use UTC or GMT, run the following command, replacing\n[ZONE] with UTC or GMT:\n\n$ sudo timedatectl set-timezone [ZONE] \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000359-GPOS-00146 '\n tag gid: 'V-238308 '\n tag rid: 'SV-238308r853426_rule '\n tag stig_id: 'UBTU-20-010230 '\n tag fix_id: 'F-41477r654098_fix '\n tag cci: ['CCI-001890']\n tag nist: ['AU-8 b']\n\n time_zone = command('timedatectl status | grep -i \"time zone\"').stdout.strip\n\n describe time_zone do\n it { should match 'UTC' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238308.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"is expected to match \"UTC\"","run_time":0.00017,"start_time":"2022-12-08T20:52:32-05:00","message":"expected \"\" to match \"UTC\"","resource_class":"Object","resource_params":"[]","resource_id":""}]},{"id":"SV-238309","title":"The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, diagnostic sessions and other system-level access. ","desc":"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.","descriptions":[{"label":"default","data":"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of\nan Ethernet switch."},{"label":"check","data":"Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000392-GPOS-00172 ","satisfies":["SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"gid":"V-238309 ","rid":"SV-238309r853427_rule ","stig_id":"UBTU-20-010244 ","fix_id":"F-41478r654101_fix ","cci":["CCI-000172","CCI-002884"],"nist":["AU-12 c","MA-4 (1) (a)"]},"code":"control 'SV-238309' do\n title \"The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, diagnostic sessions and other system-level access. \"\n desc \"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\\\"ping,\\\" \\\"ls,\\\" \\\"ipconfig,\\\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000392-GPOS-00172 '\n tag satisfies: %w(SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215)\n tag gid: 'V-238309 '\n tag rid: 'SV-238309r853427_rule '\n tag stig_id: 'UBTU-20-010244 '\n tag fix_id: 'F-41478r654101_fix '\n tag cci: %w(CCI-000172 CCI-002884)\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/sudo.log'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238309.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238310","title":"The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\|rename\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \"unlink\",\n\"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \"key\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events for any successful/unsuccessful use of\n\"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" system calls.\n\nAdd or update the\nfollowing rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000468-GPOS-00212 ","gid":"V-238310 ","rid":"SV-238310r832953_rule ","stig_id":"UBTU-20-010267 ","fix_id":"F-41479r832952_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238310' do\n title \"The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible. \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\\\|rename\\\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \\\"unlink\\\",\n\\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \\\"key\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events for any successful/unsuccessful use of\n\\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" system calls.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000468-GPOS-00212 '\n tag gid: 'V-238310 '\n tag rid: 'SV-238310r832953_rule '\n tag stig_id: 'UBTU-20-010267 '\n tag fix_id: 'F-41479r832952_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('unlink').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('unlink').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238310.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238315","title":"The Ubuntu operating system must generate audit records for the /var/log/wtmp file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/log/wtmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/log/wtmp\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000472-GPOS-00217 ","gid":"V-238315 ","rid":"SV-238315r654120_rule ","stig_id":"UBTU-20-010277 ","fix_id":"F-41484r654119_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238315' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238315 '\n tag rid: 'SV-238315r654120_rule '\n tag stig_id: 'UBTU-20-010277 '\n tag fix_id: 'F-41484r654119_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238315.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238316","title":"The Ubuntu operating system must generate audit records for the /var/run/wtmp file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/run/wtmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/run/wtmp\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000472-GPOS-00217 ","gid":"V-238316 ","rid":"SV-238316r654123_rule ","stig_id":"UBTU-20-010278 ","fix_id":"F-41485r654122_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238316' do\n title 'The Ubuntu operating system must generate audit records for the /var/run/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/run/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/run/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238316 '\n tag rid: 'SV-238316r654123_rule '\n tag stig_id: 'UBTU-20-010278 '\n tag fix_id: 'F-41485r654122_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/run/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238316.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238317","title":"The Ubuntu operating system must generate audit records for the /var/log/btmp file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/log/btmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/log/btmp file\".\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000472-GPOS-00217 ","gid":"V-238317 ","rid":"SV-238317r654126_rule ","stig_id":"UBTU-20-010279 ","fix_id":"F-41486r654125_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238317' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/btmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/btmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/btmp file\\\".\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238317 '\n tag rid: 'SV-238317r654126_rule '\n tag stig_id: 'UBTU-20-010279 '\n tag fix_id: 'F-41486r654125_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/btmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238317.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238318","title":"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \"modprobe\" by running the following command:\n\n$ sudo auditctl -l | grep\n\"/sbin/modprobe\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \"modprobe\".\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000477-GPOS-00222 ","gid":"V-238318 ","rid":"SV-238318r654129_rule ","stig_id":"UBTU-20-010296 ","fix_id":"F-41487r654128_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238318' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"modprobe\\\" by running the following command:\n\n$ sudo auditctl -l | grep\n\\\"/sbin/modprobe\\\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"modprobe\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238318 '\n tag rid: 'SV-238318r654129_rule '\n tag stig_id: 'UBTU-20-010296 '\n tag fix_id: 'F-41487r654128_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/modprobe'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238318.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238319","title":"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \"kmod\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \"kmod\".\n\nAdd or update the following rule in the \"/etc/audit/rules.d/stig.rules\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000477-GPOS-00222 ","gid":"V-238319 ","rid":"SV-238319r654132_rule ","stig_id":"UBTU-20-010297 ","fix_id":"F-41488r654131_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238319' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"kmod\\\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"kmod\\\".\n\nAdd or update the following rule in the \\\"/etc/audit/rules.d/stig.rules\\\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238319 '\n tag rid: 'SV-238319r654132_rule '\n tag stig_id: 'UBTU-20-010297 '\n tag fix_id: 'F-41488r654131_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/kmod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238319.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238320","title":"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \"fdisk\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \"fdisk\".\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000477-GPOS-00222 ","gid":"V-238320 ","rid":"SV-238320r832956_rule ","stig_id":"UBTU-20-010298 ","fix_id":"F-41489r832955_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238320' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \\\"fdisk\\\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \\\"fdisk\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238320 '\n tag rid: 'SV-238320r832956_rule '\n tag stig_id: 'UBTU-20-010298 '\n tag fix_id: 'F-41489r832955_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/fdisk'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238320.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238321","title":"The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. ","desc":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity.","descriptions":[{"label":"default","data":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity."},{"label":"check","data":"Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\"/etc/cron.weekly\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding."},{"label":"fix","data":"Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \"/etc/cron.weekly\" directory."}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000479-GPOS-00224 ","gid":"V-238321 ","rid":"SV-238321r853428_rule ","stig_id":"UBTU-20-010300 ","fix_id":"F-41490r654137_fix ","cci":["CCI-001851"],"nist":["AU-4 (1)"]},"code":"control 'SV-238321' do\n title \"The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity. \"\n desc 'check', \"Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\\\"/etc/cron.weekly\\\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding. \"\n desc 'fix', \"Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \\\"/etc/cron.weekly\\\" directory. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000479-GPOS-00224 '\n tag gid: 'V-238321 '\n tag rid: 'SV-238321r853428_rule '\n tag stig_id: 'UBTU-20-010300 '\n tag fix_id: 'F-41490r654137_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n\n cron_file = input('auditoffload_config_file')\n cron_file_exists = file(cron_file).exist?\n\n if cron_file_exists\n describe file(cron_file) do\n its('content') { should_not be_empty }\n end\n else\n describe cron_file + ' exists' do\n subject { cron_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238321.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/cron.weekly/audit-offload exists is expected to equal true","run_time":0.000838,"start_time":"2022-12-08T20:52:32-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/cron.weekly/audit-offload exists"}]},{"id":"SV-238323","title":"The Ubuntu operating system must limit the number of concurrent sessions to ten for all\naccounts and/or account types. ","desc":"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system.","descriptions":[{"label":"default","data":"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system."},{"label":"check","data":"Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all\naccounts and/or account types by running the following command:\n\n$ grep maxlogins\n/etc/security/limits.conf | grep -v '^* hard maxlogins'\n\nThe result must contain the\nfollowing line:\n\n* hard maxlogins 10\n\nIf the \"maxlogins\" item is missing or the value is not\nset to 10 or less or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all\naccounts and/or account types.\n\nAdd the following line to the top of the\n\"/etc/security/limits.conf\" file:\n\n* hard maxlogins 10"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000027-GPOS-00008 ","gid":"V-238323 ","rid":"SV-238323r654144_rule ","stig_id":"UBTU-20-010400 ","fix_id":"F-41492r654143_fix ","cci":["CCI-000054"],"nist":["AC-10"]},"code":"control 'SV-238323' do\n title \"The Ubuntu operating system must limit the number of concurrent sessions to ten for all\naccounts and/or account types. \"\n desc \"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system. \"\n desc 'check', \"Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all\naccounts and/or account types by running the following command:\n\n$ grep maxlogins\n/etc/security/limits.conf | grep -v '^* hard maxlogins'\n\nThe result must contain the\nfollowing line:\n\n* hard maxlogins 10\n\nIf the \\\"maxlogins\\\" item is missing or the value is not\nset to 10 or less or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all\naccounts and/or account types.\n\nAdd the following line to the top of the\n\\\"/etc/security/limits.conf\\\" file:\n\n* hard maxlogins 10 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000027-GPOS-00008 '\n tag gid: 'V-238323 '\n tag rid: 'SV-238323r654144_rule '\n tag stig_id: 'UBTU-20-010400 '\n tag fix_id: 'F-41492r654143_fix '\n tag cci: ['CCI-000054']\n tag nist: ['AC-10']\n\n describe limits_conf do\n its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238323.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"limits.conf * is expected to include [\"hard\", \"maxlogins\", \"10\"]","run_time":0.000255,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"limits_conf","resource_params":"[]","resource_id":"/etc/security/limits.conf"}]},{"id":"SV-238324","title":"The Ubuntu operating system must monitor remote access methods. ","desc":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets).","descriptions":[{"label":"default","data":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets)."},{"label":"check","data":"Verify that the Ubuntu operating system monitors all remote access methods.\n\nCheck that\nremote access methods are being logged by running the following command:\n\n$ grep -E -r\n'^(auth,authpriv\\.\\*|daemon\\.\\*)' /etc/rsyslog.*\n\n/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log\n\n/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages\n\nIf \"auth.*\",\n\"authpriv.*\", or \"daemon.*\" are not configured to be logged in at least one of the config\nfiles, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to monitor all remote access methods by adding the\nfollowing lines to the \"/etc/rsyslog.d/50-default.conf\" file:\n\nauth.*,authpriv.*\n/var/log/secure\ndaemon.* /var/log/messages\n\nFor the changes to take effect, restart the\n\"rsyslog\" service with the following command:\n\n$ sudo systemctl restart rsyslog.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000032-GPOS-00013 ","gid":"V-238324 ","rid":"SV-238324r832959_rule ","stig_id":"UBTU-20-010403 ","fix_id":"F-41493r832958_fix ","cci":["CCI-000067"],"nist":["AC-17 (1)"]},"code":"control 'SV-238324' do\n title 'The Ubuntu operating system must monitor remote access methods. '\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify that the Ubuntu operating system monitors all remote access methods.\n\nCheck that\nremote access methods are being logged by running the following command:\n\n$ grep -E -r\n'^(auth,authpriv\\\\.\\\\*|daemon\\\\.\\\\*)' /etc/rsyslog.*\n\n/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log\n\n/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages\n\nIf \\\"auth.*\\\",\n\\\"authpriv.*\\\", or \\\"daemon.*\\\" are not configured to be logged in at least one of the config\nfiles, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to monitor all remote access methods by adding the\nfollowing lines to the \\\"/etc/rsyslog.d/50-default.conf\\\" file:\n\nauth.*,authpriv.*\n/var/log/secure\ndaemon.* /var/log/messages\n\nFor the changes to take effect, restart the\n\\\"rsyslog\\\" service with the following command:\n\n$ sudo systemctl restart rsyslog.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000032-GPOS-00013 '\n tag gid: 'V-238324 '\n tag rid: 'SV-238324r832959_rule '\n tag stig_id: 'UBTU-20-010403 '\n tag fix_id: 'F-41493r832958_fix '\n tag cci: ['CCI-000067']\n tag nist: ['AC-17 (1)']\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*\\t\\s*(.*?)\\s*$/,\n }\n config_file = input('rsyslog_config_file')\n auth_setting = parse_config_file(config_file, options).params['auth,authpriv.*']\n daemon_setting = parse_config_file(config_file, options).params['daemon.notice']\n describe auth_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\n describe daemon_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238324.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"is expected not to be nil","run_time":6.3e-05,"start_time":"2022-12-08T20:52:32-05:00","message":"expected: not nil\n got: nil","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected not to be empty","run_time":0.002619,"start_time":"2022-12-08T20:52:32-05:00","message":"expected nil to respond to `empty?`","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected not to be nil","run_time":4.0e-05,"start_time":"2022-12-08T20:52:32-05:00","message":"expected: not nil\n got: nil","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected not to be empty","run_time":0.002258,"start_time":"2022-12-08T20:52:32-05:00","message":"expected nil to respond to `empty?`","resource_class":"Object","resource_params":"[]","resource_id":""}]},{"id":"SV-238325","title":"The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. ","desc":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.","descriptions":[{"label":"default","data":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised."},{"label":"check","data":"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \"ENCRYPT_METHOD\" does not equal SHA512 or\ngreater, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \"/etc/login.defs\" file and set \"ENCRYPT_METHOD\" to SHA512:\n\n\nENCRYPT_METHOD SHA512"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000120-GPOS-00061 ","gid":"V-238325 ","rid":"SV-238325r654150_rule ","stig_id":"UBTU-20-010404 ","fix_id":"F-41494r654149_fix ","cci":["CCI-000803"],"nist":["IA-7"]},"code":"control 'SV-238325' do\n title \"The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. \"\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \\\"ENCRYPT_METHOD\\\" does not equal SHA512 or\ngreater, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \\\"/etc/login.defs\\\" file and set \\\"ENCRYPT_METHOD\\\" to SHA512:\n\n\nENCRYPT_METHOD SHA512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000120-GPOS-00061 '\n tag gid: 'V-238325 '\n tag rid: 'SV-238325r654150_rule '\n tag stig_id: 'UBTU-20-010404 '\n tag fix_id: 'F-41494r654149_fix '\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n elsif virtualization.system.eql?('docker')\n describe 'Manual test' do\n skip 'This control must be reviewed manually'\n end\n else\n describe login_defs do\n its('ENCRYPT_METHOD') { should eq 'SHA512' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238325.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"FIPS validation in a container must be reviewed manually","run_time":5.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"FIPS validation in a container must be reviewed manually","resource_class":"Object","resource_params":"[]","resource_id":"FIPS validation in a container must be reviewed manually"}]},{"id":"SV-238326","title":"The Ubuntu operating system must not have the telnet package installed. ","desc":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.","descriptions":[{"label":"default","data":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised."},{"label":"check","data":"Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding."},{"label":"fix","data":"Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000074-GPOS-00042 ","gid":"V-238326 ","rid":"SV-238326r654153_rule ","stig_id":"UBTU-20-010405 ","fix_id":"F-41495r654152_fix ","cci":["CCI-000197"],"nist":["IA-5 (1) (c)"]},"code":"control 'SV-238326' do\n title 'The Ubuntu operating system must not have the telnet package installed. '\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding. \"\n desc 'fix', \"Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000074-GPOS-00042 '\n tag gid: 'V-238326 '\n tag rid: 'SV-238326r654153_rule '\n tag stig_id: 'UBTU-20-010405 '\n tag fix_id: 'F-41495r654152_fix '\n tag cci: ['CCI-000197']\n tag nist: ['IA-5 (1) (c)']\n\n describe package('telnetd') do\n it { should_not be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238326.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"System Package telnetd is expected not to be installed","run_time":0.037073,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"package","resource_params":"[\"telnetd\"]","resource_id":"telnetd"}]},{"id":"SV-238327","title":"The Ubuntu operating system must not have the rsh-server package installed. ","desc":"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.","descriptions":[{"label":"default","data":"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled."},{"label":"check","data":"Verify the rsh-server package is installed with the following command:\n\n$ dpkg -l | grep\nrsh-server\n\nIf the rsh-server package is installed, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to disable non-essential capabilities by removing\nthe rsh-server package from the system with the following command:\n\n$ sudo apt-get remove\nrsh-server"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000095-GPOS-00049 ","gid":"V-238327 ","rid":"SV-238327r654156_rule ","stig_id":"UBTU-20-010406 ","fix_id":"F-41496r654155_fix ","cci":["CCI-000381"],"nist":["CM-7 a"]},"code":"control 'SV-238327' do\n title 'The Ubuntu operating system must not have the rsh-server package installed. '\n desc \"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled. \"\n desc 'check', \"Verify the rsh-server package is installed with the following command:\n\n$ dpkg -l | grep\nrsh-server\n\nIf the rsh-server package is installed, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable non-essential capabilities by removing\nthe rsh-server package from the system with the following command:\n\n$ sudo apt-get remove\nrsh-server \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000095-GPOS-00049 '\n tag gid: 'V-238327 '\n tag rid: 'SV-238327r654156_rule '\n tag stig_id: 'UBTU-20-010406 '\n tag fix_id: 'F-41496r654155_fix '\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n\n describe package('rsh-server') do\n it { should_not be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238327.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"System Package rsh-server is expected not to be installed","run_time":0.041351,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"package","resource_params":"[\"rsh-server\"]","resource_id":"rsh-server"}]},{"id":"SV-238328","title":"The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. ","desc":"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues.","descriptions":[{"label":"default","data":"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues."},{"label":"check","data":"Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding."},{"label":"fix","data":"Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \"in\" or \"out\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service>"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000096-GPOS-00050 ","gid":"V-238328 ","rid":"SV-238328r654159_rule ","stig_id":"UBTU-20-010407 ","fix_id":"F-41497r654158_fix ","cci":["CCI-000382"],"nist":["CM-7 b"]},"code":"control 'SV-238328' do\n title \"The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. \"\n desc \"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding. \"\n desc 'fix', \"Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \\\"in\\\" or \\\"out\\\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000096-GPOS-00050 '\n tag gid: 'V-238328 '\n tag rid: 'SV-238328r654159_rule '\n tag stig_id: 'UBTU-20-010407 '\n tag fix_id: 'F-41497r654158_fix '\n tag cci: ['CCI-000382']\n tag nist: ['CM-7 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n ufw_status = command('ufw status').stdout.strip.lines.first\n value = ufw_status.split(':')[1].strip\n\n describe 'UFW status' do\n subject { value }\n it { should cmp 'active' }\n end\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238328.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.1e-05,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238329","title":"The Ubuntu operating system must prevent direct login into the root account. ","desc":"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge.","descriptions":[{"label":"default","data":"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge."},{"label":"check","data":"Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \"L\" in the second field to indicate the account is locked, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000109-GPOS-00056 ","gid":"V-238329 ","rid":"SV-238329r654162_rule ","stig_id":"UBTU-20-010408 ","fix_id":"F-41498r654161_fix ","cci":["CCI-000770"],"nist":["IA-2 (5)"]},"code":"control 'SV-238329' do\n title 'The Ubuntu operating system must prevent direct login into the root account. '\n desc \"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\\\"root\\\" user account, the Windows \\\"Administrator\\\" account, the \\\"sa\\\" account, or a \\\"helpdesk\\\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge. \"\n desc 'check', \"Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \\\"L\\\" in the second field to indicate the account is locked, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000109-GPOS-00056 '\n tag gid: 'V-238329 '\n tag rid: 'SV-238329r654162_rule '\n tag stig_id: 'UBTU-20-010408 '\n tag fix_id: 'F-41498r654161_fix '\n tag cci: ['CCI-000770']\n tag nist: ['IA-2 (5)']\n\n describe.one do\n describe shadow.where(user: 'root') do\n its('passwords.uniq.first') { should eq '!*' }\n end\n end\n describe command('passwd -S root').stdout.strip do\n it { should match(/^root\\s+L\\s+.*$/) }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238329.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/shadow with user == \"root\" passwords.uniq.first is expected to eq \"!*\"","run_time":0.000429,"start_time":"2022-12-08T20:52:32-05:00","message":"\nexpected: \"!*\"\n got: \"*\"\n\n(compared using ==)\n","exception":"RSpec::Core::MultipleExceptionError","resource_class":"FilterTable::Table","resource_params":"[]","resource_id":""},{"status":"passed","code_desc":"root L 10/18/2022 0 99999 7 -1 is expected to match /^root\\s+L\\s+.*$/","run_time":0.000214,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"root L 10/18/2022 0 99999 7 -1"}]},{"id":"SV-238330","title":"The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. ","desc":"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity.","descriptions":[{"label":"default","data":"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity."},{"label":"check","data":"Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \"INACTIVE\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \"0\" will disable the account immediately after the\npassword expires."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000118-GPOS-00060 ","gid":"V-238330 ","rid":"SV-238330r654165_rule ","stig_id":"UBTU-20-010409 ","fix_id":"F-41499r654164_fix ","cci":["CCI-000795"],"nist":["IA-4 e"]},"code":"control 'SV-238330' do\n title \"The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. \"\n desc \"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity. \"\n desc 'check', \"Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \\\"INACTIVE\\\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \\\"0\\\" will disable the account immediately after the\npassword expires. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000118-GPOS-00060 '\n tag gid: 'V-238330 '\n tag rid: 'SV-238330r654165_rule '\n tag stig_id: 'UBTU-20-010409 '\n tag fix_id: 'F-41499r654164_fix '\n tag cci: ['CCI-000795']\n tag nist: ['IA-4 e']\n\n config_file = input('useradd_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('INACTIVE') { should cmp > '0' }\n its('INACTIVE') { should cmp <= 35 }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238330.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/default/useradd INACTIVE is expected to cmp > \"0\"","run_time":0.000294,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/default/useradd\"]","resource_id":"/etc/default/useradd"},{"status":"passed","code_desc":"Parse Config File /etc/default/useradd INACTIVE is expected to cmp <= 35","run_time":0.000202,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/default/useradd\"]","resource_id":"/etc/default/useradd"}]},{"id":"SV-238331","title":"The Ubuntu operating system must automatically remove or disable emergency accounts after\n72 hours. ","desc":"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts.","descriptions":[{"label":"default","data":"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts."},{"label":"check","data":"Verify the Ubuntu operating system expires emergency accounts within 72 hours or less.\n\nFor\nevery emergency account, run the following command to obtain its account expiration\ninformation:\n\n$ sudo chage -l account_name | grep expires\n\nPassword expires : Aug 07, 2019\n\nAccount expires : Aug 07, 2019\n\nVerify each of these accounts has an expiration date set\nwithin 72 hours of account creation.\n\nIf any of these accounts do not expire within 72 hours of\nthat account's creation, this is a finding."},{"label":"fix","data":"If an emergency account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it. Substitute\n\"account_name\" with the account to be created.\n\n$ sudo chage -E $(date -d \"+3 days\" +%F)\naccount_name"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000123-GPOS-00064 ","gid":"V-238331 ","rid":"SV-238331r654168_rule ","stig_id":"UBTU-20-010410 ","fix_id":"F-41500r654167_fix ","cci":["CCI-001682"],"nist":["AC-2 (2)"]},"code":"control 'SV-238331' do\n title \"The Ubuntu operating system must automatically remove or disable emergency accounts after\n72 hours. \"\n desc \"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts. \"\n desc 'check', \"Verify the Ubuntu operating system expires emergency accounts within 72 hours or less.\n\nFor\nevery emergency account, run the following command to obtain its account expiration\ninformation:\n\n$ sudo chage -l account_name | grep expires\n\nPassword expires : Aug 07, 2019\n\nAccount expires : Aug 07, 2019\n\nVerify each of these accounts has an expiration date set\nwithin 72 hours of account creation.\n\nIf any of these accounts do not expire within 72 hours of\nthat account's creation, this is a finding. \"\n desc 'fix', \"If an emergency account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it. Substitute\n\\\"account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\" +%F)\naccount_name \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000123-GPOS-00064 '\n tag gid: 'V-238331 '\n tag rid: 'SV-238331r654168_rule '\n tag stig_id: 'UBTU-20-010410 '\n tag fix_id: 'F-41500r654167_fix '\n tag cci: ['CCI-001682']\n tag nist: ['AC-2 (2)']\n\n describe 'Manual verification required' do\n skip 'Manually verify if emergency account must be created\n the system must terminate the account after a 72 hour time period.'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238331.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Manual verification required","run_time":5.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Manually verify if emergency account must be created\n the system must terminate the account after a 72 hour time period.","resource_class":"Object","resource_params":"[]","resource_id":"Manual verification required"}]},{"id":"SV-238332","title":"The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. ","desc":"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components.","descriptions":[{"label":"default","data":"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components."},{"label":"check","data":"Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding."},{"label":"fix","data":"Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \"[Public Directory]\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000138-GPOS-00069 ","gid":"V-238332 ","rid":"SV-238332r654171_rule ","stig_id":"UBTU-20-010411 ","fix_id":"F-41501r654170_fix ","cci":["CCI-001090"],"nist":["SC-4"]},"code":"control 'SV-238332' do\n title \"The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. \"\n desc \"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components. \"\n desc 'check', \"Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding. \"\n desc 'fix', \"Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \\\"[Public Directory]\\\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000138-GPOS-00069 '\n tag gid: 'V-238332 '\n tag rid: 'SV-238332r654171_rule '\n tag stig_id: 'UBTU-20-010411 '\n tag fix_id: 'F-41501r654170_fix '\n tag cci: ['CCI-001090']\n tag nist: ['SC-4']\n\n lines = command('find / -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null').stdout.strip.split(\"\\n\").entries\n if lines.count > 0\n lines.each do |line|\n dir = line.strip\n describe directory(dir) do\n it { should be_sticky }\n end\n end\n else\n describe 'Sticky bit has been set on all world writable directories' do\n subject { lines }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238332.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Sticky bit has been set on all world writable directories count is expected to eq 0","run_time":0.000126,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238333","title":"The Ubuntu operating system must be configured to use TCP syncookies. ","desc":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning.","descriptions":[{"label":"default","data":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning."},{"label":"check","data":"Verify the Ubuntu operating system is configured to use TCP syncookies.\n\nCheck the value of\nTCP syncookies with the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \"1\", this is a finding.\n\nCheck the saved\nvalue of TCP syncookies with the following command:\n\n$ sudo grep -i\nnet.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#'\n\nIf no output is\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to use TCP syncookies by running the following\ncommand:\n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \"1\" is not the system's default\nvalue, add or update the following line in \"/etc/sysctl.conf\":\n\nnet.ipv4.tcp_syncookies\n= 1"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000142-GPOS-00071 ","gid":"V-238333 ","rid":"SV-238333r654174_rule ","stig_id":"UBTU-20-010412 ","fix_id":"F-41502r654173_fix ","cci":["CCI-001095"],"nist":["SC-5 (2)"]},"code":"control 'SV-238333' do\n title 'The Ubuntu operating system must be configured to use TCP syncookies. '\n desc \"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use TCP syncookies.\n\nCheck the value of\nTCP syncookies with the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \\\"1\\\", this is a finding.\n\nCheck the saved\nvalue of TCP syncookies with the following command:\n\n$ sudo grep -i\nnet.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#'\n\nIf no output is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use TCP syncookies by running the following\ncommand:\n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \\\"1\\\" is not the system's default\nvalue, add or update the following line in \\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.tcp_syncookies\n= 1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000142-GPOS-00071 '\n tag gid: 'V-238333 '\n tag rid: 'SV-238333r654174_rule '\n tag stig_id: 'UBTU-20-010412 '\n tag fix_id: 'F-41502r654173_fix '\n tag cci: ['CCI-001095']\n tag nist: ['SC-5 (2)']\n\n describe kernel_parameter('net.ipv4.tcp_syncookies') do\n its('value') { should cmp 1 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238333.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Kernel Parameter net.ipv4.tcp_syncookies value is expected to cmp == 1","run_time":0.044519,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"kernel_parameter","resource_params":"[\"net.ipv4.tcp_syncookies\"]","resource_id":"net.ipv4.tcp_syncookies"}]},{"id":"SV-238334","title":"The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state\nif system initialization fails, shutdown fails or aborts fail. ","desc":"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition.","descriptions":[{"label":"default","data":"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition."},{"label":"check","data":"Verify that kernel core dumps are disabled unless needed.\n\nCheck if \"kdump\" service is\nactive with the following command:\n\n$ systemctl is-active kdump.service\ninactive\n\nIf\nthe \"kdump\" service is active, ask the SA if the use of the service is required and documented\nwith the ISSO.\n\nIf the service is active and is not documented, this is a finding."},{"label":"fix","data":"If kernel core dumps are not required, disable the \"kdump\" service with the following\ncommand:\n\n$ sudo systemctl disable kdump.service\n\nIf kernel core dumps are required,\ndocument the need with the ISSO."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000184-GPOS-00078 ","gid":"V-238334 ","rid":"SV-238334r654177_rule ","stig_id":"UBTU-20-010413 ","fix_id":"F-41503r654176_fix ","cci":["CCI-001190"],"nist":["SC-24"]},"code":"control 'SV-238334' do\n title \"The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state\nif system initialization fails, shutdown fails or aborts fail. \"\n desc \"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition. \"\n desc 'check', \"Verify that kernel core dumps are disabled unless needed.\n\nCheck if \\\"kdump\\\" service is\nactive with the following command:\n\n$ systemctl is-active kdump.service\ninactive\n\nIf\nthe \\\"kdump\\\" service is active, ask the SA if the use of the service is required and documented\nwith the ISSO.\n\nIf the service is active and is not documented, this is a finding. \"\n desc 'fix', \"If kernel core dumps are not required, disable the \\\"kdump\\\" service with the following\ncommand:\n\n$ sudo systemctl disable kdump.service\n\nIf kernel core dumps are required,\ndocument the need with the ISSO. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000184-GPOS-00078 '\n tag gid: 'V-238334 '\n tag rid: 'SV-238334r654177_rule '\n tag stig_id: 'UBTU-20-010413 '\n tag fix_id: 'F-41503r654176_fix '\n tag cci: ['CCI-001190']\n tag nist: ['SC-24']\n\n is_kdump_required = input('is_kdump_required')\n if is_kdump_required\n describe service('kdump') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\n else\n describe service('kdump') do\n it { should_not be_enabled }\n it { should_not be_installed }\n it { should_not be_running }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238334.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Service kdump is expected not to be enabled","run_time":0.042515,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"service","resource_params":"[\"kdump\"]","resource_id":"kdump"},{"status":"passed","code_desc":"Service kdump is expected not to be installed","run_time":0.000163,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"service","resource_params":"[\"kdump\"]","resource_id":"kdump"},{"status":"passed","code_desc":"Service kdump is expected not to be running","run_time":6.2e-05,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"service","resource_params":"[\"kdump\"]","resource_id":"kdump"}]},{"id":"SV-238335","title":"Ubuntu operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. ","desc":"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation.","descriptions":[{"label":"default","data":"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation."},{"label":"check","data":"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding."},{"label":"fix","data":"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000185-GPOS-00079 ","gid":"V-238335 ","rid":"SV-238335r654180_rule ","stig_id":"UBTU-20-010414 ","fix_id":"F-41504r654179_fix ","cci":["CCI-001199"],"nist":["SC-28"]},"code":"control 'SV-238335' do\n title \"Ubuntu operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. \"\n desc \"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation. \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000185-GPOS-00079 '\n tag gid: 'V-238335 '\n tag rid: 'SV-238335r654180_rule '\n tag stig_id: 'UBTU-20-010414 '\n tag fix_id: 'F-41504r654179_fix '\n tag cci: ['CCI-001199']\n tag nist: ['SC-28']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238335.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Not Applicable","run_time":5.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Encryption of data at rest is handled by the IaaS","resource_class":"Object","resource_params":"[]","resource_id":"Not Applicable"}]},{"id":"SV-238336","title":"The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention\n(ENSLTP). ","desc":"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement.","descriptions":[{"label":"default","data":"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement."},{"label":"check","data":"The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.\nHowever, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and\nrunning.\n\nCheck that the \"mcafeetp\" package has been installed:\n\n# dpkg -l | grep mcafeetp\n\n\nIf the \"mcafeetp\" package is not installed, this finding will remain as a CAT II.\n\nCheck that\nthe daemon is running:\n\n# /opt/McAfee/ens/tp/init/mfetpd-control.sh status\n\nIf the\ndaemon is not running, this finding will remain as a CAT II."},{"label":"fix","data":"The Ubuntu operating system is not compliant with this requirement; however, the severity\nlevel can be mitigated to a CAT III if the ENSLTP module is installed and running.\n\nConfigure\nthe Ubuntu operating system to use ENSLTP.\n\nInstall the \"mcafeetp\" package via the ePO\nserver."}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000191-GPOS-00080 ","gid":"V-238336 ","rid":"SV-238336r858538_rule ","stig_id":"UBTU-20-010415 ","fix_id":"F-41505r858537_fix ","cci":["CCI-001233"],"nist":["SI-2 (2)"]},"code":"control 'SV-238336' do\n title \"The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention\n(ENSLTP). \"\n desc \"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement. \"\n desc 'check', \"The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.\nHowever, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and\nrunning.\n\nCheck that the \\\"mcafeetp\\\" package has been installed:\n\n# dpkg -l | grep mcafeetp\n\n\nIf the \\\"mcafeetp\\\" package is not installed, this finding will remain as a CAT II.\n\nCheck that\nthe daemon is running:\n\n# /opt/McAfee/ens/tp/init/mfetpd-control.sh status\n\nIf the\ndaemon is not running, this finding will remain as a CAT II. \"\n desc 'fix', \"The Ubuntu operating system is not compliant with this requirement; however, the severity\nlevel can be mitigated to a CAT III if the ENSLTP module is installed and running.\n\nConfigure\nthe Ubuntu operating system to use ENSLTP.\n\nInstall the \\\"mcafeetp\\\" package via the ePO\nserver. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000191-GPOS-00080 '\n tag gid: 'V-238336 '\n tag rid: 'SV-238336r858538_rule '\n tag stig_id: 'UBTU-20-010415 '\n tag fix_id: 'F-41505r858537_fix '\n tag cci: ['CCI-001233']\n tag nist: ['SI-2 (2)']\n\n describe package('mfetp') do\n it { should be_installed }\n end\n\n describe command('/opt/McAfee/ens/tp/init/mfetpd-control.sh status') do\n its('exit_status') { should cmp 0 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238336.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package mfetp is expected to be installed","run_time":0.039518,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `System Package mfetp` is installed","resource_class":"package","resource_params":"[\"mfetp\"]","resource_id":"mfetp"},{"status":"failed","code_desc":"Command: `/opt/McAfee/ens/tp/init/mfetpd-control.sh status` exit_status is expected to cmp == 0","run_time":0.040822,"start_time":"2022-12-08T20:52:32-05:00","message":"\nexpected: 0\n got: 127\n\n(compared using `cmp` matcher)\n","resource_class":"command","resource_params":"[\"/opt/McAfee/ens/tp/init/mfetpd-control.sh status\"]","resource_id":"Command: `/opt/McAfee/ens/tp/init/mfetpd-control.sh status`"}]},{"id":"SV-238337","title":"The Ubuntu operating system must generate error messages that provide information\nnecessary for corrective actions without revealing information that could be exploited by\nadversaries. ","desc":"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers.","descriptions":[{"label":"default","data":"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers."},{"label":"check","data":"Verify the Ubuntu operating system has all system log files under the \"/var/log\" directory\nwith a permission set to 640 or less permissive by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;\n\nIf the command displays any output,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to set permissions of all log files under the\n\"/var/log\" directory to 640 or more restricted by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec chmod 640 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000205-GPOS-00083 ","gid":"V-238337 ","rid":"SV-238337r654186_rule ","stig_id":"UBTU-20-010416 ","fix_id":"F-41506r654185_fix ","cci":["CCI-001312"],"nist":["SI-11 a"]},"code":"control 'SV-238337' do\n title \"The Ubuntu operating system must generate error messages that provide information\nnecessary for corrective actions without revealing information that could be exploited by\nadversaries. \"\n desc \"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers. \"\n desc 'check', \"Verify the Ubuntu operating system has all system log files under the \\\"/var/log\\\" directory\nwith a permission set to 640 or less permissive by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec stat -c \\\"%n %a\\\" {} \\\\;\n\nIf the command displays any output,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to set permissions of all log files under the\n\\\"/var/log\\\" directory to 640 or more restricted by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec chmod 640 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000205-GPOS-00083 '\n tag gid: 'V-238337 '\n tag rid: 'SV-238337r654186_rule '\n tag stig_id: 'UBTU-20-010416 '\n tag fix_id: 'F-41506r654185_fix '\n tag cci: ['CCI-001312']\n tag nist: ['SI-11 a']\n\n log_files = command('find /var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;').stdout.strip.split(\"\\n\").entries\n\n describe 'Number of log files found with a permission NOT set to 640' do\n subject { log_files }\n its('count') { should eq 0 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238337.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of log files found with a permission NOT set to 640 count is expected to eq 0","run_time":0.000491,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238338","title":"The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \"%n %G\" /var/log\n/var/log\nsyslog\n\nIf the \"/var/log\" directory is not group-owned by syslog, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have syslog group-own the \"/var/log\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238338 ","rid":"SV-238338r654189_rule ","stig_id":"UBTU-20-010417 ","fix_id":"F-41507r654188_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238338' do\n title \"The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log\n/var/log\nsyslog\n\nIf the \\\"/var/log\\\" directory is not group-owned by syslog, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog group-own the \\\"/var/log\\\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238338 '\n tag rid: 'SV-238338r654189_rule '\n tag stig_id: 'UBTU-20-010417 '\n tag fix_id: 'F-41507r654188_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n its('group') { should cmp 'syslog' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238338.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Directory /var/log group is expected to cmp == \"syslog\"","run_time":0.034972,"start_time":"2022-12-08T20:52:32-05:00","message":"\nexpected: syslog\n got: root\n\n(compared using `cmp` matcher)\n","resource_class":"directory","resource_params":"[\"/var/log\"]","resource_id":"/var/log"}]},{"id":"SV-238339","title":"The Ubuntu operating system must configure the /var/log directory to be owned by root. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify the Ubuntu operating system configures the \"/var/log\" directory to be owned by root\nwith the following command:\n\n$ sudo stat -c \"%n %U\" /var/log\n/var/log root\n\nIf the\n\"/var/log\" directory is not owned by root, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have root own the \"/var/log\" directory by running\nthe following command:\n\n$ sudo chown root /var/log"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238339 ","rid":"SV-238339r654192_rule ","stig_id":"UBTU-20-010418 ","fix_id":"F-41508r654191_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238339' do\n title 'The Ubuntu operating system must configure the /var/log directory to be owned by root. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify the Ubuntu operating system configures the \\\"/var/log\\\" directory to be owned by root\nwith the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log\n/var/log root\n\nIf the\n\\\"/var/log\\\" directory is not owned by root, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have root own the \\\"/var/log\\\" directory by running\nthe following command:\n\n$ sudo chown root /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238339 '\n tag rid: 'SV-238339r654192_rule '\n tag stig_id: 'UBTU-20-010418 '\n tag fix_id: 'F-41508r654191_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n its('owner') { should cmp 'root' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238339.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /var/log owner is expected to cmp == \"root\"","run_time":0.000229,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"directory","resource_params":"[\"/var/log\"]","resource_id":"/var/log"}]},{"id":"SV-238340","title":"The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less\npermissive. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log\" directory with a mode of\n750 or less permissive with the following command:\n\n$ stat -c \"%n %a\" /var/log\n\n/var/log 750\n\n\nIf a value of \"750\" or less permissive is not returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have permissions of 0750 for the \"/var/log\"\ndirectory by running the following command:\n\n$ sudo chmod 0750 /var/log"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238340 ","rid":"SV-238340r654195_rule ","stig_id":"UBTU-20-010419 ","fix_id":"F-41509r654194_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238340' do\n title \"The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory with a mode of\n750 or less permissive with the following command:\n\n$ stat -c \\\"%n %a\\\" /var/log\n\n/var/log 750\n\n\nIf a value of \\\"750\\\" or less permissive is not returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0750 for the \\\"/var/log\\\"\ndirectory by running the following command:\n\n$ sudo chmod 0750 /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238340 '\n tag rid: 'SV-238340r654195_rule '\n tag stig_id: 'UBTU-20-010419 '\n tag fix_id: 'F-41509r654194_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n it { should_not be_more_permissive_than('0750') }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238340.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /var/log is expected not to be more permissive than \"0750\"","run_time":0.039778,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"directory","resource_params":"[\"/var/log\"]","resource_id":"/var/log"}]},{"id":"SV-238341","title":"The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by\nadm. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be\ngroup-owned by adm with the following command:\n\n$ sudo stat -c \"%n %G\" /var/log/syslog\n\n/var/log/syslog adm\n\nIf the \"/var/log/syslog\" file is not group-owned by adm, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to have adm group-own the \"/var/log/syslog\" file by\nrunning the following command:\n\n$ sudo chgrp adm /var/log/syslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238341 ","rid":"SV-238341r654198_rule ","stig_id":"UBTU-20-010420 ","fix_id":"F-41510r654197_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238341' do\n title \"The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by\nadm. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be\ngroup-owned by adm with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log/syslog\n\n/var/log/syslog adm\n\nIf the \\\"/var/log/syslog\\\" file is not group-owned by adm, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have adm group-own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chgrp adm /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238341 '\n tag rid: 'SV-238341r654198_rule '\n tag stig_id: 'UBTU-20-010420 '\n tag fix_id: 'F-41510r654197_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n its('group') { should cmp 'adm' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238341.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /var/log/syslog group is expected to cmp == \"adm\"","run_time":0.044266,"start_time":"2022-12-08T20:52:32-05:00","message":"\nexpected: adm\n got: \n\n(compared using `cmp` matcher)\n","resource_class":"file","resource_params":"[\"/var/log/syslog\"]","resource_id":"/var/log/syslog"}]},{"id":"SV-238342","title":"The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \"%n %U\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \"/var/log/syslog\" file is not owned by syslog, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to have syslog own the \"/var/log/syslog\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238342 ","rid":"SV-238342r654201_rule ","stig_id":"UBTU-20-010421 ","fix_id":"F-41511r654200_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238342' do\n title 'The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \\\"/var/log/syslog\\\" file is not owned by syslog, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238342 '\n tag rid: 'SV-238342r654201_rule '\n tag stig_id: 'UBTU-20-010421 '\n tag fix_id: 'F-41511r654200_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n its('owner') { should cmp 'syslog' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238342.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /var/log/syslog owner is expected to cmp == \"syslog\"","run_time":0.00028,"start_time":"2022-12-08T20:52:32-05:00","message":"\nexpected: syslog\n got: \n\n(compared using `cmp` matcher)\n","resource_class":"file","resource_params":"[\"/var/log/syslog\"]","resource_id":"/var/log/syslog"}]},{"id":"SV-238343","title":"The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less\npermissive. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file with mode\n0640 or less permissive by running the following command:\n\n$ sudo stat -c \"%n %a\"\n/var/log/syslog\n\n/var/log/syslog 640\n\nIf a value of \"640\" or less permissive is not\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have permissions of 0640 for the \"/var/log/syslog\"\nfile by running the following command:\n\n$ sudo chmod 0640 /var/log/syslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238343 ","rid":"SV-238343r654204_rule ","stig_id":"UBTU-20-010422 ","fix_id":"F-41512r654203_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238343' do\n title \"The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file with mode\n0640 or less permissive by running the following command:\n\n$ sudo stat -c \\\"%n %a\\\"\n/var/log/syslog\n\n/var/log/syslog 640\n\nIf a value of \\\"640\\\" or less permissive is not\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0640 for the \\\"/var/log/syslog\\\"\nfile by running the following command:\n\n$ sudo chmod 0640 /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238343 '\n tag rid: 'SV-238343r654204_rule '\n tag stig_id: 'UBTU-20-010422 '\n tag fix_id: 'F-41512r654203_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n it { should_not be_more_permissive_than('0640') }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238343.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"File /var/log/syslog is expected not to be more permissive than \"0640\"","run_time":0.042812,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"file","resource_params":"[\"/var/log/syslog\"]","resource_id":"/var/log/syslog"}]},{"id":"SV-238344","title":"The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \"%n %a\"\n'{}' \\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding."},{"label":"fix","data":"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000258-GPOS-00099 ","gid":"V-238344 ","rid":"SV-238344r654207_rule ","stig_id":"UBTU-20-010423 ","fix_id":"F-41513r654206_fix ","cci":["CCI-001495"],"nist":["AU-9"]},"code":"control 'SV-238344' do\n title \"The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \\\"%n %a\\\"\n'{}' \\\\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238344 '\n tag rid: 'SV-238344r654207_rule '\n tag stig_id: 'UBTU-20-010423 '\n tag fix_id: 'F-41513r654206_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or\n /usr/local/sbin, that are less permissive than 0755\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238344.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or\n /usr/local/sbin, that are less permissive than 0755 count is expected to eq 0","run_time":0.00016,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238345","title":"The Ubuntu operating system must have directories that contain system commands owned by\nroot. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system commands directories are returned, this is\na finding."},{"label":"fix","data":"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -user root -type d -exec chown root '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000258-GPOS-00099 ","gid":"V-238345 ","rid":"SV-238345r654210_rule ","stig_id":"UBTU-20-010424 ","fix_id":"F-41514r654209_fix ","cci":["CCI-001495"],"nist":["AU-9"]},"code":"control 'SV-238345' do\n title \"The Ubuntu operating system must have directories that contain system commands owned by\nroot. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system commands directories are returned, this is\na finding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -user root -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238345 '\n tag rid: 'SV-238345r654210_rule '\n tag stig_id: 'UBTU-20-010424 '\n tag fix_id: 'F-41514r654209_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238345.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT owned by root count is expected to eq 0","run_time":0.000106,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238346","title":"The Ubuntu operating system must have directories that contain system commands group-owned\nby root. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \"%n %G\" '{}' \\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding."},{"label":"fix","data":"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000258-GPOS-00099 ","gid":"V-238346 ","rid":"SV-238346r654213_rule ","stig_id":"UBTU-20-010425 ","fix_id":"F-41515r654212_fix ","cci":["CCI-001495"],"nist":["AU-9"]},"code":"control 'SV-238346' do\n title \"The Ubuntu operating system must have directories that contain system commands group-owned\nby root. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238346 '\n tag rid: 'SV-238346r654213_rule '\n tag stig_id: 'UBTU-20-010425 '\n tag fix_id: 'F-41515r654212_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n # CHECK\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238346.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root count is expected to eq 0","run_time":0.000234,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238347","title":"The Ubuntu operating system library files must have mode 0755 or less permissive. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\",\nand \"/usr/lib\" have mode 0755 or less permissive with the following command:\n\n$ sudo find\n/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \"%n %a\" '{}' \\;\n\n/usr/lib64/pkcs11-spy.so\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding."},{"label":"fix","data":"Configure the library files to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238347 ","rid":"SV-238347r654216_rule ","stig_id":"UBTU-20-010426 ","fix_id":"F-41516r654215_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238347' do\n title 'The Ubuntu operating system library files must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" have mode 0755 or less permissive with the following command:\n\n$ sudo find\n/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\n/usr/lib64/pkcs11-spy.so\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. \"\n desc 'fix', \"Configure the library files to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238347 '\n tag rid: 'SV-238347r654216_rule '\n tag stig_id: 'UBTU-20-010426 '\n tag fix_id: 'F-41516r654215_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are less permissive than 0755' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238347.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library files found that are less permissive than 0755 count is expected to eq 0","run_time":0.0001,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238348","title":"The Ubuntu operating system library directories must have mode 0755 or less permissive. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib have\nmode 0755 or less permissive with the following command:\n\n$ sudo find /lib /lib64 /usr/lib\n-perm /022 -type d -exec stat -c \"%n %a\" '{}' \\;\n\nIf any of the aforementioned directories are\nfound to be group-writable or world-writable, this is a finding."},{"label":"fix","data":"Configure the shared library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}'\n\\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238348 ","rid":"SV-238348r654219_rule ","stig_id":"UBTU-20-010427 ","fix_id":"F-41517r654218_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238348' do\n title 'The Ubuntu operating system library directories must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib have\nmode 0755 or less permissive with the following command:\n\n$ sudo find /lib /lib64 /usr/lib\n-perm /022 -type d -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any of the aforementioned directories are\nfound to be group-writable or world-writable, this is a finding. \"\n desc 'fix', \"Configure the shared library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}'\n\\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238348 '\n tag rid: 'SV-238348r654219_rule '\n tag stig_id: 'UBTU-20-010427 '\n tag fix_id: 'F-41517r654218_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are less permissive than 0755' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238348.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library directories found that are less permissive than 0755 count is expected to eq 0","run_time":0.0001,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238349","title":"The Ubuntu operating system library files must be owned by root. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\",\nand \"/usr/lib\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! -user root -type f -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide library file is\nreturned, this is a finding."},{"label":"fix","data":"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238349 ","rid":"SV-238349r654222_rule ","stig_id":"UBTU-20-010428 ","fix_id":"F-41518r654221_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238349' do\n title 'The Ubuntu operating system library files must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! -user root -type f -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library file is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238349 '\n tag rid: 'SV-238349r654222_rule '\n tag stig_id: 'UBTU-20-010428 '\n tag fix_id: 'F-41518r654221_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238349.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library files found that are NOT owned by root count is expected to eq 0","run_time":0.0001,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238350","title":"The Ubuntu operating system library directories must be owned by root. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide library directory is returned, this is a\nfinding."},{"label":"fix","data":"Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238350 ","rid":"SV-238350r654225_rule ","stig_id":"UBTU-20-010429 ","fix_id":"F-41519r654224_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238350' do\n title 'The Ubuntu operating system library directories must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library directory is returned, this is a\nfinding. \"\n desc 'fix', \"Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238350 '\n tag rid: 'SV-238350r654225_rule '\n tag stig_id: 'UBTU-20-010429 '\n tag fix_id: 'F-41519r654224_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT owned by root' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238350.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library directories found that are NOT owned by root count is expected to eq 0","run_time":0.000101,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238351","title":"The Ubuntu operating system library files must be group-owned by root or a system account. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide library files contained in the directories \"/lib\", \"/lib64\", and\n\"/usr/lib\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \"%n %G\" '{}' \\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding."},{"label":"fix","data":"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command, replacing \"[FILE]\" with any system command file not group-owned by\n\"root\" or a required system account:\n\n$ sudo chgrp root [FILE]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238351 ","rid":"SV-238351r832962_rule ","stig_id":"UBTU-20-010430 ","fix_id":"F-41520r832961_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238351' do\n title 'The Ubuntu operating system library files must be group-owned by root or a system account. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\", and\n\\\"/usr/lib\\\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command, replacing \\\"[FILE]\\\" with any system command file not group-owned by\n\\\"root\\\" or a required system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238351 '\n tag rid: 'SV-238351r832962_rule '\n tag stig_id: 'UBTU-20-010430 '\n tag fix_id: 'F-41520r832961_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT group-owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238351.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library files found that are NOT group-owned by root count is expected to eq 0","run_time":0.000204,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238352","title":"The Ubuntu operating system library directories must be group-owned by root. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are\ngroup-owned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group\nroot -type d -exec stat -c \"%n %G\" '{}' \\;\n\nIf any system-wide shared library directory is\nreturned, this is a finding."},{"label":"fix","data":"Configure the system library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root\n'{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238352 ","rid":"SV-238352r654231_rule ","stig_id":"UBTU-20-010431 ","fix_id":"F-41521r654230_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238352' do\n title 'The Ubuntu operating system library directories must be group-owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\ngroup-owned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group\nroot -type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system-wide shared library directory is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238352 '\n tag rid: 'SV-238352r654231_rule '\n tag stig_id: 'UBTU-20-010431 '\n tag fix_id: 'F-41521r654230_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_directories = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_directories.count > 0\n library_directories.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT group-owned by root' do\n subject { library_directories }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238352.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library directories found that are NOT group-owned by root count is expected to eq 0","run_time":0.000197,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238353","title":"The Ubuntu operating system must be configured to preserve log records from failure events. ","desc":"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes.","descriptions":[{"label":"default","data":"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes."},{"label":"check","data":"Verify the log service is configured to collect system failure events.\n\nCheck that the log\nservice is installed properly with the following command:\n\n$ dpkg -l | grep rsyslog\n\nii\nrsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon\n\nIf the \"rsyslog\"\npackage is not installed, this is a finding.\n\nCheck that the log service is enabled with the\nfollowing command:\n\n$ systemctl is-enabled rsyslog\n\nenabled\n\nIf the command above\nreturns \"disabled\", this is a finding.\n\nCheck that the log service is properly running and\nactive on the system with the following command:\n\n$ systemctl is-active rsyslog\n\nactive\n\n\nIf the command above returns \"inactive\", this is a finding."},{"label":"fix","data":"Configure the log service to collect failure events.\n\nInstall the log service (if the log\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nrsyslog\n\nEnable the log service with the following command:\n\n$ sudo systemctl enable --now\nrsyslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000269-GPOS-00103 ","gid":"V-238353 ","rid":"SV-238353r654234_rule ","stig_id":"UBTU-20-010432 ","fix_id":"F-41522r654233_fix ","cci":["CCI-001665"],"nist":["SC-24"]},"code":"control 'SV-238353' do\n title 'The Ubuntu operating system must be configured to preserve log records from failure events. '\n desc \"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes. \"\n desc 'check', \"Verify the log service is configured to collect system failure events.\n\nCheck that the log\nservice is installed properly with the following command:\n\n$ dpkg -l | grep rsyslog\n\nii\nrsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon\n\nIf the \\\"rsyslog\\\"\npackage is not installed, this is a finding.\n\nCheck that the log service is enabled with the\nfollowing command:\n\n$ systemctl is-enabled rsyslog\n\nenabled\n\nIf the command above\nreturns \\\"disabled\\\", this is a finding.\n\nCheck that the log service is properly running and\nactive on the system with the following command:\n\n$ systemctl is-active rsyslog\n\nactive\n\n\nIf the command above returns \\\"inactive\\\", this is a finding. \"\n desc 'fix', \"Configure the log service to collect failure events.\n\nInstall the log service (if the log\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nrsyslog\n\nEnable the log service with the following command:\n\n$ sudo systemctl enable --now\nrsyslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000269-GPOS-00103 '\n tag gid: 'V-238353 '\n tag rid: 'SV-238353r654234_rule '\n tag stig_id: 'UBTU-20-010432 '\n tag fix_id: 'F-41522r654233_fix '\n tag cci: ['CCI-001665']\n tag nist: ['SC-24']\n\n describe service('rsyslog') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238353.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service rsyslog is expected to be installed","run_time":0.040318,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `Service rsyslog` is installed","resource_class":"service","resource_params":"[\"rsyslog\"]","resource_id":"rsyslog"},{"status":"failed","code_desc":"Service rsyslog is expected to be enabled","run_time":0.00026,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `Service rsyslog` is enabled","resource_class":"service","resource_params":"[\"rsyslog\"]","resource_id":"rsyslog"},{"status":"failed","code_desc":"Service rsyslog is expected to be running","run_time":0.000184,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `Service rsyslog` is running","resource_class":"service","resource_params":"[\"rsyslog\"]","resource_id":"rsyslog"}]},{"id":"SV-238354","title":"The Ubuntu operating system must have an application firewall installed in order to control\nremote access methods. ","desc":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).","descriptions":[{"label":"default","data":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets)."},{"label":"check","data":"Verify that the Uncomplicated Firewall is installed with the following command:\n\n$ dpkg -l |\ngrep ufw\n\nii ufw 0.36-6\n\nIf the \"ufw\" package is not installed, ask the System Administrator\nif another application firewall is installed.\n\nIf no application firewall is installed,\nthis is a finding."},{"label":"fix","data":"Install the Uncomplicated Firewall by using the following command:\n\n$ sudo apt-get install\nufw"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000297-GPOS-00115 ","gid":"V-238354 ","rid":"SV-238354r853429_rule ","stig_id":"UBTU-20-010433 ","fix_id":"F-41523r654236_fix ","cci":["CCI-002314"],"nist":["AC-17 (1)"]},"code":"control 'SV-238354' do\n title \"The Ubuntu operating system must have an application firewall installed in order to control\nremote access methods. \"\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify that the Uncomplicated Firewall is installed with the following command:\n\n$ dpkg -l |\ngrep ufw\n\nii ufw 0.36-6\n\nIf the \\\"ufw\\\" package is not installed, ask the System Administrator\nif another application firewall is installed.\n\nIf no application firewall is installed,\nthis is a finding. \"\n desc 'fix', \"Install the Uncomplicated Firewall by using the following command:\n\n$ sudo apt-get install\nufw \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238354 '\n tag rid: 'SV-238354r853429_rule '\n tag stig_id: 'UBTU-20-010433 '\n tag fix_id: 'F-41523r654236_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n\n describe package('ufw') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238354.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package ufw is expected to be installed","run_time":0.037928,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `System Package ufw` is installed","resource_class":"package","resource_params":"[\"ufw\"]","resource_id":"ufw"}]},{"id":"SV-238355","title":"The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). ","desc":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).","descriptions":[{"label":"default","data":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets)."},{"label":"check","data":"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl is-enabled ufw\n\nIf the above command returns the status as \"disabled\", this is\na finding.\n\nVerify the Uncomplicated Firewall is active on the system by running the\nfollowing command:\n\n$ systemctl is-active ufw\n\nIf the above command returns \"inactive\" or\nany kind of error, this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the\nSystem Administrator if another application firewall is installed.\n\nIf no application\nfirewall is installed, this is a finding."},{"label":"fix","data":"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\n--now ufw.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000297-GPOS-00115 ","gid":"V-238355 ","rid":"SV-238355r853430_rule ","stig_id":"UBTU-20-010434 ","fix_id":"F-41524r654239_fix ","cci":["CCI-002314"],"nist":["AC-17 (1)"]},"code":"control 'SV-238355' do\n title 'The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). '\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl is-enabled ufw\n\nIf the above command returns the status as \\\"disabled\\\", this is\na finding.\n\nVerify the Uncomplicated Firewall is active on the system by running the\nfollowing command:\n\n$ systemctl is-active ufw\n\nIf the above command returns \\\"inactive\\\" or\nany kind of error, this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the\nSystem Administrator if another application firewall is installed.\n\nIf no application\nfirewall is installed, this is a finding. \"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\n--now ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238355 '\n tag rid: 'SV-238355r853430_rule '\n tag stig_id: 'UBTU-20-010434 '\n tag fix_id: 'F-41524r654239_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238355.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service ufw is expected to be installed","run_time":0.03937,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `Service ufw` is installed","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be enabled","run_time":0.000262,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `Service ufw` is enabled","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be running","run_time":0.000173,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `Service ufw` is running","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"}]},{"id":"SV-238356","title":"The Ubuntu operating system must, for networked systems, compare internal information\nsystem clocks at least every 24 hours with a server which is synchronized to one of the\nredundant United States Naval Observatory (USNO) time servers, or a time server designated\nfor the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System\n(GPS). ","desc":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints).","descriptions":[{"label":"default","data":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints)."},{"label":"check","data":"If the system is not networked, this requirement is Not Applicable.\n\nThe system clock must be\nconfigured to compare the system clock at least every 24 hours to the authoritative time\nsource.\n\nCheck the value of \"maxpoll\" in the \"/etc/chrony/chrony.conf\" file with the\nfollowing command:\n\n$ sudo grep maxpoll /etc/chrony/chrony.conf\nserver\ntick.usno.navy.mil iburst maxpoll 16\n\nIf the \"maxpoll\" option is set to a number greater\nthan 16 or the line is commented out, this is a finding.\n\nVerify that the \"chrony.conf\" file is\nconfigured to an authoritative DoD time source by running the following command:\n\n$ grep -i\nserver /etc/chrony/chrony.conf\nserver tick.usno.navy.mil iburst maxpoll 16\nserver\ntock.usno.navy.mil iburst maxpoll 16\nserver ntp2.usno.navy.mil iburst maxpoll 16\n\nIf\nthe parameter \"server\" is not set, is not set to an authoritative DoD time source, or is\ncommented out, this is a finding."},{"label":"fix","data":"If the system is not networked, this requirement is Not Applicable.\n\nTo configure the system\nclock to compare the system clock at least every 24 hours to the authoritative time source,\nedit the \"/etc/chrony/chrony.conf\" file. Add or correct the following lines, by replacing\n\"[source]\" in the following line with an authoritative DoD time source:\n\nserver [source]\niburst maxpoll = 16\n\nIf the \"chrony\" service was running and the value of \"maxpoll\" or\n\"server\" was updated, the service must be restarted using the following command:\n\n$ sudo\nsystemctl restart chrony.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000355-GPOS-00143 ","gid":"V-238356 ","rid":"SV-238356r853431_rule ","stig_id":"UBTU-20-010435 ","fix_id":"F-41525r808491_fix ","cci":["CCI-001891"],"nist":["AU-8 (1) (a)"]},"code":"control 'SV-238356' do\n title \"The Ubuntu operating system must, for networked systems, compare internal information\nsystem clocks at least every 24 hours with a server which is synchronized to one of the\nredundant United States Naval Observatory (USNO) time servers, or a time server designated\nfor the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System\n(GPS). \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints). \"\n desc 'check', \"If the system is not networked, this requirement is Not Applicable.\n\nThe system clock must be\nconfigured to compare the system clock at least every 24 hours to the authoritative time\nsource.\n\nCheck the value of \\\"maxpoll\\\" in the \\\"/etc/chrony/chrony.conf\\\" file with the\nfollowing command:\n\n$ sudo grep maxpoll /etc/chrony/chrony.conf\nserver\ntick.usno.navy.mil iburst maxpoll 16\n\nIf the \\\"maxpoll\\\" option is set to a number greater\nthan 16 or the line is commented out, this is a finding.\n\nVerify that the \\\"chrony.conf\\\" file is\nconfigured to an authoritative DoD time source by running the following command:\n\n$ grep -i\nserver /etc/chrony/chrony.conf\nserver tick.usno.navy.mil iburst maxpoll 16\nserver\ntock.usno.navy.mil iburst maxpoll 16\nserver ntp2.usno.navy.mil iburst maxpoll 16\n\nIf\nthe parameter \\\"server\\\" is not set, is not set to an authoritative DoD time source, or is\ncommented out, this is a finding. \"\n desc 'fix', \"If the system is not networked, this requirement is Not Applicable.\n\nTo configure the system\nclock to compare the system clock at least every 24 hours to the authoritative time source,\nedit the \\\"/etc/chrony/chrony.conf\\\" file. Add or correct the following lines, by replacing\n\\\"[source]\\\" in the following line with an authoritative DoD time source:\n\nserver [source]\niburst maxpoll = 16\n\nIf the \\\"chrony\\\" service was running and the value of \\\"maxpoll\\\" or\n\\\"server\\\" was updated, the service must be restarted using the following command:\n\n$ sudo\nsystemctl restart chrony.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000355-GPOS-00143 '\n tag gid: 'V-238356 '\n tag rid: 'SV-238356r853431_rule '\n tag stig_id: 'UBTU-20-010435 '\n tag fix_id: 'F-41525r808491_fix '\n tag cci: ['CCI-001891']\n tag nist: ['AU-8 (1) (a)']\n\n is_system_networked = input('is_system_networked')\n\n if is_system_networked\n\n chrony_conf = input('chrony_config_file')\n chrony_conf_exists = file(chrony_conf).exist?\n\n if chrony_conf_exists\n describe 'time sources' do\n server_entries = command('grep \"^server\" /etc/chrony/chrony.conf').stdout.strip.split(\"\\n\").entries\n\n server_entries.each do |entry|\n describe entry do\n it { should match \"^server\\s+.*\\s+iburst\\s+maxpoll\\s+=\\s+17$\" }\n end\n end\n end\n else\n describe chrony_conf + ' exists' do\n subject { chrony_conf_exists }\n it { should be true }\n end\n end\n else\n describe 'System is not networked' do\n skip 'This control is Not Applicable as the system is not networked'\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238356.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/chrony/chrony.conf exists is expected to equal true","run_time":0.000183,"start_time":"2022-12-08T20:52:32-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/chrony/chrony.conf exists"}]},{"id":"SV-238357","title":"The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. ","desc":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference.","descriptions":[{"label":"default","data":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference."},{"label":"check","data":"Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \"makestep\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \"1 -1\", this is a finding."},{"label":"fix","data":"Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\"/etc/chrony/chrony.conf\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000356-GPOS-00144 ","gid":"V-238357 ","rid":"SV-238357r853432_rule ","stig_id":"UBTU-20-010436 ","fix_id":"F-41526r654245_fix ","cci":["CCI-002046"],"nist":["AU-8 (1) (b)"]},"code":"control 'SV-238357' do\n title \"The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference. \"\n desc 'check', \"Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \\\"makestep\\\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \\\"1 -1\\\", this is a finding. \"\n desc 'fix', \"Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\\\"/etc/chrony/chrony.conf\\\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000356-GPOS-00144 '\n tag gid: 'V-238357 '\n tag rid: 'SV-238357r853432_rule '\n tag stig_id: 'UBTU-20-010436 '\n tag fix_id: 'F-41526r654245_fix '\n tag cci: ['CCI-002046']\n tag nist: ['AU-8 (1) (b)']\n\n chrony_file_path = input('chrony_config_file')\n chrony_file = file(chrony_file_path)\n\n if chrony_file.exist?\n describe chrony_file do\n subject { chrony_file }\n its('content') { should match(/^makestep 1 -1/) }\n end\n else\n describe(chrony_file_path + ' exists') do\n subject { chrony_file.exist? }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238357.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/chrony/chrony.conf exists is expected to equal true","run_time":0.000134,"start_time":"2022-12-08T20:52:32-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/chrony/chrony.conf exists"}]},{"id":"SV-238358","title":"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the oper ","desc":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item.","descriptions":[{"label":"default","data":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ grep SILENTREPORTS /etc/default/aide\n\nSILENTREPORTS=no\n\n\nIf SILENTREPORTS is commented out, this is a finding.\n\nIf SILENTREPORTS is set to \"yes\",\nthis is a finding.\n\nIf SILENTREPORTS is not set to \"no\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \"SILENTREPORTS\"\nparameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000363-GPOS-00150 ","gid":"V-238358 ","rid":"SV-238358r853433_rule ","stig_id":"UBTU-20-010437 ","fix_id":"F-41527r654248_fix ","cci":["CCI-001744"],"nist":["CM-3 (5)"]},"code":"control 'SV-238358' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the oper \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ grep SILENTREPORTS /etc/default/aide\n\nSILENTREPORTS=no\n\n\nIf SILENTREPORTS is commented out, this is a finding.\n\nIf SILENTREPORTS is set to \\\"yes\\\",\nthis is a finding.\n\nIf SILENTREPORTS is not set to \\\"no\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000363-GPOS-00150 '\n tag gid: 'V-238358 '\n tag rid: 'SV-238358r853433_rule '\n tag stig_id: 'UBTU-20-010437 '\n tag fix_id: 'F-41527r654248_fix '\n tag cci: ['CCI-001744']\n tag nist: ['CM-3 (5)']\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238358.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /etc/default/aide is expected to exist","run_time":0.039625,"start_time":"2022-12-08T20:52:32-05:00","message":"expected File /etc/default/aide to exist","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"},{"status":"failed","code_desc":"File /etc/default/aide content is expected to match \"^SILENTREPORTS=no$\"","run_time":0.07531,"start_time":"2022-12-08T20:52:32-05:00","message":"expected nil to match \"^SILENTREPORTS=no$\"","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"}]},{"id":"SV-238359","title":"The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a certificate that is\nrecognized and approved by the organization. ","desc":"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA.","descriptions":[{"label":"default","data":"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA."},{"label":"check","data":"Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \"AllowUnauthenticated\" variable is not set at all or is set to \"false\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \"false\";\n\n\nIf any of the files returned from the command with \"AllowUnauthenticated\" are set to \"true\",\nthis is a finding."},{"label":"fix","data":"Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \"AllowUnauthenticated\" to \"false\",\nor remove \"AllowUnauthenticated\" entirely from each file. Below is an example of setting the\n\"AllowUnauthenticated\" variable to \"false\":\n\nAPT::Get::AllowUnauthenticated\n\"false\";"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000366-GPOS-00153 ","gid":"V-238359 ","rid":"SV-238359r853434_rule ","stig_id":"UBTU-20-010438 ","fix_id":"F-41528r654251_fix ","cci":["CCI-001749"],"nist":["CM-5 (3)"]},"code":"control 'SV-238359' do\n title \"The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a certificate that is\nrecognized and approved by the organization. \"\n desc \"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA. \"\n desc 'check', \"Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \\\"AllowUnauthenticated\\\" variable is not set at all or is set to \\\"false\\\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \\\"false\\\";\n\n\nIf any of the files returned from the command with \\\"AllowUnauthenticated\\\" are set to \\\"true\\\",\nthis is a finding. \"\n desc 'fix', \"Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \\\"AllowUnauthenticated\\\" to \\\"false\\\",\nor remove \\\"AllowUnauthenticated\\\" entirely from each file. Below is an example of setting the\n\\\"AllowUnauthenticated\\\" variable to \\\"false\\\":\n\nAPT::Get::AllowUnauthenticated\n\\\"false\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000366-GPOS-00153 '\n tag gid: 'V-238359 '\n tag rid: 'SV-238359r853434_rule '\n tag stig_id: 'UBTU-20-010438 '\n tag fix_id: 'F-41528r654251_fix '\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n apt_allowunauth = command('grep -i allowunauth /etc/apt/apt.conf.d/*').stdout.strip.split(\"\\n\")\n if apt_allowunauth.empty?\n describe 'apt conf files do not contain AllowUnauthenticated' do\n subject { apt_allowunauth.empty? }\n it { should be true }\n end\n else\n apt_allowunauth.each do |line|\n describe \"#{line} contains AllowUnauthenctication\" do\n subject { line }\n it { should_not match(/.*false.*/) }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238359.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /etc/apt/apt.conf.d is expected to exist","run_time":0.082001,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"directory","resource_params":"[\"/etc/apt/apt.conf.d\"]","resource_id":"/etc/apt/apt.conf.d"},{"status":"passed","code_desc":"apt conf files do not contain AllowUnauthenticated is expected to equal true","run_time":0.000189,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"apt conf files do not contain AllowUnauthenticated"}]},{"id":"SV-238360","title":"The Ubuntu operating system must be configured to use AppArmor. ","desc":"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).","descriptions":[{"label":"default","data":"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles)."},{"label":"check","data":"Verify the operating system prevents program execution in accordance with local policies.\n\n\nCheck that AppArmor is installed and active by running the following command,\n\n$ dpkg -l |\ngrep apparmor\n\nIf the \"apparmor\" package is not installed, this is a finding.\n\n$ systemctl\nis-active apparmor.service\n\nactive\n\nIf \"active\" is not returned, this is a finding.\n\n$\nsystemctl is-enabled apparmor.service\n\nenabled\n\nIf \"enabled\" is not returned, this is a\nfinding."},{"label":"fix","data":"Install \"AppArmor\" (if it is not installed) with the following command:\n\n$ sudo apt-get\ninstall apparmor\n\n$ sudo systemctl enable apparmor.service\n\nStart \"apparmor\" with the\nfollowing command:\n\n$ sudo systemctl start apparmor.service\n\nNote: AppArmor must have\nproperly configured profiles for applications and home directories. All configurations\nwill be based on the actual system setup and organization and normally are on a per role basis.\nSee the AppArmor documentation for more information on configuring profiles."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000368-GPOS-00154 ","satisfies":["SRG-OS-000368-GPOS-00154","SRG-OS-000312-GPOS-00122","SRG-OS-000312-GPOS-00123","SRG-OS-000312-GPOS-00124","SRG-OS-000324-GPOS-00125","SRG-OS-000370-GPOS-00155"],"gid":"V-238360 ","rid":"SV-238360r853435_rule ","stig_id":"UBTU-20-010439 ","fix_id":"F-41529r654254_fix ","cci":["CCI-001764","CCI-001774","CCI-002165","CCI-002235"],"nist":["CM-7 (2)","CM-7 (5) (b)","AC-3 (4)","AC-6 (10)"]},"code":"control 'SV-238360' do\n title 'The Ubuntu operating system must be configured to use AppArmor. '\n desc \"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).\n\n \"\n desc 'check', \"Verify the operating system prevents program execution in accordance with local policies.\n\n\nCheck that AppArmor is installed and active by running the following command,\n\n$ dpkg -l |\ngrep apparmor\n\nIf the \\\"apparmor\\\" package is not installed, this is a finding.\n\n$ systemctl\nis-active apparmor.service\n\nactive\n\nIf \\\"active\\\" is not returned, this is a finding.\n\n$\nsystemctl is-enabled apparmor.service\n\nenabled\n\nIf \\\"enabled\\\" is not returned, this is a\nfinding. \"\n desc 'fix', \"Install \\\"AppArmor\\\" (if it is not installed) with the following command:\n\n$ sudo apt-get\ninstall apparmor\n\n$ sudo systemctl enable apparmor.service\n\nStart \\\"apparmor\\\" with the\nfollowing command:\n\n$ sudo systemctl start apparmor.service\n\nNote: AppArmor must have\nproperly configured profiles for applications and home directories. All configurations\nwill be based on the actual system setup and organization and normally are on a per role basis.\nSee the AppArmor documentation for more information on configuring profiles. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000368-GPOS-00154 '\n tag satisfies: %w(SRG-OS-000368-GPOS-00154 SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123 SRG-OS-000312-GPOS-00124 SRG-OS-000324-GPOS-00125 SRG-OS-000370-GPOS-00155)\n tag gid: 'V-238360 '\n tag rid: 'SV-238360r853435_rule '\n tag stig_id: 'UBTU-20-010439 '\n tag fix_id: 'F-41529r654254_fix '\n tag cci: %w(CCI-001764 CCI-001774 CCI-002165 CCI-002235)\n tag nist: ['CM-7 (2)', 'CM-7 (5) (b)', 'AC-3 (4)', 'AC-6 (10)']\n\n describe service('apparmor') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238360.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service apparmor is expected to be installed","run_time":0.046222,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `Service apparmor` is installed","resource_class":"service","resource_params":"[\"apparmor\"]","resource_id":"apparmor"},{"status":"failed","code_desc":"Service apparmor is expected to be enabled","run_time":0.000299,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `Service apparmor` is enabled","resource_class":"service","resource_params":"[\"apparmor\"]","resource_id":"apparmor"},{"status":"failed","code_desc":"Service apparmor is expected to be running","run_time":0.000272,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `Service apparmor` is running","resource_class":"service","resource_params":"[\"apparmor\"]","resource_id":"apparmor"}]},{"id":"SV-238361","title":"The Ubuntu operating system must allow the use of a temporary password for system logons with\nan immediate change to a permanent password. ","desc":"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated.","descriptions":[{"label":"default","data":"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated."},{"label":"check","data":"Verify a policy exists that ensures when a user account is created, it is created using a method\nthat forces a user to change their password upon their next login.\n\nIf a policy does not exist,\nthis is a finding."},{"label":"fix","data":"Create a policy that ensures when a user is created, it is created using a method that forces a\nuser to change their password upon their next login.\n\nBelow are two examples of how to create a\nuser account that requires the user to change their password upon their next login.\n\n$ sudo\nchage -d 0 [UserName]\n\nor\n\n$ sudo passwd -e [UserName]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000380-GPOS-00165 ","gid":"V-238361 ","rid":"SV-238361r853436_rule ","stig_id":"UBTU-20-010440 ","fix_id":"F-41530r654257_fix ","cci":["CCI-002041"],"nist":["IA-5 (1) (f)"]},"code":"control 'SV-238361' do\n title \"The Ubuntu operating system must allow the use of a temporary password for system logons with\nan immediate change to a permanent password. \"\n desc \"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated. \"\n desc 'check', \"Verify a policy exists that ensures when a user account is created, it is created using a method\nthat forces a user to change their password upon their next login.\n\nIf a policy does not exist,\nthis is a finding. \"\n desc 'fix', \"Create a policy that ensures when a user is created, it is created using a method that forces a\nuser to change their password upon their next login.\n\nBelow are two examples of how to create a\nuser account that requires the user to change their password upon their next login.\n\n$ sudo\nchage -d 0 [UserName]\n\nor\n\n$ sudo passwd -e [UserName] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000380-GPOS-00165 '\n tag gid: 'V-238361 '\n tag rid: 'SV-238361r853436_rule '\n tag stig_id: 'UBTU-20-010440 '\n tag fix_id: 'F-41530r654257_fix '\n tag cci: ['CCI-002041']\n tag nist: ['IA-5 (1) (f)']\n\n describe 'Manual verification required' do\n skip 'Manually verify if a policy exists to ensure that a method exists to force temporary\n users to change their password upon next login'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238361.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Manual verification required","run_time":5.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Manually verify if a policy exists to ensure that a method exists to force temporary\n users to change their password upon next login","resource_class":"Object","resource_params":"[]","resource_id":"Manual verification required"}]},{"id":"SV-238362","title":"The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. ","desc":"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable.","descriptions":[{"label":"default","data":"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable."},{"label":"check","data":"If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\"offline_credentials_expiration\" is not set to a value of \"1\" in \"/etc/sssd/sssd.conf\" or\nin a file with a name ending in .conf in the \"/etc/sssd/conf.d/\" directory, this is a finding."},{"label":"fix","data":"Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \"/etc/sssd/sssd.conf\" just below the line \"[pam]\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \".conf\" and does not begin with a \".\" in the \"/etc/sssd/conf.d/\"\ndirectory instead of the \"/etc/sssd/sssd.conf\" file."}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000383-GPOS-00166 ","gid":"V-238362 ","rid":"SV-238362r853437_rule ","stig_id":"UBTU-20-010441 ","fix_id":"F-41531r654260_fix ","cci":["CCI-002007"],"nist":["IA-5 (13)"]},"code":"control 'SV-238362' do\n title \"The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. \"\n desc \"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable. \"\n desc 'check', \"If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\\\"offline_credentials_expiration\\\" is not set to a value of \\\"1\\\" in \\\"/etc/sssd/sssd.conf\\\" or\nin a file with a name ending in .conf in the \\\"/etc/sssd/conf.d/\\\" directory, this is a finding. \"\n desc 'fix', \"Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \\\"/etc/sssd/sssd.conf\\\" just below the line \\\"[pam]\\\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \\\".conf\\\" and does not begin with a \\\".\\\" in the \\\"/etc/sssd/conf.d/\\\"\ndirectory instead of the \\\"/etc/sssd/sssd.conf\\\" file. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000383-GPOS-00166 '\n tag gid: 'V-238362 '\n tag rid: 'SV-238362r853437_rule '\n tag stig_id: 'UBTU-20-010441 '\n tag fix_id: 'F-41531r654260_fix '\n tag cci: ['CCI-002007']\n tag nist: ['IA-5 (13)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = input('sssd_conf_path')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('offline_credentials_expiration') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238362.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238363","title":"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. ","desc":"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.","descriptions":[{"label":"default","data":"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated."},{"label":"check","data":"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \"1\" is not returned, this is a finding."},{"label":"fix","data":"Configure the system to run in FIPS mode. Add \"fips=1\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \"Ubuntu\nAdvantage\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS."}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000396-GPOS-00176 ","satisfies":["SRG-OS-000396-GPOS-00176","SRG-OS-000478-GPOS-00223"],"gid":"V-238363 ","rid":"SV-238363r853438_rule ","stig_id":"UBTU-20-010442 ","fix_id":"F-41532r654263_fix ","cci":["CCI-002450"],"nist":["SC-13 b"]},"code":"control 'SV-238363' do\n title \"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. \"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.\n\n \"\n desc 'check', \"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \\\"1\\\" is not returned, this is a finding. \"\n desc 'fix', \"Configure the system to run in FIPS mode. Add \\\"fips=1\\\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \\\"Ubuntu\nAdvantage\\\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000396-GPOS-00176 '\n tag satisfies: %w(SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223)\n tag gid: 'V-238363 '\n tag rid: 'SV-238363r853438_rule '\n tag stig_id: 'UBTU-20-010442 '\n tag fix_id: 'F-41532r654263_fix '\n tag cci: ['CCI-002450']\n tag nist: ['SC-13 b']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n config_file = input('fips_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe file(config_file) do\n its('content') { should match(/\\A1\\Z/) }\n end\n else\n describe('FIPS is enabled') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238363.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"FIPS validation in a container must be reviewed manually","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"FIPS validation in a container must be reviewed manually","resource_class":"Object","resource_params":"[]","resource_id":"FIPS validation in a container must be reviewed manually"}]},{"id":"SV-238364","title":"The Ubuntu operating system must only allow the use of DoD PKI-established certificate\nauthorities for verification of the establishment of protected sessions. ","desc":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates.","descriptions":[{"label":"default","data":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates."},{"label":"check","data":"Verify the directory containing the root certificates for the Ubuntu operating system\n(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate\nauthorities.\n\nDetermine if \"/etc/ssl/certs\" only contains certificate files whose\nsha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities\nwith the following command:\n\n$ for f in $(realpath /etc/ssl/certs/*); do openssl x509\n-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)';\ndone\n\nIf any entry is found, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to only allow the use of DoD PKI-established\ncertificate authorities for verification of the establishment of protected sessions.\n\n\nEdit the \"/etc/ca-certificates.conf\" file, adding the character \"!\" to the beginning of\nall uncommented lines that do not start with the \"!\" character with the following command:\n\n$\nsudo sed -i -E 's/^([^!#]+)/!\\1/' /etc/ca-certificates.conf\n\nAdd at least one DoD\ncertificate authority to the \"/usr/local/share/ca-certificates\" directory in the PEM\nformat.\n\nUpdate the \"/etc/ssl/certs\" directory with the following command:\n\n$ sudo\nupdate-ca-certificates"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000403-GPOS-00182 ","gid":"V-238364 ","rid":"SV-238364r860824_rule ","stig_id":"UBTU-20-010443 ","fix_id":"F-41533r860823_fix ","cci":["CCI-002470"],"nist":["SC-23 (5)"]},"code":"control 'SV-238364' do\n title \"The Ubuntu operating system must only allow the use of DoD PKI-established certificate\nauthorities for verification of the establishment of protected sessions. \"\n desc \"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates. \"\n desc 'check', \"Verify the directory containing the root certificates for the Ubuntu operating system\n(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate\nauthorities.\n\nDetermine if \\\"/etc/ssl/certs\\\" only contains certificate files whose\nsha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities\nwith the following command:\n\n$ for f in $(realpath /etc/ssl/certs/*); do openssl x509\n-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)';\ndone\n\nIf any entry is found, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to only allow the use of DoD PKI-established\ncertificate authorities for verification of the establishment of protected sessions.\n\n\nEdit the \\\"/etc/ca-certificates.conf\\\" file, adding the character \\\"!\\\" to the beginning of\nall uncommented lines that do not start with the \\\"!\\\" character with the following command:\n\n$\nsudo sed -i -E 's/^([^!#]+)/!\\\\1/' /etc/ca-certificates.conf\n\nAdd at least one DoD\ncertificate authority to the \\\"/usr/local/share/ca-certificates\\\" directory in the PEM\nformat.\n\nUpdate the \\\"/etc/ssl/certs\\\" directory with the following command:\n\n$ sudo\nupdate-ca-certificates \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000403-GPOS-00182 '\n tag gid: 'V-238364 '\n tag rid: 'SV-238364r860824_rule '\n tag stig_id: 'UBTU-20-010443 '\n tag fix_id: 'F-41533r860823_fix '\n tag cci: ['CCI-002470']\n tag nist: ['SC-23 (5)']\n\n allowed_ca_fingerprints_regex = input('allowed_ca_fingerprints_regex')\n find_command = ''\"\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '#{allowed_ca_fingerprints_regex}'\n done\n \"''\n describe command(find_command) do\n its('stdout') { should cmp '' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238364.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Command: `\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'\n done\n ` stdout is expected to cmp == \"\"","run_time":0.715866,"start_time":"2022-12-08T20:52:32-05:00","message":"\nexpected: \n got: E3B6A2DB2ED7CE48842F7AC53241C7B71D54144BFB40C11F3F1D0B42F5EEA12D\nBEB00B30839B9BC32C32E4447905950641F26421B15ED089198B518AE2EA1B99\n9A6EC012E1A7DA9DBE34194D478AD7C0DB1822FB071DF12981496ED104384113\n960ADF0063E96356750C2965DD0A0867DA0B9CBD6E77714AEAFB2349AB393DA3\n7E37CB8B4C47090CAB36551BA6F45DB840680FBA166A952DB100717F43053FC2\n4D2491414CFE956746EC4CEFA6CF6F72E28A1329432F9D8A907AC4CB5DADC15A\n16AF57A9F676B0AB126095AA5EBADEF22AB31119D644AC95CD4B93DBF3F26AEB\nBD71FDF6DA97E4CF62D1647ADD2581B07D79ADF8397EB4ECBA9C5E8488821423\n358DF39D764AF9E1B766E9C972DF352EE15CFAC227AF6AD1D70E8E4A6EDCBA02\nBD71FDF6DA97E4CF62D1647ADD2581B07D79ADF8397EB4ECBA9C5E8488821423\n3417BB06CC6007DA1B961C920B8AB4CE3FAD820E4AA30B9ACBC4A74EBDCEBC65\n04048028BF1F2864D48F9AD4D83294366A828856553F3B14303F90147F5D40EF\n88EF81DE202EB018452E43F864725CEA5FBD1FC2D9D205730709C5D8B8690F46\nFD73DAD31C644FF1B43BEF0CCDDA96710B9CD9875ECA7E31707AF3E96D522BBD\nC45D7BB08E6D67E62E4235110B564E5F78FD92EF058C840AEA4E6455D7585C60\n657CFE2FA73FAA38462571F332A2363A46FCE7020951710702CDFBB6EEDA3305\nE3B6A2DB2ED7CE48842F7AC53241C7B71D54144BFB40C11F3F1D0B42F5EEA12D\nF9E67D336C51002AC054C632022D66DDA2E7E3FFF10AD061ED31D8BBB410CFB2\nF356BEA244B7A91EB35D53CA9AD7864ACE018E2D35D5F8F96DDF68A6F41AA474\n554153B13D2CF9DDB753BFBE1A4E0AE08D0AA4187058FE60A2B862B2E4B87BCB\n358DF39D764AF9E1B766E9C972DF352EE15CFAC227AF6AD1D70E8E4A6EDCBA02\nDD6936FE21F8F077C123A1A521C12224F72255B73E03A7260693E8A24B0FA389\n30D0895A9A448A262091635522D1F52010B5867ACAE12C78EF958FD4F4389F2F\nF1C1B50AE5A20DD8030EC9F6BC24823DD367B5255759B4E71B61FCE9F7375D73\nFD73DAD31C644FF1B43BEF0CCDDA96710B9CD9875ECA7E31707AF3E96D522BBD\n18F1FC7F205DF8ADDDEB7FE007DD57E3AF375A9C4D8D73546BF4F1FED1E18D35\nC741F70F4B2A8D88BF2E71C14122EF53EF10EBA0CFA5E64CFA20F418853073E0\n9A6EC012E1A7DA9DBE34194D478AD7C0DB1822FB071DF12981496ED104384113\n8560F91C3624DABA9570B5FEA0DBE36FF11A8323BE9486854FB3F34A5571198D\nE75E72ED9F560EEC6EB4800073A43FC3AD19195A392282017895974A99026B6C\nBC104F15A48BE709DCA542A7E1D4B9DF6F054527E802EAA92D595444258AFE71\n1793927A0614549789ADCE2F8F34F7F0B66D0F3AE3A3B84D21EC15DBBA4FADC7\nA7BAA0D13C6E82C40DFC83ADE20BB6FEE275F106CBBE3868DAD81C4E6025B2AC\n9A296A5182D1D451A2E37F439B74DAAFA267523329F90F9A0D2007C334E23C9A\nA1339D33281A0B56E557D3D32B1CE7F9367EB094BD5FA72A7E5004C8DED7CAFE\nC45D7BB08E6D67E62E4235110B564E5F78FD92EF058C840AEA4E6455D7585C60\nBEB00B30839B9BC32C32E4447905950641F26421B15ED089198B518AE2EA1B99\n5A2FC03F0C83B090BBFA40604B0988446C7636183DF9846E17101A447FB8EFD6\n125609AA301DA0A249B97A8239CB6A34216F44DCAC9F3954B14292F2E8C8608F\n71CCA5391F9E794B04802530B363E121DA8A3043BB26662FEA4DCA7FC951A4BD\nF356BEA244B7A91EB35D53CA9AD7864ACE018E2D35D5F8F96DDF68A6F41AA474\nC0A6F4DC63A24BFDCF54EF2A6A082A0A72DE35803E2FF5FF527AE5D87206DFD5\nBEC94911C2955676DB6C0A550986D76E3BA005667C442C9762B4FBB773DE228C\nBFD88FE1101C41AE3E801BF8BE56350EE9BAD1A6B9BD515EDC5C6D5B8711AC44\nEBD41040E4BB3EC742C9E381D31EF2A41A48B6685C96E7CEF3C1DF6CD4331C99\n4200F5043AC8590EBB527D209ED1503029FBCBD41CA1B506EC27F15ADE7DAC69\n4348A0E9444C78CB265E058D5E8944B4D84F9662BD26DB257F8934A443C70161\n513B2CECB810D4CDE5DD85391ADFC6C2DD60D87BB736D2B521484AA47A0EBEF6\nEEC5496B988CE98625B934092EEC2908BED0B0F316C2D4730C84EAF1F3D34881\n22A2C1F7BDED704CC1E701B5F408C310880FE956B5DE2A4A44F99C873A25A7C8\n97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8\n6B9C08E86EB0F767CFAD65CD98B62149E5494A67F5845E7BD1ED019F27B86BD6\nDB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88\n15F0BA00A3AC7AF3AC884C072B1011A077BD77C097F40164B2F8598ABD83860C\n1465FA205397B876FAA6F0A9958E5590E40FCC7FAA4FB7C2C8677521FB5FB658\n15F0BA00A3AC7AF3AC884C072B1011A077BD77C097F40164B2F8598ABD83860C\nBEC94911C2955676DB6C0A550986D76E3BA005667C442C9762B4FBB773DE228C\n62DD0BE9B9F50A163EA0F8E75C053B1ECA57EA55C8688F647C6881F2C8357B95\nBE6C4DA2BBB9BA59B6F3939768374246C3C005993FA98F020D1DEDBED48A81D5\n7431E5F4C3C1CE4690774F0B61E05440883BA9A01ED00BA6ABD7806ED3B118CF\n5C58468D55F58E497E743982D2B50010B6D165374ACF83A7D4A32DB768C4408E\n6DC47172E01CBCB0BF62580D895FE2B8AC9AD4F873801E0C10B9C837D21EB177\n86A1ECBA089C4A8D3BBE2734C612BA341D813E043CF9E8A862CD5C57A36BBE6B\n3C5F81FEA5FAB82C64BFA2EAECAFCDE8E077FC8620A7CAE537163DF36EDBF378\n02ED0EB28C14DA45165C566791700D6451D7FB56F0B2AB1D3B8EB070E56EDFF5\n0376AB1D54C5F9803CE4B2E201A0EE7EEF7B57B636E8A93C9B8D4860C96F5FA7\n1BA5B2AA8C65401A82960118F80BEC4F62304D83CEC4713A19C39C011EA46DB4\nD48D3D23EEDB50A459E55197601C27774B9D7B18C94D5A059511A10250B93168\n2530CC8E98321502BAD96F9B1FBA1B099E2D299E0F4548BB914F363BC0D4531F\nFE7696573855773E37A95E7AD4D9CC96C30157C15D31765BA9B15704E1AE78FD\n31AD6648F8104138C738F39EA4320133393E3A18CC02296EF97C2AC9EF6731D0\n43DF5774B03E7FEF5FE40D931A7BEDF1BB2E6B42738C4E6D3841103D3AA7F339\nD43AF9B35473755C9684FC06D7D8CB70EE5C28E773FB294EB41EE71722924D24\nA040929A02CE53B4ACF4F2FFC6981CE4496F755E6D45FE0B2A692BCD52523F36\n59769007F7685D0FCD50872F9F95D5755A5B2B457D81F3692B610A98672F0E1B\n8560F91C3624DABA9570B5FEA0DBE36FF11A8323BE9486854FB3F34A5571198D\n568D6905A2C88708A4B3025190EDCFEDB1974A606A13C6E5290FCB2AE63EDAB5\n2CABEAFE37D06CA22ABA7391C0033D25982952C453647349763A3AB5AD6CCF69\n4FF460D54B9C86DABFBCFC5712E0400D2BED3FBC4D4FBDAA86E06ADCD2A9AD7A\n97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8\nBC4D809B15189D78DB3E1D8CF4F9726A795DA1643CA5F1358E1DDB0EDC0D7EB3\nEDF7EBBCA27A2A384D387B7D4010C666E2EDB4843E4C29B4AE1D5B9332E6B24D\n2CE1CB0BF9D2F9E102993FBE215152C3B2DD0CABDE1C68E5319B839154DBB7F5\n0A81EC5A929777F145904AF38D5D509F66B5E2C58FCDB531058B0E17F3F0B41B\nFB8FEC759169B9106B1E511644C618C51304373F6C0643088D8BEFFD1B997599\nBFFF8FD04433487D6A8AA60C1A29767A9FC2BBB05E420F713A13B992891D3893\n8A866FD1B276B57E578E921C65828A2BED58E9F2F288054134B7F1F4BFC9CC74\n52F0E1C4E58EC629291B60317F074671B85D7EA80D5B07273463534B32B40234\nFB8FEC759169B9106B1E511644C618C51304373F6C0643088D8BEFFD1B997599\n91E2F5788D5810EBA7BA58737DE1548A8ECACD014598BC0B143E041B17052552\n2A575471E31340BC21581CBD2CF13E158463203ECE94BCF9D3CC196BF09A5472\nD7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4\nC3846BF24B9E93CA64274C0EC67C1ECC5E024FFCACD2D74019350E81FE546AE4\n9BEA11C976FE014764C1BE56A6F914B5A560317ABD9988393382E5161AA0493C\n4FA3126D8D3A11D1C4855A4F807CBAD6CF919D3A5A88B03BEA2C6372D93C40C9\n49E7A442ACF0EA6287050054B52564B650E4F49E42E348D6AA38E039E957B1C1\n85A0DD7DD720ADB7FF05F83D542B209DC7FF4528F7D677B18389FEA5E5C49E86\n85666A562EE0BE5CE925C1D8890A6F76A87EC16D4D7D5F29EA7419CF20123B69\n6B9C08E86EB0F767CFAD65CD98B62149E5494A67F5845E7BD1ED019F27B86BD6\n2E7BF16CC22485A7BBE2AA8696750761B0AE39BE3B2FE9D0CC6D4EF73491425C\n71CCA5391F9E794B04802530B363E121DA8A3043BB26662FEA4DCA7FC951A4BD\nB0BFD52BB0D7D9BD92BF5D4DC13DA255C02C542F378365EA893911F55E55F23C\n125609AA301DA0A249B97A8239CB6A34216F44DCAC9F3954B14292F2E8C8608F\n6B328085625318AA50D173C98D8BDA09D57E27413D114CF787A0F5D06C030CF6\n88F438DCF8FFD1FA8F429115FFE5F82AE1E06E0C70C375FAAD717B34A49E7265\n513B2CECB810D4CDE5DD85391ADFC6C2DD60D87BB736D2B521484AA47A0EBEF6\n9A6EC012E1A7DA9DBE34194D478AD7C0DB1822FB071DF12981496ED104384113\n5D56499BE4D2E08BCFCAD08A3E38723D50503BDE706948E42F55603019E528AE\nE23D4A036D7B70E9F595B1422079D2B91EDFBB1FB651A0633EAA8A9DC5F80703\nBF0FEEFB9E3A581AD5F9E9DB7589985743D261085C4D314F6F5D7259AA421612\nB0BFD52BB0D7D9BD92BF5D4DC13DA255C02C542F378365EA893911F55E55F23C\nE793C9B02FD8AA13E21C31228ACCB08119643B749C898964B1746D46C3D4CBD2\nB676F2EDDAE8775CD36CB0F63CD1D4603961F49E6265BA013A2F0307B6D0B804\n88EF81DE202EB018452E43F864725CEA5FBD1FC2D9D205730709C5D8B8690F46\nBE6C4DA2BBB9BA59B6F3939768374246C3C005993FA98F020D1DEDBED48A81D5\n657CFE2FA73FAA38462571F332A2363A46FCE7020951710702CDFBB6EEDA3305\n70A73F7F376B60074248904534B11482D5BF0E698ECC498DF52577EBF2E93B9A\nE35D28419ED02025CFA69038CD623962458DA5C695FBDEA3C22B0BFB25897092\nCB3CCBB76031E5E0138F8DD39A23F9DE47FFC35E43C1144CEA27D46A5AB1CB5F\n88497F01602F3154246AE28C4D5AEF10F1D87EBB76626F4AE0B7F95BA7968799\n9B5212D92D073B1D5E8D672E94D1FB472F46D15AEA2EE4D131E5C6436B74B86E\nEEC5496B988CE98625B934092EEC2908BED0B0F316C2D4730C84EAF1F3D34881\n15D5B8774619EA7D54CE1CA6D0B0C403E037A917F131E8A04E1E6B7A71BABCE5\n8FE4FB0AF93A4D0D67DB0BEBB23E37C71BF325DCBCDD240EA04DAF58B47E1840\nBFFF8FD04433487D6A8AA60C1A29767A9FC2BBB05E420F713A13B992891D3893\nCBB9C44D84B8043E1050EA31A69F514955D7BFD2E2C6B49301019AD61D9F5058\n2530CC8E98321502BAD96F9B1FBA1B099E2D299E0F4548BB914F363BC0D4531F\n5D56499BE4D2E08BCFCAD08A3E38723D50503BDE706948E42F55603019E528AE\n9BEA11C976FE014764C1BE56A6F914B5A560317ABD9988393382E5161AA0493C\n179FBC148A3DD00FD24EA13458CC43BFA7F59C8182D783A513F6EBEC100C8924\n43DF5774B03E7FEF5FE40D931A7BEDF1BB2E6B42738C4E6D3841103D3AA7F339\n46EDC3689046D53A453FB3104AB80DCAEC658B2660EA1629DD7E867990648716\nEAA962C4FA4A6BAFEBE415196D351CCD888D4F53F3FA8AE6D7C466A94E6042BB\nCB3CCBB76031E5E0138F8DD39A23F9DE47FFC35E43C1144CEA27D46A5AB1CB5F\n9A114025197C5BB95D94E63D55CD43790847B646B23CDF11ADA4A00EFF15FB48\n18F1FC7F205DF8ADDDEB7FE007DD57E3AF375A9C4D8D73546BF4F1FED1E18D35\n15D5B8774619EA7D54CE1CA6D0B0C403E037A917F131E8A04E1E6B7A71BABCE5\n5CC3D78E4E1D5E45547A04E6873E64F90CF9536D1CCC2EF800F355C4C5FD70FD\n6DC47172E01CBCB0BF62580D895FE2B8AC9AD4F873801E0C10B9C837D21EB177\n70A73F7F376B60074248904534B11482D5BF0E698ECC498DF52577EBF2E93B9A\n73C176434F1BC6D5ADF45B0E76E727287C8DE57616C1E6E6141A2B2CBC7D8E4C\n49E7A442ACF0EA6287050054B52564B650E4F49E42E348D6AA38E039E957B1C1\n85666A562EE0BE5CE925C1D8890A6F76A87EC16D4D7D5F29EA7419CF20123B69\n2A575471E31340BC21581CBD2CF13E158463203ECE94BCF9D3CC196BF09A5472\nCECDDC905099D8DADFC5B1D209B737CBE2C18CFB2C10C0FF0BCF0D3286FC1AA2\nBC104F15A48BE709DCA542A7E1D4B9DF6F054527E802EAA92D595444258AFE71\nEBD41040E4BB3EC742C9E381D31EF2A41A48B6685C96E7CEF3C1DF6CD4331C99\n40F6AF0346A99AA1CD1D555A4E9CCE62C7F9634603EE406615833DC8C8D00367\nBC4D809B15189D78DB3E1D8CF4F9726A795DA1643CA5F1358E1DDB0EDC0D7EB3\nCBB522D7B7F127AD6A0113865BDF1CD4102E7D0759AF635A7CF4720DC963C53B\n5A2FC03F0C83B090BBFA40604B0988446C7636183DF9846E17101A447FB8EFD6\nCA42DD41745FD0B81EB902362CF9D8BF719DA1BD1B1EFC946F5B4C99F42C1B9E\nC0A6F4DC63A24BFDCF54EF2A6A082A0A72DE35803E2FF5FF527AE5D87206DFD5\nBFD88FE1101C41AE3E801BF8BE56350EE9BAD1A6B9BD515EDC5C6D5B8711AC44\n55926084EC963A64B96E2ABE01CE0BA86A64FBFEBCC7AAB5AFC155B37FD76066\nA040929A02CE53B4ACF4F2FFC6981CE4496F755E6D45FE0B2A692BCD52523F36\n4200F5043AC8590EBB527D209ED1503029FBCBD41CA1B506EC27F15ADE7DAC69\nF1C1B50AE5A20DD8030EC9F6BC24823DD367B5255759B4E71B61FCE9F7375D73\n88497F01602F3154246AE28C4D5AEF10F1D87EBB76626F4AE0B7F95BA7968799\n7431E5F4C3C1CE4690774F0B61E05440883BA9A01ED00BA6ABD7806ED3B118CF\nE793C9B02FD8AA13E21C31228ACCB08119643B749C898964B1746D46C3D4CBD2\nFE7696573855773E37A95E7AD4D9CC96C30157C15D31765BA9B15704E1AE78FD\n9A296A5182D1D451A2E37F439B74DAAFA267523329F90F9A0D2007C334E23C9A\n45140B3247EB9CC8C5B4F0D7B53091F73292089E6E5A63E2749DD3ACA9198EDA\n2CE1CB0BF9D2F9E102993FBE215152C3B2DD0CABDE1C68E5319B839154DBB7F5\nE75E72ED9F560EEC6EB4800073A43FC3AD19195A392282017895974A99026B6C\n3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C\n2E7BF16CC22485A7BBE2AA8696750761B0AE39BE3B2FE9D0CC6D4EF73491425C\n85A0DD7DD720ADB7FF05F83D542B209DC7FF4528F7D677B18389FEA5E5C49E86\n16AF57A9F676B0AB126095AA5EBADEF22AB31119D644AC95CD4B93DBF3F26AEB\n0A81EC5A929777F145904AF38D5D509F66B5E2C58FCDB531058B0E17F3F0B41B\n18CE6CFE7BF14E60B2E347B8DFE868CB31D02EBB3ADA271569F50343B46DB3A4\nEDF7EBBCA27A2A384D387B7D4010C666E2EDB4843E4C29B4AE1D5B9332E6B24D\nEBC5570C29018C4D67B1AA127BAF12F703B4611EBC17B7DAB5573894179B93FA\nB676F2EDDAE8775CD36CB0F63CD1D4603961F49E6265BA013A2F0307B6D0B804\n8FE4FB0AF93A4D0D67DB0BEBB23E37C71BF325DCBCDD240EA04DAF58B47E1840\n46EDC3689046D53A453FB3104AB80DCAEC658B2660EA1629DD7E867990648716\n52F0E1C4E58EC629291B60317F074671B85D7EA80D5B07273463534B32B40234\nDD6936FE21F8F077C123A1A521C12224F72255B73E03A7260693E8A24B0FA389\n8ECDE6884F3D87B1125BA31AC3FCB13D7016DE7F57CC904FE1CB97C6AE98196E\nCECDDC905099D8DADFC5B1D209B737CBE2C18CFB2C10C0FF0BCF0D3286FC1AA2\n55926084EC963A64B96E2ABE01CE0BA86A64FBFEBCC7AAB5AFC155B37FD76066\nD7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4\n945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4\n45140B3247EB9CC8C5B4F0D7B53091F73292089E6E5A63E2749DD3ACA9198EDA\n88F438DCF8FFD1FA8F429115FFE5F82AE1E06E0C70C375FAAD717B34A49E7265\nEAA962C4FA4A6BAFEBE415196D351CCD888D4F53F3FA8AE6D7C466A94E6042BB\n4FF460D54B9C86DABFBCFC5712E0400D2BED3FBC4D4FBDAA86E06ADCD2A9AD7A\n30D0895A9A448A262091635522D1F52010B5867ACAE12C78EF958FD4F4389F2F\n04048028BF1F2864D48F9AD4D83294366A828856553F3B14303F90147F5D40EF\n2CABEAFE37D06CA22ABA7391C0033D25982952C453647349763A3AB5AD6CCF69\n44B545AA8A25E65A73CA15DC27FC36D24C1CB9953A066539B11582DC487B4833\n1793927A0614549789ADCE2F8F34F7F0B66D0F3AE3A3B84D21EC15DBBA4FADC7\nDB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88\n4D2491414CFE956746EC4CEFA6CF6F72E28A1329432F9D8A907AC4CB5DADC15A\n6C61DAC3A2DEF031506BE036D2A6FE401994FBD13DF9C8D466599274C446EC98\nEBC5570C29018C4D67B1AA127BAF12F703B4611EBC17B7DAB5573894179B93FA\n7E37CB8B4C47090CAB36551BA6F45DB840680FBA166A952DB100717F43053FC2\nA1339D33281A0B56E557D3D32B1CE7F9367EB094BD5FA72A7E5004C8DED7CAFE\n7D05EBB682339F8C9451EE094EEBFEFA7953A114EDB2F44949452FAB7D2FC185\n59769007F7685D0FCD50872F9F95D5755A5B2B457D81F3692B610A98672F0E1B\n86A1ECBA089C4A8D3BBE2734C612BA341D813E043CF9E8A862CD5C57A36BBE6B\n1465FA205397B876FAA6F0A9958E5590E40FCC7FAA4FB7C2C8677521FB5FB658\n5C58468D55F58E497E743982D2B50010B6D165374ACF83A7D4A32DB768C4408E\n960ADF0063E96356750C2965DD0A0867DA0B9CBD6E77714AEAFB2349AB393DA3\n96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6\n4FA3126D8D3A11D1C4855A4F807CBAD6CF919D3A5A88B03BEA2C6372D93C40C9\n554153B13D2CF9DDB753BFBE1A4E0AE08D0AA4187058FE60A2B862B2E4B87BCB\n62DD0BE9B9F50A163EA0F8E75C053B1ECA57EA55C8688F647C6881F2C8357B95\n02ED0EB28C14DA45165C566791700D6451D7FB56F0B2AB1D3B8EB070E56EDFF5\n0376AB1D54C5F9803CE4B2E201A0EE7EEF7B57B636E8A93C9B8D4860C96F5FA7\n6C61DAC3A2DEF031506BE036D2A6FE401994FBD13DF9C8D466599274C446EC98\n96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6\n44B545AA8A25E65A73CA15DC27FC36D24C1CB9953A066539B11582DC487B4833\n40F6AF0346A99AA1CD1D555A4E9CCE62C7F9634603EE406615833DC8C8D00367\n22A2C1F7BDED704CC1E701B5F408C310880FE956B5DE2A4A44F99C873A25A7C8\n3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C\n8A866FD1B276B57E578E921C65828A2BED58E9F2F288054134B7F1F4BFC9CC74\nCA42DD41745FD0B81EB902362CF9D8BF719DA1BD1B1EFC946F5B4C99F42C1B9E\n552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988\nCBB9C44D84B8043E1050EA31A69F514955D7BFD2E2C6B49301019AD61D9F5058\n3C5F81FEA5FAB82C64BFA2EAECAFCDE8E077FC8620A7CAE537163DF36EDBF378\n6B328085625318AA50D173C98D8BDA09D57E27413D114CF787A0F5D06C030CF6\n55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097\nD43AF9B35473755C9684FC06D7D8CB70EE5C28E773FB294EB41EE71722924D24\nC741F70F4B2A8D88BF2E71C14122EF53EF10EBA0CFA5E64CFA20F418853073E0\nF9E67D336C51002AC054C632022D66DDA2E7E3FFF10AD061ED31D8BBB410CFB2\n91E2F5788D5810EBA7BA58737DE1548A8ECACD014598BC0B143E041B17052552\n4348A0E9444C78CB265E058D5E8944B4D84F9662BD26DB257F8934A443C70161\n3417BB06CC6007DA1B961C920B8AB4CE3FAD820E4AA30B9ACBC4A74EBDCEBC65\n945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4\nE23D4A036D7B70E9F595B1422079D2B91EDFBB1FB651A0633EAA8A9DC5F80703\n1BA5B2AA8C65401A82960118F80BEC4F62304D83CEC4713A19C39C011EA46DB4\n179FBC148A3DD00FD24EA13458CC43BFA7F59C8182D783A513F6EBEC100C8924\n18CE6CFE7BF14E60B2E347B8DFE868CB31D02EBB3ADA271569F50343B46DB3A4\nC3846BF24B9E93CA64274C0EC67C1ECC5E024FFCACD2D74019350E81FE546AE4\n0C2CD63DF7806FA399EDE809116B575BF87989F06518F9808C860503178BAF66\nBF0FEEFB9E3A581AD5F9E9DB7589985743D261085C4D314F6F5D7259AA421612\nD48D3D23EEDB50A459E55197601C27774B9D7B18C94D5A059511A10250B93168\n31AD6648F8104138C738F39EA4320133393E3A18CC02296EF97C2AC9EF6731D0\n8ECDE6884F3D87B1125BA31AC3FCB13D7016DE7F57CC904FE1CB97C6AE98196E\n9A114025197C5BB95D94E63D55CD43790847B646B23CDF11ADA4A00EFF15FB48\n73C176434F1BC6D5ADF45B0E76E727287C8DE57616C1E6E6141A2B2CBC7D8E4C\n5CC3D78E4E1D5E45547A04E6873E64F90CF9536D1CCC2EF800F355C4C5FD70FD\n568D6905A2C88708A4B3025190EDCFEDB1974A606A13C6E5290FCB2AE63EDAB5\n552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988\n0C2CD63DF7806FA399EDE809116B575BF87989F06518F9808C860503178BAF66\nE35D28419ED02025CFA69038CD623962458DA5C695FBDEA3C22B0BFB25897092\n55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097\nCBB522D7B7F127AD6A0113865BDF1CD4102E7D0759AF635A7CF4720DC963C53B\n7D05EBB682339F8C9451EE094EEBFEFA7953A114EDB2F44949452FAB7D2FC185\n\n\n(compared using `cmp` matcher)\n","resource_class":"command","resource_params":"[\"\\n for f in $(find -L /etc/ssl/certs -type f); do\\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'\\n done\\n \"]","resource_id":"Command: `\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'\n done\n `"}]},{"id":"SV-238365","title":"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\nmodification of all information at rest. ","desc":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).","descriptions":[{"label":"default","data":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields)."},{"label":"check","data":"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n$\nsudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding."},{"label":"fix","data":"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000404-GPOS-00183 ","gid":"V-238365 ","rid":"SV-238365r853442_rule ","stig_id":"UBTU-20-010444 ","fix_id":"F-41534r654269_fix ","cci":["CCI-002475"],"nist":["SC-28 (1)"]},"code":"control 'SV-238365' do\n title \"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\nmodification of all information at rest. \"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n$\nsudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000404-GPOS-00183 '\n tag gid: 'V-238365 '\n tag rid: 'SV-238365r853442_rule '\n tag stig_id: 'UBTU-20-010444 '\n tag fix_id: 'F-41534r654269_fix '\n tag cci: ['CCI-002475']\n tag nist: ['SC-28 (1)']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238365.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Not Applicable","run_time":1.0e-05,"start_time":"2022-12-08T20:52:33-05:00","resource":"","skip_message":"Encryption of data at rest is handled by the IaaS","resource_class":"Object","resource_params":"[]","resource_id":"Not Applicable"}]},{"id":"SV-238366","title":"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\ndisclosure of all information at rest. ","desc":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).","descriptions":[{"label":"default","data":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields)."},{"label":"check","data":"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n$sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding."},{"label":"fix","data":"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000405-GPOS-00184 ","gid":"V-238366 ","rid":"SV-238366r853443_rule ","stig_id":"UBTU-20-010445 ","fix_id":"F-41535r654272_fix ","cci":["CCI-002476"],"nist":["SC-28 (1)"]},"code":"control 'SV-238366' do\n title \"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\ndisclosure of all information at rest. \"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n$sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000405-GPOS-00184 '\n tag gid: 'V-238366 '\n tag rid: 'SV-238366r853443_rule '\n tag stig_id: 'UBTU-20-010445 '\n tag fix_id: 'F-41535r654272_fix '\n tag cci: ['CCI-002476']\n tag nist: ['SC-28 (1)']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238366.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Not Applicable","run_time":4.0e-06,"start_time":"2022-12-08T20:52:33-05:00","resource":"","skip_message":"Encryption of data at rest is handled by the IaaS","resource_class":"Object","resource_params":"[]","resource_id":"Not Applicable"}]},{"id":"SV-238367","title":"The Ubuntu operating system must configure the uncomplicated firewall to rate-limit\nimpacted network interfaces. ","desc":"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks.","descriptions":[{"label":"default","data":"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks."},{"label":"check","data":"Verify an application firewall is configured to rate limit any connection to the system.\n\n\nCheck all the services listening to the ports with the following command:\n\n$ sudo ss -l46ut\n\n\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128\n[::]:ssh [::]:*\n\nFor each entry, verify that the Uncomplicated Firewall is configured to\nrate limit the service ports with the following command:\n\n$ sudo ufw status\n\nStatus: active\n\n\nTo Action From\n-- ------ ----\n22/tcp LIMIT Anywhere\n22/tcp (v6) LIMIT Anywhere (v6)\n\nIf\nany port with a state of \"LISTEN\" is not marked with the \"LIMIT\" action, this is a finding."},{"label":"fix","data":"Configure the application firewall to protect against or limit the effects of DoS attacks by\nensuring the Ubuntu operating system is implementing rate-limiting measures on impacted\nnetwork interfaces.\n\nCheck all the services listening to the ports with the following\ncommand:\n\n$ sudo ss -l46ut\n\nNetid State Recv-Q Send-Q Local Address:Port Peer\nAddress:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*\n\nFor each service with a port\nlistening to connections, run the following command, replacing \"[service]\" with the\nservice that needs to be rate limited.\n\n$ sudo ufw limit [service]\n\nRate-limiting can also\nbe done on an interface. An example of adding a rate-limit on the eth0 interface follows:\n\n$\nsudo ufw limit in on eth0"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000420-GPOS-00186 ","gid":"V-238367 ","rid":"SV-238367r853444_rule ","stig_id":"UBTU-20-010446 ","fix_id":"F-41536r654275_fix ","cci":["CCI-002385"],"nist":["SC-5 a"]},"code":"control 'SV-238367' do\n title \"The Ubuntu operating system must configure the uncomplicated firewall to rate-limit\nimpacted network interfaces. \"\n desc \"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks. \"\n desc 'check', \"Verify an application firewall is configured to rate limit any connection to the system.\n\n\nCheck all the services listening to the ports with the following command:\n\n$ sudo ss -l46ut\n\n\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128\n[::]:ssh [::]:*\n\nFor each entry, verify that the Uncomplicated Firewall is configured to\nrate limit the service ports with the following command:\n\n$ sudo ufw status\n\nStatus: active\n\n\nTo Action From\n-- ------ ----\n22/tcp LIMIT Anywhere\n22/tcp (v6) LIMIT Anywhere (v6)\n\nIf\nany port with a state of \\\"LISTEN\\\" is not marked with the \\\"LIMIT\\\" action, this is a finding. \"\n desc 'fix', \"Configure the application firewall to protect against or limit the effects of DoS attacks by\nensuring the Ubuntu operating system is implementing rate-limiting measures on impacted\nnetwork interfaces.\n\nCheck all the services listening to the ports with the following\ncommand:\n\n$ sudo ss -l46ut\n\nNetid State Recv-Q Send-Q Local Address:Port Peer\nAddress:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*\n\nFor each service with a port\nlistening to connections, run the following command, replacing \\\"[service]\\\" with the\nservice that needs to be rate limited.\n\n$ sudo ufw limit [service]\n\nRate-limiting can also\nbe done on an interface. An example of adding a rate-limit on the eth0 interface follows:\n\n$\nsudo ufw limit in on eth0 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000420-GPOS-00186 '\n tag gid: 'V-238367 '\n tag rid: 'SV-238367r853444_rule '\n tag stig_id: 'UBTU-20-010446 '\n tag fix_id: 'F-41536r654275_fix '\n tag cci: ['CCI-002385']\n tag nist: ['SC-5 a']\n\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238367.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Status listings for any allowed services, ports, or applications must be documented with the organization","run_time":4.0e-06,"start_time":"2022-12-08T20:52:33-05:00","resource":"","skip_message":"Status listings checks must be preformed manually","resource_class":"Object","resource_params":"[]","resource_id":"Status listings for any allowed services, ports, or applications must be documented with the organization"}]},{"id":"SV-238368","title":"The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. ","desc":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks.","descriptions":[{"label":"default","data":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks."},{"label":"check","data":"Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \"execute disable\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\"dmesg\" does not show \"NX (Execute Disable) protection: active\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \"flags\" does not contain the \"nx\" flag, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to enable NX.\n\nIf \"nx\" is not showing up in\n\"/proc/cpuinfo\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \"enable\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000433-GPOS-00192 ","gid":"V-238368 ","rid":"SV-238368r853445_rule ","stig_id":"UBTU-20-010447 ","fix_id":"F-41537r654278_fix ","cci":["CCI-002824"],"nist":["SI-16"]},"code":"control 'SV-238368' do\n title \"The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \\\"execute disable\\\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\\\"dmesg\\\" does not show \\\"NX (Execute Disable) protection: active\\\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \\\"flags\\\" does not contain the \\\"nx\\\" flag, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enable NX.\n\nIf \\\"nx\\\" is not showing up in\n\\\"/proc/cpuinfo\\\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \\\"enable\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00192 '\n tag gid: 'V-238368 '\n tag rid: 'SV-238368r853445_rule '\n tag stig_id: 'UBTU-20-010447 '\n tag fix_id: 'F-41537r654278_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/,\n }\n describe.one do\n describe command('dmesg | grep NX').stdout.strip do\n it { should match(/.+(NX \\(Execute Disable\\) protection: active)/) }\n end\n describe parse_config_file('/proc/cpuinfo', options).flags.split(' ') do\n it { should include 'nx' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238368.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:33-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238369","title":"The Ubuntu operating system must implement address space layout randomization to protect\nits memory from unauthorized code execution. ","desc":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks.","descriptions":[{"label":"default","data":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks."},{"label":"check","data":"Verify the Ubuntu operating system implements address space layout randomization (ASLR)\nwith the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\n\nkernel.randomize_va_space = 2\n\nIf nothing is returned, verify the kernel parameter\n\"randomize_va_space\" is set to \"2\" with the following command:\n\n$ cat\n/proc/sys/kernel/randomize_va_space\n\n2\n\nIf \"kernel.randomize_va_space\" is not set to\n\"2\", this is a finding.\n\nVerify that a saved value of the \"kernel.randomize_va_space\"\nvariable is not defined.\n\n$ sudo egrep -R \"^kernel.randomize_va_space=[^2]\"\n/etc/sysctl.conf /etc/sysctl.d\n\nIf this returns a result, this is a finding."},{"label":"fix","data":"Remove the \"kernel.randomize_va_space\" entry found in the \"/etc/sysctl.conf\" file or any\nfile located in the \"/etc/sysctl.d/\" directory.\n\nAfter the line has been removed, the\nkernel settings from all system configuration files must be reloaded before any of the\nchanges will take effect. Run the following command to reload all of the kernel system\nconfiguration files:\n\n$ sudo sysctl --system"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000433-GPOS-00193 ","gid":"V-238369 ","rid":"SV-238369r853446_rule ","stig_id":"UBTU-20-010448 ","fix_id":"F-41538r654281_fix ","cci":["CCI-002824"],"nist":["SI-16"]},"code":"control 'SV-238369' do\n title \"The Ubuntu operating system must implement address space layout randomization to protect\nits memory from unauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the Ubuntu operating system implements address space layout randomization (ASLR)\nwith the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\n\nkernel.randomize_va_space = 2\n\nIf nothing is returned, verify the kernel parameter\n\\\"randomize_va_space\\\" is set to \\\"2\\\" with the following command:\n\n$ cat\n/proc/sys/kernel/randomize_va_space\n\n2\n\nIf \\\"kernel.randomize_va_space\\\" is not set to\n\\\"2\\\", this is a finding.\n\nVerify that a saved value of the \\\"kernel.randomize_va_space\\\"\nvariable is not defined.\n\n$ sudo egrep -R \\\"^kernel.randomize_va_space=[^2]\\\"\n/etc/sysctl.conf /etc/sysctl.d\n\nIf this returns a result, this is a finding. \"\n desc 'fix', \"Remove the \\\"kernel.randomize_va_space\\\" entry found in the \\\"/etc/sysctl.conf\\\" file or any\nfile located in the \\\"/etc/sysctl.d/\\\" directory.\n\nAfter the line has been removed, the\nkernel settings from all system configuration files must be reloaded before any of the\nchanges will take effect. Run the following command to reload all of the kernel system\nconfiguration files:\n\n$ sudo sysctl --system \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00193 '\n tag gid: 'V-238369 '\n tag rid: 'SV-238369r853446_rule '\n tag stig_id: 'UBTU-20-010448 '\n tag fix_id: 'F-41538r654281_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n\n describe kernel_parameter('kernel.randomize_va_space') do\n its('value') { should cmp 2 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238369.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Kernel Parameter kernel.randomize_va_space value is expected to cmp == 2","run_time":0.047579,"start_time":"2022-12-08T20:52:33-05:00","resource_class":"kernel_parameter","resource_params":"[\"kernel.randomize_va_space\"]","resource_id":"kernel.randomize_va_space"}]},{"id":"SV-238370","title":"The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. ","desc":"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system.","descriptions":[{"label":"default","data":"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system."},{"label":"check","data":"Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";\n\nIf the\n\"::Remove-Unused-Dependencies\" and \"::Remove-Unused-Kernel-Packages\" parameters are\nnot set to \"true\" or are missing or commented out, this is a finding."},{"label":"fix","data":"Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\"/etc/apt/apt.conf.d/50unattended-upgrades\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000437-GPOS-00194 ","gid":"V-238370 ","rid":"SV-238370r853447_rule ","stig_id":"UBTU-20-010449 ","fix_id":"F-41539r654284_fix ","cci":["CCI-002617"],"nist":["SI-2 (6)"]},"code":"control 'SV-238370' do\n title \"The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. \"\n desc \"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system. \"\n desc 'check', \"Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\";\n\nIf the\n\\\"::Remove-Unused-Dependencies\\\" and \\\"::Remove-Unused-Kernel-Packages\\\" parameters are\nnot set to \\\"true\\\" or are missing or commented out, this is a finding. \"\n desc 'fix', \"Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\\\"/etc/apt/apt.conf.d/50unattended-upgrades\\\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000437-GPOS-00194 '\n tag gid: 'V-238370 '\n tag rid: 'SV-238370r853447_rule '\n tag stig_id: 'UBTU-20-010449 '\n tag fix_id: 'F-41539r654284_fix '\n tag cci: ['CCI-002617']\n tag nist: ['SI-2 (6)']\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n describe command('grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades').stdout.strip do\n it { should match(/^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/) }\n it { should match(/^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/) }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238370.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /etc/apt/apt.conf.d is expected to exist","run_time":0.000287,"start_time":"2022-12-08T20:52:33-05:00","resource_class":"directory","resource_params":"[\"/etc/apt/apt.conf.d\"]","resource_id":"/etc/apt/apt.conf.d"},{"status":"failed","code_desc":"is expected to match /^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/","run_time":0.000805,"start_time":"2022-12-08T20:52:33-05:00","message":"expected \"\" to match /^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/\nDiff:\n@@ -1 +1 @@\n-/^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/\n+\"\"\n","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected to match /^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/","run_time":0.000391,"start_time":"2022-12-08T20:52:33-05:00","message":"expected \"\" to match /^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/\nDiff:\n@@ -1 +1 @@\n-/^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/\n+\"\"\n","resource_class":"Object","resource_params":"[]","resource_id":""}]},{"id":"SV-238371","title":"The Ubuntu operating system must use a file integrity tool to verify correct operation of all\nsecurity functions. ","desc":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality.","descriptions":[{"label":"default","data":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the\ncorrect operation of all security functions.\n\nCheck that the AIDE package is installed with\nthe following command:\n\n$ sudo dpkg -l | grep aide\nii aide 0.16.1-1build2 amd64 Advanced\nIntrusion Detection Environment - static binary\n\nIf AIDE is not installed, ask the System\nAdministrator how file integrity checks are performed on the system.\n\nIf no application is\ninstalled to perform integrity checks, this is a finding."},{"label":"fix","data":"Install the AIDE package by running the following command:\n\n$ sudo apt-get install aide"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000445-GPOS-00199 ","gid":"V-238371 ","rid":"SV-238371r853448_rule ","stig_id":"UBTU-20-010450 ","fix_id":"F-41540r654287_fix ","cci":["CCI-002696"],"nist":["SI-6 a"]},"code":"control 'SV-238371' do\n title \"The Ubuntu operating system must use a file integrity tool to verify correct operation of all\nsecurity functions. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the\ncorrect operation of all security functions.\n\nCheck that the AIDE package is installed with\nthe following command:\n\n$ sudo dpkg -l | grep aide\nii aide 0.16.1-1build2 amd64 Advanced\nIntrusion Detection Environment - static binary\n\nIf AIDE is not installed, ask the System\nAdministrator how file integrity checks are performed on the system.\n\nIf no application is\ninstalled to perform integrity checks, this is a finding. \"\n desc 'fix', \"Install the AIDE package by running the following command:\n\n$ sudo apt-get install aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000445-GPOS-00199 '\n tag gid: 'V-238371 '\n tag rid: 'SV-238371r853448_rule '\n tag stig_id: 'UBTU-20-010450 '\n tag fix_id: 'F-41540r654287_fix '\n tag cci: ['CCI-002696']\n tag nist: ['SI-6 a']\n\n describe package('aide') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238371.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package aide is expected to be installed","run_time":0.038009,"start_time":"2022-12-08T20:52:33-05:00","message":"expected that `System Package aide` is installed","resource_class":"package","resource_params":"[\"aide\"]","resource_id":"aide"}]},{"id":"SV-238372","title":"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. ","desc":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item.","descriptions":[{"label":"default","data":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \"yes\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \"SILENTREPORTS\"\nparameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000447-GPOS-00201 ","gid":"V-238372 ","rid":"SV-238372r853449_rule ","stig_id":"UBTU-20-010451 ","fix_id":"F-41541r654290_fix ","cci":["CCI-002702"],"nist":["SI-6 d"]},"code":"control 'SV-238372' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \\\"yes\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000447-GPOS-00201 '\n tag gid: 'V-238372 '\n tag rid: 'SV-238372r853449_rule '\n tag stig_id: 'UBTU-20-010451 '\n tag fix_id: 'F-41541r654290_fix '\n tag cci: ['CCI-002702']\n tag nist: ['SI-6 d']\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238372.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /etc/default/aide is expected to exist","run_time":0.000211,"start_time":"2022-12-08T20:52:33-05:00","message":"expected File /etc/default/aide to exist","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"},{"status":"failed","code_desc":"File /etc/default/aide content is expected to match \"^SILENTREPORTS=no$\"","run_time":0.000183,"start_time":"2022-12-08T20:52:33-05:00","message":"expected nil to match \"^SILENTREPORTS=no$\"","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"}]},{"id":"SV-238373","title":"The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. ","desc":"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections.","descriptions":[{"label":"default","data":"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections."},{"label":"check","data":"Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\"pam_lastlog\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \"pam_lastlog\" is\nmissing from \"/etc/pam.d/login\" file, is not \"required\", or the \"silent\" option is present,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\"/etc/pam.d/login\".\n\nAdd the following line to the top of \"/etc/pam.d/login\":\n\nsession\nrequired pam_lastlog.so showfailed"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238373 ","rid":"SV-238373r858539_rule ","stig_id":"UBTU-20-010453 ","fix_id":"F-41542r654293_fix ","cci":["CCI-000052"],"nist":["AC-9"]},"code":"control 'SV-238373' do\n title \"The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. \"\n desc \"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections. \"\n desc 'check', \"Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\\\"pam_lastlog\\\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \\\"pam_lastlog\\\" is\nmissing from \\\"/etc/pam.d/login\\\" file, is not \\\"required\\\", or the \\\"silent\\\" option is present,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\\\"/etc/pam.d/login\\\".\n\nAdd the following line to the top of \\\"/etc/pam.d/login\\\":\n\nsession\nrequired pam_lastlog.so showfailed \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238373 '\n tag rid: 'SV-238373r858539_rule '\n tag stig_id: 'UBTU-20-010453 '\n tag fix_id: 'F-41542r654293_fix '\n tag cci: ['CCI-000052']\n tag nist: ['AC-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep pam_lastlog /etc/pam.d/login') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*session\\s+required\\s+pam_lastlog.so/) }\n its('stdout.strip') { should_not match(/^\\s*session\\s+required\\s+pam_lastlog.so[\\s\\w\\d\\=]+.*silent/) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238373.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":7.0e-06,"start_time":"2022-12-08T20:52:33-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238374","title":"The Ubuntu operating system must have an application firewall enabled. ","desc":"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network.","descriptions":[{"label":"default","data":"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network."},{"label":"check","data":"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl status ufw.service | grep -i \"active:\"\n\nActive: active (exited) since Mon\n2016-10-17 12:30:29 CDT; 1s ago\n\nIf the above command returns the status as \"inactive\", this\nis a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator\nif another application firewall is installed. If no application firewall is installed, this\nis a finding."},{"label":"fix","data":"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\nufw.service\n\nIf the Uncomplicated Firewall is not currently running on the system, start it\nwith the following command:\n\n$ sudo systemctl start ufw.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00232 ","gid":"V-238374 ","rid":"SV-238374r654297_rule ","stig_id":"UBTU-20-010454 ","fix_id":"F-41543r654296_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238374' do\n title 'The Ubuntu operating system must have an application firewall enabled. '\n desc \"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network. \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl status ufw.service | grep -i \\\"active:\\\"\n\nActive: active (exited) since Mon\n2016-10-17 12:30:29 CDT; 1s ago\n\nIf the above command returns the status as \\\"inactive\\\", this\nis a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator\nif another application firewall is installed. If no application firewall is installed, this\nis a finding. \"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\nufw.service\n\nIf the Uncomplicated Firewall is not currently running on the system, start it\nwith the following command:\n\n$ sudo systemctl start ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00232 '\n tag gid: 'V-238374 '\n tag rid: 'SV-238374r654297_rule '\n tag stig_id: 'UBTU-20-010454 '\n tag fix_id: 'F-41543r654296_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238374.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service ufw is expected to be installed","run_time":0.000263,"start_time":"2022-12-08T20:52:33-05:00","message":"expected that `Service ufw` is installed","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be enabled","run_time":0.000173,"start_time":"2022-12-08T20:52:33-05:00","message":"expected that `Service ufw` is enabled","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be running","run_time":0.000174,"start_time":"2022-12-08T20:52:33-05:00","message":"expected that `Service ufw` is running","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"}]},{"id":"SV-238376","title":"The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. ","desc":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system commands contained in the following directories have mode 0755 or less\npermissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\n\nCheck that the system command files have mode 0755 or less permissive with the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec stat -c \"%n %a\" '{}' \\;\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding."},{"label":"fix","data":"Configure the system commands to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec chmod 755 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238376 ","rid":"SV-238376r654303_rule ","stig_id":"UBTU-20-010456 ","fix_id":"F-41545r654302_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238376' do\n title 'The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. '\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories have mode 0755 or less\npermissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\n\nCheck that the system command files have mode 0755 or less permissive with the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. \"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238376 '\n tag rid: 'SV-238376r654303_rule '\n tag stig_id: 'UBTU-20-010456 '\n tag fix_id: 'F-41545r654302_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238376.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755 count is expected to eq 0","run_time":0.000129,"start_time":"2022-12-08T20:52:33-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238377","title":"The Ubuntu operating system must have system commands owned by root or a system account. ","desc":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system commands contained in the following directories are owned by root, or a\nrequired system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nUse the following command for the check:\n\n$ sudo find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \"%n %U\"\n'{}' \\;\n\nIf any system commands are returned and are not owned by a required system account,\nthis is a finding."},{"label":"fix","data":"Configure the system commands and their respective parent directories to be protected from\nunauthorized access. Run the following command, replacing \"[FILE]\" with any system command\nfile not owned by \"root\" or a required system account:\n\n$ sudo chown root [FILE]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238377 ","rid":"SV-238377r832968_rule ","stig_id":"UBTU-20-010457 ","fix_id":"F-41546r832967_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238377' do\n title 'The Ubuntu operating system must have system commands owned by root or a system account. '\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories are owned by root, or a\nrequired system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nUse the following command for the check:\n\n$ sudo find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \\\"%n %U\\\"\n'{}' \\\\;\n\nIf any system commands are returned and are not owned by a required system account,\nthis is a finding. \"\n desc 'fix', \"Configure the system commands and their respective parent directories to be protected from\nunauthorized access. Run the following command, replacing \\\"[FILE]\\\" with any system command\nfile not owned by \\\"root\\\" or a required system account:\n\n$ sudo chown root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238377 '\n tag rid: 'SV-238377r832968_rule '\n tag stig_id: 'UBTU-20-010457 '\n tag fix_id: 'F-41546r832967_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238377.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root count is expected to eq 0","run_time":0.000106,"start_time":"2022-12-08T20:52:33-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238378","title":"The Ubuntu operating system must have system commands group-owned by root or a system\naccount. ","desc":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system commands contained in the following directories are group-owned by root or\na required system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nRun the check with the following command:\n\n$ sudo find -L /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec\nstat -c \"%n %G\" '{}' \\;\n\nIf any system commands are returned that are not Set Group ID upon\nexecution (SGID) files and group-owned by a required system account, this is a finding."},{"label":"fix","data":"Configure the system commands to be protected from unauthorized access. Run the following\ncommand, replacing \"[FILE]\" with any system command file not group-owned by \"root\" or a\nrequired system account:\n\n$ sudo chgrp root [FILE]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238378 ","rid":"SV-238378r832971_rule ","stig_id":"UBTU-20-010458 ","fix_id":"F-41547r832970_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238378' do\n title \"The Ubuntu operating system must have system commands group-owned by root or a system\naccount. \"\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories are group-owned by root or\na required system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nRun the check with the following command:\n\n$ sudo find -L /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec\nstat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands are returned that are not Set Group ID upon\nexecution (SGID) files and group-owned by a required system account, this is a finding. \"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. Run the following\ncommand, replacing \\\"[FILE]\\\" with any system command file not group-owned by \\\"root\\\" or a\nrequired system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238378 '\n tag rid: 'SV-238378r832971_rule '\n tag stig_id: 'UBTU-20-010458 '\n tag fix_id: 'F-41547r832970_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -perm /2000 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are not Set Group ID up on execution (SGID) files and owned by a privileged account' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238378.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are not Set Group ID up on execution (SGID) files and owned by a privileged account count is expected to eq 0","run_time":0.000102,"start_time":"2022-12-08T20:52:33-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238379","title":"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. ","desc":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken.","descriptions":[{"label":"default","data":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken."},{"label":"check","data":"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \"logout\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \"logout\" key is bound to an action, is\ncommented out, or is missing, this is a finding."},{"label":"fix","data":"Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update"}],"impact":0.0,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238379 ","rid":"SV-238379r654312_rule ","stig_id":"UBTU-20-010459 ","fix_id":"F-41548r654311_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238379' do\n title \"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. \"\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \\\"logout\\\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \\\"logout\\\" key is bound to an action, is\ncommented out, or is missing, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238379 '\n tag rid: 'SV-238379r654312_rule '\n tag stig_id: 'UBTU-20-010459 '\n tag fix_id: 'F-41548r654311_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe command(\"grep -R logout='' /etc/dconf/db/local.d/\").stdout.strip.split(\"\\n\").entries do\n its('count') { should_not eq 0 }\n end\n else\n impact 0.0\n describe command('which Xorg').exit_status do\n skip('This control is Not Applicable since a GUI not installed.')\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238379.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"1","run_time":4.0e-06,"start_time":"2022-12-08T20:52:33-05:00","resource":"1","skip_message":"This control is Not Applicable since a GUI not installed.","resource_class":"Numeric","resource_params":"[]","resource_id":""}]},{"id":"SV-238380","title":"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. ","desc":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot.","descriptions":[{"label":"default","data":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot."},{"label":"check","data":"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\nCheck that the \"ctrl-alt-del.target\" (otherwise also known\nas reboot.target) is not active with the following command:\n\n$ sudo systemctl status\nctrl-alt-del.target\nctrl-alt-del.target\nLoaded: masked (Reason: Unit\nctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \"ctrl-alt-del.target\"\nis not masked, this is a finding."},{"label":"fix","data":"Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the\nfollowing commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl\nmask ctrl-alt-del.target\n\nReload the daemon to take effect:\n\n$ sudo systemctl\ndaemon-reload"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238380 ","rid":"SV-238380r832974_rule ","stig_id":"UBTU-20-010460 ","fix_id":"F-41549r832973_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238380' do\n title 'The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. '\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\nCheck that the \\\"ctrl-alt-del.target\\\" (otherwise also known\nas reboot.target) is not active with the following command:\n\n$ sudo systemctl status\nctrl-alt-del.target\nctrl-alt-del.target\nLoaded: masked (Reason: Unit\nctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \\\"ctrl-alt-del.target\\\"\nis not masked, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the\nfollowing commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl\nmask ctrl-alt-del.target\n\nReload the daemon to take effect:\n\n$ sudo systemctl\ndaemon-reload \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238380 '\n tag rid: 'SV-238380r832974_rule '\n tag stig_id: 'UBTU-20-010460 '\n tag fix_id: 'F-41549r832973_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe service('ctrl-alt-del.target') do\n it { should_not be_running }\n it { should_not be_enabled }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238380.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Service ctrl-alt-del.target is expected not to be running","run_time":0.042606,"start_time":"2022-12-08T20:52:33-05:00","resource_class":"service","resource_params":"[\"ctrl-alt-del.target\"]","resource_id":"ctrl-alt-del.target"},{"status":"passed","code_desc":"Service ctrl-alt-del.target is expected not to be enabled","run_time":0.000285,"start_time":"2022-12-08T20:52:33-05:00","resource_class":"service","resource_params":"[\"ctrl-alt-del.target\"]","resource_id":"ctrl-alt-del.target"}]},{"id":"SV-251503","title":"The Ubuntu operating system must not have accounts configured with blank or null passwords. ","desc":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.","descriptions":[{"label":"default","data":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments."},{"label":"check","data":"Check the \"/etc/shadow\" file for blank passwords with the following command:\n\n$ sudo awk -F:\n'!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding."},{"label":"fix","data":"Configure all accounts on the system to have a password or lock the account with the following\ncommands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo\npasswd -l [username]"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-251503 ","rid":"SV-251503r808506_rule ","stig_id":"UBTU-20-010462 ","fix_id":"F-54892r808505_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-251503' do\n title 'The Ubuntu operating system must not have accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"Check the \\\"/etc/shadow\\\" file for blank passwords with the following command:\n\n$ sudo awk -F:\n'!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding. \"\n desc 'fix', \"Configure all accounts on the system to have a password or lock the account with the following\ncommands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo\npasswd -l [username] \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251503 '\n tag rid: 'SV-251503r808506_rule '\n tag stig_id: 'UBTU-20-010462 '\n tag fix_id: 'F-54892r808505_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe command(\"sudo awk -F: '!$2 {print $1}' /etc/shadow\") do\n its('stdout') { should be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-251503.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Command: `sudo awk -F: '!$2 {print $1}' /etc/shadow` stdout is expected to be empty","run_time":0.043727,"start_time":"2022-12-08T20:52:33-05:00","resource_class":"command","resource_params":"[\"sudo awk -F: '!$2 {print $1}' /etc/shadow\"]","resource_id":"Command: `sudo awk -F: '!$2 {print $1}' /etc/shadow`"}]},{"id":"SV-251504","title":"The Ubuntu operating system must not allow accounts configured with blank or null passwords. ","desc":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.","descriptions":[{"label":"default","data":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments."},{"label":"check","data":"To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding."},{"label":"fix","data":"If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \"nullok\" option in \"/etc/pam.d/common-password\" to prevent logons with\nempty passwords."}],"impact":0.0,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-251504 ","rid":"SV-251504r832977_rule ","stig_id":"UBTU-20-010463 ","fix_id":"F-54893r832976_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-251504' do\n title 'The Ubuntu operating system must not allow accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding. \"\n desc 'fix', \"If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \\\"nullok\\\" option in \\\"/etc/pam.d/common-password\\\" to prevent logons with\nempty passwords. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251504 '\n tag rid: 'SV-251504r832977_rule '\n tag stig_id: 'UBTU-20-010463 '\n tag fix_id: 'F-54893r832976_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep nullok /etc/pam.d/common-password') do\n its('stdout') { should be_empty }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-251504.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.2e-05,"start_time":"2022-12-08T20:52:33-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-251505","title":"The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB)\nmass storage driver. ","desc":"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers.","descriptions":[{"label":"default","data":"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers."},{"label":"check","data":"Verify that Ubuntu operating system disables ability to load the USB storage kernel\nmodule.\n\n# grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\"\n\ninstall usb-storage\n/bin/true\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding.\n\nVerify the operating system disables the ability to use USB mass storage\ndevice.\n\n# grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"\n\nblacklist\nusb-storage\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to disable using the USB storage kernel module.\n\n\nCreate a file under \"/etc/modprobe.d\" to contain the following:\n\n# sudo su -c \"echo\ninstall usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\"\n\nConfigure the\noperating system to disable the ability to use USB mass storage devices.\n\n# sudo su -c \"echo\nblacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\""}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000378-GPOS-00163 ","gid":"V-251505 ","rid":"SV-251505r853450_rule ","stig_id":"UBTU-20-010461 ","fix_id":"F-54894r808511_fix ","cci":["CCI-001958"],"nist":["IA-3"]},"code":"control 'SV-251505' do\n title \"The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB)\nmass storage driver. \"\n desc \"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers. \"\n desc 'check', \"Verify that Ubuntu operating system disables ability to load the USB storage kernel\nmodule.\n\n# grep usb-storage /etc/modprobe.d/* | grep \\\"/bin/true\\\"\n\ninstall usb-storage\n/bin/true\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding.\n\nVerify the operating system disables the ability to use USB mass storage\ndevice.\n\n# grep usb-storage /etc/modprobe.d/* | grep -i \\\"blacklist\\\"\n\nblacklist\nusb-storage\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable using the USB storage kernel module.\n\n\nCreate a file under \\\"/etc/modprobe.d\\\" to contain the following:\n\n# sudo su -c \\\"echo\ninstall usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\\\"\n\nConfigure the\noperating system to disable the ability to use USB mass storage devices.\n\n# sudo su -c \\\"echo\nblacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\\\" \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000378-GPOS-00163 '\n tag gid: 'V-251505 '\n tag rid: 'SV-251505r853450_rule '\n tag stig_id: 'UBTU-20-010461 '\n tag fix_id: 'F-54894r808511_fix '\n tag cci: ['CCI-001958']\n tag nist: ['IA-3']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\"') do\n its('stdout') { should_not be_empty }\n end\n\n describe command('grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"') do\n its('stdout') { should_not be_empty }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-251505.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":9.0e-06,"start_time":"2022-12-08T20:52:33-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-252704","title":"The Ubuntu operating system must disable all wireless network adapters. ","desc":"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required.","descriptions":[{"label":"default","data":"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required."},{"label":"check","data":"Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding."},{"label":"fix","data":"List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \"/etc/modprobe.d\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name>"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000481-GPOS-00481 ","gid":"V-252704 ","rid":"SV-252704r854182_rule ","stig_id":"UBTU-20-010455 ","fix_id":"F-56110r819056_fix ","cci":["CCI-002418"],"nist":["SC-8"]},"code":"control 'SV-252704' do\n title 'The Ubuntu operating system must disable all wireless network adapters. '\n desc \"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required. \"\n desc 'check', \"Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding. \"\n desc 'fix', \"List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \\\"/etc/modprobe.d\\\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000481-GPOS-00481 '\n tag gid: 'V-252704 '\n tag rid: 'SV-252704r854182_rule '\n tag stig_id: 'UBTU-20-010455 '\n tag fix_id: 'F-56110r819056_fix '\n tag cci: ['CCI-002418']\n tag nist: ['SC-8']\n\n describe command('ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename') do\n its('stdout.lines') { should be_in input('approved_wireless_interfaces') }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-252704.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Command: `ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename` stdout.lines is expected to be in","run_time":0.041532,"start_time":"2022-12-08T20:52:33-05:00","resource_class":"command","resource_params":"[\"ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename\"]","resource_id":"Command: `ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename`"}]}],"status":"loaded","status_message":""}],"statistics":{"duration":2.124244},"version":"5.18.14"} \ No newline at end of file diff --git a/vanilla.json b/vanilla.json new file mode 100644 index 0000000..f5c62e1 --- /dev/null +++ b/vanilla.json @@ -0,0 +1 @@ +{"platform":{"name":"ubuntu","release":"20.04","target_id":"da39a3ee-5e6b-5b0d-b255-bfef95601890"},"profiles":[{"name":"Canonical_Ubuntu_20-04_LTS_STIG","version":"0.1.0","sha256":"4c6fcd4075dfd8c5d6674624d6b3b02e38d310555aa685100b5e6d116318f4b6","title":"Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide","maintainer":"Nitin Ravindran","summary":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.","license":"Apache-2.0","copyright":"Nitin Ravindran","copyright_email":"nravindran@vmware.com","supports":[{"platform-name":"ubuntu","release":"20.04"}],"attributes":[{"name":"temporary_accounts","options":{"type":"Array","value":[]}},{"name":"banner_text","options":{"type":"String","value":"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."}},{"name":"sudo_accounts","options":{"type":"Array","value":["ubuntu"]}},{"name":"tmout","options":{"type":"Numeric","value":600}},{"name":"action_mail_acct","options":{"type":"String","value":"root"}},{"name":"audit_tools","options":{"type":"Array","value":["/sbin/auditctl","/sbin/aureport","/sbin/ausearch","/sbin/autrace","/sbin/auditd","/sbin/audispd","/sbin/augenrules"]}},{"name":"standard_audit_log_size","options":{"type":"Numeric","value":8894028}},{"name":"aide_conf_path","options":{"type":"String","value":"/etc/aide/aide.conf"}},{"name":"maxlogins","options":{"type":"Numeric","value":10}},{"name":"is_kdump_required","options":{"type":"Boolean","value":false}},{"name":"is_system_networked","options":{"type":"Boolean","value":true}},{"name":"sssd_conf_path","options":{"type":"String","value":"/etc/sssd/sssd.conf"}},{"name":"allowed_ca_fingerprints_regex","options":{"type":"String","value":"(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)"}},{"name":"allowed_network_interfaces","options":{"type":"Array","value":["lo","eth0"]}},{"name":"audit_sp_remote_server","options":{"type":"String","value":"192.0.0.1"}},{"name":"approved_wireless_interfaces","options":{"type":"Array","value":[]}},{"name":"fips_config_file","options":{"type":"String","value":"/proc/sys/crypto/fips_enabled"}},{"name":"chrony_config_file","options":{"type":"String","value":"/etc/chrony/chrony.conf"}},{"name":"useradd_config_file","options":{"type":"String","value":"/etc/default/useradd"}},{"name":"rsyslog_config_file","options":{"type":"String","value":"/etc/rsyslog.d/50-default.conf"}},{"name":"auditoffload_config_file","options":{"type":"String","value":"/etc/cron.weekly/audit-offload"}},{"name":"audispremote_config_file","options":{"type":"String","value":"/etc/audisp/plugins.d/au-remote.conf"}},{"name":"gdm3_config_file","options":{"type":"String","value":"/etc/gdm3/greeter.dconf-defaults"}},{"name":"disable_fips","options":{"type":"Boolean","value":false}},{"name":"pki_disabled","options":{"type":"Boolean","value":false}}],"groups":[{"id":"controls/SV-238196.rb","controls":["SV-238196"]},{"id":"controls/SV-238197.rb","controls":["SV-238197"]},{"id":"controls/SV-238198.rb","controls":["SV-238198"]},{"id":"controls/SV-238199.rb","controls":["SV-238199"]},{"id":"controls/SV-238200.rb","controls":["SV-238200"]},{"id":"controls/SV-238201.rb","controls":["SV-238201"]},{"id":"controls/SV-238202.rb","controls":["SV-238202"]},{"id":"controls/SV-238203.rb","controls":["SV-238203"]},{"id":"controls/SV-238204.rb","controls":["SV-238204"]},{"id":"controls/SV-238205.rb","controls":["SV-238205"]},{"id":"controls/SV-238206.rb","controls":["SV-238206"]},{"id":"controls/SV-238207.rb","controls":["SV-238207"]},{"id":"controls/SV-238208.rb","controls":["SV-238208"]},{"id":"controls/SV-238209.rb","controls":["SV-238209"]},{"id":"controls/SV-238210.rb","controls":["SV-238210"]},{"id":"controls/SV-238211.rb","controls":["SV-238211"]},{"id":"controls/SV-238212.rb","controls":["SV-238212"]},{"id":"controls/SV-238213.rb","controls":["SV-238213"]},{"id":"controls/SV-238214.rb","controls":["SV-238214"]},{"id":"controls/SV-238215.rb","controls":["SV-238215"]},{"id":"controls/SV-238216.rb","controls":["SV-238216"]},{"id":"controls/SV-238217.rb","controls":["SV-238217"]},{"id":"controls/SV-238218.rb","controls":["SV-238218"]},{"id":"controls/SV-238219.rb","controls":["SV-238219"]},{"id":"controls/SV-238220.rb","controls":["SV-238220"]},{"id":"controls/SV-238221.rb","controls":["SV-238221"]},{"id":"controls/SV-238222.rb","controls":["SV-238222"]},{"id":"controls/SV-238223.rb","controls":["SV-238223"]},{"id":"controls/SV-238224.rb","controls":["SV-238224"]},{"id":"controls/SV-238225.rb","controls":["SV-238225"]},{"id":"controls/SV-238226.rb","controls":["SV-238226"]},{"id":"controls/SV-238227.rb","controls":["SV-238227"]},{"id":"controls/SV-238228.rb","controls":["SV-238228"]},{"id":"controls/SV-238229.rb","controls":["SV-238229"]},{"id":"controls/SV-238230.rb","controls":["SV-238230"]},{"id":"controls/SV-238231.rb","controls":["SV-238231"]},{"id":"controls/SV-238232.rb","controls":["SV-238232"]},{"id":"controls/SV-238233.rb","controls":["SV-238233"]},{"id":"controls/SV-238234.rb","controls":["SV-238234"]},{"id":"controls/SV-238235.rb","controls":["SV-238235"]},{"id":"controls/SV-238236.rb","controls":["SV-238236"]},{"id":"controls/SV-238237.rb","controls":["SV-238237"]},{"id":"controls/SV-238238.rb","controls":["SV-238238"]},{"id":"controls/SV-238239.rb","controls":["SV-238239"]},{"id":"controls/SV-238240.rb","controls":["SV-238240"]},{"id":"controls/SV-238241.rb","controls":["SV-238241"]},{"id":"controls/SV-238242.rb","controls":["SV-238242"]},{"id":"controls/SV-238243.rb","controls":["SV-238243"]},{"id":"controls/SV-238244.rb","controls":["SV-238244"]},{"id":"controls/SV-238245.rb","controls":["SV-238245"]},{"id":"controls/SV-238246.rb","controls":["SV-238246"]},{"id":"controls/SV-238247.rb","controls":["SV-238247"]},{"id":"controls/SV-238248.rb","controls":["SV-238248"]},{"id":"controls/SV-238249.rb","controls":["SV-238249"]},{"id":"controls/SV-238250.rb","controls":["SV-238250"]},{"id":"controls/SV-238251.rb","controls":["SV-238251"]},{"id":"controls/SV-238252.rb","controls":["SV-238252"]},{"id":"controls/SV-238253.rb","controls":["SV-238253"]},{"id":"controls/SV-238254.rb","controls":["SV-238254"]},{"id":"controls/SV-238255.rb","controls":["SV-238255"]},{"id":"controls/SV-238256.rb","controls":["SV-238256"]},{"id":"controls/SV-238257.rb","controls":["SV-238257"]},{"id":"controls/SV-238258.rb","controls":["SV-238258"]},{"id":"controls/SV-238264.rb","controls":["SV-238264"]},{"id":"controls/SV-238268.rb","controls":["SV-238268"]},{"id":"controls/SV-238271.rb","controls":["SV-238271"]},{"id":"controls/SV-238277.rb","controls":["SV-238277"]},{"id":"controls/SV-238278.rb","controls":["SV-238278"]},{"id":"controls/SV-238279.rb","controls":["SV-238279"]},{"id":"controls/SV-238280.rb","controls":["SV-238280"]},{"id":"controls/SV-238281.rb","controls":["SV-238281"]},{"id":"controls/SV-238282.rb","controls":["SV-238282"]},{"id":"controls/SV-238283.rb","controls":["SV-238283"]},{"id":"controls/SV-238284.rb","controls":["SV-238284"]},{"id":"controls/SV-238285.rb","controls":["SV-238285"]},{"id":"controls/SV-238286.rb","controls":["SV-238286"]},{"id":"controls/SV-238287.rb","controls":["SV-238287"]},{"id":"controls/SV-238288.rb","controls":["SV-238288"]},{"id":"controls/SV-238289.rb","controls":["SV-238289"]},{"id":"controls/SV-238290.rb","controls":["SV-238290"]},{"id":"controls/SV-238291.rb","controls":["SV-238291"]},{"id":"controls/SV-238292.rb","controls":["SV-238292"]},{"id":"controls/SV-238293.rb","controls":["SV-238293"]},{"id":"controls/SV-238294.rb","controls":["SV-238294"]},{"id":"controls/SV-238295.rb","controls":["SV-238295"]},{"id":"controls/SV-238297.rb","controls":["SV-238297"]},{"id":"controls/SV-238298.rb","controls":["SV-238298"]},{"id":"controls/SV-238299.rb","controls":["SV-238299"]},{"id":"controls/SV-238300.rb","controls":["SV-238300"]},{"id":"controls/SV-238301.rb","controls":["SV-238301"]},{"id":"controls/SV-238302.rb","controls":["SV-238302"]},{"id":"controls/SV-238303.rb","controls":["SV-238303"]},{"id":"controls/SV-238304.rb","controls":["SV-238304"]},{"id":"controls/SV-238305.rb","controls":["SV-238305"]},{"id":"controls/SV-238306.rb","controls":["SV-238306"]},{"id":"controls/SV-238307.rb","controls":["SV-238307"]},{"id":"controls/SV-238308.rb","controls":["SV-238308"]},{"id":"controls/SV-238309.rb","controls":["SV-238309"]},{"id":"controls/SV-238310.rb","controls":["SV-238310"]},{"id":"controls/SV-238315.rb","controls":["SV-238315"]},{"id":"controls/SV-238316.rb","controls":["SV-238316"]},{"id":"controls/SV-238317.rb","controls":["SV-238317"]},{"id":"controls/SV-238318.rb","controls":["SV-238318"]},{"id":"controls/SV-238319.rb","controls":["SV-238319"]},{"id":"controls/SV-238320.rb","controls":["SV-238320"]},{"id":"controls/SV-238321.rb","controls":["SV-238321"]},{"id":"controls/SV-238323.rb","controls":["SV-238323"]},{"id":"controls/SV-238324.rb","controls":["SV-238324"]},{"id":"controls/SV-238325.rb","controls":["SV-238325"]},{"id":"controls/SV-238326.rb","controls":["SV-238326"]},{"id":"controls/SV-238327.rb","controls":["SV-238327"]},{"id":"controls/SV-238328.rb","controls":["SV-238328"]},{"id":"controls/SV-238329.rb","controls":["SV-238329"]},{"id":"controls/SV-238330.rb","controls":["SV-238330"]},{"id":"controls/SV-238331.rb","controls":["SV-238331"]},{"id":"controls/SV-238332.rb","controls":["SV-238332"]},{"id":"controls/SV-238333.rb","controls":["SV-238333"]},{"id":"controls/SV-238334.rb","controls":["SV-238334"]},{"id":"controls/SV-238335.rb","controls":["SV-238335"]},{"id":"controls/SV-238336.rb","controls":["SV-238336"]},{"id":"controls/SV-238337.rb","controls":["SV-238337"]},{"id":"controls/SV-238338.rb","controls":["SV-238338"]},{"id":"controls/SV-238339.rb","controls":["SV-238339"]},{"id":"controls/SV-238340.rb","controls":["SV-238340"]},{"id":"controls/SV-238341.rb","controls":["SV-238341"]},{"id":"controls/SV-238342.rb","controls":["SV-238342"]},{"id":"controls/SV-238343.rb","controls":["SV-238343"]},{"id":"controls/SV-238344.rb","controls":["SV-238344"]},{"id":"controls/SV-238345.rb","controls":["SV-238345"]},{"id":"controls/SV-238346.rb","controls":["SV-238346"]},{"id":"controls/SV-238347.rb","controls":["SV-238347"]},{"id":"controls/SV-238348.rb","controls":["SV-238348"]},{"id":"controls/SV-238349.rb","controls":["SV-238349"]},{"id":"controls/SV-238350.rb","controls":["SV-238350"]},{"id":"controls/SV-238351.rb","controls":["SV-238351"]},{"id":"controls/SV-238352.rb","controls":["SV-238352"]},{"id":"controls/SV-238353.rb","controls":["SV-238353"]},{"id":"controls/SV-238354.rb","controls":["SV-238354"]},{"id":"controls/SV-238355.rb","controls":["SV-238355"]},{"id":"controls/SV-238356.rb","controls":["SV-238356"]},{"id":"controls/SV-238357.rb","controls":["SV-238357"]},{"id":"controls/SV-238358.rb","controls":["SV-238358"]},{"id":"controls/SV-238359.rb","controls":["SV-238359"]},{"id":"controls/SV-238360.rb","controls":["SV-238360"]},{"id":"controls/SV-238361.rb","controls":["SV-238361"]},{"id":"controls/SV-238362.rb","controls":["SV-238362"]},{"id":"controls/SV-238363.rb","controls":["SV-238363"]},{"id":"controls/SV-238364.rb","controls":["SV-238364"]},{"id":"controls/SV-238365.rb","controls":["SV-238365"]},{"id":"controls/SV-238366.rb","controls":["SV-238366"]},{"id":"controls/SV-238367.rb","controls":["SV-238367"]},{"id":"controls/SV-238368.rb","controls":["SV-238368"]},{"id":"controls/SV-238369.rb","controls":["SV-238369"]},{"id":"controls/SV-238370.rb","controls":["SV-238370"]},{"id":"controls/SV-238371.rb","controls":["SV-238371"]},{"id":"controls/SV-238372.rb","controls":["SV-238372"]},{"id":"controls/SV-238373.rb","controls":["SV-238373"]},{"id":"controls/SV-238374.rb","controls":["SV-238374"]},{"id":"controls/SV-238376.rb","controls":["SV-238376"]},{"id":"controls/SV-238377.rb","controls":["SV-238377"]},{"id":"controls/SV-238378.rb","controls":["SV-238378"]},{"id":"controls/SV-238379.rb","controls":["SV-238379"]},{"id":"controls/SV-238380.rb","controls":["SV-238380"]},{"id":"controls/SV-251503.rb","controls":["SV-251503"]},{"id":"controls/SV-251504.rb","controls":["SV-251504"]},{"id":"controls/SV-251505.rb","controls":["SV-251505"]},{"id":"controls/SV-252704.rb","controls":["SV-252704"]}],"controls":[{"id":"SV-238196","title":"The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. ","desc":"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements.","descriptions":[{"label":"default","data":"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements."},{"label":"check","data":"Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding."},{"label":"fix","data":"If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\"system_account_name\" with the account to be created.\n\n$ sudo chage -E $(date -d \"+3 days\"\n+%F) system_account_name"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000002-GPOS-00002 ","gid":"V-238196 ","rid":"SV-238196r653763_rule ","stig_id":"UBTU-20-010000 ","fix_id":"F-41365r653762_fix ","cci":["CCI-000016"],"nist":["AC-2 (2)"]},"code":"control 'SV-238196' do\n title \"The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. \"\n desc \"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding. \"\n desc 'fix', \"If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\\\"system_account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\"\n+%F) system_account_name \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000002-GPOS-00002 '\n tag gid: 'V-238196 '\n tag rid: 'SV-238196r653763_rule '\n tag stig_id: 'UBTU-20-010000 '\n tag fix_id: 'F-41365r653762_fix '\n tag cci: ['CCI-000016']\n tag nist: ['AC-2 (2)']\n\n if input('temporary_accounts').empty?\n describe 'Temporary accounts' do\n subject { input('temporary_accounts') }\n it { should be_empty }\n end\n else\n temporary_accounts.each do |acct|\n describe command(\"chage -l #{acct} | grep 'Account expires'\") do\n its('stdout.strip') { should_not match(/:\\s*never/) }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238196.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Temporary accounts is expected to be empty","run_time":0.003432,"start_time":"2022-12-08T20:52:23-05:00","resource_class":"Object","resource_params":"[]","resource_id":"Temporary accounts"}]},{"id":"SV-238197","title":"The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. ","desc":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"","descriptions":[{"label":"default","data":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\""},{"label":"check","data":"Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \"false\", this is a finding."},{"label":"fix","data":"Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.\n\nLook for the\n\"banner-message-enable\" parameter under the \"[org/gnome/login-screen]\" section and\nuncomment it (remove the leading \"#\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000023-GPOS-00006 ","gid":"V-238197 ","rid":"SV-238197r653766_rule ","stig_id":"UBTU-20-010002 ","fix_id":"F-41366r653765_fix ","cci":["CCI-000048"],"nist":["AC-8 a"]},"code":"control 'SV-238197' do\n title \"The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \\\"false\\\", this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nLook for the\n\\\"banner-message-enable\\\" parameter under the \\\"[org/gnome/login-screen]\\\" section and\nuncomment it (remove the leading \\\"#\\\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238197 '\n tag rid: 'SV-238197r653766_rule '\n tag stig_id: 'UBTU-20-010002 '\n tag fix_id: 'F-41366r653765_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n\n xorg_status = command('which Xorg').exit_status\n\n if xorg_status == 0\n describe 'banner-message-enable must be set to true' do\n subject { command('grep banner-message-enable /etc/dconf/db/local.d/*') }\n its('stdout') { should match(/(banner-message-enable).+=.+(true)/) }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238197.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"1","run_time":5.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"1","skip_message":"GUI not installed.\nwhich Xorg exit_status: 1","resource_class":"Numeric","resource_params":"[]","resource_id":""}]},{"id":"SV-238198","title":"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local access to the system via a graphical user logon. ","desc":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"","descriptions":[{"label":"default","data":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\""},{"label":"check","data":"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the operating system via a graphical user logon.\n\nNote: If\nthe system does not have a graphical user interface installed, this requirement is Not\nApplicable.\n\nVerify the operating system displays the exact approved Standard Mandatory\nDoD Notice and Consent Banner text with the command:\n\n$ grep ^banner-message-text\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-text=\"You are accessing a U.S.\nGovernment \\(USG\\) Information System \\(IS\\) that is provided for USG-authorized use\nonly.\\s+By using this IS \\(which includes any device attached to this IS\\), you consent to the\nfollowing conditions:\\s+-The USG routinely intercepts and monitors communications on\nthis IS for purposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct \\(PM\\), law enforcement \\(LE\\), and\ncounterintelligence \\(CI\\) investigations.\\s+-At any time, the USG may inspect and seize\ndata stored on this IS.\\s+-Communications using, or data stored on, this IS are not private,\nare subject to routine monitoring, interception, and search, and may be disclosed or used for\nany USG-authorized purpose.\\s+-This IS includes security measures \\(e.g.,\nauthentication and access controls\\) to protect USG interests--not for your personal\nbenefit or privacy.\\s+-Notwithstanding the above, using this IS does not constitute\nconsent to PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nIf the\nbanner-message-text is missing, commented out, or does not match the Standard Mandatory DoD\nNotice and Consent Banner exactly, this is a finding."},{"label":"fix","data":"Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.\n\nSet the \"banner-message-text\" line\nto contain the appropriate banner message text as shown below:\n\nbanner-message-text='You\nare accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this\nIS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and\nmonitors communications on this IS for purposes including, but not limited to, penetration\ntesting, COMSEC monitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the\nUSG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored\non, this IS are not private, are subject to routine monitoring, interception, and search, and\nmay be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security\nmeasures (e.g., authentication and access controls) to protect USG interests--not for your\npersonal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not\nconstitute consent to PM, LE or CI investigative searching or monitoring of the content of\nprivileged communications, or work product, related to personal representation or\nservices by attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User Agreement for\ndetails.'\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf update\n$ sudo\nsystemctl restart gdm3"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000023-GPOS-00006 ","gid":"V-238198 ","rid":"SV-238198r653769_rule ","stig_id":"UBTU-20-010003 ","fix_id":"F-41367r653768_fix ","cci":["CCI-000048"],"nist":["AC-8 a"]},"code":"control 'SV-238198' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local access to the system via a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the operating system via a graphical user logon.\n\nNote: If\nthe system does not have a graphical user interface installed, this requirement is Not\nApplicable.\n\nVerify the operating system displays the exact approved Standard Mandatory\nDoD Notice and Consent Banner text with the command:\n\n$ grep ^banner-message-text\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-text=\\\"You are accessing a U.S.\nGovernment \\\\(USG\\\\) Information System \\\\(IS\\\\) that is provided for USG-authorized use\nonly.\\\\s+By using this IS \\\\(which includes any device attached to this IS\\\\), you consent to the\nfollowing conditions:\\\\s+-The USG routinely intercepts and monitors communications on\nthis IS for purposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct \\\\(PM\\\\), law enforcement \\\\(LE\\\\), and\ncounterintelligence \\\\(CI\\\\) investigations.\\\\s+-At any time, the USG may inspect and seize\ndata stored on this IS.\\\\s+-Communications using, or data stored on, this IS are not private,\nare subject to routine monitoring, interception, and search, and may be disclosed or used for\nany USG-authorized purpose.\\\\s+-This IS includes security measures \\\\(e.g.,\nauthentication and access controls\\\\) to protect USG interests--not for your personal\nbenefit or privacy.\\\\s+-Notwithstanding the above, using this IS does not constitute\nconsent to PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nIf the\nbanner-message-text is missing, commented out, or does not match the Standard Mandatory DoD\nNotice and Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nSet the \\\"banner-message-text\\\" line\nto contain the appropriate banner message text as shown below:\n\nbanner-message-text='You\nare accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\\\\n\\\\nBy using this IS (which includes any device attached to this\nIS), you consent to the following conditions:\\\\n\\\\n-The USG routinely intercepts and\nmonitors communications on this IS for purposes including, but not limited to, penetration\ntesting, COMSEC monitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations.\\\\n\\\\n-At any time, the\nUSG may inspect and seize data stored on this IS.\\\\n\\\\n-Communications using, or data stored\non, this IS are not private, are subject to routine monitoring, interception, and search, and\nmay be disclosed or used for any USG-authorized purpose.\\\\n\\\\n-This IS includes security\nmeasures (e.g., authentication and access controls) to protect USG interests--not for your\npersonal benefit or privacy.\\\\n\\\\n-Notwithstanding the above, using this IS does not\nconstitute consent to PM, LE or CI investigative searching or monitoring of the content of\nprivileged communications, or work product, related to personal representation or\nservices by attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User Agreement for\ndetails.'\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf update\n$ sudo\nsystemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238198 '\n tag rid: 'SV-238198r653769_rule '\n tag stig_id: 'UBTU-20-010003 '\n tag fix_id: 'F-41367r653768_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n\n banner_text = input('banner_text')\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n gdm3_defaults_file = input('gdm3_config_file')\n\n if package('gdm3').installed?\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n subject { file(gdm3_defaults_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n else\n impact 0.0\n describe 'Package gdm3 not installed' do\n skip 'Package gdm3 not installed, this control Not Applicable'\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238198.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Package gdm3 not installed","run_time":2.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"","skip_message":"Package gdm3 not installed, this control Not Applicable","resource_class":"Object","resource_params":"[]","resource_id":"Package gdm3 not installed"}]},{"id":"SV-238199","title":"The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. ","desc":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.","descriptions":[{"label":"default","data":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system."},{"label":"check","data":"Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \"lock-enabled\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \"lock-enabled\" is\nnot set to \"true\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \"lock-enabled\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000028-GPOS-00009 ","satisfies":["SRG-OS-000028-GPOS-00009","SRG-OS-000029-GPOS-00010"],"gid":"V-238199 ","rid":"SV-238199r653772_rule ","stig_id":"UBTU-20-010004 ","fix_id":"F-41368r653771_fix ","cci":["CCI-000056","CCI-000057"],"nist":["AC-11 b","AC-11 a"]},"code":"control 'SV-238199' do\n title \"The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.\n\n \"\n desc 'check', \"Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \\\"lock-enabled\\\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \\\"lock-enabled\\\" is\nnot set to \\\"true\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \\\"lock-enabled\\\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000028-GPOS-00009 '\n tag satisfies: %w(SRG-OS-000028-GPOS-00009 SRG-OS-000029-GPOS-00010)\n tag gid: 'V-238199 '\n tag rid: 'SV-238199r653772_rule '\n tag stig_id: 'UBTU-20-010004 '\n tag fix_id: 'F-41368r653771_fix '\n tag cci: %w(CCI-000056 CCI-000057)\n tag nist: ['AC-11 b', 'AC-11 a']\n\n xorg_status = command('which Xorg').exit_status\n\n if xorg_status == 0\n describe command('gsettings get org.gnome.desktop.screensaver lock-enabled') do\n its('stdout') { should cmp 'true' }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238199.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"1","run_time":2.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"1","skip_message":"GUI not installed.\nwhich Xorg exit_status: 1","resource_class":"Numeric","resource_params":"[]","resource_id":""}]},{"id":"SV-238200","title":"The Ubuntu operating system must allow users to directly initiate a session lock for all\nconnection types. ","desc":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.","descriptions":[{"label":"default","data":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity."},{"label":"check","data":"Verify the Ubuntu operating system has the \"vlock\" package installed by running the\nfollowing command:\n\n$ dpkg -l | grep vlock\n\nIf \"vlock\" is not installed, this is a finding."},{"label":"fix","data":"Install the \"vlock\" package (if it is not already installed) by running the following\ncommand:\n\n$ sudo apt-get install vlock"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000030-GPOS-00011 ","satisfies":["SRG-OS-000030-GPOS-00011","SRG-OS-000031-GPOS-00012"],"gid":"V-238200 ","rid":"SV-238200r653775_rule ","stig_id":"UBTU-20-010005 ","fix_id":"F-41369r653774_fix ","cci":["CCI-000058","CCI-000060"],"nist":["AC-11 a","AC-11 (1)"]},"code":"control 'SV-238200' do\n title \"The Ubuntu operating system must allow users to directly initiate a session lock for all\nconnection types. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"vlock\\\" package installed by running the\nfollowing command:\n\n$ dpkg -l | grep vlock\n\nIf \\\"vlock\\\" is not installed, this is a finding. \"\n desc 'fix', \"Install the \\\"vlock\\\" package (if it is not already installed) by running the following\ncommand:\n\n$ sudo apt-get install vlock \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000030-GPOS-00011 '\n tag satisfies: %w(SRG-OS-000030-GPOS-00011 SRG-OS-000031-GPOS-00012)\n tag gid: 'V-238200 '\n tag rid: 'SV-238200r653775_rule '\n tag stig_id: 'UBTU-20-010005 '\n tag fix_id: 'F-41369r653774_fix '\n tag cci: %w(CCI-000058 CCI-000060)\n tag nist: ['AC-11 a', 'AC-11 (1)']\n\n describe package('vlock') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238200.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package vlock is expected to be installed","run_time":0.085401,"start_time":"2022-12-08T20:52:23-05:00","message":"expected that `System Package vlock` is installed","resource_class":"package","resource_params":"[\"vlock\"]","resource_id":"vlock"}]},{"id":"SV-238201","title":"The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. ","desc":"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis.","descriptions":[{"label":"default","data":"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis."},{"label":"check","data":"Verify that \"use_mappers\" is set to \"pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\"use_mappers\" is not found or the list does not contain \"pwent\" this is a finding."},{"label":"fix","data":"Set \"use_mappers=pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \"/etc/pam_pkcs11/\" directory and an\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify\naccordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."}],"impact":0.0,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000068-GPOS-00036 ","gid":"V-238201 ","rid":"SV-238201r832933_rule ","stig_id":"UBTU-20-010006 ","fix_id":"F-41370r653777_fix ","cci":["CCI-000187"],"nist":["IA-5 (2) (a) (2)"]},"code":"control 'SV-238201' do\n title \"The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. \"\n desc \"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis. \"\n desc 'check', \"Verify that \\\"use_mappers\\\" is set to \\\"pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\\\"use_mappers\\\" is not found or the list does not contain \\\"pwent\\\" this is a finding. \"\n desc 'fix', \"Set \\\"use_mappers=pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000068-GPOS-00036 '\n tag gid: 'V-238201 '\n tag rid: 'SV-238201r832933_rule '\n tag stig_id: 'UBTU-20-010006 '\n tag fix_id: 'F-41370r653777_fix '\n tag cci: ['CCI-000187']\n tag nist: ['IA-5 (2) (a) (2)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'This control is Not Applicable inside a container' do\n skip 'This control is Not Applicable inside a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file = '/etc/pam_pkcs11/pam_pkcs11.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('use_mappers') { should cmp 'pwent' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238201.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"This control is Not Applicable inside a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"","skip_message":"This control is Not Applicable inside a container","resource_class":"Object","resource_params":"[]","resource_id":"This control is Not Applicable inside a container"}]},{"id":"SV-238202","title":"The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day minimum password lifetime restriction. ","desc":"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse.","descriptions":[{"label":"default","data":"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse."},{"label":"check","data":"Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \"PASS_MIN_DAYS\" parameter value is less than\n\"1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MIN_DAYS 1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000075-GPOS-00043 ","gid":"V-238202 ","rid":"SV-238202r653781_rule ","stig_id":"UBTU-20-010007 ","fix_id":"F-41371r653780_fix ","cci":["CCI-000198"],"nist":["IA-5 (1) (d)"]},"code":"control 'SV-238202' do\n title \"The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day minimum password lifetime restriction. \"\n desc \"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \\\"PASS_MIN_DAYS\\\" parameter value is less than\n\\\"1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MIN_DAYS 1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000075-GPOS-00043 '\n tag gid: 'V-238202 '\n tag rid: 'SV-238202r653781_rule '\n tag stig_id: 'UBTU-20-010007 '\n tag fix_id: 'F-41371r653780_fix '\n tag cci: ['CCI-000198']\n tag nist: ['IA-5 (1) (d)']\n\n describe login_defs do\n its('PASS_MIN_DAYS') { should >= '1' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238202.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"login.defs PASS_MIN_DAYS is expected to >= \"1\"","run_time":0.002864,"start_time":"2022-12-08T20:52:23-05:00","message":"expected: >= \"1\"\n got: \"0\"","resource_class":"login_defs","resource_params":"[]","resource_id":"/etc/login.defs"}]},{"id":"SV-238203","title":"The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction.\nPasswords for new users must have a 60-day maximum password lifetime restriction. ","desc":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised.","descriptions":[{"label":"default","data":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n$ grep -i ^pass_max_days /etc/login.defs\n\nPASS_MAX_DAYS 60\n\nIf the \"PASS_MAX_DAYS\" parameter value is less than \"60\" or is commented\nout, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.\n\nAdd\nor modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MAX_DAYS 60"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000076-GPOS-00044 ","gid":"V-238203 ","rid":"SV-238203r653784_rule ","stig_id":"UBTU-20-010008 ","fix_id":"F-41372r653783_fix ","cci":["CCI-000199"],"nist":["IA-5 (1) (d)"]},"code":"control 'SV-238203' do\n title \"The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction.\nPasswords for new users must have a 60-day maximum password lifetime restriction. \"\n desc \"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n$ grep -i ^pass_max_days /etc/login.defs\n\nPASS_MAX_DAYS 60\n\nIf the \\\"PASS_MAX_DAYS\\\" parameter value is less than \\\"60\\\" or is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.\n\nAdd\nor modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MAX_DAYS 60 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000076-GPOS-00044 '\n tag gid: 'V-238203 '\n tag rid: 'SV-238203r653784_rule '\n tag stig_id: 'UBTU-20-010008 '\n tag fix_id: 'F-41372r653783_fix '\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)']\n\n describe login_defs do\n its('PASS_MAX_DAYS') { should cmp <= 60 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238203.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"login.defs PASS_MAX_DAYS is expected to cmp <= 60","run_time":0.000732,"start_time":"2022-12-08T20:52:23-05:00","message":"\nexpected it to be <= 60\n got: 99999\n\n(compared using `cmp` matcher)\n","resource_class":"login_defs","resource_params":"[]","resource_id":"/etc/login.defs"}]},{"id":"SV-238204","title":"Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. ","desc":"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system.","descriptions":[{"label":"default","data":"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system."},{"label":"check","data":"Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \"password_pbkdf2\", this is a finding."},{"label":"fix","data":"Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \"/etc/grub.d/40_custom\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\"root\\\"\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \"grub.conf\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000080-GPOS-00048 ","gid":"V-238204 ","rid":"SV-238204r832936_rule ","stig_id":"UBTU-20-010009 ","fix_id":"F-41373r832935_fix ","cci":["CCI-000213"],"nist":["AC-3"]},"code":"control 'SV-238204' do\n title \"Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. \"\n desc \"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system. \"\n desc 'check', \"Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \\\"password_pbkdf2\\\", this is a finding. \"\n desc 'fix', \"Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \\\"/etc/grub.d/40_custom\\\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\\\\\"root\\\\\\\"\\\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \\\"grub.conf\\\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000080-GPOS-00048 '\n tag gid: 'V-238204 '\n tag rid: 'SV-238204r832936_rule '\n tag stig_id: 'UBTU-20-010009 '\n tag fix_id: 'F-41373r832935_fix '\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n describe grub_conf('/boot/grub/grub.cfg') do\n its('password') { should match '^password_pbkdf2' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238204.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Grub Config","run_time":3.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"Grub Config","skip_message":"Can't find file: /boot/grub/grub.cfg","resource_class":"grub_conf","resource_params":"[\"/boot/grub/grub.cfg\"]","resource_id":"/boot/grub/grub.cfg"}]},{"id":"SV-238205","title":"The Ubuntu operating system must uniquely identify interactive users. ","desc":"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.","descriptions":[{"label":"default","data":"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity."},{"label":"check","data":"Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive\nusers with the following command:\n\n$ awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf\noutput is produced and the accounts listed are interactive user accounts, this is a finding."},{"label":"fix","data":"Edit the file \"/etc/passwd\" and provide each interactive user account that has a duplicate\nUID with a unique UID."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000104-GPOS-00051 ","satisfies":["SRG-OS-000104-GPOS-00051","SRG-OS-000121-GPOS-00062"],"gid":"V-238205 ","rid":"SV-238205r653790_rule ","stig_id":"UBTU-20-010010 ","fix_id":"F-41374r653789_fix ","cci":["CCI-000764","CCI-000804"],"nist":["IA-2","IA-8"]},"code":"control 'SV-238205' do\n title 'The Ubuntu operating system must uniquely identify interactive users. '\n desc \"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive\nusers with the following command:\n\n$ awk -F \\\":\\\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf\noutput is produced and the accounts listed are interactive user accounts, this is a finding. \"\n desc 'fix', \"Edit the file \\\"/etc/passwd\\\" and provide each interactive user account that has a duplicate\nUID with a unique UID. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000104-GPOS-00051 '\n tag satisfies: %w(SRG-OS-000104-GPOS-00051 SRG-OS-000121-GPOS-00062)\n tag gid: 'V-238205 '\n tag rid: 'SV-238205r653790_rule '\n tag stig_id: 'UBTU-20-010010 '\n tag fix_id: 'F-41374r653789_fix '\n tag cci: %w(CCI-000764 CCI-000804)\n tag nist: %w(IA-2 IA-8)\n\n user_list = command(\"awk -F \\\":\\\" 'list[$3]++{print $1}' /etc/passwd\").stdout.split(\"\\n\")\n findings = Set[]\n\n user_list.each do |user_name|\n findings = findings << user_name\n end\n describe 'Duplicate User IDs (UIDs) must not exist for interactive users' do\n subject { findings.to_a }\n it { should be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238205.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Duplicate User IDs (UIDs) must not exist for interactive users is expected to be empty","run_time":0.003407,"start_time":"2022-12-08T20:52:23-05:00","resource_class":"Object","resource_params":"[]","resource_id":"Duplicate User IDs (UIDs) must not exist for interactive users"}]},{"id":"SV-238206","title":"The Ubuntu operating system must ensure only users who need access to security functions are\npart of sudo group. ","desc":"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities.","descriptions":[{"label":"default","data":"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities."},{"label":"check","data":"Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding."},{"label":"fix","data":"Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000134-GPOS-00068 ","gid":"V-238206 ","rid":"SV-238206r653793_rule ","stig_id":"UBTU-20-010012 ","fix_id":"F-41375r653792_fix ","cci":["CCI-001084"],"nist":["SC-3"]},"code":"control 'SV-238206' do\n title \"The Ubuntu operating system must ensure only users who need access to security functions are\npart of sudo group. \"\n desc \"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities. \"\n desc 'check', \"Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding. \"\n desc 'fix', \"Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000134-GPOS-00068 '\n tag gid: 'V-238206 '\n tag rid: 'SV-238206r653793_rule '\n tag stig_id: 'UBTU-20-010012 '\n tag fix_id: 'F-41375r653792_fix '\n tag cci: ['CCI-001084']\n tag nist: ['SC-3']\n\n sudo_accounts = input('sudo_accounts')\n\n if sudo_accounts.count > 0\n sudo_accounts.each do |account|\n describe group('sudo') do\n its('members') { should include account }\n end\n end\n else\n describe.one do\n describe group('sudo') do\n its('members') { should be_nil }\n end\n describe group('sudo') do\n its('members') { should be_empty }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238206.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Group sudo members is expected to include \"ubuntu\"","run_time":0.08589,"start_time":"2022-12-08T20:52:23-05:00","message":"expected \"\" to include \"ubuntu\"","resource_class":"group","resource_params":"[\"sudo\"]","resource_id":"sudo-27"}]},{"id":"SV-238207","title":"The Ubuntu operating system must automatically terminate a user session after inactivity\ntimeouts have expired. ","desc":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance.","descriptions":[{"label":"default","data":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance."},{"label":"check","data":"Verify the operating system automatically terminates a user session after inactivity\ntimeouts have expired.\n\nCheck that \"TMOUT\" environment variable is set in the\n\"/etc/bash.bashrc\" file or in any file inside the \"/etc/profile.d/\" directory by\nperforming the following command:\n\n$ grep -E \"\\bTMOUT=[0-9]+\" /etc/bash.bashrc\n/etc/profile.d/*\n\nTMOUT=600\n\nIf \"TMOUT\" is not set, or if the value is \"0\" or is commented\nout, this is a finding."},{"label":"fix","data":"Configure the operating system to automatically terminate a user session after inactivity\ntimeouts have expired or at shutdown.\n\nCreate the file\n\"/etc/profile.d/99-terminal_tmout.sh\" file if it does not exist.\n\nModify or append the\nfollowing line in the \"/etc/profile.d/99-terminal_tmout.sh \" file:\n\nTMOUT=600\n\nThis\nwill set a timeout value of 10 minutes for all future sessions.\n\nTo set the timeout for the\ncurrent sessions, execute the following command over the terminal session:\n\n$ export\nTMOUT=600"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000279-GPOS-00109 ","gid":"V-238207 ","rid":"SV-238207r853404_rule ","stig_id":"UBTU-20-010013 ","fix_id":"F-41376r653795_fix ","cci":["CCI-002361"],"nist":["AC-12"]},"code":"control 'SV-238207' do\n title \"The Ubuntu operating system must automatically terminate a user session after inactivity\ntimeouts have expired. \"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance. \"\n desc 'check', \"Verify the operating system automatically terminates a user session after inactivity\ntimeouts have expired.\n\nCheck that \\\"TMOUT\\\" environment variable is set in the\n\\\"/etc/bash.bashrc\\\" file or in any file inside the \\\"/etc/profile.d/\\\" directory by\nperforming the following command:\n\n$ grep -E \\\"\\\\bTMOUT=[0-9]+\\\" /etc/bash.bashrc\n/etc/profile.d/*\n\nTMOUT=600\n\nIf \\\"TMOUT\\\" is not set, or if the value is \\\"0\\\" or is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the operating system to automatically terminate a user session after inactivity\ntimeouts have expired or at shutdown.\n\nCreate the file\n\\\"/etc/profile.d/99-terminal_tmout.sh\\\" file if it does not exist.\n\nModify or append the\nfollowing line in the \\\"/etc/profile.d/99-terminal_tmout.sh \\\" file:\n\nTMOUT=600\n\nThis\nwill set a timeout value of 10 minutes for all future sessions.\n\nTo set the timeout for the\ncurrent sessions, execute the following command over the terminal session:\n\n$ export\nTMOUT=600 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000279-GPOS-00109 '\n tag gid: 'V-238207 '\n tag rid: 'SV-238207r853404_rule '\n tag stig_id: 'UBTU-20-010013 '\n tag fix_id: 'F-41376r653795_fix '\n tag cci: ['CCI-002361']\n tag nist: ['AC-12']\n\n profile_files = command('find /etc/profile.d/ /etc/bash.bashrc -type f').stdout.strip.split(\"\\n\").entries\n timeout = input('tmout').to_s\n\n describe.one do\n profile_files.each do |pf|\n describe file(pf.strip) do\n its('content') { should match \"^TMOUT=#{timeout}$\" }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238207.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /etc/profile.d/01-locale-fix.sh content is expected to match \"^TMOUT=600$\"","run_time":0.000191,"start_time":"2022-12-08T20:52:23-05:00","message":"expected \"# Make sure the locale variables are set to valid values.\\neval $(/usr/bin/locale-check C.UTF-8)\\n\" to match \"^TMOUT=600$\"\nDiff:\n@@ -1,2 +1,3 @@\n-^TMOUT=600$\n+# Make sure the locale variables are set to valid values.\n+eval $(/usr/bin/locale-check C.UTF-8)\n","exception":"RSpec::Core::MultipleExceptionError","resource_class":"file","resource_params":"[\"/etc/profile.d/01-locale-fix.sh\"]","resource_id":"/etc/profile.d/01-locale-fix.sh"},{"status":"failed","code_desc":"File /etc/bash.bashrc content is expected to match \"^TMOUT=600$\"","run_time":0.000363,"start_time":"2022-12-08T20:52:23-05:00","message":"expected \"# System-wide .bashrc file for interactive bash(1) shells.\\n\\n# To enable the settings / commands in...\\telse\\n\\t\\t printf \\\"%s: command not found\\\\n\\\" \\\"$1\\\" >&2\\n\\t\\t return 127\\n\\t\\tfi\\n\\t}\\nfi\\n\" to match \"^TMOUT=600$\"\nDiff:\n@@ -1,71 +1,141 @@\n-^TMOUT=600$\n+# System-wide .bashrc file for interactive bash(1) shells.\n+\n+# To enable the settings / commands in this file for login shells as well,\n+# this file has to be sourced in /etc/profile.\n+\n+# If not running interactively, don't do anything\n+[ -z \"$PS1\" ] && return\n+\n+# check the window size after each command and, if necessary,\n+# update the values of LINES and COLUMNS.\n+shopt -s checkwinsize\n+\n+# set variable identifying the chroot you work in (used in the prompt below)\n+if [ -z \"${debian_chroot:-}\" ] && [ -r /etc/debian_chroot ]; then\n+ debian_chroot=$(cat /etc/debian_chroot)\n+fi\n+\n+# set a fancy prompt (non-color, overwrite the one in /etc/profile)\n+# but only if not SUDOing and have SUDO_PS1 set; then assume smart user.\n+if ! [ -n \"${SUDO_USER}\" -a -n \"${SUDO_PS1}\" ]; then\n+ PS1='${debian_chroot:+($debian_chroot)}\\u@\\h:\\w\\$ '\n+fi\n+\n+# Commented out, don't overwrite xterm -T \"title\" -n \"icontitle\" by default.\n+# If this is an xterm set the title to user@host:dir\n+#case \"$TERM\" in\n+#xterm*|rxvt*)\n+# PROMPT_COMMAND='echo -ne \"\\033]0;${USER}@${HOSTNAME}: ${PWD}\\007\"'\n+# ;;\n+#*)\n+# ;;\n+#esac\n+\n+# enable bash completion in interactive shells\n+#if ! shopt -oq posix; then\n+# if [ -f /usr/share/bash-completion/bash_completion ]; then\n+# . /usr/share/bash-completion/bash_completion\n+# elif [ -f /etc/bash_completion ]; then\n+# . /etc/bash_completion\n+# fi\n+#fi\n+\n+# sudo hint\n+if [ ! -e \"$HOME/.sudo_as_admin_successful\" ] && [ ! -e \"$HOME/.hushlogin\" ] ; then\n+ case \" $(groups) \" in *\\ admin\\ *|*\\ sudo\\ *)\n+ if [ -x /usr/bin/sudo ]; then\n+\tcat <<-EOF\n+\tTo run a command as administrator (user \"root\"), use \"sudo \".\n+\tSee \"man sudo_root\" for details.\n+\t\n+\tEOF\n+ fi\n+ esac\n+fi\n+\n+# if the command-not-found package is installed, use it\n+if [ -x /usr/lib/command-not-found -o -x /usr/share/command-not-found/command-not-found ]; then\n+\tfunction command_not_found_handle {\n+\t # check because c-n-f could've been removed in the meantime\n+ if [ -x /usr/lib/command-not-found ]; then\n+\t\t /usr/lib/command-not-found -- \"$1\"\n+ return $?\n+ elif [ -x /usr/share/command-not-found/command-not-found ]; then\n+\t\t /usr/share/command-not-found/command-not-found -- \"$1\"\n+ return $?\n+\t\telse\n+\t\t printf \"%s: command not found\\n\" \"$1\" >&2\n+\t\t return 127\n+\t\tfi\n+\t}\n+fi\n","exception":"RSpec::Core::MultipleExceptionError","resource_class":"file","resource_params":"[\"/etc/bash.bashrc\"]","resource_id":"/etc/bash.bashrc"}]},{"id":"SV-238208","title":"The Ubuntu operating system must require users to reauthenticate for privilege escalation\nor when changing roles. ","desc":"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.","descriptions":[{"label":"default","data":"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate."},{"label":"check","data":"Verify the \"/etc/sudoers\" file has no occurrences of \"NOPASSWD\" or \"!authenticate\" by\nrunning the following command:\n\n$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers\n/etc/sudoers.d/*\n\nIf any occurrences of \"NOPASSWD\" or \"!authenticate\" return from the\ncommand, this is a finding."},{"label":"fix","data":"Remove any occurrence of \"NOPASSWD\" or \"!authenticate\" found in \"/etc/sudoers\" file or\nfiles in the \"/etc/sudoers.d\" directory."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000373-GPOS-00156 ","satisfies":["SRG-OS-000373-GPOS-00156","SRG-OS-000373-GPOS-00157"],"gid":"V-238208 ","rid":"SV-238208r853405_rule ","stig_id":"UBTU-20-010014 ","fix_id":"F-41377r653798_fix ","cci":["CCI-002038"],"nist":["IA-11"]},"code":"control 'SV-238208' do\n title \"The Ubuntu operating system must require users to reauthenticate for privilege escalation\nor when changing roles. \"\n desc \"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.\n\n \"\n desc 'check', \"Verify the \\\"/etc/sudoers\\\" file has no occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" by\nrunning the following command:\n\n$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers\n/etc/sudoers.d/*\n\nIf any occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" return from the\ncommand, this is a finding. \"\n desc 'fix', \"Remove any occurrence of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" found in \\\"/etc/sudoers\\\" file or\nfiles in the \\\"/etc/sudoers.d\\\" directory. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000373-GPOS-00156 '\n tag satisfies: %w(SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157)\n tag gid: 'V-238208 '\n tag rid: 'SV-238208r853405_rule '\n tag stig_id: 'UBTU-20-010014 '\n tag fix_id: 'F-41377r653798_fix '\n tag cci: ['CCI-002038']\n tag nist: ['IA-11']\n\n describe command(\"egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers\") do\n its('stdout.strip') { should be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238208.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Command: `egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers` stdout.strip is expected to be empty","run_time":0.040013,"start_time":"2022-12-08T20:52:23-05:00","resource_class":"command","resource_params":"[\"egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers\"]","resource_id":"Command: `egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers`"}]},{"id":"SV-238209","title":"The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. ","desc":"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access.","descriptions":[{"label":"default","data":"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access."},{"label":"check","data":"Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \"umask\" /etc/login.defs\n\nUMASK 077\n\nIf the \"UMASK\"\nvariable is set to \"000\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\"UMASK\" is not set to \"077\", is commented out, or is missing completely, this is a finding."},{"label":"fix","data":"Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \"UMASK\" parameter in the\n\"/etc/login.defs\" file to match the example below:\n\nUMASK 077"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00228 ","gid":"V-238209 ","rid":"SV-238209r653802_rule ","stig_id":"UBTU-20-010016 ","fix_id":"F-41378r653801_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238209' do\n title \"The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. \"\n desc \"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access. \"\n desc 'check', \"Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \\\"umask\\\" /etc/login.defs\n\nUMASK 077\n\nIf the \\\"UMASK\\\"\nvariable is set to \\\"000\\\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\\\"UMASK\\\" is not set to \\\"077\\\", is commented out, or is missing completely, this is a finding. \"\n desc 'fix', \"Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \\\"UMASK\\\" parameter in the\n\\\"/etc/login.defs\\\" file to match the example below:\n\nUMASK 077 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00228 '\n tag gid: 'V-238209 '\n tag rid: 'SV-238209r653802_rule '\n tag stig_id: 'UBTU-20-010016 '\n tag fix_id: 'F-41378r653801_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe login_defs do\n its('UMASK') { should eq '077' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238209.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"login.defs UMASK is expected to eq \"077\"","run_time":0.000654,"start_time":"2022-12-08T20:52:23-05:00","message":"\nexpected: \"077\"\n got: \"022\"\n\n(compared using ==)\n","resource_class":"login_defs","resource_params":"[]","resource_id":"/etc/login.defs"}]},{"id":"SV-238210","title":"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. ","desc":"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.","descriptions":[{"label":"default","data":"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication."},{"label":"check","data":"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\"libpam-pkcs11\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \"no\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \"pam_pkcs11.so\" in \"/etc/pam.d/common-auth\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\"PubkeyAuthentication yes\" in the \"/etc/ssh/sshd_config\" file."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000105-GPOS-00052 ","satisfies":["SRG-OS-000105-GPOS-00052","SRG-OS-000106-GPOS-00053","SRG-OS-000107-GPOS-00054","SRG-OS-000108-GPOS-00055"],"gid":"V-238210 ","rid":"SV-238210r858517_rule ","stig_id":"UBTU-20-010033 ","fix_id":"F-41379r653804_fix ","cci":["CCI-000765","CCI-000766","CCI-000767","CCI-000768"],"nist":["IA-2 (1)","IA-2 (2)","IA-2 (3)","IA-2 (4)"]},"code":"control 'SV-238210' do\n title \"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. \"\n desc \"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \\\"no\\\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \\\"pam_pkcs11.so\\\" in \\\"/etc/pam.d/common-auth\\\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\\\"PubkeyAuthentication yes\\\" in the \\\"/etc/ssh/sshd_config\\\" file. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000105-GPOS-00052 '\n tag satisfies: %w(SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055)\n tag gid: 'V-238210 '\n tag rid: 'SV-238210r858517_rule '\n tag stig_id: 'UBTU-20-010033 '\n tag fix_id: 'F-41379r653804_fix '\n tag cci: %w(CCI-000765 CCI-000766 CCI-000767 CCI-000768)\n tag nist: ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n\n describe sshd_config do\n its('PubkeyAuthentication') { should cmp 'yes' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238210.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238211","title":"The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. ","desc":"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric.","descriptions":[{"label":"default","data":"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric."},{"label":"check","data":"Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \"UsePAM\"\nis set to \"yes\" in \"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \"UsePAM\" is not set to \"yes\", this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000125-GPOS-00065 ","gid":"V-238211 ","rid":"SV-238211r858519_rule ","stig_id":"UBTU-20-010035 ","fix_id":"F-41380r653807_fix ","cci":["CCI-000877"],"nist":["MA-4 c"]},"code":"control 'SV-238211' do\n title \"The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. \"\n desc \"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \\\"UsePAM\\\"\nis set to \\\"yes\\\" in \\\"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \\\"UsePAM\\\" is not set to \\\"yes\\\", this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000125-GPOS-00065 '\n tag gid: 'V-238211 '\n tag rid: 'SV-238211r858519_rule '\n tag stig_id: 'UBTU-20-010035 '\n tag fix_id: 'F-41380r653807_fix '\n tag cci: ['CCI-000877']\n tag nist: ['MA-4 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe sshd_config do\n its('UsePAM') { should cmp 'yes' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238211.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238212","title":"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic after a period of inactivity. ","desc":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance.","descriptions":[{"label":"default","data":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance."},{"label":"check","data":"Verify that all network connections associated with SSH traffic automatically terminate\nafter a period of inactivity.\n\nVerify the \"ClientAliveCountMax\" variable is set in the\n\"/etc/ssh/sshd_config\" file by performing the following command:\n\n$ sudo grep -ir\nclientalivecountmax /etc/ssh/sshd_config*\n\nClientAliveCountMax 1\n\nIf\n\"ClientAliveCountMax\" is not set, is not set to \"1\", or is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to automatically terminate inactive SSH sessions\nafter a period of inactivity.\n\nModify or append the following line in the\n\"/etc/ssh/sshd_config\" file, replacing \"[Count]\" with a value of 1:\n\n\nClientAliveCountMax 1\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000126-GPOS-00066 ","gid":"V-238212 ","rid":"SV-238212r858521_rule ","stig_id":"UBTU-20-010036 ","fix_id":"F-41381r653810_fix ","cci":["CCI-000879"],"nist":["MA-4 e"]},"code":"control 'SV-238212' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic after a period of inactivity. \"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance. \"\n desc 'check', \"Verify that all network connections associated with SSH traffic automatically terminate\nafter a period of inactivity.\n\nVerify the \\\"ClientAliveCountMax\\\" variable is set in the\n\\\"/etc/ssh/sshd_config\\\" file by performing the following command:\n\n$ sudo grep -ir\nclientalivecountmax /etc/ssh/sshd_config*\n\nClientAliveCountMax 1\n\nIf\n\\\"ClientAliveCountMax\\\" is not set, is not set to \\\"1\\\", or is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate inactive SSH sessions\nafter a period of inactivity.\n\nModify or append the following line in the\n\\\"/etc/ssh/sshd_config\\\" file, replacing \\\"[Count]\\\" with a value of 1:\n\n\nClientAliveCountMax 1\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000126-GPOS-00066 '\n tag gid: 'V-238212 '\n tag rid: 'SV-238212r858521_rule '\n tag stig_id: 'UBTU-20-010036 '\n tag fix_id: 'F-41381r653810_fix '\n tag cci: ['CCI-000879']\n tag nist: ['MA-4 e']\n\n describe sshd_config do\n its('ClientAliveCountMax') { should cmp 1 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238212.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":1.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238213","title":"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic at the end of the session or after 10 minutes of inactivity. ","desc":"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session.","descriptions":[{"label":"default","data":"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session."},{"label":"check","data":"Verify that all network connections associated with SSH traffic are automatically\nterminated at the end of the session or after 10 minutes of inactivity.\n\nVerify the\n\"ClientAliveInterval\" variable is set to a value of \"600\" or less by performing the following\ncommand:\n\n$ sudo grep -ir clientalive /etc/ssh/sshd_config*\n\nClientAliveInterval\n600\n\nIf \"ClientAliveInterval\" does not exist, is not set to a value of \"600\" or less in\n\"/etc/ssh/sshd_config\", or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to automatically terminate all network connections\nassociated with SSH traffic at the end of a session or after a 10-minute period of inactivity.\n\n\nModify or append the following line in the \"/etc/ssh/sshd_config\" file replacing\n\"[Interval]\" with a value of \"600\" or less:\n\nClientAliveInterval 600\n\nRestart the SSH\ndaemon for the changes to take effect:\n\n$ sudo systemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000163-GPOS-00072 ","gid":"V-238213 ","rid":"SV-238213r858523_rule ","stig_id":"UBTU-20-010037 ","fix_id":"F-41382r653813_fix ","cci":["CCI-001133"],"nist":["SC-10"]},"code":"control 'SV-238213' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic at the end of the session or after 10 minutes of inactivity. \"\n desc \"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session. \"\n desc 'check', \"Verify that all network connections associated with SSH traffic are automatically\nterminated at the end of the session or after 10 minutes of inactivity.\n\nVerify the\n\\\"ClientAliveInterval\\\" variable is set to a value of \\\"600\\\" or less by performing the following\ncommand:\n\n$ sudo grep -ir clientalive /etc/ssh/sshd_config*\n\nClientAliveInterval\n600\n\nIf \\\"ClientAliveInterval\\\" does not exist, is not set to a value of \\\"600\\\" or less in\n\\\"/etc/ssh/sshd_config\\\", or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate all network connections\nassociated with SSH traffic at the end of a session or after a 10-minute period of inactivity.\n\n\nModify or append the following line in the \\\"/etc/ssh/sshd_config\\\" file replacing\n\\\"[Interval]\\\" with a value of \\\"600\\\" or less:\n\nClientAliveInterval 600\n\nRestart the SSH\ndaemon for the changes to take effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000163-GPOS-00072 '\n tag gid: 'V-238213 '\n tag rid: 'SV-238213r858523_rule '\n tag stig_id: 'UBTU-20-010037 '\n tag fix_id: 'F-41382r653813_fix '\n tag cci: ['CCI-001133']\n tag nist: ['SC-10']\n\n describe sshd_config do\n its('ClientAliveInterval') { should cmp 600 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238213.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":1.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238214","title":"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. ","desc":"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"","descriptions":[{"label":"default","data":"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\""},{"label":"check","data":"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding."},{"label":"fix","data":"Set the parameter Banner in \"/etc/ssh/sshd_config\" to point to the \"/etc/issue.net\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000228-GPOS-00088 ","satisfies":["SRG-OS-000228-GPOS-00088","SRG-OS-000023-GPOS-00006"],"gid":"V-238214 ","rid":"SV-238214r858525_rule ","stig_id":"UBTU-20-010038 ","fix_id":"F-41383r653816_fix ","cci":["CCI-000048","CCI-001384","CCI-001385","CCI-001386","CCI-001387","CCI-001388"],"nist":["AC-8 a","AC-8 c 1","AC-8 c 2","AC-8 c 3"]},"code":"control 'SV-238214' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. \"\n desc \"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\"\n\n \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\\\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Set the parameter Banner in \\\"/etc/ssh/sshd_config\\\" to point to the \\\"/etc/issue.net\\\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000228-GPOS-00088 '\n tag satisfies: %w(SRG-OS-000228-GPOS-00088 SRG-OS-000023-GPOS-00006)\n tag gid: 'V-238214 '\n tag rid: 'SV-238214r858525_rule '\n tag stig_id: 'UBTU-20-010038 '\n tag fix_id: 'F-41383r653816_fix '\n tag cci: %w(CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388)\n tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3']\n\n if !service('sshd').enabled? or !package('sshd-server').installed? or virtualization.system.eql?('docker')\n impact 0.0\n describe 'This control is Not Applicable' do\n if virtualization.system.eql?('docker')\n skip 'This control is Not Applicable in a container and/or the SSHD server is not enabled'\n else\n skip 'This control is Not Applicable since the SSHD server is not enabled and/or installed'\n end\n end\n else\n banner_text = input('banner_text')\n banner_files = [sshd_config.banner].flatten\n\n banner_files.each do |banner_file|\n if banner_file.nil?\n describe 'The SSHD Banner is not set' do\n subject { banner_file.nil? }\n it { should be false }\n end\n end\n if !banner_file.nil? && !banner_file.match(/none/i).nil?\n describe 'The SSHD Banner is disabled' do\n subject { banner_file.match(/none/i).nil? }\n it { should be true }\n end\n end\n if !banner_file.nil? && banner_file.match(/none/i).nil? && !file(banner_file).exist?\n describe 'The SSHD Banner is set, but, the file does not exist' do\n subject { file(banner_file).exist? }\n it { should be true }\n end\n end\n next unless !banner_file.nil? && banner_file.match(/none/i).nil? && file(banner_file).exist?\n\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n subject { file(banner_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238214.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"This control is Not Applicable","run_time":1.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"","skip_message":"This control is Not Applicable in a container and/or the SSHD server is not enabled","resource_class":"Object","resource_params":"[]","resource_id":"This control is Not Applicable"}]},{"id":"SV-238215","title":"The Ubuntu operating system must use SSH to protect the confidentiality and integrity of\ntransmitted information. ","desc":"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.","descriptions":[{"label":"default","data":"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa."},{"label":"check","data":"Verify the SSH package is installed with the following command:\n\n$ sudo dpkg -l | grep openssh\n\nii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access\nto remote machines\nii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server,\nfor secure access from remote machines\nii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64\nsecure shell (SSH) sftp server module, for SFTP access from remote machines\n\nIf the\n\"openssh\" server package is not installed, this is a finding.\n\nVerify the \"sshd.service\" is\nloaded and active with the following command:\n\n$ sudo systemctl status sshd.service | egrep\n-i \"(active|loaded)\"\n Loaded: loaded (/lib/systemd/system/ssh.service; enabled;\nvendor preset: enabled)\n Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1\nweeks 3 days ago\n\nIf \"sshd.service\" is not active or loaded, this is a finding."},{"label":"fix","data":"Install the \"ssh\" meta-package on the system with the following command:\n\n$ sudo apt install\nssh\n\nEnable the \"ssh\" service to start automatically on reboot with the following command:\n\n\n$ sudo systemctl enable sshd.service\n\nensure the \"ssh\" service is running\n\n$ sudo\nsystemctl start sshd.service"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000423-GPOS-00187 ","satisfies":["SRG-OS-000423-GPOS-00187","SRG-OS-000425-GPOS-00189","SRG-OS-000426-GPOS-00190"],"gid":"V-238215 ","rid":"SV-238215r853406_rule ","stig_id":"UBTU-20-010042 ","fix_id":"F-41384r653819_fix ","cci":["CCI-002418","CCI-002420","CCI-002422"],"nist":["SC-8","SC-8 (2)"]},"code":"control 'SV-238215' do\n title \"The Ubuntu operating system must use SSH to protect the confidentiality and integrity of\ntransmitted information. \"\n desc \"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.\n\n \"\n desc 'check', \"Verify the SSH package is installed with the following command:\n\n$ sudo dpkg -l | grep openssh\n\nii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access\nto remote machines\nii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server,\nfor secure access from remote machines\nii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64\nsecure shell (SSH) sftp server module, for SFTP access from remote machines\n\nIf the\n\\\"openssh\\\" server package is not installed, this is a finding.\n\nVerify the \\\"sshd.service\\\" is\nloaded and active with the following command:\n\n$ sudo systemctl status sshd.service | egrep\n-i \\\"(active|loaded)\\\"\n Loaded: loaded (/lib/systemd/system/ssh.service; enabled;\nvendor preset: enabled)\n Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1\nweeks 3 days ago\n\nIf \\\"sshd.service\\\" is not active or loaded, this is a finding. \"\n desc 'fix', \"Install the \\\"ssh\\\" meta-package on the system with the following command:\n\n$ sudo apt install\nssh\n\nEnable the \\\"ssh\\\" service to start automatically on reboot with the following command:\n\n\n$ sudo systemctl enable sshd.service\n\nensure the \\\"ssh\\\" service is running\n\n$ sudo\nsystemctl start sshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000423-GPOS-00187 '\n tag satisfies: %w(SRG-OS-000423-GPOS-00187 SRG-OS-000425-GPOS-00189 SRG-OS-000426-GPOS-00190)\n tag gid: 'V-238215 '\n tag rid: 'SV-238215r853406_rule '\n tag stig_id: 'UBTU-20-010042 '\n tag fix_id: 'F-41384r653819_fix '\n tag cci: %w(CCI-002418 CCI-002420 CCI-002422)\n tag nist: ['SC-8', 'SC-8 (2)']\n\n describe package('openssh-client') do\n it { should be_installed }\n end\n\n describe package('openssh-server') do\n it { should be_installed }\n end\n\n describe package('openssh-sftp-server') do\n it { should be_installed }\n end\n\n describe service('sshd') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238215.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package openssh-client is expected to be installed","run_time":0.047026,"start_time":"2022-12-08T20:52:23-05:00","message":"expected that `System Package openssh-client` is installed","resource_class":"package","resource_params":"[\"openssh-client\"]","resource_id":"openssh-client"},{"status":"failed","code_desc":"System Package openssh-server is expected to be installed","run_time":0.053271,"start_time":"2022-12-08T20:52:23-05:00","message":"expected that `System Package openssh-server` is installed","resource_class":"package","resource_params":"[\"openssh-server\"]","resource_id":"openssh-server"},{"status":"failed","code_desc":"System Package openssh-sftp-server is expected to be installed","run_time":0.044125,"start_time":"2022-12-08T20:52:23-05:00","message":"expected that `System Package openssh-sftp-server` is installed","resource_class":"package","resource_params":"[\"openssh-sftp-server\"]","resource_id":"openssh-sftp-server"},{"status":"failed","code_desc":"Service sshd is expected to be enabled","run_time":0.000299,"start_time":"2022-12-08T20:52:23-05:00","message":"expected that `Service sshd` is enabled","resource_class":"service","resource_params":"[\"sshd\"]","resource_id":"sshd"},{"status":"failed","code_desc":"Service sshd is expected to be installed","run_time":0.000182,"start_time":"2022-12-08T20:52:23-05:00","message":"expected that `Service sshd` is installed","resource_class":"service","resource_params":"[\"sshd\"]","resource_id":"sshd"},{"status":"failed","code_desc":"Service sshd is expected to be running","run_time":0.00018,"start_time":"2022-12-08T20:52:23-05:00","message":"expected that `Service sshd` is running","resource_class":"service","resource_params":"[\"sshd\"]","resource_id":"sshd"}]},{"id":"SV-238216","title":"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. ","desc":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.","descriptions":[{"label":"default","data":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes."},{"label":"check","data":"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \"hmac-sha2-512\" or\n\"hmac-sha2-256\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000424-GPOS-00188 ","satisfies":["SRG-OS-000424-GPOS-00188","SRG-OS-000250-GPOS-00093","SRG-OS-000393-GPOS-00173"],"gid":"V-238216 ","rid":"SV-238216r860820_rule ","stig_id":"UBTU-20-010043 ","fix_id":"F-41385r653822_fix ","cci":["CCI-001453","CCI-002421","CCI-002890"],"nist":["AC-17 (2)","SC-8 (1)","MA-4 (6)"]},"code":"control 'SV-238216' do\n title \"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \\\"hmac-sha2-512\\\" or\n\\\"hmac-sha2-256\\\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173)\n tag gid: 'V-238216 '\n tag rid: 'SV-238216r860820_rule '\n tag stig_id: 'UBTU-20-010043 '\n tag fix_id: 'F-41385r653822_fix '\n tag cci: %w(CCI-001453 CCI-002421 CCI-002890)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n @macs_array = inspec.sshd_config.params['macs']\n\n @macs_array = @macs_array.first.split(',') unless @macs_array.nil?\n\n describe @macs_array do\n it { should be_in %w(hmac-sha2-256 hmac-sha2-512) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238216.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"FIPS validation in a container must be reviewed manually","run_time":7.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"","skip_message":"FIPS validation in a container must be reviewed manually","resource_class":"Object","resource_params":"[]","resource_id":"FIPS validation in a container must be reviewed manually"}]},{"id":"SV-238217","title":"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. ","desc":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \"strongest to\nweakest\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.","descriptions":[{"label":"default","data":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \"strongest to\nweakest\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections."},{"label":"check","data":"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \"aes256-ctr\",\n\"aes192-ctr\", or \"aes128-ctr\" are listed, the order differs from the example above, the\n\"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000424-GPOS-00188 ","satisfies":["SRG-OS-000424-GPOS-00188","SRG-OS-000033-GPOS-00014","SRG-OS-000394-GPOS-00174"],"gid":"V-238217 ","rid":"SV-238217r860821_rule ","stig_id":"UBTU-20-010044 ","fix_id":"F-41386r653825_fix ","cci":["CCI-000068","CCI-002421","CCI-003123"],"nist":["AC-17 (2)","SC-8 (1)","MA-4 (6)"]},"code":"control 'SV-238217' do\n title \"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \\\"strongest to\nweakest\\\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \\\"aes256-ctr\\\",\n\\\"aes192-ctr\\\", or \\\"aes128-ctr\\\" are listed, the order differs from the example above, the\n\\\"Ciphers\\\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000033-GPOS-00014 SRG-OS-000394-GPOS-00174)\n tag gid: 'V-238217 '\n tag rid: 'SV-238217r860821_rule '\n tag stig_id: 'UBTU-20-010044 '\n tag fix_id: 'F-41386r653825_fix '\n tag cci: %w(CCI-000068 CCI-002421 CCI-003123)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n @ciphers_array = inspec.sshd_config.params['ciphers']\n\n @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil?\n\n describe @ciphers_array do\n it { should be_in %w(aes256-ctr aes192-ctr aes128-ctr) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238217.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"FIPS validation in a container must be reviewed manually","run_time":5.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"","skip_message":"FIPS validation in a container must be reviewed manually","resource_class":"Object","resource_params":"[]","resource_id":"FIPS validation in a container must be reviewed manually"}]},{"id":"SV-238218","title":"The Ubuntu operating system must not allow unattended or automatic login via SSH. ","desc":"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security.","descriptions":[{"label":"default","data":"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security."},{"label":"check","data":"Verify that unattended or automatic login via SSH is disabled with the following command:\n\n$\negrep -r '(Permit(.*?)(Passwords|Environment))'\n/etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf\n\"PermitEmptyPasswords\" or \"PermitUserEnvironment\" keywords are not set to \"no\", are\nmissing completely, or are commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or\nautomatic login to the system.\n\nAdd or edit the following lines in the\n\"/etc/ssh/sshd_config\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00229 ","gid":"V-238218 ","rid":"SV-238218r858531_rule ","stig_id":"UBTU-20-010047 ","fix_id":"F-41387r653828_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238218' do\n title 'The Ubuntu operating system must not allow unattended or automatic login via SSH. '\n desc \"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security. \"\n desc 'check', \"Verify that unattended or automatic login via SSH is disabled with the following command:\n\n$\negrep -r '(Permit(.*?)(Passwords|Environment))'\n/etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf\n\\\"PermitEmptyPasswords\\\" or \\\"PermitUserEnvironment\\\" keywords are not set to \\\"no\\\", are\nmissing completely, or are commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or\nautomatic login to the system.\n\nAdd or edit the following lines in the\n\\\"/etc/ssh/sshd_config\\\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00229 '\n tag gid: 'V-238218 '\n tag rid: 'SV-238218r858531_rule '\n tag stig_id: 'UBTU-20-010047 '\n tag fix_id: 'F-41387r653828_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('PermitEmptyPasswords') { should cmp 'no' }\n its('PermitUserEnvironment') { should cmp 'no' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238218.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":5.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238219","title":"The Ubuntu operating system must be configured so that remote X connections are disabled,\nunless to fulfill documented and validated mission requirements. ","desc":"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs.","descriptions":[{"label":"default","data":"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs."},{"label":"check","data":"Verify that X11Forwarding is disabled with the following command:\n\n$ grep -ir\nx11forwarding /etc/ssh/sshd_config* | grep -v \"^#\"\n\nX11Forwarding no\n\nIf the\n\"X11Forwarding\" keyword is set to \"yes\" and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement or is missing, this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\"\nkeyword and set its value to \"no\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding\nno\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238219 ","rid":"SV-238219r858533_rule ","stig_id":"UBTU-20-010048 ","fix_id":"F-41388r653831_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238219' do\n title \"The Ubuntu operating system must be configured so that remote X connections are disabled,\nunless to fulfill documented and validated mission requirements. \"\n desc \"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs. \"\n desc 'check', \"Verify that X11Forwarding is disabled with the following command:\n\n$ grep -ir\nx11forwarding /etc/ssh/sshd_config* | grep -v \\\"^#\\\"\n\nX11Forwarding no\n\nIf the\n\\\"X11Forwarding\\\" keyword is set to \\\"yes\\\" and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement or is missing, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11Forwarding\\\"\nkeyword and set its value to \\\"no\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding\nno\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238219 '\n tag rid: 'SV-238219r858533_rule '\n tag stig_id: 'UBTU-20-010048 '\n tag fix_id: 'F-41388r653831_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('X11Forwarding') { should cmp 'no' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238219.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":4.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238220","title":"The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy\ndisplay. ","desc":"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display.","descriptions":[{"label":"default","data":"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display."},{"label":"check","data":"Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the\nSSH X11UseLocalhost setting with the following command:\n\n$ sudo grep -ir x11uselocalhost\n/etc/ssh/sshd_config*\nX11UseLocalhost yes\n\nIf the \"X11UseLocalhost\" keyword is set to\n\"no\", is missing, or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding."},{"label":"fix","data":"Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit\nthe \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11UseLocalhost\"\nkeyword and set its value to \"yes\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\n\nX11UseLocalhost yes\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238220 ","rid":"SV-238220r858535_rule ","stig_id":"UBTU-20-010049 ","fix_id":"F-41389r653834_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238220' do\n title \"The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy\ndisplay. \"\n desc \"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display. \"\n desc 'check', \"Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the\nSSH X11UseLocalhost setting with the following command:\n\n$ sudo grep -ir x11uselocalhost\n/etc/ssh/sshd_config*\nX11UseLocalhost yes\n\nIf the \\\"X11UseLocalhost\\\" keyword is set to\n\\\"no\\\", is missing, or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit\nthe \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11UseLocalhost\\\"\nkeyword and set its value to \\\"yes\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\n\nX11UseLocalhost yes\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238220 '\n tag rid: 'SV-238220r858535_rule '\n tag stig_id: 'UBTU-20-010049 '\n tag fix_id: 'F-41389r653834_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('X11UseLocalhost') { should cmp 'yes' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238220.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":4.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238221","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nupper-case character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none upper-case character be used.\n\nDetermine if the field \"ucredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"ucredit\"\n/etc/security/pwquality.conf\nucredit=-1\n\nIf the \"ucredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Add or update the \"/etc/security/pwquality.conf\" file to contain the \"ucredit\" parameter:\n\n\nucredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000069-GPOS-00037 ","gid":"V-238221 ","rid":"SV-238221r653838_rule ","stig_id":"UBTU-20-010050 ","fix_id":"F-41390r653837_fix ","cci":["CCI-000192"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238221' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nupper-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none upper-case character be used.\n\nDetermine if the field \\\"ucredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"ucredit\\\"\n/etc/security/pwquality.conf\nucredit=-1\n\nIf the \\\"ucredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"ucredit\\\" parameter:\n\n\nucredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000069-GPOS-00037 '\n tag gid: 'V-238221 '\n tag rid: 'SV-238221r653838_rule '\n tag stig_id: 'UBTU-20-010050 '\n tag fix_id: 'F-41390r653837_fix '\n tag cci: ['CCI-000192']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ucredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238221.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.001862,"start_time":"2022-12-08T20:52:23-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238222","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nlower-case character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none lower-case character be used.\n\nDetermine if the field \"lcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"lcredit\"\n/etc/security/pwquality.conf\nlcredit=-1\n\nIf the \"lcredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Add or update the \"/etc/security/pwquality.conf\" file to contain the \"lcredit\" parameter:\n\n\nlcredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000070-GPOS-00038 ","gid":"V-238222 ","rid":"SV-238222r653841_rule ","stig_id":"UBTU-20-010051 ","fix_id":"F-41391r653840_fix ","cci":["CCI-000193"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238222' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nlower-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none lower-case character be used.\n\nDetermine if the field \\\"lcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"lcredit\\\"\n/etc/security/pwquality.conf\nlcredit=-1\n\nIf the \\\"lcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"lcredit\\\" parameter:\n\n\nlcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000070-GPOS-00038 '\n tag gid: 'V-238222 '\n tag rid: 'SV-238222r653841_rule '\n tag stig_id: 'UBTU-20-010051 '\n tag fix_id: 'F-41391r653840_fix '\n tag cci: ['CCI-000193']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('lcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238222.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.000137,"start_time":"2022-12-08T20:52:23-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238223","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \"dcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"dcredit\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \"dcredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \"/etc/security/pwquality.conf\"\nfile to contain the \"dcredit\" parameter:\n\ndcredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000071-GPOS-00039 ","gid":"V-238223 ","rid":"SV-238223r653844_rule ","stig_id":"UBTU-20-010052 ","fix_id":"F-41392r653843_fix ","cci":["CCI-000194"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238223' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \\\"dcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"dcredit\\\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \\\"dcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\"\nfile to contain the \\\"dcredit\\\" parameter:\n\ndcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000071-GPOS-00039 '\n tag gid: 'V-238223 '\n tag rid: 'SV-238223r653844_rule '\n tag stig_id: 'UBTU-20-010052 '\n tag fix_id: 'F-41392r653843_fix '\n tag cci: ['CCI-000194']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238223.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.000134,"start_time":"2022-12-08T20:52:23-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238224","title":"The Ubuntu operating system must require the change of at least 8 characters when passwords\nare changed. ","desc":"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters.","descriptions":[{"label":"default","data":"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters."},{"label":"check","data":"Verify the Ubuntu operating system requires the change of at least eight characters when\npasswords are changed.\n\nDetermine if the field \"difok\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"difok\"\n/etc/security/pwquality.conf\ndifok=8\n\nIf the \"difok\" parameter is less than \"8\" or is\ncommented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to require the change of at least eight characters when\npasswords are changed.\n\nAdd or update the \"/etc/security/pwquality.conf\" file to include\nthe \"difok=8\" parameter:\n\ndifok=8"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000072-GPOS-00040 ","gid":"V-238224 ","rid":"SV-238224r653847_rule ","stig_id":"UBTU-20-010053 ","fix_id":"F-41393r653846_fix ","cci":["CCI-000195"],"nist":["IA-5 (1) (b)"]},"code":"control 'SV-238224' do\n title \"The Ubuntu operating system must require the change of at least 8 characters when passwords\nare changed. \"\n desc \"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters. \"\n desc 'check', \"Verify the Ubuntu operating system requires the change of at least eight characters when\npasswords are changed.\n\nDetermine if the field \\\"difok\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"difok\\\"\n/etc/security/pwquality.conf\ndifok=8\n\nIf the \\\"difok\\\" parameter is less than \\\"8\\\" or is\ncommented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to require the change of at least eight characters when\npasswords are changed.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\" file to include\nthe \\\"difok=8\\\" parameter:\n\ndifok=8 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000072-GPOS-00040 '\n tag gid: 'V-238224 '\n tag rid: 'SV-238224r653847_rule '\n tag stig_id: 'UBTU-20-010053 '\n tag fix_id: 'F-41393r653846_fix '\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('difok') { should cmp >= '8' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238224.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.00013,"start_time":"2022-12-08T20:52:23-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238225","title":"The Ubuntu operating system must enforce a minimum 15-character password length. ","desc":"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password.","descriptions":[{"label":"default","data":"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password."},{"label":"check","data":"Verify the pwquality configuration file enforces a minimum 15-character password length by\nrunning the following command:\n\n$ grep -i minlen\n/etc/security/pwquality.conf\nminlen=15\n\nIf \"minlen\" parameter value is not \"15\" or\nhigher or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a minimum 15-character password length.\n\n\nAdd or modify the \"minlen\" parameter value to the \"/etc/security/pwquality.conf\" file:\n\n\nminlen=15"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000078-GPOS-00046 ","gid":"V-238225 ","rid":"SV-238225r832942_rule ","stig_id":"UBTU-20-010054 ","fix_id":"F-41394r653849_fix ","cci":["CCI-000205"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238225' do\n title 'The Ubuntu operating system must enforce a minimum 15-character password length. '\n desc \"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password. \"\n desc 'check', \"Verify the pwquality configuration file enforces a minimum 15-character password length by\nrunning the following command:\n\n$ grep -i minlen\n/etc/security/pwquality.conf\nminlen=15\n\nIf \\\"minlen\\\" parameter value is not \\\"15\\\" or\nhigher or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a minimum 15-character password length.\n\n\nAdd or modify the \\\"minlen\\\" parameter value to the \\\"/etc/security/pwquality.conf\\\" file:\n\n\nminlen=15 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000078-GPOS-00046 '\n tag gid: 'V-238225 '\n tag rid: 'SV-238225r832942_rule '\n tag stig_id: 'UBTU-20-010054 '\n tag fix_id: 'F-41394r653849_fix '\n tag cci: ['CCI-000205']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('minlen') { should cmp >= '15' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238225.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.000125,"start_time":"2022-12-08T20:52:23-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238226","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nspecial character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *."},{"label":"check","data":"Determine if the field \"ocredit\" is set in the \"/etc/security/pwquality.conf\" file with the\nfollowing command:\n\n$ grep -i \"ocredit\" /etc/security/pwquality.conf\nocredit=-1\n\nIf\nthe \"ocredit\" parameter is greater than \"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one special character be used.\n\nAdd or update the following line in the\n\"/etc/security/pwquality.conf\" file to include the \"ocredit=-1\" parameter:\n\n\nocredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000266-GPOS-00101 ","gid":"V-238226 ","rid":"SV-238226r653853_rule ","stig_id":"UBTU-20-010055 ","fix_id":"F-41395r653852_fix ","cci":["CCI-001619"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238226' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nspecial character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *. \"\n desc 'check', \"Determine if the field \\\"ocredit\\\" is set in the \\\"/etc/security/pwquality.conf\\\" file with the\nfollowing command:\n\n$ grep -i \\\"ocredit\\\" /etc/security/pwquality.conf\nocredit=-1\n\nIf\nthe \\\"ocredit\\\" parameter is greater than \\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one special character be used.\n\nAdd or update the following line in the\n\\\"/etc/security/pwquality.conf\\\" file to include the \\\"ocredit=-1\\\" parameter:\n\n\nocredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000266-GPOS-00101 '\n tag gid: 'V-238226 '\n tag rid: 'SV-238226r653853_rule '\n tag stig_id: 'UBTU-20-010055 '\n tag fix_id: 'F-41395r653852_fix '\n tag cci: ['CCI-001619']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ocredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238226.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.000122,"start_time":"2022-12-08T20:52:23-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238227","title":"The Ubuntu operating system must prevent the use of dictionary words for passwords. ","desc":"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks.","descriptions":[{"label":"default","data":"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks."},{"label":"check","data":"Verify the Ubuntu operating system uses the \"cracklib\" library to prevent the use of\ndictionary words with the following command:\n\n$ grep dictcheck\n/etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \"dictcheck\" parameter is not set to\n\"1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.\n\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file to include the\n\"dictcheck=1\" parameter:\n\ndictcheck=1"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00225 ","gid":"V-238227 ","rid":"SV-238227r653856_rule ","stig_id":"UBTU-20-010056 ","fix_id":"F-41396r653855_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238227' do\n title 'The Ubuntu operating system must prevent the use of dictionary words for passwords. '\n desc \"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks. \"\n desc 'check', \"Verify the Ubuntu operating system uses the \\\"cracklib\\\" library to prevent the use of\ndictionary words with the following command:\n\n$ grep dictcheck\n/etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \\\"dictcheck\\\" parameter is not set to\n\\\"1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.\n\n\nAdd or update the following line in the \\\"/etc/security/pwquality.conf\\\" file to include the\n\\\"dictcheck=1\\\" parameter:\n\ndictcheck=1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238227 '\n tag rid: 'SV-238227r653856_rule '\n tag stig_id: 'UBTU-20-010056 '\n tag fix_id: 'F-41396r653855_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dictcheck') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238227.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.000122,"start_time":"2022-12-08T20:52:23-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238228","title":"The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem."},{"label":"check","data":"Verify the Ubuntu operating system has the \"libpam-pwquality\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \"libpam-pwquality\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \"pwquality\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \"enforcing\" is not \"1\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \"pwquality\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\",\nthis is a finding."},{"label":"fix","data":"Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n\n\nInstall the \"pam_pwquality\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \"/etc/security/pwquality.conf\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\"/etc/pam.d/common-password\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \"retry\" should be between \"1\" and\n\"3\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00225 ","gid":"V-238228 ","rid":"SV-238228r653859_rule ","stig_id":"UBTU-20-010057 ","fix_id":"F-41397r653858_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238228' do\n title \"The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \\\"pwquality\\\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem. \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"libpam-pwquality\\\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \\\"libpam-pwquality\\\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \\\"pwquality\\\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \\\"enforcing\\\" is not \\\"1\\\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \\\"pwquality\\\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \\\"retry\\\" is set to \\\"0\\\" or greater than \\\"3\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the operating system to use \\\"pwquality\\\" to enforce password complexity rules.\n\n\nInstall the \\\"pam_pwquality\\\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \\\"/etc/security/pwquality.conf\\\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\\\"/etc/pam.d/common-password\\\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \\\"retry\\\" should be between \\\"1\\\" and\n\\\"3\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238228 '\n tag rid: 'SV-238228r653859_rule '\n tag stig_id: 'UBTU-20-010057 '\n tag fix_id: 'F-41397r653858_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pwquality') do\n it { should be_installed }\n end\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('enforcing') { should cmp 1 }\n end\n\n describe file('/etc/pam.d/common-password') do\n its('content') { should match '^password\\s+requisite\\s+pam_pwquality.so\\s+retry=3\\s+enforce_for_root$' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238228.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":6.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238229","title":"The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. ","desc":"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement.","descriptions":[{"label":"default","data":"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement."},{"label":"check","data":"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \"use_pkcs11_module\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\"\nand then ensure \"ca\" is enabled in \"cert_policy\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to \"ca\" or the line is commented out,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \"use_pkcs11_module\" in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" and ensure \"ca\" is enabled in \"cert_policy\".\n\nAdd or\nupdate the \"cert_policy\" to ensure \"ca\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \"/etc/pam_pkcs11/\" directory and an\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify\naccordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000066-GPOS-00034 ","gid":"V-238229 ","rid":"SV-238229r653862_rule ","stig_id":"UBTU-20-010060 ","fix_id":"F-41398r653861_fix ","cci":["CCI-000185"],"nist":["IA-5 (2) (b) (1)"]},"code":"control 'SV-238229' do\n title \"The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. \"\n desc \"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement. \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \\\"use_pkcs11_module\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\"\nand then ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to \\\"ca\\\" or the line is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \\\"use_pkcs11_module\\\" in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" and ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\".\n\nAdd or\nupdate the \\\"cert_policy\\\" to ensure \\\"ca\\\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000066-GPOS-00034 '\n tag gid: 'V-238229 '\n tag rid: 'SV-238229r653862_rule '\n tag stig_id: 'UBTU-20-010060 '\n tag fix_id: 'F-41398r653861_fix '\n tag cci: ['CCI-000185']\n tag nist: ['IA-5 (2) (b) (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('use_pkcs11_module') { should_not be_nil }\n its('cert_policy') { should include 'ca' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238229.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238230","title":"The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. ","desc":"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management).","descriptions":[{"label":"default","data":"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management)."},{"label":"check","data":"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\"libpam-pkcs11\" package is not installed, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \"libpam-pkcs11\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000375-GPOS-00160 ","gid":"V-238230 ","rid":"SV-238230r853410_rule ","stig_id":"UBTU-20-010063 ","fix_id":"F-41399r653864_fix ","cci":["CCI-001948"],"nist":["IA-2 (11)"]},"code":"control 'SV-238230' do\n title \"The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. \"\n desc \"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management). \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \\\"libpam-pkcs11\\\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000375-GPOS-00160 '\n tag gid: 'V-238230 '\n tag rid: 'SV-238230r853410_rule '\n tag stig_id: 'UBTU-20-010063 '\n tag fix_id: 'F-41399r653864_fix '\n tag cci: ['CCI-001948']\n tag nist: ['IA-2 (11)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238230.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238231","title":"The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. ","desc":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.","descriptions":[{"label":"default","data":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems."},{"label":"check","data":"Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \"opensc-pcks11\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \"opensc-pcks11\" package is not installed,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to accept PIV credentials.\n\nInstall the\n\"opensc-pkcs11\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000376-GPOS-00161 ","gid":"V-238231 ","rid":"SV-238231r853411_rule ","stig_id":"UBTU-20-010064 ","fix_id":"F-41400r653867_fix ","cci":["CCI-001953"],"nist":["IA-2 (12)"]},"code":"control 'SV-238231' do\n title 'The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. '\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \\\"opensc-pcks11\\\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \\\"opensc-pcks11\\\" package is not installed,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to accept PIV credentials.\n\nInstall the\n\\\"opensc-pkcs11\\\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000376-GPOS-00161 '\n tag gid: 'V-238231 '\n tag rid: 'SV-238231r853411_rule '\n tag stig_id: 'UBTU-20-010064 '\n tag fix_id: 'F-41400r653867_fix '\n tag cci: ['CCI-001953']\n tag nist: ['IA-2 (12)']\n\n describe package('opensc-pkcs11') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238231.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package opensc-pkcs11 is expected to be installed","run_time":0.04233,"start_time":"2022-12-08T20:52:23-05:00","message":"expected that `System Package opensc-pkcs11` is installed","resource_class":"package","resource_params":"[\"opensc-pkcs11\"]","resource_id":"opensc-pkcs11"}]},{"id":"SV-238232","title":"The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. ","desc":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.","descriptions":[{"label":"default","data":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems."},{"label":"check","data":"Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to\n\"ocsp_on\", or the line is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \"cert_policy\" lines in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000377-GPOS-00162 ","gid":"V-238232 ","rid":"SV-238232r853412_rule ","stig_id":"UBTU-20-010065 ","fix_id":"F-41401r653870_fix ","cci":["CCI-001954"],"nist":["IA-2 (12)"]},"code":"control 'SV-238232' do\n title \"The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. \"\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to\n\\\"ocsp_on\\\", or the line is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \\\"cert_policy\\\" lines in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" to include \\\"ocsp_on\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000377-GPOS-00162 '\n tag gid: 'V-238232 '\n tag rid: 'SV-238232r853412_rule '\n tag stig_id: 'UBTU-20-010065 '\n tag fix_id: 'F-41401r653870_fix '\n tag cci: ['CCI-001954']\n tag nist: ['IA-2 (12)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'ocsp_on' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238232.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":7.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238233","title":"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. ","desc":"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates).","descriptions":[{"label":"default","data":"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates)."},{"label":"check","data":"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \"crl_offline\" or \"crl_auto\" is\npart of the \"cert_policy\" definition in \"/etc/pam_pkcs11/pam_pkcs11.conf\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\"cert_policy\" is not set to include \"crl_auto\" or \"crl_offline\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\"cert_policy\" option in \"/etc/pam/_pkcs11/pam_pkcs11.conf\" to include \"crl_auto\" or\n\"crl_offline\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \"/etc/pam_pkcs11/\" directory and an \"/etc/pam_pkcs11/pam_pkcs11.conf\", find\nan example to copy into place and modify accordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000384-GPOS-00167 ","gid":"V-238233 ","rid":"SV-238233r853413_rule ","stig_id":"UBTU-20-010066 ","fix_id":"F-41402r653873_fix ","cci":["CCI-001991"],"nist":["IA-5 (2) (d)"]},"code":"control 'SV-238233' do\n title \"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. \"\n desc \"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates). \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \\\"crl_offline\\\" or \\\"crl_auto\\\" is\npart of the \\\"cert_policy\\\" definition in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\\\"cert_policy\\\" is not set to include \\\"crl_auto\\\" or \\\"crl_offline\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\\\"cert_policy\\\" option in \\\"/etc/pam/_pkcs11/pam_pkcs11.conf\\\" to include \\\"crl_auto\\\" or\n\\\"crl_offline\\\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \\\"/etc/pam_pkcs11/\\\" directory and an \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find\nan example to copy into place and modify accordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000384-GPOS-00167 '\n tag gid: 'V-238233 '\n tag rid: 'SV-238233r853413_rule '\n tag stig_id: 'UBTU-20-010066 '\n tag fix_id: 'F-41402r653873_fix '\n tag cci: ['CCI-001991']\n tag nist: ['IA-5 (2) (d)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe.one do\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_auto' }\n end\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_offline' }\n end\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238233.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238234","title":"The Ubuntu operating system must prohibit password reuse for a minimum of five generations. ","desc":"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.","descriptions":[{"label":"default","data":"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements."},{"label":"check","data":"Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \"remember\" parameter value is not greater\nthan or equal to \"5\", is commented out, or is not set at all, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \"remember\" parameter value to the following line in\n\"/etc/pam.d/common-password\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000077-GPOS-00045 ","satisfies":["SRG-OS-000077-GPOS-00045","SRG-OS-000073-GPOS-00041"],"gid":"V-238234 ","rid":"SV-238234r832945_rule ","stig_id":"UBTU-20-010070 ","fix_id":"F-41403r832944_fix ","cci":["CCI-000196","CCI-000200"],"nist":["IA-5 (1) (c)","IA-5 (1) (e)"]},"code":"control 'SV-238234' do\n title 'The Ubuntu operating system must prohibit password reuse for a minimum of five generations. '\n desc \"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \\\"remember\\\" parameter value is not greater\nthan or equal to \\\"5\\\", is commented out, or is not set at all, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \\\"remember\\\" parameter value to the following line in\n\\\"/etc/pam.d/common-password\\\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000077-GPOS-00045 '\n tag satisfies: %w(SRG-OS-000077-GPOS-00045 SRG-OS-000073-GPOS-00041)\n tag gid: 'V-238234 '\n tag rid: 'SV-238234r832945_rule '\n tag stig_id: 'UBTU-20-010070 '\n tag fix_id: 'F-41403r832944_fix '\n tag cci: %w(CCI-000196 CCI-000200)\n tag nist: ['IA-5 (1) (c)', 'IA-5 (1) (e)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-password') do\n it { should exist }\n end\n\n describe command(\"grep -i remember /etc/pam.d/common-password | sed 's/.*remember=\\\\([^ ]*\\\\).*/\\\\1/'\") do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should cmp >= 5 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238234.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238235","title":"The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. ","desc":"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.","descriptions":[{"label":"default","data":"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account."},{"label":"check","data":"Verify that the Ubuntu operating system utilizes the \"pam_faillock\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \"/etc/pam.d/common-auth\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \"silent\" keyword is missing or commented out, this is a finding.\nIf the \"audit\"\nkeyword is missing or commented out, this is a finding.\nIf the \"deny\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \"fail_interval\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\"unlock_time\" keyword is missing, commented out, or not set to 0, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to utilize the \"pam_faillock\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \"auth\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \"pam_faillock\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000329-GPOS-00128 ","satisfies":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"gid":"V-238235 ","rid":"SV-238235r853414_rule ","stig_id":"UBTU-20-010072 ","fix_id":"F-41404r802382_fix ","cci":["CCI-000044","CCI-002238"],"nist":["AC-7 a","AC-7 b"]},"code":"control 'SV-238235' do\n title \"The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. \"\n desc \"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.\n\n \"\n desc 'check', \"Verify that the Ubuntu operating system utilizes the \\\"pam_faillock\\\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \\\"/etc/pam.d/common-auth\\\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \\\"silent\\\" keyword is missing or commented out, this is a finding.\nIf the \\\"audit\\\"\nkeyword is missing or commented out, this is a finding.\nIf the \\\"deny\\\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \\\"fail_interval\\\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\\\"unlock_time\\\" keyword is missing, commented out, or not set to 0, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to utilize the \\\"pam_faillock\\\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \\\"auth\\\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \\\"pam_faillock\\\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000329-GPOS-00128 '\n tag satisfies: %w(SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005)\n tag gid: 'V-238235 '\n tag rid: 'SV-238235r853414_rule '\n tag stig_id: 'UBTU-20-010072 '\n tag fix_id: 'F-41404r802382_fix '\n tag cci: %w(CCI-000044 CCI-002238)\n tag nist: ['AC-7 a', 'AC-7 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_tally /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3($|\\s+.*$)/) }\n its('stdout.strip') { should_not match(/^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3\\s+.*unlock_time.*$/) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238235.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238236","title":"The Ubuntu operating system must be configured so that the script which runs each 30 days or\nless to check file integrity is the default one. ","desc":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.","descriptions":[{"label":"default","data":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality."},{"label":"check","data":"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to\ncheck file integrity each 30 days or less is unchanged.\n\nDownload the original aide-common\npackage in the /tmp directory:\n\n$ cd /tmp; apt download aide-common\n\nFetch the SHA1 of the\noriginal script file:\n\n$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO\n./usr/share/aide/config/cron.daily/aide | sha1sum\n\n32958374f18871e3f7dda27a58d721f471843e26 -\n\nCompare with the SHA1 of the file in the\ndaily or monthly cron directory:\n\n$ sha1sum /etc/cron.{daily,monthly}/aide\n2>/dev/null\n32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide\n\nIf\nthere is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the\ndaily or monthly cron directory does not match the SHA1 of the original, this is a finding."},{"label":"fix","data":"The cron file for AIDE is fairly complex as it creates the report. This file is installed with\nthe \"aide-common\" package, and the default can be restored by copying it from the package:\n\n\nDownload the original package to the /tmp dir:\n\n$ cd /tmp; apt download aide-common\n\n\nExtract the aide script to its original place:\n\n$ dpkg-deb --fsys-tarfile\n/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C /\n\n\nCopy it to the cron.daily directory:\n\n$ sudo cp -f\n/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000446-GPOS-00200 ","gid":"V-238236 ","rid":"SV-238236r853415_rule ","stig_id":"UBTU-20-010074 ","fix_id":"F-41405r653882_fix ","cci":["CCI-002699"],"nist":["SI-6 b"]},"code":"control 'SV-238236' do\n title \"The Ubuntu operating system must be configured so that the script which runs each 30 days or\nless to check file integrity is the default one. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality. \"\n desc 'check', \"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to\ncheck file integrity each 30 days or less is unchanged.\n\nDownload the original aide-common\npackage in the /tmp directory:\n\n$ cd /tmp; apt download aide-common\n\nFetch the SHA1 of the\noriginal script file:\n\n$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO\n./usr/share/aide/config/cron.daily/aide | sha1sum\n\n32958374f18871e3f7dda27a58d721f471843e26 -\n\nCompare with the SHA1 of the file in the\ndaily or monthly cron directory:\n\n$ sha1sum /etc/cron.{daily,monthly}/aide\n2>/dev/null\n32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide\n\nIf\nthere is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the\ndaily or monthly cron directory does not match the SHA1 of the original, this is a finding. \"\n desc 'fix', \"The cron file for AIDE is fairly complex as it creates the report. This file is installed with\nthe \\\"aide-common\\\" package, and the default can be restored by copying it from the package:\n\n\nDownload the original package to the /tmp dir:\n\n$ cd /tmp; apt download aide-common\n\n\nExtract the aide script to its original place:\n\n$ dpkg-deb --fsys-tarfile\n/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C /\n\n\nCopy it to the cron.daily directory:\n\n$ sudo cp -f\n/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000446-GPOS-00200 '\n tag gid: 'V-238236 '\n tag rid: 'SV-238236r853415_rule '\n tag stig_id: 'UBTU-20-010074 '\n tag fix_id: 'F-41405r653882_fix '\n tag cci: ['CCI-002699']\n tag nist: ['SI-6 b']\n\n describe('Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.') do\n skip('manual test')\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238236.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"manual test","resource_class":"Object","resource_params":"[]","resource_id":"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged."}]},{"id":"SV-238237","title":"The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. ","desc":"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account.","descriptions":[{"label":"default","data":"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account."},{"label":"check","data":"Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \"/etc/pam.d/common-auth\" and set\nthe parameter \"pam_faildelay\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000480-GPOS-00226 ","gid":"V-238237 ","rid":"SV-238237r653886_rule ","stig_id":"UBTU-20-010075 ","fix_id":"F-41406r653885_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238237' do\n title \"The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. \"\n desc \"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \\\"/etc/pam.d/common-auth\\\" and set\nthe parameter \\\"pam_faildelay\\\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00226 '\n tag gid: 'V-238237 '\n tag rid: 'SV-238237r653886_rule '\n tag stig_id: 'UBTU-20-010075 '\n tag fix_id: 'F-41406r653885_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_faildelay /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=([4-9][\\d]{6,}|[1-9][\\d]{7,}).*$/) }\n end\n\n file('/etc/pam.d/common-auth').content.to_s.scan(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=(\\d+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 4_000_000 }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238237.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238238","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000463-GPOS-00207","SRG-OS-000476-GPOS-00221"],"gid":"V-238238 ","rid":"SV-238238r853416_rule ","stig_id":"UBTU-20-010100 ","fix_id":"F-41407r653888_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238238' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000463-GPOS-00207 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238238 '\n tag rid: 'SV-238238r853416_rule '\n tag stig_id: 'UBTU-20-010100 '\n tag fix_id: 'F-41407r653888_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238238.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238239","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238239 ","rid":"SV-238239r853417_rule ","stig_id":"UBTU-20-010101 ","fix_id":"F-41408r653891_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238239' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238239 '\n tag rid: 'SV-238239r853417_rule '\n tag stig_id: 'UBTU-20-010101 '\n tag fix_id: 'F-41408r653891_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/group'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238239.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238240","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238240 ","rid":"SV-238240r853418_rule ","stig_id":"UBTU-20-010102 ","fix_id":"F-41409r653894_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238240' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238240 '\n tag rid: 'SV-238240r853418_rule '\n tag stig_id: 'UBTU-20-010102 '\n tag fix_id: 'F-41409r653894_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/shadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238240.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238241","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238241 ","rid":"SV-238241r853419_rule ","stig_id":"UBTU-20-010103 ","fix_id":"F-41410r653897_fix ","cci":["CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AU-12 c","AC-2 (4)"]},"code":"control 'SV-238241' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238241 '\n tag rid: 'SV-238241r853419_rule '\n tag stig_id: 'UBTU-20-010103 '\n tag fix_id: 'F-41410r653897_fix '\n tag cci: %w(CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AU-12 c', 'AC-2 (4)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/gshadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238241.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238242","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/security/opasswd\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/security/opasswd\".\n\n\nAdd or update the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238242 ","rid":"SV-238242r853420_rule ","stig_id":"UBTU-20-010104 ","fix_id":"F-41411r653900_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238242' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nAdd or update the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238242 '\n tag rid: 'SV-238242r853420_rule '\n tag stig_id: 'UBTU-20-010104 '\n tag fix_id: 'F-41411r653900_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/security/opasswd'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238242.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238243","title":"The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. ","desc":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth.","descriptions":[{"label":"default","data":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth."},{"label":"check","data":"Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \"action_mail_acct\" keyword is not set to an accounts for security personnel, the\n\"action_mail_acct\" keyword is missing, or the returned line is commented out, this is a\nfinding."},{"label":"fix","data":"Configure \"auditd\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \"/etc/audit/auditd.conf\" to ensure administrators\nare notified via email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \"administrator_account\" to an account for\nsecurity personnel.\n\nRestart the \"auditd\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000046-GPOS-00022 ","gid":"V-238243 ","rid":"SV-238243r653904_rule ","stig_id":"UBTU-20-010117 ","fix_id":"F-41412r653903_fix ","cci":["CCI-000139"],"nist":["AU-5 a"]},"code":"control 'SV-238243' do\n title \"The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. \"\n desc \"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth. \"\n desc 'check', \"Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \\\"action_mail_acct\\\" keyword is not set to an accounts for security personnel, the\n\\\"action_mail_acct\\\" keyword is missing, or the returned line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure \\\"auditd\\\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \\\"/etc/audit/auditd.conf\\\" to ensure administrators\nare notified via email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \\\"administrator_account\\\" to an account for\nsecurity personnel.\n\nRestart the \\\"auditd\\\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000046-GPOS-00022 '\n tag gid: 'V-238243 '\n tag rid: 'SV-238243r653904_rule '\n tag stig_id: 'UBTU-20-010117 '\n tag fix_id: 'F-41412r653903_fix '\n tag cci: ['CCI-000139']\n tag nist: ['AU-5 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n action_mail_acct = auditd_conf.action_mail_acct\n security_accounts = input('action_mail_acct')\n\n describe 'System Administrator (SA) and Information System Security Officer (ISSO) are notified in the event of an audit processing failure' do\n subject { security_accounts }\n it { should cmp action_mail_acct }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238243.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238244","title":"The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). ","desc":"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server.","descriptions":[{"label":"default","data":"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server."},{"label":"check","data":"Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\"disk_full_action\" option is not \"SYSLOG\", \"SINGLE\", or \"HALT\", or the line is commented\nout, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \"disk_full_action\" can be set to \"SYSLOG\", \"HALT\" or \"SINGLE\") in\n\"/etc/audit/auditd.conf\" file:\n\ndisk_full_action = HALT\n\nRestart the \"auditd\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000047-GPOS-00023 ","gid":"V-238244 ","rid":"SV-238244r653907_rule ","stig_id":"UBTU-20-010118 ","fix_id":"F-41413r653906_fix ","cci":["CCI-000140"],"nist":["AU-5 b"]},"code":"control 'SV-238244' do\n title \"The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). \"\n desc \"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server. \"\n desc 'check', \"Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\\\"disk_full_action\\\" option is not \\\"SYSLOG\\\", \\\"SINGLE\\\", or \\\"HALT\\\", or the line is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \\\"disk_full_action\\\" can be set to \\\"SYSLOG\\\", \\\"HALT\\\" or \\\"SINGLE\\\") in\n\\\"/etc/audit/auditd.conf\\\" file:\n\ndisk_full_action = HALT\n\nRestart the \\\"auditd\\\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000047-GPOS-00023 '\n tag gid: 'V-238244 '\n tag rid: 'SV-238244r653907_rule '\n tag stig_id: 'UBTU-20-010118 '\n tag fix_id: 'F-41413r653906_fix '\n tag cci: ['CCI-000140']\n tag nist: ['AU-5 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe auditd_conf do\n its('disk_full_action') { should_not be_empty }\n its('disk_full_action') { should cmp(/(?:SYSLOG|SINGLE|HALT)/i) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238244.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238245","title":"The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. ","desc":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.","descriptions":[{"label":"default","data":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity."},{"label":"check","data":"Verify that the audit log files have a mode of \"0600\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \"0600\" or\nless by using the following command:\n\n$ sudo stat -c \"%n %a\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\"0600\", this is a finding."},{"label":"fix","data":"Configure the audit log files to have a mode of \"0600\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \"0600\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000057-GPOS-00027 ","satisfies":["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028"],"gid":"V-238245 ","rid":"SV-238245r653910_rule ","stig_id":"UBTU-20-010122 ","fix_id":"F-41414r653909_fix ","cci":["CCI-000162","CCI-000163"],"nist":["AU-9 a"]},"code":"control 'SV-238245' do\n title \"The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify that the audit log files have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \\\"0600\\\" or\nless by using the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\\\"0600\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log files to have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \\\"0600\\\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028)\n tag gid: 'V-238245 '\n tag rid: 'SV-238245r653910_rule '\n tag stig_id: 'UBTU-20-010122 '\n tag fix_id: 'F-41414r653909_fix '\n tag cci: %w(CCI-000162 CCI-000163)\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n it { should_not be_more_permissive_than('0600') }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238245.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238246","title":"The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. ","desc":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.","descriptions":[{"label":"default","data":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity."},{"label":"check","data":"Verify the audit log files are owned by \"root\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \"root\" user by using the following\ncommand:\n\n$ sudo stat -c \"%n %U\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \"root\", this is a finding."},{"label":"fix","data":"Configure the audit log directory and its underlying files to be owned by \"root\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \"root\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000057-GPOS-00027 ","satisfies":["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028","SRG-OS-000059-GPOS-00029"],"gid":"V-238246 ","rid":"SV-238246r653913_rule ","stig_id":"UBTU-20-010123 ","fix_id":"F-41415r653912_fix ","cci":["CCI-000162"],"nist":["AU-9 a"]},"code":"control 'SV-238246' do\n title \"The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the audit log files are owned by \\\"root\\\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \\\"root\\\" user by using the following\ncommand:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \\\"root\\\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238246 '\n tag rid: 'SV-238246r653913_rule '\n tag stig_id: 'UBTU-20-010123 '\n tag fix_id: 'F-41415r653912_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('owner') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238246.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":7.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238247","title":"The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. ","desc":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.","descriptions":[{"label":"default","data":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity."},{"label":"check","data":"Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \"log_group\" parameter is other than \"root\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \"root\" group by using the following command:\n$ sudo stat -c \"%n %G\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\"root\", this is a finding."},{"label":"fix","data":"Configure the audit log directory and its underlying files to be owned by \"root\" group.\n\nSet\nthe \"log_group\" parameter of the audit configuration file to the \"root\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000057-GPOS-00027 ","satisfies":["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028","SRG-OS-000059-GPOS-00029"],"gid":"V-238247 ","rid":"SV-238247r832947_rule ","stig_id":"UBTU-20-010124 ","fix_id":"F-41416r832946_fix ","cci":["CCI-000162"],"nist":["AU-9 a"]},"code":"control 'SV-238247' do\n title \"The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \\\"log_group\\\" parameter is other than \\\"root\\\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \\\"root\\\" group by using the following command:\n$ sudo stat -c \\\"%n %G\\\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" group.\n\nSet\nthe \\\"log_group\\\" parameter of the audit configuration file to the \\\"root\\\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238247 '\n tag rid: 'SV-238247r832947_rule '\n tag stig_id: 'UBTU-20-010124 '\n tag fix_id: 'F-41416r832946_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('group') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238247.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238248","title":"The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. ","desc":"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity.","descriptions":[{"label":"default","data":"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity."},{"label":"check","data":"Verify that the audit log directory has a mode of \"0750\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \"0750\" or less by\nusing the following command:\n\n$ sudo stat -c \"%n %a\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \"0750\", this is a finding."},{"label":"fix","data":"Configure the audit log directory to have a mode of \"0750\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\"0750\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000059-GPOS-00029 ","gid":"V-238248 ","rid":"SV-238248r653919_rule ","stig_id":"UBTU-20-010128 ","fix_id":"F-41417r653918_fix ","cci":["CCI-000164"],"nist":["AU-9 a"]},"code":"control 'SV-238248' do\n title \"The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. \"\n desc \"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity. \"\n desc 'check', \"Verify that the audit log directory has a mode of \\\"0750\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \\\"0750\\\" or less by\nusing the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \\\"0750\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory to have a mode of \\\"0750\\\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\\\"0750\\\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000059-GPOS-00029 '\n tag gid: 'V-238248 '\n tag rid: 'SV-238248r653919_rule '\n tag stig_id: 'UBTU-20-010128 '\n tag fix_id: 'F-41417r653918_fix '\n tag cci: ['CCI-000164']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n if log_dir_exists\n describe directory(File.dirname(log_file)) do\n it { should_not be_more_permissive_than('0750') }\n end\n else\n describe('Audit directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238248.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238249","title":"The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. ","desc":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one."},{"label":"check","data":"Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files have a mode of \"0640\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\"/etc/audit/audit.rule\",\"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nhave a mode more permissive than \"0640\", this is a finding."},{"label":"fix","data":"Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files to have a mode of \"0640\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000063-GPOS-00032 ","gid":"V-238249 ","rid":"SV-238249r653922_rule ","stig_id":"UBTU-20-010133 ","fix_id":"F-41418r653921_fix ","cci":["CCI-000171"],"nist":["AU-12 b"]},"code":"control 'SV-238249' do\n title \"The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files have a mode of \\\"0640\\\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\\\"/etc/audit/audit.rule\\\",\\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nhave a mode more permissive than \\\"0640\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to have a mode of \\\"0640\\\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238249 '\n tag rid: 'SV-238249r653922_rule '\n tag stig_id: 'UBTU-20-010133 '\n tag fix_id: 'F-41418r653921_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n it { should_not be_more_permissive_than('0640') }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238249.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238250","title":"The Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. ","desc":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one."},{"label":"check","data":"Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and\n\"/etc/audit/auditd.conf\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nis owned by a user other than \"root\", this is a finding."},{"label":"fix","data":"Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and\n\"/etc/audit/auditd.conf\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000063-GPOS-00032 ","gid":"V-238250 ","rid":"SV-238250r653925_rule ","stig_id":"UBTU-20-010134 ","fix_id":"F-41419r653924_fix ","cci":["CCI-000171"],"nist":["AU-12 b"]},"code":"control 'SV-238250' do\n title \"The Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238250 '\n tag rid: 'SV-238250r653925_rule '\n tag stig_id: 'UBTU-20-010134 '\n tag fix_id: 'F-41419r653924_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238250.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238251","title":"The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. ","desc":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one."},{"label":"check","data":"Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nis owned by a group other than \"root\", this is a finding."},{"label":"fix","data":"Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000063-GPOS-00032 ","gid":"V-238251 ","rid":"SV-238251r653928_rule ","stig_id":"UBTU-20-010135 ","fix_id":"F-41420r653927_fix ","cci":["CCI-000171"],"nist":["AU-12 b"]},"code":"control 'SV-238251' do\n title \"The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a group other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238251 '\n tag rid: 'SV-238251r653928_rule '\n tag stig_id: 'UBTU-20-010135 '\n tag fix_id: 'F-41420r653927_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238251.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238252","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"su\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x -F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"su\" command occur.\n\nAdd or update the\nfollowing rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238252 ","rid":"SV-238252r653931_rule ","stig_id":"UBTU-20-010136 ","fix_id":"F-41421r653930_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238252' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"su\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x -F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \\\"su\\\" command occur.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238252 '\n tag rid: 'SV-238252r653931_rule '\n tag stig_id: 'UBTU-20-010136 '\n tag fix_id: 'F-41421r653930_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/su'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238252.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238253","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"chfn\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"chfn\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238253 ","rid":"SV-238253r653934_rule ","stig_id":"UBTU-20-010137 ","fix_id":"F-41422r653933_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238253' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"chfn\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chfn\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238253 '\n tag rid: 'SV-238253r653934_rule '\n tag stig_id: 'UBTU-20-010137 '\n tag fix_id: 'F-41422r653933_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chfn'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238253.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238254","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"mount\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"mount\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238254 ","rid":"SV-238254r653937_rule ","stig_id":"UBTU-20-010138 ","fix_id":"F-41423r653936_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238254' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"mount\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"mount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238254 '\n tag rid: 'SV-238254r653937_rule '\n tag stig_id: 'UBTU-20-010138 '\n tag fix_id: 'F-41423r653936_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/mount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238254.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238255","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \"umount\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"umount\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238255 ","rid":"SV-238255r653940_rule ","stig_id":"UBTU-20-010139 ","fix_id":"F-41424r653939_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238255' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \\\"umount\\\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"umount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238255 '\n tag rid: 'SV-238255r653940_rule '\n tag stig_id: 'UBTU-20-010139 '\n tag fix_id: 'F-41424r653939_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/umount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238255.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":7.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238256","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-agent command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"ssh-agent\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep '/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"ssh-agent\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238256 ","rid":"SV-238256r653943_rule ","stig_id":"UBTU-20-010140 ","fix_id":"F-41425r653942_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238256' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-agent command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-agent\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep '/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-agent\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238256 '\n tag rid: 'SV-238256r653943_rule '\n tag stig_id: 'UBTU-20-010140 '\n tag fix_id: 'F-41425r653942_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/ssh-agent'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238256.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238257","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"ssh-keysign\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"ssh-keysign\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238257 ","rid":"SV-238257r653946_rule ","stig_id":"UBTU-20-010141 ","fix_id":"F-41426r653945_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238257' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-keysign\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-keysign\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238257 '\n tag rid: 'SV-238257r653946_rule '\n tag stig_id: 'UBTU-20-010141 '\n tag fix_id: 'F-41426r653945_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/lib/openssh/ssh-keysign'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238257.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238258","title":"The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\",\n\"fremovexattr\", and \"lremovexattr\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \"setxattr\", \"fsetxattr\",\n\"lsetxattr\", \"removexattr\", \"fremovexattr\" and \"lremovexattr\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and\n\"lremovexattr\" system calls.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"],"gid":"V-238258 ","rid":"SV-238258r808474_rule ","stig_id":"UBTU-20-010142 ","fix_id":"F-41427r808473_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238258' do\n title \"The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\",\n\\\"fremovexattr\\\", and \\\"lremovexattr\\\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \\\"setxattr\\\", \\\"fsetxattr\\\",\n\\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\" and \\\"lremovexattr\\\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\", and\n\\\"lremovexattr\\\" system calls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238258 '\n tag rid: 'SV-238258r808474_rule '\n tag stig_id: 'UBTU-20-010142 '\n tag fix_id: 'F-41427r808473_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('setxattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('setxattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238258.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238264","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \"chown\",\n\"fchown\", \"fchownat\", and \"lchown\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nAdd or update the following\nrules in the \"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"],"gid":"V-238264 ","rid":"SV-238264r808477_rule ","stig_id":"UBTU-20-010148 ","fix_id":"F-41433r808476_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238264' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \\\"chown\\\",\n\\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nAdd or update the following\nrules in the \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238264 '\n tag rid: 'SV-238264r808477_rule '\n tag stig_id: 'UBTU-20-010148 '\n tag fix_id: 'F-41433r808476_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chown').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chown').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238264.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238268","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \"chmod\", \"fchmod\" and\n\"fchmodat\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nAdd or update the following rules in\nthe \"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"],"gid":"V-238268 ","rid":"SV-238268r808480_rule ","stig_id":"UBTU-20-010152 ","fix_id":"F-41437r808479_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238268' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \\\"chmod\\\", \\\"fchmod\\\" and\n\\\"fchmodat\\\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nAdd or update the following rules in\nthe \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238268 '\n tag rid: 'SV-238268r808480_rule '\n tag stig_id: 'UBTU-20-010152 '\n tag fix_id: 'F-41437r808479_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chmod').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chmod').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238268.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238271","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\|truncate\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \"-k\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove."},{"label":"fix","data":"Configure the audit system to generate an audit event for any unsuccessful use of the\"creat\",\n\"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" system calls.\n\nAdd\nor update the following rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000474-GPOS-00219"],"gid":"V-238271 ","rid":"SV-238271r808483_rule ","stig_id":"UBTU-20-010155 ","fix_id":"F-41440r808482_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238271' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\\\|truncate\\\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any unsuccessful use of the\\\"creat\\\",\n\\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" system calls.\n\nAdd\nor update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000474-GPOS-00219)\n tag gid: 'V-238271 '\n tag rid: 'SV-238271r808483_rule '\n tag stig_id: 'UBTU-20-010155 '\n tag fix_id: 'F-41440r808482_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238271.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238277","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"sudo\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"sudo\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238277 ","rid":"SV-238277r654006_rule ","stig_id":"UBTU-20-010161 ","fix_id":"F-41446r654005_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238277' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"sudo\\\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudo\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238277 '\n tag rid: 'SV-238277r654006_rule '\n tag stig_id: 'UBTU-20-010161 '\n tag fix_id: 'F-41446r654005_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudo'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238277.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238278","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"sudoedit\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"sudoedit\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238278 ","rid":"SV-238278r654009_rule ","stig_id":"UBTU-20-010162 ","fix_id":"F-41447r654008_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238278' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"sudoedit\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudoedit\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238278 '\n tag rid: 'SV-238278r654009_rule '\n tag stig_id: 'UBTU-20-010162 '\n tag fix_id: 'F-41447r654008_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudoedit'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238278.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238279","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chsh\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chsh\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238279 ","rid":"SV-238279r654012_rule ","stig_id":"UBTU-20-010163 ","fix_id":"F-41448r654011_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238279' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chsh\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chsh\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238279 '\n tag rid: 'SV-238279r654012_rule '\n tag stig_id: 'UBTU-20-010163 '\n tag fix_id: 'F-41448r654011_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chsh'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238279.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238280","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"newgrp\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"newgrp\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238280 ","rid":"SV-238280r654015_rule ","stig_id":"UBTU-20-010164 ","fix_id":"F-41449r654014_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238280' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"newgrp\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"newgrp\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238280 '\n tag rid: 'SV-238280r654015_rule '\n tag stig_id: 'UBTU-20-010164 '\n tag fix_id: 'F-41449r654014_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/newgrp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238280.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238281","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chcon\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chcon\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238281 ","rid":"SV-238281r654018_rule ","stig_id":"UBTU-20-010165 ","fix_id":"F-41450r654017_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238281' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chcon\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chcon\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238281 '\n tag rid: 'SV-238281r654018_rule '\n tag stig_id: 'UBTU-20-010165 '\n tag fix_id: 'F-41450r654017_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chcon'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238281.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238282","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"apparmor_parser\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"apparmor_parser\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238282 ","rid":"SV-238282r654021_rule ","stig_id":"UBTU-20-010166 ","fix_id":"F-41451r654020_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238282' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"apparmor_parser\\\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"apparmor_parser\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238282 '\n tag rid: 'SV-238282r654021_rule '\n tag stig_id: 'UBTU-20-010166 '\n tag fix_id: 'F-41451r654020_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/apparmor_parser'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238282.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238283","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"setfacl\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"setfacl\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238283 ","rid":"SV-238283r654024_rule ","stig_id":"UBTU-20-010167 ","fix_id":"F-41452r654023_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238283' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setfacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setfacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238283 '\n tag rid: 'SV-238283r654024_rule '\n tag stig_id: 'UBTU-20-010167 '\n tag fix_id: 'F-41452r654023_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/setfacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238283.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238284","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chacl\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chacl\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238284 ","rid":"SV-238284r654027_rule ","stig_id":"UBTU-20-010168 ","fix_id":"F-41453r654026_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238284' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238284 '\n tag rid: 'SV-238284r654027_rule '\n tag stig_id: 'UBTU-20-010168 '\n tag fix_id: 'F-41453r654026_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238284.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238285","title":"The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \"tallylog\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"tallylog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"gid":"V-238285 ","rid":"SV-238285r654030_rule ","stig_id":"UBTU-20-010169 ","fix_id":"F-41454r654029_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238285' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238285 '\n tag rid: 'SV-238285r654030_rule '\n tag stig_id: 'UBTU-20-010169 '\n tag fix_id: 'F-41454r654029_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/tallylog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238285.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238286","title":"The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \"faillog\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"faillog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"gid":"V-238286 ","rid":"SV-238286r654033_rule ","stig_id":"UBTU-20-010170 ","fix_id":"F-41455r654032_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238286' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238286 '\n tag rid: 'SV-238286r654033_rule '\n tag stig_id: 'UBTU-20-010170 '\n tag fix_id: 'F-41455r654032_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/faillog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238286.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238287","title":"The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \"lastlog\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"lastlog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"gid":"V-238287 ","rid":"SV-238287r654036_rule ","stig_id":"UBTU-20-010171 ","fix_id":"F-41456r654035_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238287' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238287 '\n tag rid: 'SV-238287r654036_rule '\n tag stig_id: 'UBTU-20-010171 '\n tag fix_id: 'F-41456r654035_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/lastlog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238287.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238288","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"passwd\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"key\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"passwd\" command.\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238288 ","rid":"SV-238288r833012_rule ","stig_id":"UBTU-20-010172 ","fix_id":"F-41457r832949_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238288' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"passwd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"key\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"passwd\\\" command.\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238288 '\n tag rid: 'SV-238288r833012_rule '\n tag stig_id: 'UBTU-20-010172 '\n tag fix_id: 'F-41457r832949_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238288.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238289","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the unix_update command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the\n\"unix_update\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"unix_update\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238289 ","rid":"SV-238289r654042_rule ","stig_id":"UBTU-20-010173 ","fix_id":"F-41458r654041_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238289' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the unix_update command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"unix_update\\\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"unix_update\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238289 '\n tag rid: 'SV-238289r654042_rule '\n tag stig_id: 'UBTU-20-010173 '\n tag fix_id: 'F-41458r654041_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/unix_update'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238289.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238290","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"gpasswd\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"gpasswd\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238290 ","rid":"SV-238290r654045_rule ","stig_id":"UBTU-20-010174 ","fix_id":"F-41459r654044_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238290' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"gpasswd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"gpasswd\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238290 '\n tag rid: 'SV-238290r654045_rule '\n tag stig_id: 'UBTU-20-010174 '\n tag fix_id: 'F-41459r654044_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/gpasswd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238290.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238291","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"chage\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"chage\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238291 ","rid":"SV-238291r654048_rule ","stig_id":"UBTU-20-010175 ","fix_id":"F-41460r654047_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238291' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"chage\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chage\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238291 '\n tag rid: 'SV-238291r654048_rule '\n tag stig_id: 'UBTU-20-010175 '\n tag fix_id: 'F-41460r654047_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chage'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238291.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238292","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"usermod\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"usermod\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238292 ","rid":"SV-238292r654051_rule ","stig_id":"UBTU-20-010176 ","fix_id":"F-41461r654050_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238292' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"usermod\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"usermod\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238292 '\n tag rid: 'SV-238292r654051_rule '\n tag stig_id: 'UBTU-20-010176 '\n tag fix_id: 'F-41461r654050_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/usermod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238292.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238293","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"crontab\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"crontab\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238293 ","rid":"SV-238293r654054_rule ","stig_id":"UBTU-20-010177 ","fix_id":"F-41462r654053_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238293' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"crontab\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"crontab\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238293 '\n tag rid: 'SV-238293r654054_rule '\n tag stig_id: 'UBTU-20-010177 '\n tag fix_id: 'F-41462r654053_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/crontab'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238293.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238294","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the\n\"pam_timestamp_check\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"pam_timestamp_check\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238294 ","rid":"SV-238294r654057_rule ","stig_id":"UBTU-20-010178 ","fix_id":"F-41463r654056_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238294' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"pam_timestamp_check\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"pam_timestamp_check\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238294 '\n tag rid: 'SV-238294r654057_rule '\n tag stig_id: 'UBTU-20-010178 '\n tag fix_id: 'F-41463r654056_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/pam_timestamp_check'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238294.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238295","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \"init_module\" and \"finit_module\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"init_module\" and \"finit_module\" syscalls.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000471-GPOS-00216"],"gid":"V-238295 ","rid":"SV-238295r808486_rule ","stig_id":"UBTU-20-010179 ","fix_id":"F-41464r808485_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238295' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \\\"init_module\\\" and \\\"finit_module\\\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000471-GPOS-00216)\n tag gid: 'V-238295 '\n tag rid: 'SV-238295r808486_rule '\n tag stig_id: 'UBTU-20-010179 '\n tag fix_id: 'F-41464r808485_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('init_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('init_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238295.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238297","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \"delete_module\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"delete_module\" syscall.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000477-GPOS-00222"],"gid":"V-238297 ","rid":"SV-238297r802387_rule ","stig_id":"UBTU-20-010181 ","fix_id":"F-41466r654065_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238297' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"delete_module\\\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"delete_module\\\" syscall.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: ['SRG-OS-000477-GPOS-00222']\n tag gid: 'V-238297 '\n tag rid: 'SV-238297r802387_rule '\n tag stig_id: 'UBTU-20-010181 '\n tag fix_id: 'F-41466r654065_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('delete_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('delete_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238297.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238298","title":"The Ubuntu operating system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. ","desc":"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.","descriptions":[{"label":"default","data":"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system."},{"label":"check","data":"Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \"auditd\" package is not installed, this is a finding.\n\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \"disabled\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \"inactive\",\nthis is a finding."},{"label":"fix","data":"Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000122-GPOS-00063 ","satisfies":["SRG-OS-000122-GPOS-00063","SRG-OS-000037-GPOS-00015","SRG-OS-000038-GPOS-00016","SRG-OS-000039-GPOS-00017","SRG-OS-000040-GPOS-00018","SRG-OS-000041-GPOS-00019","SRG-OS-000042-GPOS-00020","SRG-OS-000042-GPOS-00021","SRG-OS-000051-GPOS-00024","SRG-OS-000054-GPOS-00025","SRG-OS-000062-GPOS-00031","SRG-OS-000337-GPOS-00129","SRG-OS-000348-GPOS-00136","SRG-OS-000349-GPOS-00137","SRG-OS-000350-GPOS-00138","SRG-OS-000351-GPOS-00139","SRG-OS-000352-GPOS-00140","SRG-OS-000353-GPOS-00141","SRG-OS-000354-GPOS-00142","SRG-OS-000475-GPOS-00220"],"gid":"V-238298 ","rid":"SV-238298r853421_rule ","stig_id":"UBTU-20-010182 ","fix_id":"F-41467r654068_fix ","cci":["CCI-000130","CCI-000131","CCI-000132","CCI-000133","CCI-000134","CCI-000135","CCI-000154","CCI-000158","CCI-000169","CCI-000172","CCI-001875","CCI-001876","CCI-001877","CCI-001878","CCI-001879","CCI-001880","CCI-001881","CCI-001882","CCI-001914"],"nist":["AU-3 a","AU-3 b","AU-3 c","AU-3 d","AU-3 e","AU-3 (1)","AU-6 (4)","AU-7 (1)","AU-12 a","AU-12 c","AU-7 a","AU-7 b","AU-12 (3)"]},"code":"control 'SV-238298' do\n title \"The Ubuntu operating system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. \"\n desc \"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.\n\n \"\n desc 'check', \"Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \\\"auditd\\\" package is not installed, this is a finding.\n\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \\\"disabled\\\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \\\"inactive\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000122-GPOS-00063 '\n tag satisfies: %w(SRG-OS-000122-GPOS-00063 SRG-OS-000037-GPOS-00015 SRG-OS-000038-GPOS-00016 SRG-OS-000039-GPOS-00017 SRG-OS-000040-GPOS-00018 SRG-OS-000041-GPOS-00019 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000051-GPOS-00024 SRG-OS-000054-GPOS-00025 SRG-OS-000062-GPOS-00031 SRG-OS-000337-GPOS-00129 SRG-OS-000348-GPOS-00136 SRG-OS-000349-GPOS-00137 SRG-OS-000350-GPOS-00138 SRG-OS-000351-GPOS-00139 SRG-OS-000352-GPOS-00140 SRG-OS-000353-GPOS-00141 SRG-OS-000354-GPOS-00142 SRG-OS-000475-GPOS-00220)\n tag gid: 'V-238298 '\n tag rid: 'SV-238298r853421_rule '\n tag stig_id: 'UBTU-20-010182 '\n tag fix_id: 'F-41467r654068_fix '\n tag cci: %w(CCI-000130 CCI-000131 CCI-000132 CCI-000133 CCI-000134 CCI-000135 CCI-000154 CCI-000158 CCI-000169 CCI-000172 CCI-001875 CCI-001876 CCI-001877 CCI-001878 CCI-001879 CCI-001880 CCI-001881 CCI-001882 CCI-001914)\n tag nist: ['AU-3 a', 'AU-3 b', 'AU-3 c', 'AU-3 d', 'AU-3 e', 'AU-3 (1)', 'AU-6 (4)', 'AU-7 (1)', 'AU-12 a', 'AU-12 c', 'AU-7 a', 'AU-7 b', 'AU-12 (3)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('auditd') do\n it { should be_installed }\n end\n describe service('auditd') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238298.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238299","title":"The Ubuntu operating system must initiate session audits at system start-up. ","desc":"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created.","descriptions":[{"label":"default","data":"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created."},{"label":"check","data":"Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \"^\\s*linux\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \"audit=1\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\"/etc/default/grub\" file and add \"audit=1\" to the \"GRUB_CMDLINE_LINUX\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000254-GPOS-00095 ","gid":"V-238299 ","rid":"SV-238299r654072_rule ","stig_id":"UBTU-20-010198 ","fix_id":"F-41468r654071_fix ","cci":["CCI-001464"],"nist":["AU-14 (1)"]},"code":"control 'SV-238299' do\n title 'The Ubuntu operating system must initiate session audits at system start-up. '\n desc \"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created. \"\n desc 'check', \"Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \\\"^\\\\s*linux\\\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \\\"audit=1\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\\\"/etc/default/grub\\\" file and add \\\"audit=1\\\" to the \\\"GRUB_CMDLINE_LINUX\\\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000254-GPOS-00095 '\n tag gid: 'V-238299 '\n tag rid: 'SV-238299r654072_rule '\n tag stig_id: 'UBTU-20-010198 '\n tag fix_id: 'F-41468r654071_fix '\n tag cci: ['CCI-001464']\n tag nist: ['AU-14 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n grub_entries = command('grep \"^\\s*linux\" /boot/grub/grub.cfg').stdout.strip.split(\"\\n\").entries\n\n grub_entries.each do |entry|\n describe entry do\n it { should include 'audit=1' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238299.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238300","title":"The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the Ubuntu operating system configures the audit tools to have a file permission of\n0755 or less to prevent unauthorized access by running the following command:\n\n$ stat -c \"%n\n%a\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl 755\n/sbin/aureport 755\n\n/sbin/ausearch 755\n/sbin/autrace 755\n/sbin/auditd 755\n/sbin/audispd 755\n\n/sbin/augenrules 755\n\nIf any of the audit tools have a mode more permissive than 0755, this\nis a finding."},{"label":"fix","data":"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n$ sudo chmod\n0755 [audit_tool]\n\nReplace \"[audit_tool]\" with the audit tool that does not have the\ncorrect permissions."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000256-GPOS-00097 ","satisfies":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"],"gid":"V-238300 ","rid":"SV-238300r654075_rule ","stig_id":"UBTU-20-010199 ","fix_id":"F-41469r654074_fix ","cci":["CCI-001493","CCI-001494"],"nist":["AU-9 a","AU-9"]},"code":"control 'SV-238300' do\n title 'The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to have a file permission of\n0755 or less to prevent unauthorized access by running the following command:\n\n$ stat -c \\\"%n\n%a\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl 755\n/sbin/aureport 755\n\n/sbin/ausearch 755\n/sbin/autrace 755\n/sbin/auditd 755\n/sbin/audispd 755\n\n/sbin/augenrules 755\n\nIf any of the audit tools have a mode more permissive than 0755, this\nis a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n$ sudo chmod\n0755 [audit_tool]\n\nReplace \\\"[audit_tool]\\\" with the audit tool that does not have the\ncorrect permissions. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238300 '\n tag rid: 'SV-238300r654075_rule '\n tag stig_id: 'UBTU-20-010199 '\n tag fix_id: 'F-41469r654074_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238300.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238301","title":"The Ubuntu operating system must configure audit tools to be owned by root. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\"%n %U\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding."},{"label":"fix","data":"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not owned by root."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000256-GPOS-00097 ","satisfies":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"],"gid":"V-238301 ","rid":"SV-238301r654078_rule ","stig_id":"UBTU-20-010200 ","fix_id":"F-41470r654077_fix ","cci":["CCI-001493","CCI-001494"],"nist":["AU-9 a","AU-9"]},"code":"control 'SV-238301' do\n title 'The Ubuntu operating system must configure audit tools to be owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\\\"%n %U\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238301 '\n tag rid: 'SV-238301r654078_rule '\n tag stig_id: 'UBTU-20-010200 '\n tag fix_id: 'F-41470r654077_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238301.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238302","title":"The Ubuntu operating system must configure the audit tools to be group-owned by root. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \"%n %G\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding."},{"label":"fix","data":"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not group-owned by root."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000256-GPOS-00097 ","satisfies":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"],"gid":"V-238302 ","rid":"SV-238302r654081_rule ","stig_id":"UBTU-20-010201 ","fix_id":"F-41471r654080_fix ","cci":["CCI-001493","CCI-001494"],"nist":["AU-9 a","AU-9"]},"code":"control 'SV-238302' do\n title 'The Ubuntu operating system must configure the audit tools to be group-owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \\\"%n %G\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not group-owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238302 '\n tag rid: 'SV-238302r654081_rule '\n tag stig_id: 'UBTU-20-010201 '\n tag fix_id: 'F-41471r654080_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238302.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238303","title":"The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. ","desc":"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles.","descriptions":[{"label":"default","data":"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\/sbin\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding."},{"label":"fix","data":"Add or update the following selection lines for \"/etc/aide/aide.conf\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000278-GPOS-00108 ","gid":"V-238303 ","rid":"SV-238303r654084_rule ","stig_id":"UBTU-20-010205 ","fix_id":"F-41472r654083_fix ","cci":["CCI-001496"],"nist":["AU-9 (3)"]},"code":"control 'SV-238303' do\n title \"The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. \"\n desc \"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\\\/sbin\\\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding. \"\n desc 'fix', \"Add or update the following selection lines for \\\"/etc/aide/aide.conf\\\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000278-GPOS-00108 '\n tag gid: 'V-238303 '\n tag rid: 'SV-238303r654084_rule '\n tag stig_id: 'UBTU-20-010205 '\n tag fix_id: 'F-41472r654083_fix '\n tag cci: ['CCI-001496']\n tag nist: ['AU-9 (3)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n aide_conf = aide_conf input('aide_conf_path')\n\n aide_conf_exists = aide_conf.exist?\n\n if aide_conf_exists\n describe aide_conf.where { selection_line == '/sbin/auditctl' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/auditd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/ausearch' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/aureport' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/autrace' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/audispd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/augenrules' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n else\n describe 'aide.conf file exists' do\n subject { aide_conf_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238303.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238304","title":"The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. ","desc":"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.","descriptions":[{"label":"default","data":"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review."},{"label":"check","data":"Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \"execve\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000326-GPOS-00126 ","satisfies":["SRG-OS-000326-GPOS-00126","SRG-OS-000327-GPOS-00127"],"gid":"V-238304 ","rid":"SV-238304r853422_rule ","stig_id":"UBTU-20-010211 ","fix_id":"F-41473r654086_fix ","cci":["CCI-002233","CCI-002234"],"nist":["AC-6 (8)","AC-6 (9)"]},"code":"control 'SV-238304' do\n title \"The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. \"\n desc \"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \\\"execve\\\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000326-GPOS-00126 '\n tag satisfies: %w(SRG-OS-000326-GPOS-00126 SRG-OS-000327-GPOS-00127)\n tag gid: 'V-238304 '\n tag rid: 'SV-238304r853422_rule '\n tag stig_id: 'UBTU-20-010211 '\n tag fix_id: 'F-41473r654086_fix '\n tag cci: %w(CCI-002233 CCI-002234)\n tag nist: ['AC-6 (8)', 'AC-6 (9)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('execve').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('execve').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238304.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238305","title":"The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. ","desc":"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system.","descriptions":[{"label":"default","data":"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system."},{"label":"check","data":"Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \"/var/log/audit/\") with the following command:\n\n$\nsudo df –h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\"/var/log/audit\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du –sh [audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding."},{"label":"fix","data":"Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \"parted\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\s*=\\s*).*@\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint."}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000341-GPOS-00132 ","gid":"V-238305 ","rid":"SV-238305r853423_rule ","stig_id":"UBTU-20-010215 ","fix_id":"F-41474r654089_fix ","cci":["CCI-001849"],"nist":["AU-4"]},"code":"control 'SV-238305' do\n title \"The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. \"\n desc \"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system. \"\n desc 'check', \"Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \\\"/var/log/audit/\\\") with the following command:\n\n$\nsudo df –h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\\\"/var/log/audit\\\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du –sh [audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding. \"\n desc 'fix', \"Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \\\"parted\\\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\\\s*=\\\\s*).*@\\\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000341-GPOS-00132 '\n tag gid: 'V-238305 '\n tag rid: 'SV-238305r853423_rule '\n tag stig_id: 'UBTU-20-010215 '\n tag fix_id: 'F-41474r654089_fix '\n tag cci: ['CCI-001849']\n tag nist: ['AU-4']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n log_file_dir = File.dirname(log_file)\n available_storage = filesystem(log_file_dir).free_kb\n log_file_size = file(log_file).size\n standard_audit_log_size = input('standard_audit_log_size')\n describe('Current audit log file size is less than the specified standard of ' + standard_audit_log_size.to_s) do\n subject { log_file_size.to_i }\n it { should be <= standard_audit_log_size }\n end\n describe('Available storage for audit log should be more than the defined standard of ' + standard_audit_log_size.to_s) do\n subject { available_storage.to_i }\n it { should be > standard_audit_log_size }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238305.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238306","title":"The Ubuntu operating system audit event multiplexor must be configured to off-load audit\nlogs onto a different system or storage media from the system being audited. ","desc":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity.","descriptions":[{"label":"default","data":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity."},{"label":"check","data":"Verify the audit event multiplexor is configured to offload audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that audisp-remote plugin is\ninstalled:\n\n$ sudo dpkg -s audispd-plugins\n\nIf status is \"not installed\", this is a\nfinding.\n\nCheck that the records are being offloaded to a remote server with the following\ncommand:\n\n$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf\n\"active\" is not set to \"yes\", or the line is commented out, this is a finding.\n\nCheck that\naudisp-remote plugin is configured to send audit logs to a different system:\n\n$ sudo grep -i\n^remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 192.168.122.126\n\nIf\nthe \"remote_server\" parameter is not set, is set with a local address, or is set with an invalid\naddress, this is a finding."},{"label":"fix","data":"Configure the audit event multiplexor to offload audit records to a different system or\nstorage media from the system being audited.\n\nInstall the audisp-remote plugin:\n\n$ sudo\napt-get install audispd-plugins -y\n\nSet the audisp-remote plugin as active by editing the\n\"/etc/audisp/plugins.d/au-remote.conf\" file:\n\n$ sudo sed -i -E\n's/active\\s*=\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf\n\nSet the\naddress of the remote machine by editing the \"/etc/audisp/audisp-remote.conf\" file:\n\n$\nsudo sed -i -E 's/(remote_server\\s*=).*/\\1 <remote addr>/'\n/etc/audisp/audisp-remote.conf\n\nwhere <remote addr> must be substituted by the\naddress of the remote server receiving the audit log.\n\nMake the audit service reload its\nconfiguration files:\n\n$ sudo systemctl restart auditd.service"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000342-GPOS-00133 ","satisfies":["SRG-OS-000342-GPOS-00133","SRG-OS-000479-GPOS-00224"],"gid":"V-238306 ","rid":"SV-238306r853424_rule ","stig_id":"UBTU-20-010216 ","fix_id":"F-41475r654092_fix ","cci":["CCI-001851"],"nist":["AU-4 (1)"]},"code":"control 'SV-238306' do\n title \"The Ubuntu operating system audit event multiplexor must be configured to off-load audit\nlogs onto a different system or storage media from the system being audited. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity.\n\n \"\n desc 'check', \"Verify the audit event multiplexor is configured to offload audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that audisp-remote plugin is\ninstalled:\n\n$ sudo dpkg -s audispd-plugins\n\nIf status is \\\"not installed\\\", this is a\nfinding.\n\nCheck that the records are being offloaded to a remote server with the following\ncommand:\n\n$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf\n\\\"active\\\" is not set to \\\"yes\\\", or the line is commented out, this is a finding.\n\nCheck that\naudisp-remote plugin is configured to send audit logs to a different system:\n\n$ sudo grep -i\n^remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 192.168.122.126\n\nIf\nthe \\\"remote_server\\\" parameter is not set, is set with a local address, or is set with an invalid\naddress, this is a finding. \"\n desc 'fix', \"Configure the audit event multiplexor to offload audit records to a different system or\nstorage media from the system being audited.\n\nInstall the audisp-remote plugin:\n\n$ sudo\napt-get install audispd-plugins -y\n\nSet the audisp-remote plugin as active by editing the\n\\\"/etc/audisp/plugins.d/au-remote.conf\\\" file:\n\n$ sudo sed -i -E\n's/active\\\\s*=\\\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf\n\nSet the\naddress of the remote machine by editing the \\\"/etc/audisp/audisp-remote.conf\\\" file:\n\n$\nsudo sed -i -E 's/(remote_server\\\\s*=).*/\\\\1 <remote addr>/'\n/etc/audisp/audisp-remote.conf\n\nwhere <remote addr> must be substituted by the\naddress of the remote server receiving the audit log.\n\nMake the audit service reload its\nconfiguration files:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000342-GPOS-00133 '\n tag satisfies: %w(SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224)\n tag gid: 'V-238306 '\n tag rid: 'SV-238306r853424_rule '\n tag stig_id: 'UBTU-20-010216 '\n tag fix_id: 'F-41475r654092_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = input('audispremote_config_file')\n config_file_exists = file(config_file).exist?\n audit_sp_remote_server = input('audit_sp_remote_server')\n\n describe package('audispd-plugins') do\n it { should be_installed }\n end\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('active') { should cmp 'yes' }\n its('remote_server') { should cmp audit_sp_remote_server }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238306.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238307","title":"The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. ","desc":"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion.","descriptions":[{"label":"default","data":"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion."},{"label":"check","data":"Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \"space_left\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \"space_left_action\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \"space_left_action\" is set to \"syslog\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\"space_left_action\" is set to \"exec\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \"space_left_action\" is set\nto \"email\", check the value of the \"action_mail_acct\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \"action_mail_acct\" parameter, if missing, defaults to \"root\". If the\n\"action_mail_acct parameter\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available."},{"label":"fix","data":"Edit \"/etc/audit/auditd.conf\" and set the \"space_left_action\" parameter to \"exec\" or\n\"email\".\n\nIf the \"space_left_action\" parameter is set to \"email\", set the\n\"action_mail_acct\" parameter to an email address for the SA and ISSO.\n\nIf the\n\"space_left_action\" parameter is set to \"exec\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \"/etc/audit/auditd.conf\" and set the \"space_left\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity."}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000343-GPOS-00134 ","gid":"V-238307 ","rid":"SV-238307r853425_rule ","stig_id":"UBTU-20-010217 ","fix_id":"F-41476r654095_fix ","cci":["CCI-001855"],"nist":["AU-5 (1)"]},"code":"control 'SV-238307' do\n title \"The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. \"\n desc \"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion. \"\n desc 'check', \"Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \\\"space_left\\\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \\\"space_left_action\\\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \\\"space_left_action\\\" is set to \\\"syslog\\\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\\\"space_left_action\\\" is set to \\\"exec\\\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \\\"space_left_action\\\" is set\nto \\\"email\\\", check the value of the \\\"action_mail_acct\\\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \\\"action_mail_acct\\\" parameter, if missing, defaults to \\\"root\\\". If the\n\\\"action_mail_acct parameter\\\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available. \"\n desc 'fix', \"Edit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left_action\\\" parameter to \\\"exec\\\" or\n\\\"email\\\".\n\nIf the \\\"space_left_action\\\" parameter is set to \\\"email\\\", set the\n\\\"action_mail_acct\\\" parameter to an email address for the SA and ISSO.\n\nIf the\n\\\"space_left_action\\\" parameter is set to \\\"exec\\\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left\\\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000343-GPOS-00134 '\n tag gid: 'V-238307 '\n tag rid: 'SV-238307r853425_rule '\n tag stig_id: 'UBTU-20-010217 '\n tag fix_id: 'F-41476r654095_fix '\n tag cci: ['CCI-001855']\n tag nist: ['AU-5 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n email_to_notify = input('action_mail_acct')\n\n partition_threshold_mb = (filesystem(log_file).size_kb / 1024 * 0.25).to_i\n system_alert_configuration_mb = auditd_conf.space_left.to_i\n\n describe 'The space_left configuration' do\n subject { system_alert_configuration_mb }\n it { should >= partition_threshold_mb }\n end\n describe 'The space_left_action configuration' do\n subject { auditd_conf.space_left_action }\n it { should eq 'email' }\n end\n\n describe 'The action_mail_acct configuration' do\n subject { auditd_conf.action_mail_acct }\n it { should eq email_to_notify }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238307.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238308","title":"The Ubuntu operating system must record time stamps for audit records that can be mapped to\nCoordinated Universal Time (UTC) or Greenwich Mean Time (GMT). ","desc":"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.","descriptions":[{"label":"default","data":"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC."},{"label":"check","data":"To verify the time zone is configured to use UTC or GMT, run the following command.\n\n$\ntimedatectl status | grep -i \"time zone\"\nTimezone: UTC (UTC, +0000)\n\nIf \"Timezone\" is not\nset to UTC or GMT, this is a finding."},{"label":"fix","data":"To configure the system time zone to use UTC or GMT, run the following command, replacing\n[ZONE] with UTC or GMT:\n\n$ sudo timedatectl set-timezone [ZONE]"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000359-GPOS-00146 ","gid":"V-238308 ","rid":"SV-238308r853426_rule ","stig_id":"UBTU-20-010230 ","fix_id":"F-41477r654098_fix ","cci":["CCI-001890"],"nist":["AU-8 b"]},"code":"control 'SV-238308' do\n title \"The Ubuntu operating system must record time stamps for audit records that can be mapped to\nCoordinated Universal Time (UTC) or Greenwich Mean Time (GMT). \"\n desc \"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. \"\n desc 'check', \"To verify the time zone is configured to use UTC or GMT, run the following command.\n\n$\ntimedatectl status | grep -i \\\"time zone\\\"\nTimezone: UTC (UTC, +0000)\n\nIf \\\"Timezone\\\" is not\nset to UTC or GMT, this is a finding. \"\n desc 'fix', \"To configure the system time zone to use UTC or GMT, run the following command, replacing\n[ZONE] with UTC or GMT:\n\n$ sudo timedatectl set-timezone [ZONE] \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000359-GPOS-00146 '\n tag gid: 'V-238308 '\n tag rid: 'SV-238308r853426_rule '\n tag stig_id: 'UBTU-20-010230 '\n tag fix_id: 'F-41477r654098_fix '\n tag cci: ['CCI-001890']\n tag nist: ['AU-8 b']\n\n time_zone = command('timedatectl status | grep -i \"time zone\"').stdout.strip\n\n describe time_zone do\n it { should match 'UTC' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238308.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"is expected to match \"UTC\"","run_time":0.00016,"start_time":"2022-12-08T20:52:24-05:00","message":"expected \"\" to match \"UTC\"","resource_class":"Object","resource_params":"[]","resource_id":""}]},{"id":"SV-238309","title":"The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, diagnostic sessions and other system-level access. ","desc":"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.","descriptions":[{"label":"default","data":"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of\nan Ethernet switch."},{"label":"check","data":"Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000392-GPOS-00172 ","satisfies":["SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"gid":"V-238309 ","rid":"SV-238309r853427_rule ","stig_id":"UBTU-20-010244 ","fix_id":"F-41478r654101_fix ","cci":["CCI-000172","CCI-002884"],"nist":["AU-12 c","MA-4 (1) (a)"]},"code":"control 'SV-238309' do\n title \"The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, diagnostic sessions and other system-level access. \"\n desc \"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\\\"ping,\\\" \\\"ls,\\\" \\\"ipconfig,\\\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000392-GPOS-00172 '\n tag satisfies: %w(SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215)\n tag gid: 'V-238309 '\n tag rid: 'SV-238309r853427_rule '\n tag stig_id: 'UBTU-20-010244 '\n tag fix_id: 'F-41478r654101_fix '\n tag cci: %w(CCI-000172 CCI-002884)\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/sudo.log'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238309.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238310","title":"The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\|rename\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \"unlink\",\n\"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \"key\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events for any successful/unsuccessful use of\n\"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" system calls.\n\nAdd or update the\nfollowing rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000468-GPOS-00212 ","gid":"V-238310 ","rid":"SV-238310r832953_rule ","stig_id":"UBTU-20-010267 ","fix_id":"F-41479r832952_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238310' do\n title \"The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible. \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\\\|rename\\\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \\\"unlink\\\",\n\\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \\\"key\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events for any successful/unsuccessful use of\n\\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" system calls.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000468-GPOS-00212 '\n tag gid: 'V-238310 '\n tag rid: 'SV-238310r832953_rule '\n tag stig_id: 'UBTU-20-010267 '\n tag fix_id: 'F-41479r832952_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('unlink').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('unlink').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238310.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238315","title":"The Ubuntu operating system must generate audit records for the /var/log/wtmp file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/log/wtmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/log/wtmp\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000472-GPOS-00217 ","gid":"V-238315 ","rid":"SV-238315r654120_rule ","stig_id":"UBTU-20-010277 ","fix_id":"F-41484r654119_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238315' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238315 '\n tag rid: 'SV-238315r654120_rule '\n tag stig_id: 'UBTU-20-010277 '\n tag fix_id: 'F-41484r654119_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238315.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238316","title":"The Ubuntu operating system must generate audit records for the /var/run/wtmp file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/run/wtmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/run/wtmp\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000472-GPOS-00217 ","gid":"V-238316 ","rid":"SV-238316r654123_rule ","stig_id":"UBTU-20-010278 ","fix_id":"F-41485r654122_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238316' do\n title 'The Ubuntu operating system must generate audit records for the /var/run/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/run/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/run/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238316 '\n tag rid: 'SV-238316r654123_rule '\n tag stig_id: 'UBTU-20-010278 '\n tag fix_id: 'F-41485r654122_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/run/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238316.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238317","title":"The Ubuntu operating system must generate audit records for the /var/log/btmp file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/log/btmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/log/btmp file\".\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000472-GPOS-00217 ","gid":"V-238317 ","rid":"SV-238317r654126_rule ","stig_id":"UBTU-20-010279 ","fix_id":"F-41486r654125_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238317' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/btmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/btmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/btmp file\\\".\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238317 '\n tag rid: 'SV-238317r654126_rule '\n tag stig_id: 'UBTU-20-010279 '\n tag fix_id: 'F-41486r654125_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/btmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238317.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238318","title":"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \"modprobe\" by running the following command:\n\n$ sudo auditctl -l | grep\n\"/sbin/modprobe\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \"modprobe\".\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000477-GPOS-00222 ","gid":"V-238318 ","rid":"SV-238318r654129_rule ","stig_id":"UBTU-20-010296 ","fix_id":"F-41487r654128_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238318' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"modprobe\\\" by running the following command:\n\n$ sudo auditctl -l | grep\n\\\"/sbin/modprobe\\\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"modprobe\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238318 '\n tag rid: 'SV-238318r654129_rule '\n tag stig_id: 'UBTU-20-010296 '\n tag fix_id: 'F-41487r654128_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/modprobe'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238318.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238319","title":"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \"kmod\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \"kmod\".\n\nAdd or update the following rule in the \"/etc/audit/rules.d/stig.rules\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000477-GPOS-00222 ","gid":"V-238319 ","rid":"SV-238319r654132_rule ","stig_id":"UBTU-20-010297 ","fix_id":"F-41488r654131_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238319' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"kmod\\\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"kmod\\\".\n\nAdd or update the following rule in the \\\"/etc/audit/rules.d/stig.rules\\\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238319 '\n tag rid: 'SV-238319r654132_rule '\n tag stig_id: 'UBTU-20-010297 '\n tag fix_id: 'F-41488r654131_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/kmod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238319.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238320","title":"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \"fdisk\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \"fdisk\".\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000477-GPOS-00222 ","gid":"V-238320 ","rid":"SV-238320r832956_rule ","stig_id":"UBTU-20-010298 ","fix_id":"F-41489r832955_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238320' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \\\"fdisk\\\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \\\"fdisk\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238320 '\n tag rid: 'SV-238320r832956_rule '\n tag stig_id: 'UBTU-20-010298 '\n tag fix_id: 'F-41489r832955_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/fdisk'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238320.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238321","title":"The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. ","desc":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity.","descriptions":[{"label":"default","data":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity."},{"label":"check","data":"Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\"/etc/cron.weekly\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding."},{"label":"fix","data":"Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \"/etc/cron.weekly\" directory."}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000479-GPOS-00224 ","gid":"V-238321 ","rid":"SV-238321r853428_rule ","stig_id":"UBTU-20-010300 ","fix_id":"F-41490r654137_fix ","cci":["CCI-001851"],"nist":["AU-4 (1)"]},"code":"control 'SV-238321' do\n title \"The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity. \"\n desc 'check', \"Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\\\"/etc/cron.weekly\\\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding. \"\n desc 'fix', \"Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \\\"/etc/cron.weekly\\\" directory. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000479-GPOS-00224 '\n tag gid: 'V-238321 '\n tag rid: 'SV-238321r853428_rule '\n tag stig_id: 'UBTU-20-010300 '\n tag fix_id: 'F-41490r654137_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n\n cron_file = input('auditoffload_config_file')\n cron_file_exists = file(cron_file).exist?\n\n if cron_file_exists\n describe file(cron_file) do\n its('content') { should_not be_empty }\n end\n else\n describe cron_file + ' exists' do\n subject { cron_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238321.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/cron.weekly/audit-offload exists is expected to equal true","run_time":7.3e-05,"start_time":"2022-12-08T20:52:24-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/cron.weekly/audit-offload exists"}]},{"id":"SV-238323","title":"The Ubuntu operating system must limit the number of concurrent sessions to ten for all\naccounts and/or account types. ","desc":"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system.","descriptions":[{"label":"default","data":"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system."},{"label":"check","data":"Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all\naccounts and/or account types by running the following command:\n\n$ grep maxlogins\n/etc/security/limits.conf | grep -v '^* hard maxlogins'\n\nThe result must contain the\nfollowing line:\n\n* hard maxlogins 10\n\nIf the \"maxlogins\" item is missing or the value is not\nset to 10 or less or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all\naccounts and/or account types.\n\nAdd the following line to the top of the\n\"/etc/security/limits.conf\" file:\n\n* hard maxlogins 10"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000027-GPOS-00008 ","gid":"V-238323 ","rid":"SV-238323r654144_rule ","stig_id":"UBTU-20-010400 ","fix_id":"F-41492r654143_fix ","cci":["CCI-000054"],"nist":["AC-10"]},"code":"control 'SV-238323' do\n title \"The Ubuntu operating system must limit the number of concurrent sessions to ten for all\naccounts and/or account types. \"\n desc \"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system. \"\n desc 'check', \"Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all\naccounts and/or account types by running the following command:\n\n$ grep maxlogins\n/etc/security/limits.conf | grep -v '^* hard maxlogins'\n\nThe result must contain the\nfollowing line:\n\n* hard maxlogins 10\n\nIf the \\\"maxlogins\\\" item is missing or the value is not\nset to 10 or less or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all\naccounts and/or account types.\n\nAdd the following line to the top of the\n\\\"/etc/security/limits.conf\\\" file:\n\n* hard maxlogins 10 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000027-GPOS-00008 '\n tag gid: 'V-238323 '\n tag rid: 'SV-238323r654144_rule '\n tag stig_id: 'UBTU-20-010400 '\n tag fix_id: 'F-41492r654143_fix '\n tag cci: ['CCI-000054']\n tag nist: ['AC-10']\n\n describe limits_conf do\n its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238323.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"limits.conf * is expected to include [\"hard\", \"maxlogins\", \"10\"]","run_time":0.000338,"start_time":"2022-12-08T20:52:24-05:00","message":"expected nil to include [\"hard\", \"maxlogins\", \"10\"], but it does not respond to `include?`","resource_class":"limits_conf","resource_params":"[]","resource_id":"/etc/security/limits.conf"}]},{"id":"SV-238324","title":"The Ubuntu operating system must monitor remote access methods. ","desc":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets).","descriptions":[{"label":"default","data":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets)."},{"label":"check","data":"Verify that the Ubuntu operating system monitors all remote access methods.\n\nCheck that\nremote access methods are being logged by running the following command:\n\n$ grep -E -r\n'^(auth,authpriv\\.\\*|daemon\\.\\*)' /etc/rsyslog.*\n\n/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log\n\n/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages\n\nIf \"auth.*\",\n\"authpriv.*\", or \"daemon.*\" are not configured to be logged in at least one of the config\nfiles, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to monitor all remote access methods by adding the\nfollowing lines to the \"/etc/rsyslog.d/50-default.conf\" file:\n\nauth.*,authpriv.*\n/var/log/secure\ndaemon.* /var/log/messages\n\nFor the changes to take effect, restart the\n\"rsyslog\" service with the following command:\n\n$ sudo systemctl restart rsyslog.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000032-GPOS-00013 ","gid":"V-238324 ","rid":"SV-238324r832959_rule ","stig_id":"UBTU-20-010403 ","fix_id":"F-41493r832958_fix ","cci":["CCI-000067"],"nist":["AC-17 (1)"]},"code":"control 'SV-238324' do\n title 'The Ubuntu operating system must monitor remote access methods. '\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify that the Ubuntu operating system monitors all remote access methods.\n\nCheck that\nremote access methods are being logged by running the following command:\n\n$ grep -E -r\n'^(auth,authpriv\\\\.\\\\*|daemon\\\\.\\\\*)' /etc/rsyslog.*\n\n/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log\n\n/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages\n\nIf \\\"auth.*\\\",\n\\\"authpriv.*\\\", or \\\"daemon.*\\\" are not configured to be logged in at least one of the config\nfiles, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to monitor all remote access methods by adding the\nfollowing lines to the \\\"/etc/rsyslog.d/50-default.conf\\\" file:\n\nauth.*,authpriv.*\n/var/log/secure\ndaemon.* /var/log/messages\n\nFor the changes to take effect, restart the\n\\\"rsyslog\\\" service with the following command:\n\n$ sudo systemctl restart rsyslog.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000032-GPOS-00013 '\n tag gid: 'V-238324 '\n tag rid: 'SV-238324r832959_rule '\n tag stig_id: 'UBTU-20-010403 '\n tag fix_id: 'F-41493r832958_fix '\n tag cci: ['CCI-000067']\n tag nist: ['AC-17 (1)']\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*\\t\\s*(.*?)\\s*$/,\n }\n config_file = input('rsyslog_config_file')\n auth_setting = parse_config_file(config_file, options).params['auth,authpriv.*']\n daemon_setting = parse_config_file(config_file, options).params['daemon.notice']\n describe auth_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\n describe daemon_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238324.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"is expected not to be nil","run_time":6.1e-05,"start_time":"2022-12-08T20:52:24-05:00","message":"expected: not nil\n got: nil","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected not to be empty","run_time":0.002672,"start_time":"2022-12-08T20:52:24-05:00","message":"expected nil to respond to `empty?`","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected not to be nil","run_time":7.1e-05,"start_time":"2022-12-08T20:52:24-05:00","message":"expected: not nil\n got: nil","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected not to be empty","run_time":0.002234,"start_time":"2022-12-08T20:52:24-05:00","message":"expected nil to respond to `empty?`","resource_class":"Object","resource_params":"[]","resource_id":""}]},{"id":"SV-238325","title":"The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. ","desc":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.","descriptions":[{"label":"default","data":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised."},{"label":"check","data":"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \"ENCRYPT_METHOD\" does not equal SHA512 or\ngreater, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \"/etc/login.defs\" file and set \"ENCRYPT_METHOD\" to SHA512:\n\n\nENCRYPT_METHOD SHA512"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000120-GPOS-00061 ","gid":"V-238325 ","rid":"SV-238325r654150_rule ","stig_id":"UBTU-20-010404 ","fix_id":"F-41494r654149_fix ","cci":["CCI-000803"],"nist":["IA-7"]},"code":"control 'SV-238325' do\n title \"The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. \"\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \\\"ENCRYPT_METHOD\\\" does not equal SHA512 or\ngreater, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \\\"/etc/login.defs\\\" file and set \\\"ENCRYPT_METHOD\\\" to SHA512:\n\n\nENCRYPT_METHOD SHA512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000120-GPOS-00061 '\n tag gid: 'V-238325 '\n tag rid: 'SV-238325r654150_rule '\n tag stig_id: 'UBTU-20-010404 '\n tag fix_id: 'F-41494r654149_fix '\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n elsif virtualization.system.eql?('docker')\n describe 'Manual test' do\n skip 'This control must be reviewed manually'\n end\n else\n describe login_defs do\n its('ENCRYPT_METHOD') { should eq 'SHA512' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238325.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"FIPS validation in a container must be reviewed manually","run_time":5.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"FIPS validation in a container must be reviewed manually","resource_class":"Object","resource_params":"[]","resource_id":"FIPS validation in a container must be reviewed manually"}]},{"id":"SV-238326","title":"The Ubuntu operating system must not have the telnet package installed. ","desc":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.","descriptions":[{"label":"default","data":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised."},{"label":"check","data":"Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding."},{"label":"fix","data":"Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000074-GPOS-00042 ","gid":"V-238326 ","rid":"SV-238326r654153_rule ","stig_id":"UBTU-20-010405 ","fix_id":"F-41495r654152_fix ","cci":["CCI-000197"],"nist":["IA-5 (1) (c)"]},"code":"control 'SV-238326' do\n title 'The Ubuntu operating system must not have the telnet package installed. '\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding. \"\n desc 'fix', \"Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000074-GPOS-00042 '\n tag gid: 'V-238326 '\n tag rid: 'SV-238326r654153_rule '\n tag stig_id: 'UBTU-20-010405 '\n tag fix_id: 'F-41495r654152_fix '\n tag cci: ['CCI-000197']\n tag nist: ['IA-5 (1) (c)']\n\n describe package('telnetd') do\n it { should_not be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238326.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"System Package telnetd is expected not to be installed","run_time":0.042577,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"package","resource_params":"[\"telnetd\"]","resource_id":"telnetd"}]},{"id":"SV-238327","title":"The Ubuntu operating system must not have the rsh-server package installed. ","desc":"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.","descriptions":[{"label":"default","data":"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled."},{"label":"check","data":"Verify the rsh-server package is installed with the following command:\n\n$ dpkg -l | grep\nrsh-server\n\nIf the rsh-server package is installed, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to disable non-essential capabilities by removing\nthe rsh-server package from the system with the following command:\n\n$ sudo apt-get remove\nrsh-server"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000095-GPOS-00049 ","gid":"V-238327 ","rid":"SV-238327r654156_rule ","stig_id":"UBTU-20-010406 ","fix_id":"F-41496r654155_fix ","cci":["CCI-000381"],"nist":["CM-7 a"]},"code":"control 'SV-238327' do\n title 'The Ubuntu operating system must not have the rsh-server package installed. '\n desc \"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled. \"\n desc 'check', \"Verify the rsh-server package is installed with the following command:\n\n$ dpkg -l | grep\nrsh-server\n\nIf the rsh-server package is installed, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable non-essential capabilities by removing\nthe rsh-server package from the system with the following command:\n\n$ sudo apt-get remove\nrsh-server \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000095-GPOS-00049 '\n tag gid: 'V-238327 '\n tag rid: 'SV-238327r654156_rule '\n tag stig_id: 'UBTU-20-010406 '\n tag fix_id: 'F-41496r654155_fix '\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n\n describe package('rsh-server') do\n it { should_not be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238327.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"System Package rsh-server is expected not to be installed","run_time":0.047464,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"package","resource_params":"[\"rsh-server\"]","resource_id":"rsh-server"}]},{"id":"SV-238328","title":"The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. ","desc":"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues.","descriptions":[{"label":"default","data":"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues."},{"label":"check","data":"Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding."},{"label":"fix","data":"Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \"in\" or \"out\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service>"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000096-GPOS-00050 ","gid":"V-238328 ","rid":"SV-238328r654159_rule ","stig_id":"UBTU-20-010407 ","fix_id":"F-41497r654158_fix ","cci":["CCI-000382"],"nist":["CM-7 b"]},"code":"control 'SV-238328' do\n title \"The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. \"\n desc \"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding. \"\n desc 'fix', \"Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \\\"in\\\" or \\\"out\\\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000096-GPOS-00050 '\n tag gid: 'V-238328 '\n tag rid: 'SV-238328r654159_rule '\n tag stig_id: 'UBTU-20-010407 '\n tag fix_id: 'F-41497r654158_fix '\n tag cci: ['CCI-000382']\n tag nist: ['CM-7 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n ufw_status = command('ufw status').stdout.strip.lines.first\n value = ufw_status.split(':')[1].strip\n\n describe 'UFW status' do\n subject { value }\n it { should cmp 'active' }\n end\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238328.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":6.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238329","title":"The Ubuntu operating system must prevent direct login into the root account. ","desc":"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge.","descriptions":[{"label":"default","data":"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge."},{"label":"check","data":"Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \"L\" in the second field to indicate the account is locked, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000109-GPOS-00056 ","gid":"V-238329 ","rid":"SV-238329r654162_rule ","stig_id":"UBTU-20-010408 ","fix_id":"F-41498r654161_fix ","cci":["CCI-000770"],"nist":["IA-2 (5)"]},"code":"control 'SV-238329' do\n title 'The Ubuntu operating system must prevent direct login into the root account. '\n desc \"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\\\"root\\\" user account, the Windows \\\"Administrator\\\" account, the \\\"sa\\\" account, or a \\\"helpdesk\\\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge. \"\n desc 'check', \"Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \\\"L\\\" in the second field to indicate the account is locked, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000109-GPOS-00056 '\n tag gid: 'V-238329 '\n tag rid: 'SV-238329r654162_rule '\n tag stig_id: 'UBTU-20-010408 '\n tag fix_id: 'F-41498r654161_fix '\n tag cci: ['CCI-000770']\n tag nist: ['IA-2 (5)']\n\n describe.one do\n describe shadow.where(user: 'root') do\n its('passwords.uniq.first') { should eq '!*' }\n end\n end\n describe command('passwd -S root').stdout.strip do\n it { should match(/^root\\s+L\\s+.*$/) }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238329.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/shadow with user == \"root\" passwords.uniq.first is expected to eq \"!*\"","run_time":0.000277,"start_time":"2022-12-08T20:52:24-05:00","message":"\nexpected: \"!*\"\n got: \"*\"\n\n(compared using ==)\n","exception":"RSpec::Core::MultipleExceptionError","resource_class":"FilterTable::Table","resource_params":"[]","resource_id":""},{"status":"passed","code_desc":"root L 10/18/2022 0 99999 7 -1 is expected to match /^root\\s+L\\s+.*$/","run_time":0.000115,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"root L 10/18/2022 0 99999 7 -1"}]},{"id":"SV-238330","title":"The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. ","desc":"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity.","descriptions":[{"label":"default","data":"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity."},{"label":"check","data":"Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \"INACTIVE\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \"0\" will disable the account immediately after the\npassword expires."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000118-GPOS-00060 ","gid":"V-238330 ","rid":"SV-238330r654165_rule ","stig_id":"UBTU-20-010409 ","fix_id":"F-41499r654164_fix ","cci":["CCI-000795"],"nist":["IA-4 e"]},"code":"control 'SV-238330' do\n title \"The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. \"\n desc \"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity. \"\n desc 'check', \"Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \\\"INACTIVE\\\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \\\"0\\\" will disable the account immediately after the\npassword expires. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000118-GPOS-00060 '\n tag gid: 'V-238330 '\n tag rid: 'SV-238330r654165_rule '\n tag stig_id: 'UBTU-20-010409 '\n tag fix_id: 'F-41499r654164_fix '\n tag cci: ['CCI-000795']\n tag nist: ['IA-4 e']\n\n config_file = input('useradd_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('INACTIVE') { should cmp > '0' }\n its('INACTIVE') { should cmp <= 35 }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238330.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Parse Config File /etc/default/useradd INACTIVE is expected to cmp > \"0\"","run_time":0.000248,"start_time":"2022-12-08T20:52:24-05:00","message":"\nexpected it to be > \"0\"\n got: \n\n(compared using `cmp` matcher)\n","resource_class":"parse_config_file","resource_params":"[\"/etc/default/useradd\"]","resource_id":"/etc/default/useradd"},{"status":"failed","code_desc":"Parse Config File /etc/default/useradd INACTIVE is expected to cmp <= 35","run_time":0.000204,"start_time":"2022-12-08T20:52:24-05:00","message":"\nexpected it to be <= 35\n got: \n\n(compared using `cmp` matcher)\n","resource_class":"parse_config_file","resource_params":"[\"/etc/default/useradd\"]","resource_id":"/etc/default/useradd"}]},{"id":"SV-238331","title":"The Ubuntu operating system must automatically remove or disable emergency accounts after\n72 hours. ","desc":"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts.","descriptions":[{"label":"default","data":"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts."},{"label":"check","data":"Verify the Ubuntu operating system expires emergency accounts within 72 hours or less.\n\nFor\nevery emergency account, run the following command to obtain its account expiration\ninformation:\n\n$ sudo chage -l account_name | grep expires\n\nPassword expires : Aug 07, 2019\n\nAccount expires : Aug 07, 2019\n\nVerify each of these accounts has an expiration date set\nwithin 72 hours of account creation.\n\nIf any of these accounts do not expire within 72 hours of\nthat account's creation, this is a finding."},{"label":"fix","data":"If an emergency account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it. Substitute\n\"account_name\" with the account to be created.\n\n$ sudo chage -E $(date -d \"+3 days\" +%F)\naccount_name"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000123-GPOS-00064 ","gid":"V-238331 ","rid":"SV-238331r654168_rule ","stig_id":"UBTU-20-010410 ","fix_id":"F-41500r654167_fix ","cci":["CCI-001682"],"nist":["AC-2 (2)"]},"code":"control 'SV-238331' do\n title \"The Ubuntu operating system must automatically remove or disable emergency accounts after\n72 hours. \"\n desc \"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts. \"\n desc 'check', \"Verify the Ubuntu operating system expires emergency accounts within 72 hours or less.\n\nFor\nevery emergency account, run the following command to obtain its account expiration\ninformation:\n\n$ sudo chage -l account_name | grep expires\n\nPassword expires : Aug 07, 2019\n\nAccount expires : Aug 07, 2019\n\nVerify each of these accounts has an expiration date set\nwithin 72 hours of account creation.\n\nIf any of these accounts do not expire within 72 hours of\nthat account's creation, this is a finding. \"\n desc 'fix', \"If an emergency account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it. Substitute\n\\\"account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\" +%F)\naccount_name \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000123-GPOS-00064 '\n tag gid: 'V-238331 '\n tag rid: 'SV-238331r654168_rule '\n tag stig_id: 'UBTU-20-010410 '\n tag fix_id: 'F-41500r654167_fix '\n tag cci: ['CCI-001682']\n tag nist: ['AC-2 (2)']\n\n describe 'Manual verification required' do\n skip 'Manually verify if emergency account must be created\n the system must terminate the account after a 72 hour time period.'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238331.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Manual verification required","run_time":5.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Manually verify if emergency account must be created\n the system must terminate the account after a 72 hour time period.","resource_class":"Object","resource_params":"[]","resource_id":"Manual verification required"}]},{"id":"SV-238332","title":"The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. ","desc":"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components.","descriptions":[{"label":"default","data":"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components."},{"label":"check","data":"Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding."},{"label":"fix","data":"Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \"[Public Directory]\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000138-GPOS-00069 ","gid":"V-238332 ","rid":"SV-238332r654171_rule ","stig_id":"UBTU-20-010411 ","fix_id":"F-41501r654170_fix ","cci":["CCI-001090"],"nist":["SC-4"]},"code":"control 'SV-238332' do\n title \"The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. \"\n desc \"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components. \"\n desc 'check', \"Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding. \"\n desc 'fix', \"Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \\\"[Public Directory]\\\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000138-GPOS-00069 '\n tag gid: 'V-238332 '\n tag rid: 'SV-238332r654171_rule '\n tag stig_id: 'UBTU-20-010411 '\n tag fix_id: 'F-41501r654170_fix '\n tag cci: ['CCI-001090']\n tag nist: ['SC-4']\n\n lines = command('find / -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null').stdout.strip.split(\"\\n\").entries\n if lines.count > 0\n lines.each do |line|\n dir = line.strip\n describe directory(dir) do\n it { should be_sticky }\n end\n end\n else\n describe 'Sticky bit has been set on all world writable directories' do\n subject { lines }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238332.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Sticky bit has been set on all world writable directories count is expected to eq 0","run_time":0.000149,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238333","title":"The Ubuntu operating system must be configured to use TCP syncookies. ","desc":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning.","descriptions":[{"label":"default","data":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning."},{"label":"check","data":"Verify the Ubuntu operating system is configured to use TCP syncookies.\n\nCheck the value of\nTCP syncookies with the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \"1\", this is a finding.\n\nCheck the saved\nvalue of TCP syncookies with the following command:\n\n$ sudo grep -i\nnet.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#'\n\nIf no output is\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to use TCP syncookies by running the following\ncommand:\n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \"1\" is not the system's default\nvalue, add or update the following line in \"/etc/sysctl.conf\":\n\nnet.ipv4.tcp_syncookies\n= 1"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000142-GPOS-00071 ","gid":"V-238333 ","rid":"SV-238333r654174_rule ","stig_id":"UBTU-20-010412 ","fix_id":"F-41502r654173_fix ","cci":["CCI-001095"],"nist":["SC-5 (2)"]},"code":"control 'SV-238333' do\n title 'The Ubuntu operating system must be configured to use TCP syncookies. '\n desc \"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use TCP syncookies.\n\nCheck the value of\nTCP syncookies with the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \\\"1\\\", this is a finding.\n\nCheck the saved\nvalue of TCP syncookies with the following command:\n\n$ sudo grep -i\nnet.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#'\n\nIf no output is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use TCP syncookies by running the following\ncommand:\n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \\\"1\\\" is not the system's default\nvalue, add or update the following line in \\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.tcp_syncookies\n= 1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000142-GPOS-00071 '\n tag gid: 'V-238333 '\n tag rid: 'SV-238333r654174_rule '\n tag stig_id: 'UBTU-20-010412 '\n tag fix_id: 'F-41502r654173_fix '\n tag cci: ['CCI-001095']\n tag nist: ['SC-5 (2)']\n\n describe kernel_parameter('net.ipv4.tcp_syncookies') do\n its('value') { should cmp 1 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238333.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Kernel Parameter net.ipv4.tcp_syncookies value is expected to cmp == 1","run_time":0.044232,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"kernel_parameter","resource_params":"[\"net.ipv4.tcp_syncookies\"]","resource_id":"net.ipv4.tcp_syncookies"}]},{"id":"SV-238334","title":"The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state\nif system initialization fails, shutdown fails or aborts fail. ","desc":"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition.","descriptions":[{"label":"default","data":"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition."},{"label":"check","data":"Verify that kernel core dumps are disabled unless needed.\n\nCheck if \"kdump\" service is\nactive with the following command:\n\n$ systemctl is-active kdump.service\ninactive\n\nIf\nthe \"kdump\" service is active, ask the SA if the use of the service is required and documented\nwith the ISSO.\n\nIf the service is active and is not documented, this is a finding."},{"label":"fix","data":"If kernel core dumps are not required, disable the \"kdump\" service with the following\ncommand:\n\n$ sudo systemctl disable kdump.service\n\nIf kernel core dumps are required,\ndocument the need with the ISSO."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000184-GPOS-00078 ","gid":"V-238334 ","rid":"SV-238334r654177_rule ","stig_id":"UBTU-20-010413 ","fix_id":"F-41503r654176_fix ","cci":["CCI-001190"],"nist":["SC-24"]},"code":"control 'SV-238334' do\n title \"The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state\nif system initialization fails, shutdown fails or aborts fail. \"\n desc \"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition. \"\n desc 'check', \"Verify that kernel core dumps are disabled unless needed.\n\nCheck if \\\"kdump\\\" service is\nactive with the following command:\n\n$ systemctl is-active kdump.service\ninactive\n\nIf\nthe \\\"kdump\\\" service is active, ask the SA if the use of the service is required and documented\nwith the ISSO.\n\nIf the service is active and is not documented, this is a finding. \"\n desc 'fix', \"If kernel core dumps are not required, disable the \\\"kdump\\\" service with the following\ncommand:\n\n$ sudo systemctl disable kdump.service\n\nIf kernel core dumps are required,\ndocument the need with the ISSO. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000184-GPOS-00078 '\n tag gid: 'V-238334 '\n tag rid: 'SV-238334r654177_rule '\n tag stig_id: 'UBTU-20-010413 '\n tag fix_id: 'F-41503r654176_fix '\n tag cci: ['CCI-001190']\n tag nist: ['SC-24']\n\n is_kdump_required = input('is_kdump_required')\n if is_kdump_required\n describe service('kdump') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\n else\n describe service('kdump') do\n it { should_not be_enabled }\n it { should_not be_installed }\n it { should_not be_running }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238334.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Service kdump is expected not to be enabled","run_time":0.045535,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"service","resource_params":"[\"kdump\"]","resource_id":"kdump"},{"status":"passed","code_desc":"Service kdump is expected not to be installed","run_time":0.000175,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"service","resource_params":"[\"kdump\"]","resource_id":"kdump"},{"status":"passed","code_desc":"Service kdump is expected not to be running","run_time":6.0e-05,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"service","resource_params":"[\"kdump\"]","resource_id":"kdump"}]},{"id":"SV-238335","title":"Ubuntu operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. ","desc":"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation.","descriptions":[{"label":"default","data":"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation."},{"label":"check","data":"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding."},{"label":"fix","data":"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000185-GPOS-00079 ","gid":"V-238335 ","rid":"SV-238335r654180_rule ","stig_id":"UBTU-20-010414 ","fix_id":"F-41504r654179_fix ","cci":["CCI-001199"],"nist":["SC-28"]},"code":"control 'SV-238335' do\n title \"Ubuntu operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. \"\n desc \"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation. \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000185-GPOS-00079 '\n tag gid: 'V-238335 '\n tag rid: 'SV-238335r654180_rule '\n tag stig_id: 'UBTU-20-010414 '\n tag fix_id: 'F-41504r654179_fix '\n tag cci: ['CCI-001199']\n tag nist: ['SC-28']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238335.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Not Applicable","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Encryption of data at rest is handled by the IaaS","resource_class":"Object","resource_params":"[]","resource_id":"Not Applicable"}]},{"id":"SV-238336","title":"The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention\n(ENSLTP). ","desc":"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement.","descriptions":[{"label":"default","data":"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement."},{"label":"check","data":"The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.\nHowever, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and\nrunning.\n\nCheck that the \"mcafeetp\" package has been installed:\n\n# dpkg -l | grep mcafeetp\n\n\nIf the \"mcafeetp\" package is not installed, this finding will remain as a CAT II.\n\nCheck that\nthe daemon is running:\n\n# /opt/McAfee/ens/tp/init/mfetpd-control.sh status\n\nIf the\ndaemon is not running, this finding will remain as a CAT II."},{"label":"fix","data":"The Ubuntu operating system is not compliant with this requirement; however, the severity\nlevel can be mitigated to a CAT III if the ENSLTP module is installed and running.\n\nConfigure\nthe Ubuntu operating system to use ENSLTP.\n\nInstall the \"mcafeetp\" package via the ePO\nserver."}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000191-GPOS-00080 ","gid":"V-238336 ","rid":"SV-238336r858538_rule ","stig_id":"UBTU-20-010415 ","fix_id":"F-41505r858537_fix ","cci":["CCI-001233"],"nist":["SI-2 (2)"]},"code":"control 'SV-238336' do\n title \"The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention\n(ENSLTP). \"\n desc \"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement. \"\n desc 'check', \"The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.\nHowever, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and\nrunning.\n\nCheck that the \\\"mcafeetp\\\" package has been installed:\n\n# dpkg -l | grep mcafeetp\n\n\nIf the \\\"mcafeetp\\\" package is not installed, this finding will remain as a CAT II.\n\nCheck that\nthe daemon is running:\n\n# /opt/McAfee/ens/tp/init/mfetpd-control.sh status\n\nIf the\ndaemon is not running, this finding will remain as a CAT II. \"\n desc 'fix', \"The Ubuntu operating system is not compliant with this requirement; however, the severity\nlevel can be mitigated to a CAT III if the ENSLTP module is installed and running.\n\nConfigure\nthe Ubuntu operating system to use ENSLTP.\n\nInstall the \\\"mcafeetp\\\" package via the ePO\nserver. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000191-GPOS-00080 '\n tag gid: 'V-238336 '\n tag rid: 'SV-238336r858538_rule '\n tag stig_id: 'UBTU-20-010415 '\n tag fix_id: 'F-41505r858537_fix '\n tag cci: ['CCI-001233']\n tag nist: ['SI-2 (2)']\n\n describe package('mfetp') do\n it { should be_installed }\n end\n\n describe command('/opt/McAfee/ens/tp/init/mfetpd-control.sh status') do\n its('exit_status') { should cmp 0 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238336.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package mfetp is expected to be installed","run_time":0.039688,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `System Package mfetp` is installed","resource_class":"package","resource_params":"[\"mfetp\"]","resource_id":"mfetp"},{"status":"failed","code_desc":"Command: `/opt/McAfee/ens/tp/init/mfetpd-control.sh status` exit_status is expected to cmp == 0","run_time":0.040492,"start_time":"2022-12-08T20:52:24-05:00","message":"\nexpected: 0\n got: 127\n\n(compared using `cmp` matcher)\n","resource_class":"command","resource_params":"[\"/opt/McAfee/ens/tp/init/mfetpd-control.sh status\"]","resource_id":"Command: `/opt/McAfee/ens/tp/init/mfetpd-control.sh status`"}]},{"id":"SV-238337","title":"The Ubuntu operating system must generate error messages that provide information\nnecessary for corrective actions without revealing information that could be exploited by\nadversaries. ","desc":"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers.","descriptions":[{"label":"default","data":"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers."},{"label":"check","data":"Verify the Ubuntu operating system has all system log files under the \"/var/log\" directory\nwith a permission set to 640 or less permissive by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;\n\nIf the command displays any output,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to set permissions of all log files under the\n\"/var/log\" directory to 640 or more restricted by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec chmod 640 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000205-GPOS-00083 ","gid":"V-238337 ","rid":"SV-238337r654186_rule ","stig_id":"UBTU-20-010416 ","fix_id":"F-41506r654185_fix ","cci":["CCI-001312"],"nist":["SI-11 a"]},"code":"control 'SV-238337' do\n title \"The Ubuntu operating system must generate error messages that provide information\nnecessary for corrective actions without revealing information that could be exploited by\nadversaries. \"\n desc \"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers. \"\n desc 'check', \"Verify the Ubuntu operating system has all system log files under the \\\"/var/log\\\" directory\nwith a permission set to 640 or less permissive by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec stat -c \\\"%n %a\\\" {} \\\\;\n\nIf the command displays any output,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to set permissions of all log files under the\n\\\"/var/log\\\" directory to 640 or more restricted by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec chmod 640 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000205-GPOS-00083 '\n tag gid: 'V-238337 '\n tag rid: 'SV-238337r654186_rule '\n tag stig_id: 'UBTU-20-010416 '\n tag fix_id: 'F-41506r654185_fix '\n tag cci: ['CCI-001312']\n tag nist: ['SI-11 a']\n\n log_files = command('find /var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;').stdout.strip.split(\"\\n\").entries\n\n describe 'Number of log files found with a permission NOT set to 640' do\n subject { log_files }\n its('count') { should eq 0 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238337.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Number of log files found with a permission NOT set to 640 count is expected to eq 0","run_time":0.000212,"start_time":"2022-12-08T20:52:24-05:00","message":"\nexpected: 0\n got: 9\n\n(compared using ==)\n","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238338","title":"The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \"%n %G\" /var/log\n/var/log\nsyslog\n\nIf the \"/var/log\" directory is not group-owned by syslog, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have syslog group-own the \"/var/log\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238338 ","rid":"SV-238338r654189_rule ","stig_id":"UBTU-20-010417 ","fix_id":"F-41507r654188_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238338' do\n title \"The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log\n/var/log\nsyslog\n\nIf the \\\"/var/log\\\" directory is not group-owned by syslog, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog group-own the \\\"/var/log\\\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238338 '\n tag rid: 'SV-238338r654189_rule '\n tag stig_id: 'UBTU-20-010417 '\n tag fix_id: 'F-41507r654188_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n its('group') { should cmp 'syslog' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238338.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Directory /var/log group is expected to cmp == \"syslog\"","run_time":0.044615,"start_time":"2022-12-08T20:52:24-05:00","message":"\nexpected: syslog\n got: root\n\n(compared using `cmp` matcher)\n","resource_class":"directory","resource_params":"[\"/var/log\"]","resource_id":"/var/log"}]},{"id":"SV-238339","title":"The Ubuntu operating system must configure the /var/log directory to be owned by root. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify the Ubuntu operating system configures the \"/var/log\" directory to be owned by root\nwith the following command:\n\n$ sudo stat -c \"%n %U\" /var/log\n/var/log root\n\nIf the\n\"/var/log\" directory is not owned by root, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have root own the \"/var/log\" directory by running\nthe following command:\n\n$ sudo chown root /var/log"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238339 ","rid":"SV-238339r654192_rule ","stig_id":"UBTU-20-010418 ","fix_id":"F-41508r654191_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238339' do\n title 'The Ubuntu operating system must configure the /var/log directory to be owned by root. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify the Ubuntu operating system configures the \\\"/var/log\\\" directory to be owned by root\nwith the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log\n/var/log root\n\nIf the\n\\\"/var/log\\\" directory is not owned by root, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have root own the \\\"/var/log\\\" directory by running\nthe following command:\n\n$ sudo chown root /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238339 '\n tag rid: 'SV-238339r654192_rule '\n tag stig_id: 'UBTU-20-010418 '\n tag fix_id: 'F-41508r654191_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n its('owner') { should cmp 'root' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238339.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /var/log owner is expected to cmp == \"root\"","run_time":0.000214,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"directory","resource_params":"[\"/var/log\"]","resource_id":"/var/log"}]},{"id":"SV-238340","title":"The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less\npermissive. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log\" directory with a mode of\n750 or less permissive with the following command:\n\n$ stat -c \"%n %a\" /var/log\n\n/var/log 750\n\n\nIf a value of \"750\" or less permissive is not returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have permissions of 0750 for the \"/var/log\"\ndirectory by running the following command:\n\n$ sudo chmod 0750 /var/log"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238340 ","rid":"SV-238340r654195_rule ","stig_id":"UBTU-20-010419 ","fix_id":"F-41509r654194_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238340' do\n title \"The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory with a mode of\n750 or less permissive with the following command:\n\n$ stat -c \\\"%n %a\\\" /var/log\n\n/var/log 750\n\n\nIf a value of \\\"750\\\" or less permissive is not returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0750 for the \\\"/var/log\\\"\ndirectory by running the following command:\n\n$ sudo chmod 0750 /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238340 '\n tag rid: 'SV-238340r654195_rule '\n tag stig_id: 'UBTU-20-010419 '\n tag fix_id: 'F-41509r654194_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n it { should_not be_more_permissive_than('0750') }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238340.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Directory /var/log is expected not to be more permissive than \"0750\"","run_time":0.054599,"start_time":"2022-12-08T20:52:24-05:00","message":"expected `Directory /var/log.more_permissive_than?(\"0750\")` to be falsey, got true","resource_class":"directory","resource_params":"[\"/var/log\"]","resource_id":"/var/log"}]},{"id":"SV-238341","title":"The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by\nadm. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be\ngroup-owned by adm with the following command:\n\n$ sudo stat -c \"%n %G\" /var/log/syslog\n\n/var/log/syslog adm\n\nIf the \"/var/log/syslog\" file is not group-owned by adm, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to have adm group-own the \"/var/log/syslog\" file by\nrunning the following command:\n\n$ sudo chgrp adm /var/log/syslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238341 ","rid":"SV-238341r654198_rule ","stig_id":"UBTU-20-010420 ","fix_id":"F-41510r654197_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238341' do\n title \"The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by\nadm. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be\ngroup-owned by adm with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log/syslog\n\n/var/log/syslog adm\n\nIf the \\\"/var/log/syslog\\\" file is not group-owned by adm, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have adm group-own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chgrp adm /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238341 '\n tag rid: 'SV-238341r654198_rule '\n tag stig_id: 'UBTU-20-010420 '\n tag fix_id: 'F-41510r654197_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n its('group') { should cmp 'adm' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238341.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /var/log/syslog group is expected to cmp == \"adm\"","run_time":0.038267,"start_time":"2022-12-08T20:52:24-05:00","message":"\nexpected: adm\n got: \n\n(compared using `cmp` matcher)\n","resource_class":"file","resource_params":"[\"/var/log/syslog\"]","resource_id":"/var/log/syslog"}]},{"id":"SV-238342","title":"The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \"%n %U\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \"/var/log/syslog\" file is not owned by syslog, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to have syslog own the \"/var/log/syslog\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238342 ","rid":"SV-238342r654201_rule ","stig_id":"UBTU-20-010421 ","fix_id":"F-41511r654200_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238342' do\n title 'The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \\\"/var/log/syslog\\\" file is not owned by syslog, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238342 '\n tag rid: 'SV-238342r654201_rule '\n tag stig_id: 'UBTU-20-010421 '\n tag fix_id: 'F-41511r654200_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n its('owner') { should cmp 'syslog' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238342.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /var/log/syslog owner is expected to cmp == \"syslog\"","run_time":0.00032,"start_time":"2022-12-08T20:52:24-05:00","message":"\nexpected: syslog\n got: \n\n(compared using `cmp` matcher)\n","resource_class":"file","resource_params":"[\"/var/log/syslog\"]","resource_id":"/var/log/syslog"}]},{"id":"SV-238343","title":"The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less\npermissive. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file with mode\n0640 or less permissive by running the following command:\n\n$ sudo stat -c \"%n %a\"\n/var/log/syslog\n\n/var/log/syslog 640\n\nIf a value of \"640\" or less permissive is not\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have permissions of 0640 for the \"/var/log/syslog\"\nfile by running the following command:\n\n$ sudo chmod 0640 /var/log/syslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238343 ","rid":"SV-238343r654204_rule ","stig_id":"UBTU-20-010422 ","fix_id":"F-41512r654203_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238343' do\n title \"The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file with mode\n0640 or less permissive by running the following command:\n\n$ sudo stat -c \\\"%n %a\\\"\n/var/log/syslog\n\n/var/log/syslog 640\n\nIf a value of \\\"640\\\" or less permissive is not\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0640 for the \\\"/var/log/syslog\\\"\nfile by running the following command:\n\n$ sudo chmod 0640 /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238343 '\n tag rid: 'SV-238343r654204_rule '\n tag stig_id: 'UBTU-20-010422 '\n tag fix_id: 'F-41512r654203_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n it { should_not be_more_permissive_than('0640') }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238343.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"File /var/log/syslog is expected not to be more permissive than \"0640\"","run_time":0.043326,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"file","resource_params":"[\"/var/log/syslog\"]","resource_id":"/var/log/syslog"}]},{"id":"SV-238344","title":"The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \"%n %a\"\n'{}' \\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding."},{"label":"fix","data":"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000258-GPOS-00099 ","gid":"V-238344 ","rid":"SV-238344r654207_rule ","stig_id":"UBTU-20-010423 ","fix_id":"F-41513r654206_fix ","cci":["CCI-001495"],"nist":["AU-9"]},"code":"control 'SV-238344' do\n title \"The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \\\"%n %a\\\"\n'{}' \\\\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238344 '\n tag rid: 'SV-238344r654207_rule '\n tag stig_id: 'UBTU-20-010423 '\n tag fix_id: 'F-41513r654206_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or\n /usr/local/sbin, that are less permissive than 0755\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238344.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or\n /usr/local/sbin, that are less permissive than 0755 count is expected to eq 0","run_time":0.000152,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238345","title":"The Ubuntu operating system must have directories that contain system commands owned by\nroot. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system commands directories are returned, this is\na finding."},{"label":"fix","data":"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -user root -type d -exec chown root '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000258-GPOS-00099 ","gid":"V-238345 ","rid":"SV-238345r654210_rule ","stig_id":"UBTU-20-010424 ","fix_id":"F-41514r654209_fix ","cci":["CCI-001495"],"nist":["AU-9"]},"code":"control 'SV-238345' do\n title \"The Ubuntu operating system must have directories that contain system commands owned by\nroot. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system commands directories are returned, this is\na finding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -user root -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238345 '\n tag rid: 'SV-238345r654210_rule '\n tag stig_id: 'UBTU-20-010424 '\n tag fix_id: 'F-41514r654209_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238345.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT owned by root count is expected to eq 0","run_time":0.000104,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238346","title":"The Ubuntu operating system must have directories that contain system commands group-owned\nby root. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \"%n %G\" '{}' \\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding."},{"label":"fix","data":"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000258-GPOS-00099 ","gid":"V-238346 ","rid":"SV-238346r654213_rule ","stig_id":"UBTU-20-010425 ","fix_id":"F-41515r654212_fix ","cci":["CCI-001495"],"nist":["AU-9"]},"code":"control 'SV-238346' do\n title \"The Ubuntu operating system must have directories that contain system commands group-owned\nby root. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238346 '\n tag rid: 'SV-238346r654213_rule '\n tag stig_id: 'UBTU-20-010425 '\n tag fix_id: 'F-41515r654212_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n # CHECK\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238346.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root count is expected to eq 0","run_time":0.000108,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238347","title":"The Ubuntu operating system library files must have mode 0755 or less permissive. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\",\nand \"/usr/lib\" have mode 0755 or less permissive with the following command:\n\n$ sudo find\n/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \"%n %a\" '{}' \\;\n\n/usr/lib64/pkcs11-spy.so\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding."},{"label":"fix","data":"Configure the library files to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238347 ","rid":"SV-238347r654216_rule ","stig_id":"UBTU-20-010426 ","fix_id":"F-41516r654215_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238347' do\n title 'The Ubuntu operating system library files must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" have mode 0755 or less permissive with the following command:\n\n$ sudo find\n/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\n/usr/lib64/pkcs11-spy.so\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. \"\n desc 'fix', \"Configure the library files to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238347 '\n tag rid: 'SV-238347r654216_rule '\n tag stig_id: 'UBTU-20-010426 '\n tag fix_id: 'F-41516r654215_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are less permissive than 0755' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238347.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library files found that are less permissive than 0755 count is expected to eq 0","run_time":0.000111,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238348","title":"The Ubuntu operating system library directories must have mode 0755 or less permissive. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib have\nmode 0755 or less permissive with the following command:\n\n$ sudo find /lib /lib64 /usr/lib\n-perm /022 -type d -exec stat -c \"%n %a\" '{}' \\;\n\nIf any of the aforementioned directories are\nfound to be group-writable or world-writable, this is a finding."},{"label":"fix","data":"Configure the shared library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}'\n\\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238348 ","rid":"SV-238348r654219_rule ","stig_id":"UBTU-20-010427 ","fix_id":"F-41517r654218_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238348' do\n title 'The Ubuntu operating system library directories must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib have\nmode 0755 or less permissive with the following command:\n\n$ sudo find /lib /lib64 /usr/lib\n-perm /022 -type d -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any of the aforementioned directories are\nfound to be group-writable or world-writable, this is a finding. \"\n desc 'fix', \"Configure the shared library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}'\n\\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238348 '\n tag rid: 'SV-238348r654219_rule '\n tag stig_id: 'UBTU-20-010427 '\n tag fix_id: 'F-41517r654218_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are less permissive than 0755' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238348.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library directories found that are less permissive than 0755 count is expected to eq 0","run_time":0.000105,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238349","title":"The Ubuntu operating system library files must be owned by root. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\",\nand \"/usr/lib\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! -user root -type f -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide library file is\nreturned, this is a finding."},{"label":"fix","data":"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238349 ","rid":"SV-238349r654222_rule ","stig_id":"UBTU-20-010428 ","fix_id":"F-41518r654221_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238349' do\n title 'The Ubuntu operating system library files must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! -user root -type f -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library file is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238349 '\n tag rid: 'SV-238349r654222_rule '\n tag stig_id: 'UBTU-20-010428 '\n tag fix_id: 'F-41518r654221_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238349.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library files found that are NOT owned by root count is expected to eq 0","run_time":0.000102,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238350","title":"The Ubuntu operating system library directories must be owned by root. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide library directory is returned, this is a\nfinding."},{"label":"fix","data":"Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238350 ","rid":"SV-238350r654225_rule ","stig_id":"UBTU-20-010429 ","fix_id":"F-41519r654224_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238350' do\n title 'The Ubuntu operating system library directories must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library directory is returned, this is a\nfinding. \"\n desc 'fix', \"Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238350 '\n tag rid: 'SV-238350r654225_rule '\n tag stig_id: 'UBTU-20-010429 '\n tag fix_id: 'F-41519r654224_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT owned by root' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238350.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library directories found that are NOT owned by root count is expected to eq 0","run_time":0.000103,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238351","title":"The Ubuntu operating system library files must be group-owned by root or a system account. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide library files contained in the directories \"/lib\", \"/lib64\", and\n\"/usr/lib\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \"%n %G\" '{}' \\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding."},{"label":"fix","data":"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command, replacing \"[FILE]\" with any system command file not group-owned by\n\"root\" or a required system account:\n\n$ sudo chgrp root [FILE]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238351 ","rid":"SV-238351r832962_rule ","stig_id":"UBTU-20-010430 ","fix_id":"F-41520r832961_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238351' do\n title 'The Ubuntu operating system library files must be group-owned by root or a system account. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\", and\n\\\"/usr/lib\\\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command, replacing \\\"[FILE]\\\" with any system command file not group-owned by\n\\\"root\\\" or a required system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238351 '\n tag rid: 'SV-238351r832962_rule '\n tag stig_id: 'UBTU-20-010430 '\n tag fix_id: 'F-41520r832961_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT group-owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238351.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library files found that are NOT group-owned by root count is expected to eq 0","run_time":0.000101,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238352","title":"The Ubuntu operating system library directories must be group-owned by root. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are\ngroup-owned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group\nroot -type d -exec stat -c \"%n %G\" '{}' \\;\n\nIf any system-wide shared library directory is\nreturned, this is a finding."},{"label":"fix","data":"Configure the system library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root\n'{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238352 ","rid":"SV-238352r654231_rule ","stig_id":"UBTU-20-010431 ","fix_id":"F-41521r654230_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238352' do\n title 'The Ubuntu operating system library directories must be group-owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\ngroup-owned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group\nroot -type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system-wide shared library directory is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238352 '\n tag rid: 'SV-238352r654231_rule '\n tag stig_id: 'UBTU-20-010431 '\n tag fix_id: 'F-41521r654230_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_directories = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_directories.count > 0\n library_directories.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT group-owned by root' do\n subject { library_directories }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238352.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library directories found that are NOT group-owned by root count is expected to eq 0","run_time":9.9e-05,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238353","title":"The Ubuntu operating system must be configured to preserve log records from failure events. ","desc":"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes.","descriptions":[{"label":"default","data":"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes."},{"label":"check","data":"Verify the log service is configured to collect system failure events.\n\nCheck that the log\nservice is installed properly with the following command:\n\n$ dpkg -l | grep rsyslog\n\nii\nrsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon\n\nIf the \"rsyslog\"\npackage is not installed, this is a finding.\n\nCheck that the log service is enabled with the\nfollowing command:\n\n$ systemctl is-enabled rsyslog\n\nenabled\n\nIf the command above\nreturns \"disabled\", this is a finding.\n\nCheck that the log service is properly running and\nactive on the system with the following command:\n\n$ systemctl is-active rsyslog\n\nactive\n\n\nIf the command above returns \"inactive\", this is a finding."},{"label":"fix","data":"Configure the log service to collect failure events.\n\nInstall the log service (if the log\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nrsyslog\n\nEnable the log service with the following command:\n\n$ sudo systemctl enable --now\nrsyslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000269-GPOS-00103 ","gid":"V-238353 ","rid":"SV-238353r654234_rule ","stig_id":"UBTU-20-010432 ","fix_id":"F-41522r654233_fix ","cci":["CCI-001665"],"nist":["SC-24"]},"code":"control 'SV-238353' do\n title 'The Ubuntu operating system must be configured to preserve log records from failure events. '\n desc \"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes. \"\n desc 'check', \"Verify the log service is configured to collect system failure events.\n\nCheck that the log\nservice is installed properly with the following command:\n\n$ dpkg -l | grep rsyslog\n\nii\nrsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon\n\nIf the \\\"rsyslog\\\"\npackage is not installed, this is a finding.\n\nCheck that the log service is enabled with the\nfollowing command:\n\n$ systemctl is-enabled rsyslog\n\nenabled\n\nIf the command above\nreturns \\\"disabled\\\", this is a finding.\n\nCheck that the log service is properly running and\nactive on the system with the following command:\n\n$ systemctl is-active rsyslog\n\nactive\n\n\nIf the command above returns \\\"inactive\\\", this is a finding. \"\n desc 'fix', \"Configure the log service to collect failure events.\n\nInstall the log service (if the log\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nrsyslog\n\nEnable the log service with the following command:\n\n$ sudo systemctl enable --now\nrsyslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000269-GPOS-00103 '\n tag gid: 'V-238353 '\n tag rid: 'SV-238353r654234_rule '\n tag stig_id: 'UBTU-20-010432 '\n tag fix_id: 'F-41522r654233_fix '\n tag cci: ['CCI-001665']\n tag nist: ['SC-24']\n\n describe service('rsyslog') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238353.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service rsyslog is expected to be installed","run_time":0.036959,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `Service rsyslog` is installed","resource_class":"service","resource_params":"[\"rsyslog\"]","resource_id":"rsyslog"},{"status":"failed","code_desc":"Service rsyslog is expected to be enabled","run_time":0.000298,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `Service rsyslog` is enabled","resource_class":"service","resource_params":"[\"rsyslog\"]","resource_id":"rsyslog"},{"status":"failed","code_desc":"Service rsyslog is expected to be running","run_time":0.000175,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `Service rsyslog` is running","resource_class":"service","resource_params":"[\"rsyslog\"]","resource_id":"rsyslog"}]},{"id":"SV-238354","title":"The Ubuntu operating system must have an application firewall installed in order to control\nremote access methods. ","desc":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).","descriptions":[{"label":"default","data":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets)."},{"label":"check","data":"Verify that the Uncomplicated Firewall is installed with the following command:\n\n$ dpkg -l |\ngrep ufw\n\nii ufw 0.36-6\n\nIf the \"ufw\" package is not installed, ask the System Administrator\nif another application firewall is installed.\n\nIf no application firewall is installed,\nthis is a finding."},{"label":"fix","data":"Install the Uncomplicated Firewall by using the following command:\n\n$ sudo apt-get install\nufw"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000297-GPOS-00115 ","gid":"V-238354 ","rid":"SV-238354r853429_rule ","stig_id":"UBTU-20-010433 ","fix_id":"F-41523r654236_fix ","cci":["CCI-002314"],"nist":["AC-17 (1)"]},"code":"control 'SV-238354' do\n title \"The Ubuntu operating system must have an application firewall installed in order to control\nremote access methods. \"\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify that the Uncomplicated Firewall is installed with the following command:\n\n$ dpkg -l |\ngrep ufw\n\nii ufw 0.36-6\n\nIf the \\\"ufw\\\" package is not installed, ask the System Administrator\nif another application firewall is installed.\n\nIf no application firewall is installed,\nthis is a finding. \"\n desc 'fix', \"Install the Uncomplicated Firewall by using the following command:\n\n$ sudo apt-get install\nufw \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238354 '\n tag rid: 'SV-238354r853429_rule '\n tag stig_id: 'UBTU-20-010433 '\n tag fix_id: 'F-41523r654236_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n\n describe package('ufw') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238354.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package ufw is expected to be installed","run_time":0.04034,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `System Package ufw` is installed","resource_class":"package","resource_params":"[\"ufw\"]","resource_id":"ufw"}]},{"id":"SV-238355","title":"The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). ","desc":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).","descriptions":[{"label":"default","data":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets)."},{"label":"check","data":"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl is-enabled ufw\n\nIf the above command returns the status as \"disabled\", this is\na finding.\n\nVerify the Uncomplicated Firewall is active on the system by running the\nfollowing command:\n\n$ systemctl is-active ufw\n\nIf the above command returns \"inactive\" or\nany kind of error, this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the\nSystem Administrator if another application firewall is installed.\n\nIf no application\nfirewall is installed, this is a finding."},{"label":"fix","data":"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\n--now ufw.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000297-GPOS-00115 ","gid":"V-238355 ","rid":"SV-238355r853430_rule ","stig_id":"UBTU-20-010434 ","fix_id":"F-41524r654239_fix ","cci":["CCI-002314"],"nist":["AC-17 (1)"]},"code":"control 'SV-238355' do\n title 'The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). '\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl is-enabled ufw\n\nIf the above command returns the status as \\\"disabled\\\", this is\na finding.\n\nVerify the Uncomplicated Firewall is active on the system by running the\nfollowing command:\n\n$ systemctl is-active ufw\n\nIf the above command returns \\\"inactive\\\" or\nany kind of error, this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the\nSystem Administrator if another application firewall is installed.\n\nIf no application\nfirewall is installed, this is a finding. \"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\n--now ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238355 '\n tag rid: 'SV-238355r853430_rule '\n tag stig_id: 'UBTU-20-010434 '\n tag fix_id: 'F-41524r654239_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238355.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service ufw is expected to be installed","run_time":0.040115,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `Service ufw` is installed","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be enabled","run_time":0.000245,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `Service ufw` is enabled","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be running","run_time":0.000168,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `Service ufw` is running","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"}]},{"id":"SV-238356","title":"The Ubuntu operating system must, for networked systems, compare internal information\nsystem clocks at least every 24 hours with a server which is synchronized to one of the\nredundant United States Naval Observatory (USNO) time servers, or a time server designated\nfor the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System\n(GPS). ","desc":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints).","descriptions":[{"label":"default","data":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints)."},{"label":"check","data":"If the system is not networked, this requirement is Not Applicable.\n\nThe system clock must be\nconfigured to compare the system clock at least every 24 hours to the authoritative time\nsource.\n\nCheck the value of \"maxpoll\" in the \"/etc/chrony/chrony.conf\" file with the\nfollowing command:\n\n$ sudo grep maxpoll /etc/chrony/chrony.conf\nserver\ntick.usno.navy.mil iburst maxpoll 16\n\nIf the \"maxpoll\" option is set to a number greater\nthan 16 or the line is commented out, this is a finding.\n\nVerify that the \"chrony.conf\" file is\nconfigured to an authoritative DoD time source by running the following command:\n\n$ grep -i\nserver /etc/chrony/chrony.conf\nserver tick.usno.navy.mil iburst maxpoll 16\nserver\ntock.usno.navy.mil iburst maxpoll 16\nserver ntp2.usno.navy.mil iburst maxpoll 16\n\nIf\nthe parameter \"server\" is not set, is not set to an authoritative DoD time source, or is\ncommented out, this is a finding."},{"label":"fix","data":"If the system is not networked, this requirement is Not Applicable.\n\nTo configure the system\nclock to compare the system clock at least every 24 hours to the authoritative time source,\nedit the \"/etc/chrony/chrony.conf\" file. Add or correct the following lines, by replacing\n\"[source]\" in the following line with an authoritative DoD time source:\n\nserver [source]\niburst maxpoll = 16\n\nIf the \"chrony\" service was running and the value of \"maxpoll\" or\n\"server\" was updated, the service must be restarted using the following command:\n\n$ sudo\nsystemctl restart chrony.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000355-GPOS-00143 ","gid":"V-238356 ","rid":"SV-238356r853431_rule ","stig_id":"UBTU-20-010435 ","fix_id":"F-41525r808491_fix ","cci":["CCI-001891"],"nist":["AU-8 (1) (a)"]},"code":"control 'SV-238356' do\n title \"The Ubuntu operating system must, for networked systems, compare internal information\nsystem clocks at least every 24 hours with a server which is synchronized to one of the\nredundant United States Naval Observatory (USNO) time servers, or a time server designated\nfor the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System\n(GPS). \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints). \"\n desc 'check', \"If the system is not networked, this requirement is Not Applicable.\n\nThe system clock must be\nconfigured to compare the system clock at least every 24 hours to the authoritative time\nsource.\n\nCheck the value of \\\"maxpoll\\\" in the \\\"/etc/chrony/chrony.conf\\\" file with the\nfollowing command:\n\n$ sudo grep maxpoll /etc/chrony/chrony.conf\nserver\ntick.usno.navy.mil iburst maxpoll 16\n\nIf the \\\"maxpoll\\\" option is set to a number greater\nthan 16 or the line is commented out, this is a finding.\n\nVerify that the \\\"chrony.conf\\\" file is\nconfigured to an authoritative DoD time source by running the following command:\n\n$ grep -i\nserver /etc/chrony/chrony.conf\nserver tick.usno.navy.mil iburst maxpoll 16\nserver\ntock.usno.navy.mil iburst maxpoll 16\nserver ntp2.usno.navy.mil iburst maxpoll 16\n\nIf\nthe parameter \\\"server\\\" is not set, is not set to an authoritative DoD time source, or is\ncommented out, this is a finding. \"\n desc 'fix', \"If the system is not networked, this requirement is Not Applicable.\n\nTo configure the system\nclock to compare the system clock at least every 24 hours to the authoritative time source,\nedit the \\\"/etc/chrony/chrony.conf\\\" file. Add or correct the following lines, by replacing\n\\\"[source]\\\" in the following line with an authoritative DoD time source:\n\nserver [source]\niburst maxpoll = 16\n\nIf the \\\"chrony\\\" service was running and the value of \\\"maxpoll\\\" or\n\\\"server\\\" was updated, the service must be restarted using the following command:\n\n$ sudo\nsystemctl restart chrony.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000355-GPOS-00143 '\n tag gid: 'V-238356 '\n tag rid: 'SV-238356r853431_rule '\n tag stig_id: 'UBTU-20-010435 '\n tag fix_id: 'F-41525r808491_fix '\n tag cci: ['CCI-001891']\n tag nist: ['AU-8 (1) (a)']\n\n is_system_networked = input('is_system_networked')\n\n if is_system_networked\n\n chrony_conf = input('chrony_config_file')\n chrony_conf_exists = file(chrony_conf).exist?\n\n if chrony_conf_exists\n describe 'time sources' do\n server_entries = command('grep \"^server\" /etc/chrony/chrony.conf').stdout.strip.split(\"\\n\").entries\n\n server_entries.each do |entry|\n describe entry do\n it { should match \"^server\\s+.*\\s+iburst\\s+maxpoll\\s+=\\s+17$\" }\n end\n end\n end\n else\n describe chrony_conf + ' exists' do\n subject { chrony_conf_exists }\n it { should be true }\n end\n end\n else\n describe 'System is not networked' do\n skip 'This control is Not Applicable as the system is not networked'\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238356.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/chrony/chrony.conf exists is expected to equal true","run_time":0.000182,"start_time":"2022-12-08T20:52:24-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/chrony/chrony.conf exists"}]},{"id":"SV-238357","title":"The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. ","desc":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference.","descriptions":[{"label":"default","data":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference."},{"label":"check","data":"Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \"makestep\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \"1 -1\", this is a finding."},{"label":"fix","data":"Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\"/etc/chrony/chrony.conf\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000356-GPOS-00144 ","gid":"V-238357 ","rid":"SV-238357r853432_rule ","stig_id":"UBTU-20-010436 ","fix_id":"F-41526r654245_fix ","cci":["CCI-002046"],"nist":["AU-8 (1) (b)"]},"code":"control 'SV-238357' do\n title \"The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference. \"\n desc 'check', \"Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \\\"makestep\\\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \\\"1 -1\\\", this is a finding. \"\n desc 'fix', \"Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\\\"/etc/chrony/chrony.conf\\\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000356-GPOS-00144 '\n tag gid: 'V-238357 '\n tag rid: 'SV-238357r853432_rule '\n tag stig_id: 'UBTU-20-010436 '\n tag fix_id: 'F-41526r654245_fix '\n tag cci: ['CCI-002046']\n tag nist: ['AU-8 (1) (b)']\n\n chrony_file_path = input('chrony_config_file')\n chrony_file = file(chrony_file_path)\n\n if chrony_file.exist?\n describe chrony_file do\n subject { chrony_file }\n its('content') { should match(/^makestep 1 -1/) }\n end\n else\n describe(chrony_file_path + ' exists') do\n subject { chrony_file.exist? }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238357.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/chrony/chrony.conf exists is expected to equal true","run_time":0.000139,"start_time":"2022-12-08T20:52:24-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/chrony/chrony.conf exists"}]},{"id":"SV-238358","title":"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the oper ","desc":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item.","descriptions":[{"label":"default","data":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ grep SILENTREPORTS /etc/default/aide\n\nSILENTREPORTS=no\n\n\nIf SILENTREPORTS is commented out, this is a finding.\n\nIf SILENTREPORTS is set to \"yes\",\nthis is a finding.\n\nIf SILENTREPORTS is not set to \"no\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \"SILENTREPORTS\"\nparameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000363-GPOS-00150 ","gid":"V-238358 ","rid":"SV-238358r853433_rule ","stig_id":"UBTU-20-010437 ","fix_id":"F-41527r654248_fix ","cci":["CCI-001744"],"nist":["CM-3 (5)"]},"code":"control 'SV-238358' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the oper \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ grep SILENTREPORTS /etc/default/aide\n\nSILENTREPORTS=no\n\n\nIf SILENTREPORTS is commented out, this is a finding.\n\nIf SILENTREPORTS is set to \\\"yes\\\",\nthis is a finding.\n\nIf SILENTREPORTS is not set to \\\"no\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000363-GPOS-00150 '\n tag gid: 'V-238358 '\n tag rid: 'SV-238358r853433_rule '\n tag stig_id: 'UBTU-20-010437 '\n tag fix_id: 'F-41527r654248_fix '\n tag cci: ['CCI-001744']\n tag nist: ['CM-3 (5)']\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238358.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /etc/default/aide is expected to exist","run_time":0.041037,"start_time":"2022-12-08T20:52:24-05:00","message":"expected File /etc/default/aide to exist","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"},{"status":"failed","code_desc":"File /etc/default/aide content is expected to match \"^SILENTREPORTS=no$\"","run_time":0.078939,"start_time":"2022-12-08T20:52:24-05:00","message":"expected nil to match \"^SILENTREPORTS=no$\"","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"}]},{"id":"SV-238359","title":"The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a certificate that is\nrecognized and approved by the organization. ","desc":"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA.","descriptions":[{"label":"default","data":"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA."},{"label":"check","data":"Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \"AllowUnauthenticated\" variable is not set at all or is set to \"false\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \"false\";\n\n\nIf any of the files returned from the command with \"AllowUnauthenticated\" are set to \"true\",\nthis is a finding."},{"label":"fix","data":"Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \"AllowUnauthenticated\" to \"false\",\nor remove \"AllowUnauthenticated\" entirely from each file. Below is an example of setting the\n\"AllowUnauthenticated\" variable to \"false\":\n\nAPT::Get::AllowUnauthenticated\n\"false\";"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000366-GPOS-00153 ","gid":"V-238359 ","rid":"SV-238359r853434_rule ","stig_id":"UBTU-20-010438 ","fix_id":"F-41528r654251_fix ","cci":["CCI-001749"],"nist":["CM-5 (3)"]},"code":"control 'SV-238359' do\n title \"The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a certificate that is\nrecognized and approved by the organization. \"\n desc \"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA. \"\n desc 'check', \"Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \\\"AllowUnauthenticated\\\" variable is not set at all or is set to \\\"false\\\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \\\"false\\\";\n\n\nIf any of the files returned from the command with \\\"AllowUnauthenticated\\\" are set to \\\"true\\\",\nthis is a finding. \"\n desc 'fix', \"Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \\\"AllowUnauthenticated\\\" to \\\"false\\\",\nor remove \\\"AllowUnauthenticated\\\" entirely from each file. Below is an example of setting the\n\\\"AllowUnauthenticated\\\" variable to \\\"false\\\":\n\nAPT::Get::AllowUnauthenticated\n\\\"false\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000366-GPOS-00153 '\n tag gid: 'V-238359 '\n tag rid: 'SV-238359r853434_rule '\n tag stig_id: 'UBTU-20-010438 '\n tag fix_id: 'F-41528r654251_fix '\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n apt_allowunauth = command('grep -i allowunauth /etc/apt/apt.conf.d/*').stdout.strip.split(\"\\n\")\n if apt_allowunauth.empty?\n describe 'apt conf files do not contain AllowUnauthenticated' do\n subject { apt_allowunauth.empty? }\n it { should be true }\n end\n else\n apt_allowunauth.each do |line|\n describe \"#{line} contains AllowUnauthenctication\" do\n subject { line }\n it { should_not match(/.*false.*/) }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238359.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /etc/apt/apt.conf.d is expected to exist","run_time":0.081026,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"directory","resource_params":"[\"/etc/apt/apt.conf.d\"]","resource_id":"/etc/apt/apt.conf.d"},{"status":"passed","code_desc":"apt conf files do not contain AllowUnauthenticated is expected to equal true","run_time":0.000188,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"apt conf files do not contain AllowUnauthenticated"}]},{"id":"SV-238360","title":"The Ubuntu operating system must be configured to use AppArmor. ","desc":"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).","descriptions":[{"label":"default","data":"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles)."},{"label":"check","data":"Verify the operating system prevents program execution in accordance with local policies.\n\n\nCheck that AppArmor is installed and active by running the following command,\n\n$ dpkg -l |\ngrep apparmor\n\nIf the \"apparmor\" package is not installed, this is a finding.\n\n$ systemctl\nis-active apparmor.service\n\nactive\n\nIf \"active\" is not returned, this is a finding.\n\n$\nsystemctl is-enabled apparmor.service\n\nenabled\n\nIf \"enabled\" is not returned, this is a\nfinding."},{"label":"fix","data":"Install \"AppArmor\" (if it is not installed) with the following command:\n\n$ sudo apt-get\ninstall apparmor\n\n$ sudo systemctl enable apparmor.service\n\nStart \"apparmor\" with the\nfollowing command:\n\n$ sudo systemctl start apparmor.service\n\nNote: AppArmor must have\nproperly configured profiles for applications and home directories. All configurations\nwill be based on the actual system setup and organization and normally are on a per role basis.\nSee the AppArmor documentation for more information on configuring profiles."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000368-GPOS-00154 ","satisfies":["SRG-OS-000368-GPOS-00154","SRG-OS-000312-GPOS-00122","SRG-OS-000312-GPOS-00123","SRG-OS-000312-GPOS-00124","SRG-OS-000324-GPOS-00125","SRG-OS-000370-GPOS-00155"],"gid":"V-238360 ","rid":"SV-238360r853435_rule ","stig_id":"UBTU-20-010439 ","fix_id":"F-41529r654254_fix ","cci":["CCI-001764","CCI-001774","CCI-002165","CCI-002235"],"nist":["CM-7 (2)","CM-7 (5) (b)","AC-3 (4)","AC-6 (10)"]},"code":"control 'SV-238360' do\n title 'The Ubuntu operating system must be configured to use AppArmor. '\n desc \"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).\n\n \"\n desc 'check', \"Verify the operating system prevents program execution in accordance with local policies.\n\n\nCheck that AppArmor is installed and active by running the following command,\n\n$ dpkg -l |\ngrep apparmor\n\nIf the \\\"apparmor\\\" package is not installed, this is a finding.\n\n$ systemctl\nis-active apparmor.service\n\nactive\n\nIf \\\"active\\\" is not returned, this is a finding.\n\n$\nsystemctl is-enabled apparmor.service\n\nenabled\n\nIf \\\"enabled\\\" is not returned, this is a\nfinding. \"\n desc 'fix', \"Install \\\"AppArmor\\\" (if it is not installed) with the following command:\n\n$ sudo apt-get\ninstall apparmor\n\n$ sudo systemctl enable apparmor.service\n\nStart \\\"apparmor\\\" with the\nfollowing command:\n\n$ sudo systemctl start apparmor.service\n\nNote: AppArmor must have\nproperly configured profiles for applications and home directories. All configurations\nwill be based on the actual system setup and organization and normally are on a per role basis.\nSee the AppArmor documentation for more information on configuring profiles. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000368-GPOS-00154 '\n tag satisfies: %w(SRG-OS-000368-GPOS-00154 SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123 SRG-OS-000312-GPOS-00124 SRG-OS-000324-GPOS-00125 SRG-OS-000370-GPOS-00155)\n tag gid: 'V-238360 '\n tag rid: 'SV-238360r853435_rule '\n tag stig_id: 'UBTU-20-010439 '\n tag fix_id: 'F-41529r654254_fix '\n tag cci: %w(CCI-001764 CCI-001774 CCI-002165 CCI-002235)\n tag nist: ['CM-7 (2)', 'CM-7 (5) (b)', 'AC-3 (4)', 'AC-6 (10)']\n\n describe service('apparmor') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238360.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service apparmor is expected to be installed","run_time":0.035605,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `Service apparmor` is installed","resource_class":"service","resource_params":"[\"apparmor\"]","resource_id":"apparmor"},{"status":"failed","code_desc":"Service apparmor is expected to be enabled","run_time":0.000259,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `Service apparmor` is enabled","resource_class":"service","resource_params":"[\"apparmor\"]","resource_id":"apparmor"},{"status":"failed","code_desc":"Service apparmor is expected to be running","run_time":0.000172,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `Service apparmor` is running","resource_class":"service","resource_params":"[\"apparmor\"]","resource_id":"apparmor"}]},{"id":"SV-238361","title":"The Ubuntu operating system must allow the use of a temporary password for system logons with\nan immediate change to a permanent password. ","desc":"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated.","descriptions":[{"label":"default","data":"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated."},{"label":"check","data":"Verify a policy exists that ensures when a user account is created, it is created using a method\nthat forces a user to change their password upon their next login.\n\nIf a policy does not exist,\nthis is a finding."},{"label":"fix","data":"Create a policy that ensures when a user is created, it is created using a method that forces a\nuser to change their password upon their next login.\n\nBelow are two examples of how to create a\nuser account that requires the user to change their password upon their next login.\n\n$ sudo\nchage -d 0 [UserName]\n\nor\n\n$ sudo passwd -e [UserName]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000380-GPOS-00165 ","gid":"V-238361 ","rid":"SV-238361r853436_rule ","stig_id":"UBTU-20-010440 ","fix_id":"F-41530r654257_fix ","cci":["CCI-002041"],"nist":["IA-5 (1) (f)"]},"code":"control 'SV-238361' do\n title \"The Ubuntu operating system must allow the use of a temporary password for system logons with\nan immediate change to a permanent password. \"\n desc \"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated. \"\n desc 'check', \"Verify a policy exists that ensures when a user account is created, it is created using a method\nthat forces a user to change their password upon their next login.\n\nIf a policy does not exist,\nthis is a finding. \"\n desc 'fix', \"Create a policy that ensures when a user is created, it is created using a method that forces a\nuser to change their password upon their next login.\n\nBelow are two examples of how to create a\nuser account that requires the user to change their password upon their next login.\n\n$ sudo\nchage -d 0 [UserName]\n\nor\n\n$ sudo passwd -e [UserName] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000380-GPOS-00165 '\n tag gid: 'V-238361 '\n tag rid: 'SV-238361r853436_rule '\n tag stig_id: 'UBTU-20-010440 '\n tag fix_id: 'F-41530r654257_fix '\n tag cci: ['CCI-002041']\n tag nist: ['IA-5 (1) (f)']\n\n describe 'Manual verification required' do\n skip 'Manually verify if a policy exists to ensure that a method exists to force temporary\n users to change their password upon next login'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238361.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Manual verification required","run_time":1.1e-05,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Manually verify if a policy exists to ensure that a method exists to force temporary\n users to change their password upon next login","resource_class":"Object","resource_params":"[]","resource_id":"Manual verification required"}]},{"id":"SV-238362","title":"The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. ","desc":"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable.","descriptions":[{"label":"default","data":"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable."},{"label":"check","data":"If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\"offline_credentials_expiration\" is not set to a value of \"1\" in \"/etc/sssd/sssd.conf\" or\nin a file with a name ending in .conf in the \"/etc/sssd/conf.d/\" directory, this is a finding."},{"label":"fix","data":"Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \"/etc/sssd/sssd.conf\" just below the line \"[pam]\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \".conf\" and does not begin with a \".\" in the \"/etc/sssd/conf.d/\"\ndirectory instead of the \"/etc/sssd/sssd.conf\" file."}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000383-GPOS-00166 ","gid":"V-238362 ","rid":"SV-238362r853437_rule ","stig_id":"UBTU-20-010441 ","fix_id":"F-41531r654260_fix ","cci":["CCI-002007"],"nist":["IA-5 (13)"]},"code":"control 'SV-238362' do\n title \"The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. \"\n desc \"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable. \"\n desc 'check', \"If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\\\"offline_credentials_expiration\\\" is not set to a value of \\\"1\\\" in \\\"/etc/sssd/sssd.conf\\\" or\nin a file with a name ending in .conf in the \\\"/etc/sssd/conf.d/\\\" directory, this is a finding. \"\n desc 'fix', \"Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \\\"/etc/sssd/sssd.conf\\\" just below the line \\\"[pam]\\\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \\\".conf\\\" and does not begin with a \\\".\\\" in the \\\"/etc/sssd/conf.d/\\\"\ndirectory instead of the \\\"/etc/sssd/sssd.conf\\\" file. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000383-GPOS-00166 '\n tag gid: 'V-238362 '\n tag rid: 'SV-238362r853437_rule '\n tag stig_id: 'UBTU-20-010441 '\n tag fix_id: 'F-41531r654260_fix '\n tag cci: ['CCI-002007']\n tag nist: ['IA-5 (13)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = input('sssd_conf_path')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('offline_credentials_expiration') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238362.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238363","title":"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. ","desc":"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.","descriptions":[{"label":"default","data":"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated."},{"label":"check","data":"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \"1\" is not returned, this is a finding."},{"label":"fix","data":"Configure the system to run in FIPS mode. Add \"fips=1\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \"Ubuntu\nAdvantage\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS."}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000396-GPOS-00176 ","satisfies":["SRG-OS-000396-GPOS-00176","SRG-OS-000478-GPOS-00223"],"gid":"V-238363 ","rid":"SV-238363r853438_rule ","stig_id":"UBTU-20-010442 ","fix_id":"F-41532r654263_fix ","cci":["CCI-002450"],"nist":["SC-13 b"]},"code":"control 'SV-238363' do\n title \"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. \"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.\n\n \"\n desc 'check', \"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \\\"1\\\" is not returned, this is a finding. \"\n desc 'fix', \"Configure the system to run in FIPS mode. Add \\\"fips=1\\\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \\\"Ubuntu\nAdvantage\\\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000396-GPOS-00176 '\n tag satisfies: %w(SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223)\n tag gid: 'V-238363 '\n tag rid: 'SV-238363r853438_rule '\n tag stig_id: 'UBTU-20-010442 '\n tag fix_id: 'F-41532r654263_fix '\n tag cci: ['CCI-002450']\n tag nist: ['SC-13 b']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n config_file = input('fips_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe file(config_file) do\n its('content') { should match(/\\A1\\Z/) }\n end\n else\n describe('FIPS is enabled') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238363.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"FIPS validation in a container must be reviewed manually","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"FIPS validation in a container must be reviewed manually","resource_class":"Object","resource_params":"[]","resource_id":"FIPS validation in a container must be reviewed manually"}]},{"id":"SV-238364","title":"The Ubuntu operating system must only allow the use of DoD PKI-established certificate\nauthorities for verification of the establishment of protected sessions. ","desc":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates.","descriptions":[{"label":"default","data":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates."},{"label":"check","data":"Verify the directory containing the root certificates for the Ubuntu operating system\n(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate\nauthorities.\n\nDetermine if \"/etc/ssl/certs\" only contains certificate files whose\nsha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities\nwith the following command:\n\n$ for f in $(realpath /etc/ssl/certs/*); do openssl x509\n-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)';\ndone\n\nIf any entry is found, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to only allow the use of DoD PKI-established\ncertificate authorities for verification of the establishment of protected sessions.\n\n\nEdit the \"/etc/ca-certificates.conf\" file, adding the character \"!\" to the beginning of\nall uncommented lines that do not start with the \"!\" character with the following command:\n\n$\nsudo sed -i -E 's/^([^!#]+)/!\\1/' /etc/ca-certificates.conf\n\nAdd at least one DoD\ncertificate authority to the \"/usr/local/share/ca-certificates\" directory in the PEM\nformat.\n\nUpdate the \"/etc/ssl/certs\" directory with the following command:\n\n$ sudo\nupdate-ca-certificates"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000403-GPOS-00182 ","gid":"V-238364 ","rid":"SV-238364r860824_rule ","stig_id":"UBTU-20-010443 ","fix_id":"F-41533r860823_fix ","cci":["CCI-002470"],"nist":["SC-23 (5)"]},"code":"control 'SV-238364' do\n title \"The Ubuntu operating system must only allow the use of DoD PKI-established certificate\nauthorities for verification of the establishment of protected sessions. \"\n desc \"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates. \"\n desc 'check', \"Verify the directory containing the root certificates for the Ubuntu operating system\n(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate\nauthorities.\n\nDetermine if \\\"/etc/ssl/certs\\\" only contains certificate files whose\nsha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities\nwith the following command:\n\n$ for f in $(realpath /etc/ssl/certs/*); do openssl x509\n-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)';\ndone\n\nIf any entry is found, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to only allow the use of DoD PKI-established\ncertificate authorities for verification of the establishment of protected sessions.\n\n\nEdit the \\\"/etc/ca-certificates.conf\\\" file, adding the character \\\"!\\\" to the beginning of\nall uncommented lines that do not start with the \\\"!\\\" character with the following command:\n\n$\nsudo sed -i -E 's/^([^!#]+)/!\\\\1/' /etc/ca-certificates.conf\n\nAdd at least one DoD\ncertificate authority to the \\\"/usr/local/share/ca-certificates\\\" directory in the PEM\nformat.\n\nUpdate the \\\"/etc/ssl/certs\\\" directory with the following command:\n\n$ sudo\nupdate-ca-certificates \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000403-GPOS-00182 '\n tag gid: 'V-238364 '\n tag rid: 'SV-238364r860824_rule '\n tag stig_id: 'UBTU-20-010443 '\n tag fix_id: 'F-41533r860823_fix '\n tag cci: ['CCI-002470']\n tag nist: ['SC-23 (5)']\n\n allowed_ca_fingerprints_regex = input('allowed_ca_fingerprints_regex')\n find_command = ''\"\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '#{allowed_ca_fingerprints_regex}'\n done\n \"''\n describe command(find_command) do\n its('stdout') { should cmp '' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238364.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Command: `\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'\n done\n ` stdout is expected to cmp == \"\"","run_time":0.039879,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"command","resource_params":"[\"\\n for f in $(find -L /etc/ssl/certs -type f); do\\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'\\n done\\n \"]","resource_id":"Command: `\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'\n done\n `"}]},{"id":"SV-238365","title":"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\nmodification of all information at rest. ","desc":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).","descriptions":[{"label":"default","data":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields)."},{"label":"check","data":"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n$\nsudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding."},{"label":"fix","data":"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000404-GPOS-00183 ","gid":"V-238365 ","rid":"SV-238365r853442_rule ","stig_id":"UBTU-20-010444 ","fix_id":"F-41534r654269_fix ","cci":["CCI-002475"],"nist":["SC-28 (1)"]},"code":"control 'SV-238365' do\n title \"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\nmodification of all information at rest. \"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n$\nsudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000404-GPOS-00183 '\n tag gid: 'V-238365 '\n tag rid: 'SV-238365r853442_rule '\n tag stig_id: 'UBTU-20-010444 '\n tag fix_id: 'F-41534r654269_fix '\n tag cci: ['CCI-002475']\n tag nist: ['SC-28 (1)']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238365.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Not Applicable","run_time":6.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Encryption of data at rest is handled by the IaaS","resource_class":"Object","resource_params":"[]","resource_id":"Not Applicable"}]},{"id":"SV-238366","title":"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\ndisclosure of all information at rest. ","desc":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).","descriptions":[{"label":"default","data":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields)."},{"label":"check","data":"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n$sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding."},{"label":"fix","data":"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000405-GPOS-00184 ","gid":"V-238366 ","rid":"SV-238366r853443_rule ","stig_id":"UBTU-20-010445 ","fix_id":"F-41535r654272_fix ","cci":["CCI-002476"],"nist":["SC-28 (1)"]},"code":"control 'SV-238366' do\n title \"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\ndisclosure of all information at rest. \"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n$sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000405-GPOS-00184 '\n tag gid: 'V-238366 '\n tag rid: 'SV-238366r853443_rule '\n tag stig_id: 'UBTU-20-010445 '\n tag fix_id: 'F-41535r654272_fix '\n tag cci: ['CCI-002476']\n tag nist: ['SC-28 (1)']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238366.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Not Applicable","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Encryption of data at rest is handled by the IaaS","resource_class":"Object","resource_params":"[]","resource_id":"Not Applicable"}]},{"id":"SV-238367","title":"The Ubuntu operating system must configure the uncomplicated firewall to rate-limit\nimpacted network interfaces. ","desc":"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks.","descriptions":[{"label":"default","data":"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks."},{"label":"check","data":"Verify an application firewall is configured to rate limit any connection to the system.\n\n\nCheck all the services listening to the ports with the following command:\n\n$ sudo ss -l46ut\n\n\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128\n[::]:ssh [::]:*\n\nFor each entry, verify that the Uncomplicated Firewall is configured to\nrate limit the service ports with the following command:\n\n$ sudo ufw status\n\nStatus: active\n\n\nTo Action From\n-- ------ ----\n22/tcp LIMIT Anywhere\n22/tcp (v6) LIMIT Anywhere (v6)\n\nIf\nany port with a state of \"LISTEN\" is not marked with the \"LIMIT\" action, this is a finding."},{"label":"fix","data":"Configure the application firewall to protect against or limit the effects of DoS attacks by\nensuring the Ubuntu operating system is implementing rate-limiting measures on impacted\nnetwork interfaces.\n\nCheck all the services listening to the ports with the following\ncommand:\n\n$ sudo ss -l46ut\n\nNetid State Recv-Q Send-Q Local Address:Port Peer\nAddress:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*\n\nFor each service with a port\nlistening to connections, run the following command, replacing \"[service]\" with the\nservice that needs to be rate limited.\n\n$ sudo ufw limit [service]\n\nRate-limiting can also\nbe done on an interface. An example of adding a rate-limit on the eth0 interface follows:\n\n$\nsudo ufw limit in on eth0"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000420-GPOS-00186 ","gid":"V-238367 ","rid":"SV-238367r853444_rule ","stig_id":"UBTU-20-010446 ","fix_id":"F-41536r654275_fix ","cci":["CCI-002385"],"nist":["SC-5 a"]},"code":"control 'SV-238367' do\n title \"The Ubuntu operating system must configure the uncomplicated firewall to rate-limit\nimpacted network interfaces. \"\n desc \"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks. \"\n desc 'check', \"Verify an application firewall is configured to rate limit any connection to the system.\n\n\nCheck all the services listening to the ports with the following command:\n\n$ sudo ss -l46ut\n\n\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128\n[::]:ssh [::]:*\n\nFor each entry, verify that the Uncomplicated Firewall is configured to\nrate limit the service ports with the following command:\n\n$ sudo ufw status\n\nStatus: active\n\n\nTo Action From\n-- ------ ----\n22/tcp LIMIT Anywhere\n22/tcp (v6) LIMIT Anywhere (v6)\n\nIf\nany port with a state of \\\"LISTEN\\\" is not marked with the \\\"LIMIT\\\" action, this is a finding. \"\n desc 'fix', \"Configure the application firewall to protect against or limit the effects of DoS attacks by\nensuring the Ubuntu operating system is implementing rate-limiting measures on impacted\nnetwork interfaces.\n\nCheck all the services listening to the ports with the following\ncommand:\n\n$ sudo ss -l46ut\n\nNetid State Recv-Q Send-Q Local Address:Port Peer\nAddress:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*\n\nFor each service with a port\nlistening to connections, run the following command, replacing \\\"[service]\\\" with the\nservice that needs to be rate limited.\n\n$ sudo ufw limit [service]\n\nRate-limiting can also\nbe done on an interface. An example of adding a rate-limit on the eth0 interface follows:\n\n$\nsudo ufw limit in on eth0 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000420-GPOS-00186 '\n tag gid: 'V-238367 '\n tag rid: 'SV-238367r853444_rule '\n tag stig_id: 'UBTU-20-010446 '\n tag fix_id: 'F-41536r654275_fix '\n tag cci: ['CCI-002385']\n tag nist: ['SC-5 a']\n\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238367.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Status listings for any allowed services, ports, or applications must be documented with the organization","run_time":5.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Status listings checks must be preformed manually","resource_class":"Object","resource_params":"[]","resource_id":"Status listings for any allowed services, ports, or applications must be documented with the organization"}]},{"id":"SV-238368","title":"The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. ","desc":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks.","descriptions":[{"label":"default","data":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks."},{"label":"check","data":"Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \"execute disable\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\"dmesg\" does not show \"NX (Execute Disable) protection: active\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \"flags\" does not contain the \"nx\" flag, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to enable NX.\n\nIf \"nx\" is not showing up in\n\"/proc/cpuinfo\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \"enable\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000433-GPOS-00192 ","gid":"V-238368 ","rid":"SV-238368r853445_rule ","stig_id":"UBTU-20-010447 ","fix_id":"F-41537r654278_fix ","cci":["CCI-002824"],"nist":["SI-16"]},"code":"control 'SV-238368' do\n title \"The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \\\"execute disable\\\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\\\"dmesg\\\" does not show \\\"NX (Execute Disable) protection: active\\\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \\\"flags\\\" does not contain the \\\"nx\\\" flag, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enable NX.\n\nIf \\\"nx\\\" is not showing up in\n\\\"/proc/cpuinfo\\\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \\\"enable\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00192 '\n tag gid: 'V-238368 '\n tag rid: 'SV-238368r853445_rule '\n tag stig_id: 'UBTU-20-010447 '\n tag fix_id: 'F-41537r654278_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/,\n }\n describe.one do\n describe command('dmesg | grep NX').stdout.strip do\n it { should match(/.+(NX \\(Execute Disable\\) protection: active)/) }\n end\n describe parse_config_file('/proc/cpuinfo', options).flags.split(' ') do\n it { should include 'nx' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238368.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238369","title":"The Ubuntu operating system must implement address space layout randomization to protect\nits memory from unauthorized code execution. ","desc":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks.","descriptions":[{"label":"default","data":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks."},{"label":"check","data":"Verify the Ubuntu operating system implements address space layout randomization (ASLR)\nwith the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\n\nkernel.randomize_va_space = 2\n\nIf nothing is returned, verify the kernel parameter\n\"randomize_va_space\" is set to \"2\" with the following command:\n\n$ cat\n/proc/sys/kernel/randomize_va_space\n\n2\n\nIf \"kernel.randomize_va_space\" is not set to\n\"2\", this is a finding.\n\nVerify that a saved value of the \"kernel.randomize_va_space\"\nvariable is not defined.\n\n$ sudo egrep -R \"^kernel.randomize_va_space=[^2]\"\n/etc/sysctl.conf /etc/sysctl.d\n\nIf this returns a result, this is a finding."},{"label":"fix","data":"Remove the \"kernel.randomize_va_space\" entry found in the \"/etc/sysctl.conf\" file or any\nfile located in the \"/etc/sysctl.d/\" directory.\n\nAfter the line has been removed, the\nkernel settings from all system configuration files must be reloaded before any of the\nchanges will take effect. Run the following command to reload all of the kernel system\nconfiguration files:\n\n$ sudo sysctl --system"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000433-GPOS-00193 ","gid":"V-238369 ","rid":"SV-238369r853446_rule ","stig_id":"UBTU-20-010448 ","fix_id":"F-41538r654281_fix ","cci":["CCI-002824"],"nist":["SI-16"]},"code":"control 'SV-238369' do\n title \"The Ubuntu operating system must implement address space layout randomization to protect\nits memory from unauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the Ubuntu operating system implements address space layout randomization (ASLR)\nwith the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\n\nkernel.randomize_va_space = 2\n\nIf nothing is returned, verify the kernel parameter\n\\\"randomize_va_space\\\" is set to \\\"2\\\" with the following command:\n\n$ cat\n/proc/sys/kernel/randomize_va_space\n\n2\n\nIf \\\"kernel.randomize_va_space\\\" is not set to\n\\\"2\\\", this is a finding.\n\nVerify that a saved value of the \\\"kernel.randomize_va_space\\\"\nvariable is not defined.\n\n$ sudo egrep -R \\\"^kernel.randomize_va_space=[^2]\\\"\n/etc/sysctl.conf /etc/sysctl.d\n\nIf this returns a result, this is a finding. \"\n desc 'fix', \"Remove the \\\"kernel.randomize_va_space\\\" entry found in the \\\"/etc/sysctl.conf\\\" file or any\nfile located in the \\\"/etc/sysctl.d/\\\" directory.\n\nAfter the line has been removed, the\nkernel settings from all system configuration files must be reloaded before any of the\nchanges will take effect. Run the following command to reload all of the kernel system\nconfiguration files:\n\n$ sudo sysctl --system \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00193 '\n tag gid: 'V-238369 '\n tag rid: 'SV-238369r853446_rule '\n tag stig_id: 'UBTU-20-010448 '\n tag fix_id: 'F-41538r654281_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n\n describe kernel_parameter('kernel.randomize_va_space') do\n its('value') { should cmp 2 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238369.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Kernel Parameter kernel.randomize_va_space value is expected to cmp == 2","run_time":0.033237,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"kernel_parameter","resource_params":"[\"kernel.randomize_va_space\"]","resource_id":"kernel.randomize_va_space"}]},{"id":"SV-238370","title":"The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. ","desc":"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system.","descriptions":[{"label":"default","data":"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system."},{"label":"check","data":"Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";\n\nIf the\n\"::Remove-Unused-Dependencies\" and \"::Remove-Unused-Kernel-Packages\" parameters are\nnot set to \"true\" or are missing or commented out, this is a finding."},{"label":"fix","data":"Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\"/etc/apt/apt.conf.d/50unattended-upgrades\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000437-GPOS-00194 ","gid":"V-238370 ","rid":"SV-238370r853447_rule ","stig_id":"UBTU-20-010449 ","fix_id":"F-41539r654284_fix ","cci":["CCI-002617"],"nist":["SI-2 (6)"]},"code":"control 'SV-238370' do\n title \"The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. \"\n desc \"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system. \"\n desc 'check', \"Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\";\n\nIf the\n\\\"::Remove-Unused-Dependencies\\\" and \\\"::Remove-Unused-Kernel-Packages\\\" parameters are\nnot set to \\\"true\\\" or are missing or commented out, this is a finding. \"\n desc 'fix', \"Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\\\"/etc/apt/apt.conf.d/50unattended-upgrades\\\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000437-GPOS-00194 '\n tag gid: 'V-238370 '\n tag rid: 'SV-238370r853447_rule '\n tag stig_id: 'UBTU-20-010449 '\n tag fix_id: 'F-41539r654284_fix '\n tag cci: ['CCI-002617']\n tag nist: ['SI-2 (6)']\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n describe command('grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades').stdout.strip do\n it { should match(/^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/) }\n it { should match(/^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/) }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238370.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /etc/apt/apt.conf.d is expected to exist","run_time":0.000146,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"directory","resource_params":"[\"/etc/apt/apt.conf.d\"]","resource_id":"/etc/apt/apt.conf.d"},{"status":"failed","code_desc":"is expected to match /^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/","run_time":0.000494,"start_time":"2022-12-08T20:52:24-05:00","message":"expected \"\" to match /^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/\nDiff:\n@@ -1 +1 @@\n-/^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/\n+\"\"\n","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected to match /^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/","run_time":0.000196,"start_time":"2022-12-08T20:52:24-05:00","message":"expected \"\" to match /^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/\nDiff:\n@@ -1 +1 @@\n-/^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/\n+\"\"\n","resource_class":"Object","resource_params":"[]","resource_id":""}]},{"id":"SV-238371","title":"The Ubuntu operating system must use a file integrity tool to verify correct operation of all\nsecurity functions. ","desc":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality.","descriptions":[{"label":"default","data":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the\ncorrect operation of all security functions.\n\nCheck that the AIDE package is installed with\nthe following command:\n\n$ sudo dpkg -l | grep aide\nii aide 0.16.1-1build2 amd64 Advanced\nIntrusion Detection Environment - static binary\n\nIf AIDE is not installed, ask the System\nAdministrator how file integrity checks are performed on the system.\n\nIf no application is\ninstalled to perform integrity checks, this is a finding."},{"label":"fix","data":"Install the AIDE package by running the following command:\n\n$ sudo apt-get install aide"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000445-GPOS-00199 ","gid":"V-238371 ","rid":"SV-238371r853448_rule ","stig_id":"UBTU-20-010450 ","fix_id":"F-41540r654287_fix ","cci":["CCI-002696"],"nist":["SI-6 a"]},"code":"control 'SV-238371' do\n title \"The Ubuntu operating system must use a file integrity tool to verify correct operation of all\nsecurity functions. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the\ncorrect operation of all security functions.\n\nCheck that the AIDE package is installed with\nthe following command:\n\n$ sudo dpkg -l | grep aide\nii aide 0.16.1-1build2 amd64 Advanced\nIntrusion Detection Environment - static binary\n\nIf AIDE is not installed, ask the System\nAdministrator how file integrity checks are performed on the system.\n\nIf no application is\ninstalled to perform integrity checks, this is a finding. \"\n desc 'fix', \"Install the AIDE package by running the following command:\n\n$ sudo apt-get install aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000445-GPOS-00199 '\n tag gid: 'V-238371 '\n tag rid: 'SV-238371r853448_rule '\n tag stig_id: 'UBTU-20-010450 '\n tag fix_id: 'F-41540r654287_fix '\n tag cci: ['CCI-002696']\n tag nist: ['SI-6 a']\n\n describe package('aide') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238371.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package aide is expected to be installed","run_time":0.037607,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `System Package aide` is installed","resource_class":"package","resource_params":"[\"aide\"]","resource_id":"aide"}]},{"id":"SV-238372","title":"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. ","desc":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item.","descriptions":[{"label":"default","data":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \"yes\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \"SILENTREPORTS\"\nparameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000447-GPOS-00201 ","gid":"V-238372 ","rid":"SV-238372r853449_rule ","stig_id":"UBTU-20-010451 ","fix_id":"F-41541r654290_fix ","cci":["CCI-002702"],"nist":["SI-6 d"]},"code":"control 'SV-238372' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \\\"yes\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000447-GPOS-00201 '\n tag gid: 'V-238372 '\n tag rid: 'SV-238372r853449_rule '\n tag stig_id: 'UBTU-20-010451 '\n tag fix_id: 'F-41541r654290_fix '\n tag cci: ['CCI-002702']\n tag nist: ['SI-6 d']\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238372.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /etc/default/aide is expected to exist","run_time":0.000192,"start_time":"2022-12-08T20:52:24-05:00","message":"expected File /etc/default/aide to exist","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"},{"status":"failed","code_desc":"File /etc/default/aide content is expected to match \"^SILENTREPORTS=no$\"","run_time":0.000165,"start_time":"2022-12-08T20:52:24-05:00","message":"expected nil to match \"^SILENTREPORTS=no$\"","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"}]},{"id":"SV-238373","title":"The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. ","desc":"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections.","descriptions":[{"label":"default","data":"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections."},{"label":"check","data":"Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\"pam_lastlog\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \"pam_lastlog\" is\nmissing from \"/etc/pam.d/login\" file, is not \"required\", or the \"silent\" option is present,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\"/etc/pam.d/login\".\n\nAdd the following line to the top of \"/etc/pam.d/login\":\n\nsession\nrequired pam_lastlog.so showfailed"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238373 ","rid":"SV-238373r858539_rule ","stig_id":"UBTU-20-010453 ","fix_id":"F-41542r654293_fix ","cci":["CCI-000052"],"nist":["AC-9"]},"code":"control 'SV-238373' do\n title \"The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. \"\n desc \"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections. \"\n desc 'check', \"Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\\\"pam_lastlog\\\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \\\"pam_lastlog\\\" is\nmissing from \\\"/etc/pam.d/login\\\" file, is not \\\"required\\\", or the \\\"silent\\\" option is present,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\\\"/etc/pam.d/login\\\".\n\nAdd the following line to the top of \\\"/etc/pam.d/login\\\":\n\nsession\nrequired pam_lastlog.so showfailed \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238373 '\n tag rid: 'SV-238373r858539_rule '\n tag stig_id: 'UBTU-20-010453 '\n tag fix_id: 'F-41542r654293_fix '\n tag cci: ['CCI-000052']\n tag nist: ['AC-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep pam_lastlog /etc/pam.d/login') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*session\\s+required\\s+pam_lastlog.so/) }\n its('stdout.strip') { should_not match(/^\\s*session\\s+required\\s+pam_lastlog.so[\\s\\w\\d\\=]+.*silent/) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238373.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":6.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238374","title":"The Ubuntu operating system must have an application firewall enabled. ","desc":"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network.","descriptions":[{"label":"default","data":"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network."},{"label":"check","data":"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl status ufw.service | grep -i \"active:\"\n\nActive: active (exited) since Mon\n2016-10-17 12:30:29 CDT; 1s ago\n\nIf the above command returns the status as \"inactive\", this\nis a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator\nif another application firewall is installed. If no application firewall is installed, this\nis a finding."},{"label":"fix","data":"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\nufw.service\n\nIf the Uncomplicated Firewall is not currently running on the system, start it\nwith the following command:\n\n$ sudo systemctl start ufw.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00232 ","gid":"V-238374 ","rid":"SV-238374r654297_rule ","stig_id":"UBTU-20-010454 ","fix_id":"F-41543r654296_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238374' do\n title 'The Ubuntu operating system must have an application firewall enabled. '\n desc \"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network. \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl status ufw.service | grep -i \\\"active:\\\"\n\nActive: active (exited) since Mon\n2016-10-17 12:30:29 CDT; 1s ago\n\nIf the above command returns the status as \\\"inactive\\\", this\nis a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator\nif another application firewall is installed. If no application firewall is installed, this\nis a finding. \"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\nufw.service\n\nIf the Uncomplicated Firewall is not currently running on the system, start it\nwith the following command:\n\n$ sudo systemctl start ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00232 '\n tag gid: 'V-238374 '\n tag rid: 'SV-238374r654297_rule '\n tag stig_id: 'UBTU-20-010454 '\n tag fix_id: 'F-41543r654296_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238374.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service ufw is expected to be installed","run_time":0.000382,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `Service ufw` is installed","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be enabled","run_time":0.000172,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `Service ufw` is enabled","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be running","run_time":0.000162,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `Service ufw` is running","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"}]},{"id":"SV-238376","title":"The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. ","desc":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system commands contained in the following directories have mode 0755 or less\npermissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\n\nCheck that the system command files have mode 0755 or less permissive with the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec stat -c \"%n %a\" '{}' \\;\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding."},{"label":"fix","data":"Configure the system commands to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec chmod 755 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238376 ","rid":"SV-238376r654303_rule ","stig_id":"UBTU-20-010456 ","fix_id":"F-41545r654302_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238376' do\n title 'The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. '\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories have mode 0755 or less\npermissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\n\nCheck that the system command files have mode 0755 or less permissive with the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. \"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238376 '\n tag rid: 'SV-238376r654303_rule '\n tag stig_id: 'UBTU-20-010456 '\n tag fix_id: 'F-41545r654302_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238376.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755 count is expected to eq 0","run_time":0.000122,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238377","title":"The Ubuntu operating system must have system commands owned by root or a system account. ","desc":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system commands contained in the following directories are owned by root, or a\nrequired system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nUse the following command for the check:\n\n$ sudo find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \"%n %U\"\n'{}' \\;\n\nIf any system commands are returned and are not owned by a required system account,\nthis is a finding."},{"label":"fix","data":"Configure the system commands and their respective parent directories to be protected from\nunauthorized access. Run the following command, replacing \"[FILE]\" with any system command\nfile not owned by \"root\" or a required system account:\n\n$ sudo chown root [FILE]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238377 ","rid":"SV-238377r832968_rule ","stig_id":"UBTU-20-010457 ","fix_id":"F-41546r832967_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238377' do\n title 'The Ubuntu operating system must have system commands owned by root or a system account. '\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories are owned by root, or a\nrequired system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nUse the following command for the check:\n\n$ sudo find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \\\"%n %U\\\"\n'{}' \\\\;\n\nIf any system commands are returned and are not owned by a required system account,\nthis is a finding. \"\n desc 'fix', \"Configure the system commands and their respective parent directories to be protected from\nunauthorized access. Run the following command, replacing \\\"[FILE]\\\" with any system command\nfile not owned by \\\"root\\\" or a required system account:\n\n$ sudo chown root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238377 '\n tag rid: 'SV-238377r832968_rule '\n tag stig_id: 'UBTU-20-010457 '\n tag fix_id: 'F-41546r832967_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238377.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root count is expected to eq 0","run_time":0.000102,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238378","title":"The Ubuntu operating system must have system commands group-owned by root or a system\naccount. ","desc":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system commands contained in the following directories are group-owned by root or\na required system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nRun the check with the following command:\n\n$ sudo find -L /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec\nstat -c \"%n %G\" '{}' \\;\n\nIf any system commands are returned that are not Set Group ID upon\nexecution (SGID) files and group-owned by a required system account, this is a finding."},{"label":"fix","data":"Configure the system commands to be protected from unauthorized access. Run the following\ncommand, replacing \"[FILE]\" with any system command file not group-owned by \"root\" or a\nrequired system account:\n\n$ sudo chgrp root [FILE]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238378 ","rid":"SV-238378r832971_rule ","stig_id":"UBTU-20-010458 ","fix_id":"F-41547r832970_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238378' do\n title \"The Ubuntu operating system must have system commands group-owned by root or a system\naccount. \"\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories are group-owned by root or\na required system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nRun the check with the following command:\n\n$ sudo find -L /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec\nstat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands are returned that are not Set Group ID upon\nexecution (SGID) files and group-owned by a required system account, this is a finding. \"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. Run the following\ncommand, replacing \\\"[FILE]\\\" with any system command file not group-owned by \\\"root\\\" or a\nrequired system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238378 '\n tag rid: 'SV-238378r832971_rule '\n tag stig_id: 'UBTU-20-010458 '\n tag fix_id: 'F-41547r832970_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -perm /2000 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are not Set Group ID up on execution (SGID) files and owned by a privileged account' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238378.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"File /bin/wall is expected not to be more permissive than \"0755\"","run_time":0.043245,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"file","resource_params":"[\"/bin/wall\"]","resource_id":"/bin/wall"},{"status":"passed","code_desc":"File /bin/chage is expected not to be more permissive than \"0755\"","run_time":0.046247,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"file","resource_params":"[\"/bin/chage\"]","resource_id":"/bin/chage"},{"status":"passed","code_desc":"File /bin/expiry is expected not to be more permissive than \"0755\"","run_time":0.040524,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"file","resource_params":"[\"/bin/expiry\"]","resource_id":"/bin/expiry"},{"status":"passed","code_desc":"File /sbin/pam_extrausers_chkpwd is expected not to be more permissive than \"0755\"","run_time":0.044015,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"file","resource_params":"[\"/sbin/pam_extrausers_chkpwd\"]","resource_id":"/sbin/pam_extrausers_chkpwd"},{"status":"passed","code_desc":"File /sbin/unix_chkpwd is expected not to be more permissive than \"0755\"","run_time":0.046692,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"file","resource_params":"[\"/sbin/unix_chkpwd\"]","resource_id":"/sbin/unix_chkpwd"},{"status":"passed","code_desc":"File /usr/bin/wall is expected not to be more permissive than \"0755\"","run_time":0.041069,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"file","resource_params":"[\"/usr/bin/wall\"]","resource_id":"/usr/bin/wall"},{"status":"passed","code_desc":"File /usr/bin/chage is expected not to be more permissive than \"0755\"","run_time":0.043111,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"file","resource_params":"[\"/usr/bin/chage\"]","resource_id":"/usr/bin/chage"},{"status":"passed","code_desc":"File /usr/bin/expiry is expected not to be more permissive than \"0755\"","run_time":0.04385,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"file","resource_params":"[\"/usr/bin/expiry\"]","resource_id":"/usr/bin/expiry"},{"status":"passed","code_desc":"File /usr/sbin/pam_extrausers_chkpwd is expected not to be more permissive than \"0755\"","run_time":0.042694,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"file","resource_params":"[\"/usr/sbin/pam_extrausers_chkpwd\"]","resource_id":"/usr/sbin/pam_extrausers_chkpwd"},{"status":"passed","code_desc":"File /usr/sbin/unix_chkpwd is expected not to be more permissive than \"0755\"","run_time":0.0467,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"file","resource_params":"[\"/usr/sbin/unix_chkpwd\"]","resource_id":"/usr/sbin/unix_chkpwd"}]},{"id":"SV-238379","title":"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. ","desc":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken.","descriptions":[{"label":"default","data":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken."},{"label":"check","data":"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \"logout\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \"logout\" key is bound to an action, is\ncommented out, or is missing, this is a finding."},{"label":"fix","data":"Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update"}],"impact":0.0,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238379 ","rid":"SV-238379r654312_rule ","stig_id":"UBTU-20-010459 ","fix_id":"F-41548r654311_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238379' do\n title \"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. \"\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \\\"logout\\\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \\\"logout\\\" key is bound to an action, is\ncommented out, or is missing, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238379 '\n tag rid: 'SV-238379r654312_rule '\n tag stig_id: 'UBTU-20-010459 '\n tag fix_id: 'F-41548r654311_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe command(\"grep -R logout='' /etc/dconf/db/local.d/\").stdout.strip.split(\"\\n\").entries do\n its('count') { should_not eq 0 }\n end\n else\n impact 0.0\n describe command('which Xorg').exit_status do\n skip('This control is Not Applicable since a GUI not installed.')\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238379.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"1","run_time":1.1e-05,"start_time":"2022-12-08T20:52:25-05:00","resource":"1","skip_message":"This control is Not Applicable since a GUI not installed.","resource_class":"Numeric","resource_params":"[]","resource_id":""}]},{"id":"SV-238380","title":"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. ","desc":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot.","descriptions":[{"label":"default","data":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot."},{"label":"check","data":"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\nCheck that the \"ctrl-alt-del.target\" (otherwise also known\nas reboot.target) is not active with the following command:\n\n$ sudo systemctl status\nctrl-alt-del.target\nctrl-alt-del.target\nLoaded: masked (Reason: Unit\nctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \"ctrl-alt-del.target\"\nis not masked, this is a finding."},{"label":"fix","data":"Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the\nfollowing commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl\nmask ctrl-alt-del.target\n\nReload the daemon to take effect:\n\n$ sudo systemctl\ndaemon-reload"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238380 ","rid":"SV-238380r832974_rule ","stig_id":"UBTU-20-010460 ","fix_id":"F-41549r832973_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238380' do\n title 'The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. '\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\nCheck that the \\\"ctrl-alt-del.target\\\" (otherwise also known\nas reboot.target) is not active with the following command:\n\n$ sudo systemctl status\nctrl-alt-del.target\nctrl-alt-del.target\nLoaded: masked (Reason: Unit\nctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \\\"ctrl-alt-del.target\\\"\nis not masked, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the\nfollowing commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl\nmask ctrl-alt-del.target\n\nReload the daemon to take effect:\n\n$ sudo systemctl\ndaemon-reload \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238380 '\n tag rid: 'SV-238380r832974_rule '\n tag stig_id: 'UBTU-20-010460 '\n tag fix_id: 'F-41549r832973_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe service('ctrl-alt-del.target') do\n it { should_not be_running }\n it { should_not be_enabled }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238380.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Service ctrl-alt-del.target is expected not to be running","run_time":0.040228,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"service","resource_params":"[\"ctrl-alt-del.target\"]","resource_id":"ctrl-alt-del.target"},{"status":"passed","code_desc":"Service ctrl-alt-del.target is expected not to be enabled","run_time":0.000249,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"service","resource_params":"[\"ctrl-alt-del.target\"]","resource_id":"ctrl-alt-del.target"}]},{"id":"SV-251503","title":"The Ubuntu operating system must not have accounts configured with blank or null passwords. ","desc":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.","descriptions":[{"label":"default","data":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments."},{"label":"check","data":"Check the \"/etc/shadow\" file for blank passwords with the following command:\n\n$ sudo awk -F:\n'!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding."},{"label":"fix","data":"Configure all accounts on the system to have a password or lock the account with the following\ncommands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo\npasswd -l [username]"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-251503 ","rid":"SV-251503r808506_rule ","stig_id":"UBTU-20-010462 ","fix_id":"F-54892r808505_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-251503' do\n title 'The Ubuntu operating system must not have accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"Check the \\\"/etc/shadow\\\" file for blank passwords with the following command:\n\n$ sudo awk -F:\n'!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding. \"\n desc 'fix', \"Configure all accounts on the system to have a password or lock the account with the following\ncommands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo\npasswd -l [username] \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251503 '\n tag rid: 'SV-251503r808506_rule '\n tag stig_id: 'UBTU-20-010462 '\n tag fix_id: 'F-54892r808505_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe command(\"sudo awk -F: '!$2 {print $1}' /etc/shadow\") do\n its('stdout') { should be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-251503.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Command: `sudo awk -F: '!$2 {print $1}' /etc/shadow` stdout is expected to be empty","run_time":0.102585,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"command","resource_params":"[\"sudo awk -F: '!$2 {print $1}' /etc/shadow\"]","resource_id":"Command: `sudo awk -F: '!$2 {print $1}' /etc/shadow`"}]},{"id":"SV-251504","title":"The Ubuntu operating system must not allow accounts configured with blank or null passwords. ","desc":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.","descriptions":[{"label":"default","data":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments."},{"label":"check","data":"To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding."},{"label":"fix","data":"If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \"nullok\" option in \"/etc/pam.d/common-password\" to prevent logons with\nempty passwords."}],"impact":0.0,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-251504 ","rid":"SV-251504r832977_rule ","stig_id":"UBTU-20-010463 ","fix_id":"F-54893r832976_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-251504' do\n title 'The Ubuntu operating system must not allow accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding. \"\n desc 'fix', \"If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \\\"nullok\\\" option in \\\"/etc/pam.d/common-password\\\" to prevent logons with\nempty passwords. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251504 '\n tag rid: 'SV-251504r832977_rule '\n tag stig_id: 'UBTU-20-010463 '\n tag fix_id: 'F-54893r832976_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep nullok /etc/pam.d/common-password') do\n its('stdout') { should be_empty }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-251504.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:25-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-251505","title":"The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB)\nmass storage driver. ","desc":"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers.","descriptions":[{"label":"default","data":"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers."},{"label":"check","data":"Verify that Ubuntu operating system disables ability to load the USB storage kernel\nmodule.\n\n# grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\"\n\ninstall usb-storage\n/bin/true\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding.\n\nVerify the operating system disables the ability to use USB mass storage\ndevice.\n\n# grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"\n\nblacklist\nusb-storage\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to disable using the USB storage kernel module.\n\n\nCreate a file under \"/etc/modprobe.d\" to contain the following:\n\n# sudo su -c \"echo\ninstall usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\"\n\nConfigure the\noperating system to disable the ability to use USB mass storage devices.\n\n# sudo su -c \"echo\nblacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\""}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000378-GPOS-00163 ","gid":"V-251505 ","rid":"SV-251505r853450_rule ","stig_id":"UBTU-20-010461 ","fix_id":"F-54894r808511_fix ","cci":["CCI-001958"],"nist":["IA-3"]},"code":"control 'SV-251505' do\n title \"The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB)\nmass storage driver. \"\n desc \"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers. \"\n desc 'check', \"Verify that Ubuntu operating system disables ability to load the USB storage kernel\nmodule.\n\n# grep usb-storage /etc/modprobe.d/* | grep \\\"/bin/true\\\"\n\ninstall usb-storage\n/bin/true\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding.\n\nVerify the operating system disables the ability to use USB mass storage\ndevice.\n\n# grep usb-storage /etc/modprobe.d/* | grep -i \\\"blacklist\\\"\n\nblacklist\nusb-storage\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable using the USB storage kernel module.\n\n\nCreate a file under \\\"/etc/modprobe.d\\\" to contain the following:\n\n# sudo su -c \\\"echo\ninstall usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\\\"\n\nConfigure the\noperating system to disable the ability to use USB mass storage devices.\n\n# sudo su -c \\\"echo\nblacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\\\" \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000378-GPOS-00163 '\n tag gid: 'V-251505 '\n tag rid: 'SV-251505r853450_rule '\n tag stig_id: 'UBTU-20-010461 '\n tag fix_id: 'F-54894r808511_fix '\n tag cci: ['CCI-001958']\n tag nist: ['IA-3']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\"') do\n its('stdout') { should_not be_empty }\n end\n\n describe command('grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"') do\n its('stdout') { should_not be_empty }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-251505.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:25-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-252704","title":"The Ubuntu operating system must disable all wireless network adapters. ","desc":"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required.","descriptions":[{"label":"default","data":"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required."},{"label":"check","data":"Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding."},{"label":"fix","data":"List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \"/etc/modprobe.d\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name>"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000481-GPOS-00481 ","gid":"V-252704 ","rid":"SV-252704r854182_rule ","stig_id":"UBTU-20-010455 ","fix_id":"F-56110r819056_fix ","cci":["CCI-002418"],"nist":["SC-8"]},"code":"control 'SV-252704' do\n title 'The Ubuntu operating system must disable all wireless network adapters. '\n desc \"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required. \"\n desc 'check', \"Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding. \"\n desc 'fix', \"List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \\\"/etc/modprobe.d\\\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000481-GPOS-00481 '\n tag gid: 'V-252704 '\n tag rid: 'SV-252704r854182_rule '\n tag stig_id: 'UBTU-20-010455 '\n tag fix_id: 'F-56110r819056_fix '\n tag cci: ['CCI-002418']\n tag nist: ['SC-8']\n\n describe command('ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename') do\n its('stdout.lines') { should be_in input('approved_wireless_interfaces') }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-252704.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Command: `ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename` stdout.lines is expected to be in","run_time":0.039375,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"command","resource_params":"[\"ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename\"]","resource_id":"Command: `ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename`"}]}],"status":"loaded","status_message":""}],"statistics":{"duration":1.976172},"version":"5.18.14"} \ No newline at end of file From 8f9d76303d3e1c0fdd8e4723f3062498d9da9c3a Mon Sep 17 00:00:00 2001 From: aaronlippold Date: Fri, 9 Dec 2022 01:54:00 +0000 Subject: [PATCH 092/100] Updating profile.json in the repository --- profile.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/profile.json b/profile.json index 1d7363e..ffc38d8 100644 --- a/profile.json +++ b/profile.json @@ -852,7 +852,7 @@ "AC-2 (2)" ] }, - "code": "control 'SV-238196' do\n title \"The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. \"\n desc \"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding. \"\n desc 'fix', \"If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\\\"system_account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\"\n+%F) system_account_name \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000002-GPOS-00002 '\n tag gid: 'V-238196 '\n tag rid: 'SV-238196r653763_rule '\n tag stig_id: 'UBTU-20-010000 '\n tag fix_id: 'F-41365r653762_fix '\n tag cci: ['CCI-000016']\n tag nist: ['AC-2 (2)']\n\n if input('temporary_accounts').empty?\n describe 'Temporary accounts' do\n subject { temporary_accounts }\n it { should be_empty }\n end\n else\n temporary_accounts.each do |acct|\n describe command(\"chage -l #{acct} | grep 'Account expires'\") do\n its('stdout.strip') { should_not match(/:\\s*never/) }\n end\n end\n end\nend\n", + "code": "control 'SV-238196' do\n title \"The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. \"\n desc \"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding. \"\n desc 'fix', \"If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\\\"system_account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\"\n+%F) system_account_name \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000002-GPOS-00002 '\n tag gid: 'V-238196 '\n tag rid: 'SV-238196r653763_rule '\n tag stig_id: 'UBTU-20-010000 '\n tag fix_id: 'F-41365r653762_fix '\n tag cci: ['CCI-000016']\n tag nist: ['AC-2 (2)']\n\n if input('temporary_accounts').empty?\n describe 'Temporary accounts' do\n subject { input('temporary_accounts') }\n it { should be_empty }\n end\n else\n temporary_accounts.each do |acct|\n describe command(\"chage -l #{acct} | grep 'Account expires'\") do\n its('stdout.strip') { should_not match(/:\\s*never/) }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238196.rb", "line": 1 @@ -6869,7 +6869,7 @@ "id": "controls/SV-238293.rb" } ], - "sha256": "fb3e7deae766ca26501097356f301b826f94097b8f2ab92d930f78b730eba8b1", + "sha256": "4c6fcd4075dfd8c5d6674624d6b3b02e38d310555aa685100b5e6d116318f4b6", "status_message": "", "status": "loaded", "generator": { From a4db7f1be4634ad8445ccddac72d099e23fbabe0 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Fri, 9 Dec 2022 00:36:57 -0500 Subject: [PATCH 093/100] updated local and github actions to create Markdown reports Signed-off-by: Aaron Lippold --- .github/workflows/verify-container.yml | 15 +++++++++++++++ .github/workflows/verify-ec2.yml | 26 +++++++++++++++++++------- .github/workflows/verify-vagrant.yml | 8 ++++++++ hardened.json | 1 - inspec-test-docker.sh | 12 +++++++++++- vanilla.json | 1 - 6 files changed, 53 insertions(+), 10 deletions(-) delete mode 100644 hardened.json delete mode 100644 vanilla.json diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index d29239b..51a054a 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -60,6 +60,20 @@ jobs: uses: mitre/saf_action@v1 with: command_string: "validate threshold -i hardened.json -F container.hardened.threshold.yml" + - name: Generate Vanilla Markdown Report + uses: mitre/saf_action@v1 + with: + command_string: generate:threshold -i vanilla.json -c -o vanilla-report.md + - name: Generate Hardened Markdown Report + uses: mitre/saf_action@v1 + with: + command_string: generate:threshold -i hardened.json -c -o hardened-report.md + - name: Amend Markdown Reports for readability + run: | + sed -i '' '1s/^/```yaml\'$'\n/' vanilla-report.md + echo '```' | tee -a vanilla-report.md + sed -i '' '1s/^/```yaml\'$'\n/' hardened-report.md + echo '```' | tee -a hardened-report.md - name: Save Test Result JSONs if: ${{ always() }} uses: actions/upload-artifact@v3 @@ -67,3 +81,4 @@ jobs: path: | vanilla.json hardened.json + *-report.md diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index b2692cc..fdf2b43 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -2,9 +2,9 @@ name: EC2 Testing Matrix on: push: - branches: [ main ] + branches: [main] pull_request: - branches: [ main ] + branches: [main] jobs: validate: @@ -17,7 +17,7 @@ jobs: #AWS_REGION: 'us-east-1' strategy: matrix: - suite: ['hardened'] + suite: ["hardened"] fail-fast: false steps: - name: add needed packages @@ -39,7 +39,7 @@ jobs: - name: Setup Ruby uses: ruby/setup-ruby@v1 with: - ruby-version: '2.7' + ruby-version: "2.7" - name: Disable ri and rdoc run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc' - run: bundle install @@ -53,13 +53,25 @@ jobs: - name: Display our ${{ matrix.suite }} results summary uses: mitre/saf_action@v1 with: - command_string: 'view summary -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json' + command_string: "view summary -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json" - name: Ensure the scan meets our ${{ matrix.suite }} results threshold uses: mitre/saf_action@v1 with: - command_string: 'validate threshold -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml' + command_string: "Validate the threshold -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml" + - name: Generate ${{ matrix.suite }} Markdown Report + uses: mitre/saf_action@v1 + with: + command_string: generate:threshold -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json -c -o spec/results/ec2_ubuntu-2004_${{ matrix.suite }}-report.md + - name: Generate the ${{ matrix.suite }} Markdown Report + uses: mitre/saf_action@v1 + with: + command_string: generate:threshold -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json -c -o spec/results/ec2_ubuntu-2004_${{ matrix.suite }}-report.md + - name: Amend the ${{ matrix.suite }} Markdown Report for readability + run: | + sed -i '' '1s/^/```yaml\'$'\n/' spec/results/ec2_ubuntu-2004_${{ matrix.suite }}-report.md + echo '```' | tee -a spec/results/ec2_ubuntu-2004_${{ matrix.suite }}-report.md - name: Save Test Result JSONs if: ${{ always() }} uses: actions/upload-artifact@v2 with: - path: spec/results/ \ No newline at end of file + path: spec/results/ diff --git a/.github/workflows/verify-vagrant.yml b/.github/workflows/verify-vagrant.yml index 129a6d4..0582a34 100644 --- a/.github/workflows/verify-vagrant.yml +++ b/.github/workflows/verify-vagrant.yml @@ -43,6 +43,14 @@ jobs: uses: mitre/saf_action@v1 with: command_string: "validate threshold -i spec/results/ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml" + - name: Generate the ${{ matrix.suite }} Markdown Report + uses: mitre/saf_action@v1 + with: + command_string: generate:threshold -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json -c -o spec/results/ec2_ubuntu-2004_${{ matrix.suite }}-report.md + - name: Amend the ${{ matrix.suite }} Markdown Report for readability + run: | + sed -i '' '1s/^/```yaml\'$'\n/' spec/results/ec2_ubuntu-2004_${{ matrix.suite }}-report.md + echo '```' | tee -a spec/results/ec2_ubuntu-2004_${{ matrix.suite }}-report.md - name: Save Test Result JSONs if: ${{ always() }} uses: actions/upload-artifact@v2 diff --git a/hardened.json b/hardened.json deleted file mode 100644 index 5f3a1c8..0000000 --- a/hardened.json +++ /dev/null @@ -1 +0,0 @@ -{"platform":{"name":"ubuntu","release":"20.04","target_id":"da39a3ee-5e6b-5b0d-b255-bfef95601890"},"profiles":[{"name":"Canonical_Ubuntu_20-04_LTS_STIG","version":"0.1.0","sha256":"4c6fcd4075dfd8c5d6674624d6b3b02e38d310555aa685100b5e6d116318f4b6","title":"Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide","maintainer":"Nitin Ravindran","summary":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.","license":"Apache-2.0","copyright":"Nitin Ravindran","copyright_email":"nravindran@vmware.com","supports":[{"platform-name":"ubuntu","release":"20.04"}],"attributes":[{"name":"temporary_accounts","options":{"type":"Array","value":[]}},{"name":"banner_text","options":{"type":"String","value":"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."}},{"name":"sudo_accounts","options":{"type":"Array","value":["ubuntu"]}},{"name":"tmout","options":{"type":"Numeric","value":600}},{"name":"action_mail_acct","options":{"type":"String","value":"root"}},{"name":"audit_tools","options":{"type":"Array","value":["/sbin/auditctl","/sbin/aureport","/sbin/ausearch","/sbin/autrace","/sbin/auditd","/sbin/audispd","/sbin/augenrules"]}},{"name":"standard_audit_log_size","options":{"type":"Numeric","value":8894028}},{"name":"aide_conf_path","options":{"type":"String","value":"/etc/aide/aide.conf"}},{"name":"maxlogins","options":{"type":"Numeric","value":10}},{"name":"is_kdump_required","options":{"type":"Boolean","value":false}},{"name":"is_system_networked","options":{"type":"Boolean","value":true}},{"name":"sssd_conf_path","options":{"type":"String","value":"/etc/sssd/sssd.conf"}},{"name":"allowed_ca_fingerprints_regex","options":{"type":"String","value":"(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)"}},{"name":"allowed_network_interfaces","options":{"type":"Array","value":["lo","eth0"]}},{"name":"audit_sp_remote_server","options":{"type":"String","value":"192.0.0.1"}},{"name":"approved_wireless_interfaces","options":{"type":"Array","value":[]}},{"name":"fips_config_file","options":{"type":"String","value":"/proc/sys/crypto/fips_enabled"}},{"name":"chrony_config_file","options":{"type":"String","value":"/etc/chrony/chrony.conf"}},{"name":"useradd_config_file","options":{"type":"String","value":"/etc/default/useradd"}},{"name":"rsyslog_config_file","options":{"type":"String","value":"/etc/rsyslog.d/50-default.conf"}},{"name":"auditoffload_config_file","options":{"type":"String","value":"/etc/cron.weekly/audit-offload"}},{"name":"audispremote_config_file","options":{"type":"String","value":"/etc/audisp/plugins.d/au-remote.conf"}},{"name":"gdm3_config_file","options":{"type":"String","value":"/etc/gdm3/greeter.dconf-defaults"}},{"name":"disable_fips","options":{"type":"Boolean","value":false}},{"name":"pki_disabled","options":{"type":"Boolean","value":false}}],"groups":[{"id":"controls/SV-238196.rb","controls":["SV-238196"]},{"id":"controls/SV-238197.rb","controls":["SV-238197"]},{"id":"controls/SV-238198.rb","controls":["SV-238198"]},{"id":"controls/SV-238199.rb","controls":["SV-238199"]},{"id":"controls/SV-238200.rb","controls":["SV-238200"]},{"id":"controls/SV-238201.rb","controls":["SV-238201"]},{"id":"controls/SV-238202.rb","controls":["SV-238202"]},{"id":"controls/SV-238203.rb","controls":["SV-238203"]},{"id":"controls/SV-238204.rb","controls":["SV-238204"]},{"id":"controls/SV-238205.rb","controls":["SV-238205"]},{"id":"controls/SV-238206.rb","controls":["SV-238206"]},{"id":"controls/SV-238207.rb","controls":["SV-238207"]},{"id":"controls/SV-238208.rb","controls":["SV-238208"]},{"id":"controls/SV-238209.rb","controls":["SV-238209"]},{"id":"controls/SV-238210.rb","controls":["SV-238210"]},{"id":"controls/SV-238211.rb","controls":["SV-238211"]},{"id":"controls/SV-238212.rb","controls":["SV-238212"]},{"id":"controls/SV-238213.rb","controls":["SV-238213"]},{"id":"controls/SV-238214.rb","controls":["SV-238214"]},{"id":"controls/SV-238215.rb","controls":["SV-238215"]},{"id":"controls/SV-238216.rb","controls":["SV-238216"]},{"id":"controls/SV-238217.rb","controls":["SV-238217"]},{"id":"controls/SV-238218.rb","controls":["SV-238218"]},{"id":"controls/SV-238219.rb","controls":["SV-238219"]},{"id":"controls/SV-238220.rb","controls":["SV-238220"]},{"id":"controls/SV-238221.rb","controls":["SV-238221"]},{"id":"controls/SV-238222.rb","controls":["SV-238222"]},{"id":"controls/SV-238223.rb","controls":["SV-238223"]},{"id":"controls/SV-238224.rb","controls":["SV-238224"]},{"id":"controls/SV-238225.rb","controls":["SV-238225"]},{"id":"controls/SV-238226.rb","controls":["SV-238226"]},{"id":"controls/SV-238227.rb","controls":["SV-238227"]},{"id":"controls/SV-238228.rb","controls":["SV-238228"]},{"id":"controls/SV-238229.rb","controls":["SV-238229"]},{"id":"controls/SV-238230.rb","controls":["SV-238230"]},{"id":"controls/SV-238231.rb","controls":["SV-238231"]},{"id":"controls/SV-238232.rb","controls":["SV-238232"]},{"id":"controls/SV-238233.rb","controls":["SV-238233"]},{"id":"controls/SV-238234.rb","controls":["SV-238234"]},{"id":"controls/SV-238235.rb","controls":["SV-238235"]},{"id":"controls/SV-238236.rb","controls":["SV-238236"]},{"id":"controls/SV-238237.rb","controls":["SV-238237"]},{"id":"controls/SV-238238.rb","controls":["SV-238238"]},{"id":"controls/SV-238239.rb","controls":["SV-238239"]},{"id":"controls/SV-238240.rb","controls":["SV-238240"]},{"id":"controls/SV-238241.rb","controls":["SV-238241"]},{"id":"controls/SV-238242.rb","controls":["SV-238242"]},{"id":"controls/SV-238243.rb","controls":["SV-238243"]},{"id":"controls/SV-238244.rb","controls":["SV-238244"]},{"id":"controls/SV-238245.rb","controls":["SV-238245"]},{"id":"controls/SV-238246.rb","controls":["SV-238246"]},{"id":"controls/SV-238247.rb","controls":["SV-238247"]},{"id":"controls/SV-238248.rb","controls":["SV-238248"]},{"id":"controls/SV-238249.rb","controls":["SV-238249"]},{"id":"controls/SV-238250.rb","controls":["SV-238250"]},{"id":"controls/SV-238251.rb","controls":["SV-238251"]},{"id":"controls/SV-238252.rb","controls":["SV-238252"]},{"id":"controls/SV-238253.rb","controls":["SV-238253"]},{"id":"controls/SV-238254.rb","controls":["SV-238254"]},{"id":"controls/SV-238255.rb","controls":["SV-238255"]},{"id":"controls/SV-238256.rb","controls":["SV-238256"]},{"id":"controls/SV-238257.rb","controls":["SV-238257"]},{"id":"controls/SV-238258.rb","controls":["SV-238258"]},{"id":"controls/SV-238264.rb","controls":["SV-238264"]},{"id":"controls/SV-238268.rb","controls":["SV-238268"]},{"id":"controls/SV-238271.rb","controls":["SV-238271"]},{"id":"controls/SV-238277.rb","controls":["SV-238277"]},{"id":"controls/SV-238278.rb","controls":["SV-238278"]},{"id":"controls/SV-238279.rb","controls":["SV-238279"]},{"id":"controls/SV-238280.rb","controls":["SV-238280"]},{"id":"controls/SV-238281.rb","controls":["SV-238281"]},{"id":"controls/SV-238282.rb","controls":["SV-238282"]},{"id":"controls/SV-238283.rb","controls":["SV-238283"]},{"id":"controls/SV-238284.rb","controls":["SV-238284"]},{"id":"controls/SV-238285.rb","controls":["SV-238285"]},{"id":"controls/SV-238286.rb","controls":["SV-238286"]},{"id":"controls/SV-238287.rb","controls":["SV-238287"]},{"id":"controls/SV-238288.rb","controls":["SV-238288"]},{"id":"controls/SV-238289.rb","controls":["SV-238289"]},{"id":"controls/SV-238290.rb","controls":["SV-238290"]},{"id":"controls/SV-238291.rb","controls":["SV-238291"]},{"id":"controls/SV-238292.rb","controls":["SV-238292"]},{"id":"controls/SV-238293.rb","controls":["SV-238293"]},{"id":"controls/SV-238294.rb","controls":["SV-238294"]},{"id":"controls/SV-238295.rb","controls":["SV-238295"]},{"id":"controls/SV-238297.rb","controls":["SV-238297"]},{"id":"controls/SV-238298.rb","controls":["SV-238298"]},{"id":"controls/SV-238299.rb","controls":["SV-238299"]},{"id":"controls/SV-238300.rb","controls":["SV-238300"]},{"id":"controls/SV-238301.rb","controls":["SV-238301"]},{"id":"controls/SV-238302.rb","controls":["SV-238302"]},{"id":"controls/SV-238303.rb","controls":["SV-238303"]},{"id":"controls/SV-238304.rb","controls":["SV-238304"]},{"id":"controls/SV-238305.rb","controls":["SV-238305"]},{"id":"controls/SV-238306.rb","controls":["SV-238306"]},{"id":"controls/SV-238307.rb","controls":["SV-238307"]},{"id":"controls/SV-238308.rb","controls":["SV-238308"]},{"id":"controls/SV-238309.rb","controls":["SV-238309"]},{"id":"controls/SV-238310.rb","controls":["SV-238310"]},{"id":"controls/SV-238315.rb","controls":["SV-238315"]},{"id":"controls/SV-238316.rb","controls":["SV-238316"]},{"id":"controls/SV-238317.rb","controls":["SV-238317"]},{"id":"controls/SV-238318.rb","controls":["SV-238318"]},{"id":"controls/SV-238319.rb","controls":["SV-238319"]},{"id":"controls/SV-238320.rb","controls":["SV-238320"]},{"id":"controls/SV-238321.rb","controls":["SV-238321"]},{"id":"controls/SV-238323.rb","controls":["SV-238323"]},{"id":"controls/SV-238324.rb","controls":["SV-238324"]},{"id":"controls/SV-238325.rb","controls":["SV-238325"]},{"id":"controls/SV-238326.rb","controls":["SV-238326"]},{"id":"controls/SV-238327.rb","controls":["SV-238327"]},{"id":"controls/SV-238328.rb","controls":["SV-238328"]},{"id":"controls/SV-238329.rb","controls":["SV-238329"]},{"id":"controls/SV-238330.rb","controls":["SV-238330"]},{"id":"controls/SV-238331.rb","controls":["SV-238331"]},{"id":"controls/SV-238332.rb","controls":["SV-238332"]},{"id":"controls/SV-238333.rb","controls":["SV-238333"]},{"id":"controls/SV-238334.rb","controls":["SV-238334"]},{"id":"controls/SV-238335.rb","controls":["SV-238335"]},{"id":"controls/SV-238336.rb","controls":["SV-238336"]},{"id":"controls/SV-238337.rb","controls":["SV-238337"]},{"id":"controls/SV-238338.rb","controls":["SV-238338"]},{"id":"controls/SV-238339.rb","controls":["SV-238339"]},{"id":"controls/SV-238340.rb","controls":["SV-238340"]},{"id":"controls/SV-238341.rb","controls":["SV-238341"]},{"id":"controls/SV-238342.rb","controls":["SV-238342"]},{"id":"controls/SV-238343.rb","controls":["SV-238343"]},{"id":"controls/SV-238344.rb","controls":["SV-238344"]},{"id":"controls/SV-238345.rb","controls":["SV-238345"]},{"id":"controls/SV-238346.rb","controls":["SV-238346"]},{"id":"controls/SV-238347.rb","controls":["SV-238347"]},{"id":"controls/SV-238348.rb","controls":["SV-238348"]},{"id":"controls/SV-238349.rb","controls":["SV-238349"]},{"id":"controls/SV-238350.rb","controls":["SV-238350"]},{"id":"controls/SV-238351.rb","controls":["SV-238351"]},{"id":"controls/SV-238352.rb","controls":["SV-238352"]},{"id":"controls/SV-238353.rb","controls":["SV-238353"]},{"id":"controls/SV-238354.rb","controls":["SV-238354"]},{"id":"controls/SV-238355.rb","controls":["SV-238355"]},{"id":"controls/SV-238356.rb","controls":["SV-238356"]},{"id":"controls/SV-238357.rb","controls":["SV-238357"]},{"id":"controls/SV-238358.rb","controls":["SV-238358"]},{"id":"controls/SV-238359.rb","controls":["SV-238359"]},{"id":"controls/SV-238360.rb","controls":["SV-238360"]},{"id":"controls/SV-238361.rb","controls":["SV-238361"]},{"id":"controls/SV-238362.rb","controls":["SV-238362"]},{"id":"controls/SV-238363.rb","controls":["SV-238363"]},{"id":"controls/SV-238364.rb","controls":["SV-238364"]},{"id":"controls/SV-238365.rb","controls":["SV-238365"]},{"id":"controls/SV-238366.rb","controls":["SV-238366"]},{"id":"controls/SV-238367.rb","controls":["SV-238367"]},{"id":"controls/SV-238368.rb","controls":["SV-238368"]},{"id":"controls/SV-238369.rb","controls":["SV-238369"]},{"id":"controls/SV-238370.rb","controls":["SV-238370"]},{"id":"controls/SV-238371.rb","controls":["SV-238371"]},{"id":"controls/SV-238372.rb","controls":["SV-238372"]},{"id":"controls/SV-238373.rb","controls":["SV-238373"]},{"id":"controls/SV-238374.rb","controls":["SV-238374"]},{"id":"controls/SV-238376.rb","controls":["SV-238376"]},{"id":"controls/SV-238377.rb","controls":["SV-238377"]},{"id":"controls/SV-238378.rb","controls":["SV-238378"]},{"id":"controls/SV-238379.rb","controls":["SV-238379"]},{"id":"controls/SV-238380.rb","controls":["SV-238380"]},{"id":"controls/SV-251503.rb","controls":["SV-251503"]},{"id":"controls/SV-251504.rb","controls":["SV-251504"]},{"id":"controls/SV-251505.rb","controls":["SV-251505"]},{"id":"controls/SV-252704.rb","controls":["SV-252704"]}],"controls":[{"id":"SV-238196","title":"The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. ","desc":"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements.","descriptions":[{"label":"default","data":"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements."},{"label":"check","data":"Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding."},{"label":"fix","data":"If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\"system_account_name\" with the account to be created.\n\n$ sudo chage -E $(date -d \"+3 days\"\n+%F) system_account_name"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000002-GPOS-00002 ","gid":"V-238196 ","rid":"SV-238196r653763_rule ","stig_id":"UBTU-20-010000 ","fix_id":"F-41365r653762_fix ","cci":["CCI-000016"],"nist":["AC-2 (2)"]},"code":"control 'SV-238196' do\n title \"The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. \"\n desc \"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding. \"\n desc 'fix', \"If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\\\"system_account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\"\n+%F) system_account_name \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000002-GPOS-00002 '\n tag gid: 'V-238196 '\n tag rid: 'SV-238196r653763_rule '\n tag stig_id: 'UBTU-20-010000 '\n tag fix_id: 'F-41365r653762_fix '\n tag cci: ['CCI-000016']\n tag nist: ['AC-2 (2)']\n\n if input('temporary_accounts').empty?\n describe 'Temporary accounts' do\n subject { input('temporary_accounts') }\n it { should be_empty }\n end\n else\n temporary_accounts.each do |acct|\n describe command(\"chage -l #{acct} | grep 'Account expires'\") do\n its('stdout.strip') { should_not match(/:\\s*never/) }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238196.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Temporary accounts is expected to be empty","run_time":0.003399,"start_time":"2022-12-08T20:52:31-05:00","resource_class":"Object","resource_params":"[]","resource_id":"Temporary accounts"}]},{"id":"SV-238197","title":"The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. ","desc":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"","descriptions":[{"label":"default","data":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\""},{"label":"check","data":"Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \"false\", this is a finding."},{"label":"fix","data":"Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.\n\nLook for the\n\"banner-message-enable\" parameter under the \"[org/gnome/login-screen]\" section and\nuncomment it (remove the leading \"#\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000023-GPOS-00006 ","gid":"V-238197 ","rid":"SV-238197r653766_rule ","stig_id":"UBTU-20-010002 ","fix_id":"F-41366r653765_fix ","cci":["CCI-000048"],"nist":["AC-8 a"]},"code":"control 'SV-238197' do\n title \"The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \\\"false\\\", this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nLook for the\n\\\"banner-message-enable\\\" parameter under the \\\"[org/gnome/login-screen]\\\" section and\nuncomment it (remove the leading \\\"#\\\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238197 '\n tag rid: 'SV-238197r653766_rule '\n tag stig_id: 'UBTU-20-010002 '\n tag fix_id: 'F-41366r653765_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n\n xorg_status = command('which Xorg').exit_status\n\n if xorg_status == 0\n describe 'banner-message-enable must be set to true' do\n subject { command('grep banner-message-enable /etc/dconf/db/local.d/*') }\n its('stdout') { should match(/(banner-message-enable).+=.+(true)/) }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238197.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"1","run_time":5.0e-06,"start_time":"2022-12-08T20:52:31-05:00","resource":"1","skip_message":"GUI not installed.\nwhich Xorg exit_status: 1","resource_class":"Numeric","resource_params":"[]","resource_id":""}]},{"id":"SV-238198","title":"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local access to the system via a graphical user logon. ","desc":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"","descriptions":[{"label":"default","data":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\""},{"label":"check","data":"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the operating system via a graphical user logon.\n\nNote: If\nthe system does not have a graphical user interface installed, this requirement is Not\nApplicable.\n\nVerify the operating system displays the exact approved Standard Mandatory\nDoD Notice and Consent Banner text with the command:\n\n$ grep ^banner-message-text\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-text=\"You are accessing a U.S.\nGovernment \\(USG\\) Information System \\(IS\\) that is provided for USG-authorized use\nonly.\\s+By using this IS \\(which includes any device attached to this IS\\), you consent to the\nfollowing conditions:\\s+-The USG routinely intercepts and monitors communications on\nthis IS for purposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct \\(PM\\), law enforcement \\(LE\\), and\ncounterintelligence \\(CI\\) investigations.\\s+-At any time, the USG may inspect and seize\ndata stored on this IS.\\s+-Communications using, or data stored on, this IS are not private,\nare subject to routine monitoring, interception, and search, and may be disclosed or used for\nany USG-authorized purpose.\\s+-This IS includes security measures \\(e.g.,\nauthentication and access controls\\) to protect USG interests--not for your personal\nbenefit or privacy.\\s+-Notwithstanding the above, using this IS does not constitute\nconsent to PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nIf the\nbanner-message-text is missing, commented out, or does not match the Standard Mandatory DoD\nNotice and Consent Banner exactly, this is a finding."},{"label":"fix","data":"Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.\n\nSet the \"banner-message-text\" line\nto contain the appropriate banner message text as shown below:\n\nbanner-message-text='You\nare accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this\nIS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and\nmonitors communications on this IS for purposes including, but not limited to, penetration\ntesting, COMSEC monitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the\nUSG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored\non, this IS are not private, are subject to routine monitoring, interception, and search, and\nmay be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security\nmeasures (e.g., authentication and access controls) to protect USG interests--not for your\npersonal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not\nconstitute consent to PM, LE or CI investigative searching or monitoring of the content of\nprivileged communications, or work product, related to personal representation or\nservices by attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User Agreement for\ndetails.'\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf update\n$ sudo\nsystemctl restart gdm3"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000023-GPOS-00006 ","gid":"V-238198 ","rid":"SV-238198r653769_rule ","stig_id":"UBTU-20-010003 ","fix_id":"F-41367r653768_fix ","cci":["CCI-000048"],"nist":["AC-8 a"]},"code":"control 'SV-238198' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local access to the system via a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the operating system via a graphical user logon.\n\nNote: If\nthe system does not have a graphical user interface installed, this requirement is Not\nApplicable.\n\nVerify the operating system displays the exact approved Standard Mandatory\nDoD Notice and Consent Banner text with the command:\n\n$ grep ^banner-message-text\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-text=\\\"You are accessing a U.S.\nGovernment \\\\(USG\\\\) Information System \\\\(IS\\\\) that is provided for USG-authorized use\nonly.\\\\s+By using this IS \\\\(which includes any device attached to this IS\\\\), you consent to the\nfollowing conditions:\\\\s+-The USG routinely intercepts and monitors communications on\nthis IS for purposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct \\\\(PM\\\\), law enforcement \\\\(LE\\\\), and\ncounterintelligence \\\\(CI\\\\) investigations.\\\\s+-At any time, the USG may inspect and seize\ndata stored on this IS.\\\\s+-Communications using, or data stored on, this IS are not private,\nare subject to routine monitoring, interception, and search, and may be disclosed or used for\nany USG-authorized purpose.\\\\s+-This IS includes security measures \\\\(e.g.,\nauthentication and access controls\\\\) to protect USG interests--not for your personal\nbenefit or privacy.\\\\s+-Notwithstanding the above, using this IS does not constitute\nconsent to PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nIf the\nbanner-message-text is missing, commented out, or does not match the Standard Mandatory DoD\nNotice and Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nSet the \\\"banner-message-text\\\" line\nto contain the appropriate banner message text as shown below:\n\nbanner-message-text='You\nare accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\\\\n\\\\nBy using this IS (which includes any device attached to this\nIS), you consent to the following conditions:\\\\n\\\\n-The USG routinely intercepts and\nmonitors communications on this IS for purposes including, but not limited to, penetration\ntesting, COMSEC monitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations.\\\\n\\\\n-At any time, the\nUSG may inspect and seize data stored on this IS.\\\\n\\\\n-Communications using, or data stored\non, this IS are not private, are subject to routine monitoring, interception, and search, and\nmay be disclosed or used for any USG-authorized purpose.\\\\n\\\\n-This IS includes security\nmeasures (e.g., authentication and access controls) to protect USG interests--not for your\npersonal benefit or privacy.\\\\n\\\\n-Notwithstanding the above, using this IS does not\nconstitute consent to PM, LE or CI investigative searching or monitoring of the content of\nprivileged communications, or work product, related to personal representation or\nservices by attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User Agreement for\ndetails.'\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf update\n$ sudo\nsystemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238198 '\n tag rid: 'SV-238198r653769_rule '\n tag stig_id: 'UBTU-20-010003 '\n tag fix_id: 'F-41367r653768_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n\n banner_text = input('banner_text')\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n gdm3_defaults_file = input('gdm3_config_file')\n\n if package('gdm3').installed?\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n subject { file(gdm3_defaults_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n else\n impact 0.0\n describe 'Package gdm3 not installed' do\n skip 'Package gdm3 not installed, this control Not Applicable'\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238198.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Package gdm3 not installed","run_time":1.0e-06,"start_time":"2022-12-08T20:52:31-05:00","resource":"","skip_message":"Package gdm3 not installed, this control Not Applicable","resource_class":"Object","resource_params":"[]","resource_id":"Package gdm3 not installed"}]},{"id":"SV-238199","title":"The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. ","desc":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.","descriptions":[{"label":"default","data":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system."},{"label":"check","data":"Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \"lock-enabled\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \"lock-enabled\" is\nnot set to \"true\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \"lock-enabled\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000028-GPOS-00009 ","satisfies":["SRG-OS-000028-GPOS-00009","SRG-OS-000029-GPOS-00010"],"gid":"V-238199 ","rid":"SV-238199r653772_rule ","stig_id":"UBTU-20-010004 ","fix_id":"F-41368r653771_fix ","cci":["CCI-000056","CCI-000057"],"nist":["AC-11 b","AC-11 a"]},"code":"control 'SV-238199' do\n title \"The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.\n\n \"\n desc 'check', \"Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \\\"lock-enabled\\\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \\\"lock-enabled\\\" is\nnot set to \\\"true\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \\\"lock-enabled\\\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000028-GPOS-00009 '\n tag satisfies: %w(SRG-OS-000028-GPOS-00009 SRG-OS-000029-GPOS-00010)\n tag gid: 'V-238199 '\n tag rid: 'SV-238199r653772_rule '\n tag stig_id: 'UBTU-20-010004 '\n tag fix_id: 'F-41368r653771_fix '\n tag cci: %w(CCI-000056 CCI-000057)\n tag nist: ['AC-11 b', 'AC-11 a']\n\n xorg_status = command('which Xorg').exit_status\n\n if xorg_status == 0\n describe command('gsettings get org.gnome.desktop.screensaver lock-enabled') do\n its('stdout') { should cmp 'true' }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238199.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"1","run_time":1.0e-06,"start_time":"2022-12-08T20:52:31-05:00","resource":"1","skip_message":"GUI not installed.\nwhich Xorg exit_status: 1","resource_class":"Numeric","resource_params":"[]","resource_id":""}]},{"id":"SV-238200","title":"The Ubuntu operating system must allow users to directly initiate a session lock for all\nconnection types. ","desc":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.","descriptions":[{"label":"default","data":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity."},{"label":"check","data":"Verify the Ubuntu operating system has the \"vlock\" package installed by running the\nfollowing command:\n\n$ dpkg -l | grep vlock\n\nIf \"vlock\" is not installed, this is a finding."},{"label":"fix","data":"Install the \"vlock\" package (if it is not already installed) by running the following\ncommand:\n\n$ sudo apt-get install vlock"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000030-GPOS-00011 ","satisfies":["SRG-OS-000030-GPOS-00011","SRG-OS-000031-GPOS-00012"],"gid":"V-238200 ","rid":"SV-238200r653775_rule ","stig_id":"UBTU-20-010005 ","fix_id":"F-41369r653774_fix ","cci":["CCI-000058","CCI-000060"],"nist":["AC-11 a","AC-11 (1)"]},"code":"control 'SV-238200' do\n title \"The Ubuntu operating system must allow users to directly initiate a session lock for all\nconnection types. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"vlock\\\" package installed by running the\nfollowing command:\n\n$ dpkg -l | grep vlock\n\nIf \\\"vlock\\\" is not installed, this is a finding. \"\n desc 'fix', \"Install the \\\"vlock\\\" package (if it is not already installed) by running the following\ncommand:\n\n$ sudo apt-get install vlock \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000030-GPOS-00011 '\n tag satisfies: %w(SRG-OS-000030-GPOS-00011 SRG-OS-000031-GPOS-00012)\n tag gid: 'V-238200 '\n tag rid: 'SV-238200r653775_rule '\n tag stig_id: 'UBTU-20-010005 '\n tag fix_id: 'F-41369r653774_fix '\n tag cci: %w(CCI-000058 CCI-000060)\n tag nist: ['AC-11 a', 'AC-11 (1)']\n\n describe package('vlock') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238200.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package vlock is expected to be installed","run_time":0.078421,"start_time":"2022-12-08T20:52:31-05:00","message":"expected that `System Package vlock` is installed","resource_class":"package","resource_params":"[\"vlock\"]","resource_id":"vlock"}]},{"id":"SV-238201","title":"The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. ","desc":"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis.","descriptions":[{"label":"default","data":"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis."},{"label":"check","data":"Verify that \"use_mappers\" is set to \"pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\"use_mappers\" is not found or the list does not contain \"pwent\" this is a finding."},{"label":"fix","data":"Set \"use_mappers=pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \"/etc/pam_pkcs11/\" directory and an\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify\naccordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."}],"impact":0.0,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000068-GPOS-00036 ","gid":"V-238201 ","rid":"SV-238201r832933_rule ","stig_id":"UBTU-20-010006 ","fix_id":"F-41370r653777_fix ","cci":["CCI-000187"],"nist":["IA-5 (2) (a) (2)"]},"code":"control 'SV-238201' do\n title \"The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. \"\n desc \"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis. \"\n desc 'check', \"Verify that \\\"use_mappers\\\" is set to \\\"pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\\\"use_mappers\\\" is not found or the list does not contain \\\"pwent\\\" this is a finding. \"\n desc 'fix', \"Set \\\"use_mappers=pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000068-GPOS-00036 '\n tag gid: 'V-238201 '\n tag rid: 'SV-238201r832933_rule '\n tag stig_id: 'UBTU-20-010006 '\n tag fix_id: 'F-41370r653777_fix '\n tag cci: ['CCI-000187']\n tag nist: ['IA-5 (2) (a) (2)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'This control is Not Applicable inside a container' do\n skip 'This control is Not Applicable inside a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file = '/etc/pam_pkcs11/pam_pkcs11.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('use_mappers') { should cmp 'pwent' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238201.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"This control is Not Applicable inside a container","run_time":3.0e-06,"start_time":"2022-12-08T20:52:31-05:00","resource":"","skip_message":"This control is Not Applicable inside a container","resource_class":"Object","resource_params":"[]","resource_id":"This control is Not Applicable inside a container"}]},{"id":"SV-238202","title":"The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day minimum password lifetime restriction. ","desc":"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse.","descriptions":[{"label":"default","data":"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse."},{"label":"check","data":"Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \"PASS_MIN_DAYS\" parameter value is less than\n\"1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MIN_DAYS 1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000075-GPOS-00043 ","gid":"V-238202 ","rid":"SV-238202r653781_rule ","stig_id":"UBTU-20-010007 ","fix_id":"F-41371r653780_fix ","cci":["CCI-000198"],"nist":["IA-5 (1) (d)"]},"code":"control 'SV-238202' do\n title \"The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day minimum password lifetime restriction. \"\n desc \"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \\\"PASS_MIN_DAYS\\\" parameter value is less than\n\\\"1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MIN_DAYS 1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000075-GPOS-00043 '\n tag gid: 'V-238202 '\n tag rid: 'SV-238202r653781_rule '\n tag stig_id: 'UBTU-20-010007 '\n tag fix_id: 'F-41371r653780_fix '\n tag cci: ['CCI-000198']\n tag nist: ['IA-5 (1) (d)']\n\n describe login_defs do\n its('PASS_MIN_DAYS') { should >= '1' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238202.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"login.defs PASS_MIN_DAYS is expected to >= \"1\"","run_time":0.00314,"start_time":"2022-12-08T20:52:31-05:00","resource_class":"login_defs","resource_params":"[]","resource_id":"/etc/login.defs"}]},{"id":"SV-238203","title":"The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction.\nPasswords for new users must have a 60-day maximum password lifetime restriction. ","desc":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised.","descriptions":[{"label":"default","data":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n$ grep -i ^pass_max_days /etc/login.defs\n\nPASS_MAX_DAYS 60\n\nIf the \"PASS_MAX_DAYS\" parameter value is less than \"60\" or is commented\nout, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.\n\nAdd\nor modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MAX_DAYS 60"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000076-GPOS-00044 ","gid":"V-238203 ","rid":"SV-238203r653784_rule ","stig_id":"UBTU-20-010008 ","fix_id":"F-41372r653783_fix ","cci":["CCI-000199"],"nist":["IA-5 (1) (d)"]},"code":"control 'SV-238203' do\n title \"The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction.\nPasswords for new users must have a 60-day maximum password lifetime restriction. \"\n desc \"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n$ grep -i ^pass_max_days /etc/login.defs\n\nPASS_MAX_DAYS 60\n\nIf the \\\"PASS_MAX_DAYS\\\" parameter value is less than \\\"60\\\" or is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.\n\nAdd\nor modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MAX_DAYS 60 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000076-GPOS-00044 '\n tag gid: 'V-238203 '\n tag rid: 'SV-238203r653784_rule '\n tag stig_id: 'UBTU-20-010008 '\n tag fix_id: 'F-41372r653783_fix '\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)']\n\n describe login_defs do\n its('PASS_MAX_DAYS') { should cmp <= 60 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238203.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"login.defs PASS_MAX_DAYS is expected to cmp <= 60","run_time":0.00075,"start_time":"2022-12-08T20:52:31-05:00","resource_class":"login_defs","resource_params":"[]","resource_id":"/etc/login.defs"}]},{"id":"SV-238204","title":"Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. ","desc":"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system.","descriptions":[{"label":"default","data":"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system."},{"label":"check","data":"Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \"password_pbkdf2\", this is a finding."},{"label":"fix","data":"Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \"/etc/grub.d/40_custom\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\"root\\\"\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \"grub.conf\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000080-GPOS-00048 ","gid":"V-238204 ","rid":"SV-238204r832936_rule ","stig_id":"UBTU-20-010009 ","fix_id":"F-41373r832935_fix ","cci":["CCI-000213"],"nist":["AC-3"]},"code":"control 'SV-238204' do\n title \"Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. \"\n desc \"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system. \"\n desc 'check', \"Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \\\"password_pbkdf2\\\", this is a finding. \"\n desc 'fix', \"Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \\\"/etc/grub.d/40_custom\\\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\\\\\"root\\\\\\\"\\\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \\\"grub.conf\\\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000080-GPOS-00048 '\n tag gid: 'V-238204 '\n tag rid: 'SV-238204r832936_rule '\n tag stig_id: 'UBTU-20-010009 '\n tag fix_id: 'F-41373r832935_fix '\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n describe grub_conf('/boot/grub/grub.cfg') do\n its('password') { should match '^password_pbkdf2' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238204.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Grub Config","run_time":4.0e-06,"start_time":"2022-12-08T20:52:31-05:00","resource":"Grub Config","skip_message":"Can't find file: /boot/grub/grub.cfg","resource_class":"grub_conf","resource_params":"[\"/boot/grub/grub.cfg\"]","resource_id":"/boot/grub/grub.cfg"}]},{"id":"SV-238205","title":"The Ubuntu operating system must uniquely identify interactive users. ","desc":"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.","descriptions":[{"label":"default","data":"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity."},{"label":"check","data":"Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive\nusers with the following command:\n\n$ awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf\noutput is produced and the accounts listed are interactive user accounts, this is a finding."},{"label":"fix","data":"Edit the file \"/etc/passwd\" and provide each interactive user account that has a duplicate\nUID with a unique UID."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000104-GPOS-00051 ","satisfies":["SRG-OS-000104-GPOS-00051","SRG-OS-000121-GPOS-00062"],"gid":"V-238205 ","rid":"SV-238205r653790_rule ","stig_id":"UBTU-20-010010 ","fix_id":"F-41374r653789_fix ","cci":["CCI-000764","CCI-000804"],"nist":["IA-2","IA-8"]},"code":"control 'SV-238205' do\n title 'The Ubuntu operating system must uniquely identify interactive users. '\n desc \"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive\nusers with the following command:\n\n$ awk -F \\\":\\\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf\noutput is produced and the accounts listed are interactive user accounts, this is a finding. \"\n desc 'fix', \"Edit the file \\\"/etc/passwd\\\" and provide each interactive user account that has a duplicate\nUID with a unique UID. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000104-GPOS-00051 '\n tag satisfies: %w(SRG-OS-000104-GPOS-00051 SRG-OS-000121-GPOS-00062)\n tag gid: 'V-238205 '\n tag rid: 'SV-238205r653790_rule '\n tag stig_id: 'UBTU-20-010010 '\n tag fix_id: 'F-41374r653789_fix '\n tag cci: %w(CCI-000764 CCI-000804)\n tag nist: %w(IA-2 IA-8)\n\n user_list = command(\"awk -F \\\":\\\" 'list[$3]++{print $1}' /etc/passwd\").stdout.split(\"\\n\")\n findings = Set[]\n\n user_list.each do |user_name|\n findings = findings << user_name\n end\n describe 'Duplicate User IDs (UIDs) must not exist for interactive users' do\n subject { findings.to_a }\n it { should be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238205.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Duplicate User IDs (UIDs) must not exist for interactive users is expected to be empty","run_time":0.003305,"start_time":"2022-12-08T20:52:31-05:00","resource_class":"Object","resource_params":"[]","resource_id":"Duplicate User IDs (UIDs) must not exist for interactive users"}]},{"id":"SV-238206","title":"The Ubuntu operating system must ensure only users who need access to security functions are\npart of sudo group. ","desc":"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities.","descriptions":[{"label":"default","data":"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities."},{"label":"check","data":"Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding."},{"label":"fix","data":"Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000134-GPOS-00068 ","gid":"V-238206 ","rid":"SV-238206r653793_rule ","stig_id":"UBTU-20-010012 ","fix_id":"F-41375r653792_fix ","cci":["CCI-001084"],"nist":["SC-3"]},"code":"control 'SV-238206' do\n title \"The Ubuntu operating system must ensure only users who need access to security functions are\npart of sudo group. \"\n desc \"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities. \"\n desc 'check', \"Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding. \"\n desc 'fix', \"Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000134-GPOS-00068 '\n tag gid: 'V-238206 '\n tag rid: 'SV-238206r653793_rule '\n tag stig_id: 'UBTU-20-010012 '\n tag fix_id: 'F-41375r653792_fix '\n tag cci: ['CCI-001084']\n tag nist: ['SC-3']\n\n sudo_accounts = input('sudo_accounts')\n\n if sudo_accounts.count > 0\n sudo_accounts.each do |account|\n describe group('sudo') do\n its('members') { should include account }\n end\n end\n else\n describe.one do\n describe group('sudo') do\n its('members') { should be_nil }\n end\n describe group('sudo') do\n its('members') { should be_empty }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238206.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Group sudo members is expected to include \"ubuntu\"","run_time":0.084946,"start_time":"2022-12-08T20:52:31-05:00","message":"expected \"\" to include \"ubuntu\"","resource_class":"group","resource_params":"[\"sudo\"]","resource_id":"sudo-27"}]},{"id":"SV-238207","title":"The Ubuntu operating system must automatically terminate a user session after inactivity\ntimeouts have expired. ","desc":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance.","descriptions":[{"label":"default","data":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance."},{"label":"check","data":"Verify the operating system automatically terminates a user session after inactivity\ntimeouts have expired.\n\nCheck that \"TMOUT\" environment variable is set in the\n\"/etc/bash.bashrc\" file or in any file inside the \"/etc/profile.d/\" directory by\nperforming the following command:\n\n$ grep -E \"\\bTMOUT=[0-9]+\" /etc/bash.bashrc\n/etc/profile.d/*\n\nTMOUT=600\n\nIf \"TMOUT\" is not set, or if the value is \"0\" or is commented\nout, this is a finding."},{"label":"fix","data":"Configure the operating system to automatically terminate a user session after inactivity\ntimeouts have expired or at shutdown.\n\nCreate the file\n\"/etc/profile.d/99-terminal_tmout.sh\" file if it does not exist.\n\nModify or append the\nfollowing line in the \"/etc/profile.d/99-terminal_tmout.sh \" file:\n\nTMOUT=600\n\nThis\nwill set a timeout value of 10 minutes for all future sessions.\n\nTo set the timeout for the\ncurrent sessions, execute the following command over the terminal session:\n\n$ export\nTMOUT=600"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000279-GPOS-00109 ","gid":"V-238207 ","rid":"SV-238207r853404_rule ","stig_id":"UBTU-20-010013 ","fix_id":"F-41376r653795_fix ","cci":["CCI-002361"],"nist":["AC-12"]},"code":"control 'SV-238207' do\n title \"The Ubuntu operating system must automatically terminate a user session after inactivity\ntimeouts have expired. \"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance. \"\n desc 'check', \"Verify the operating system automatically terminates a user session after inactivity\ntimeouts have expired.\n\nCheck that \\\"TMOUT\\\" environment variable is set in the\n\\\"/etc/bash.bashrc\\\" file or in any file inside the \\\"/etc/profile.d/\\\" directory by\nperforming the following command:\n\n$ grep -E \\\"\\\\bTMOUT=[0-9]+\\\" /etc/bash.bashrc\n/etc/profile.d/*\n\nTMOUT=600\n\nIf \\\"TMOUT\\\" is not set, or if the value is \\\"0\\\" or is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the operating system to automatically terminate a user session after inactivity\ntimeouts have expired or at shutdown.\n\nCreate the file\n\\\"/etc/profile.d/99-terminal_tmout.sh\\\" file if it does not exist.\n\nModify or append the\nfollowing line in the \\\"/etc/profile.d/99-terminal_tmout.sh \\\" file:\n\nTMOUT=600\n\nThis\nwill set a timeout value of 10 minutes for all future sessions.\n\nTo set the timeout for the\ncurrent sessions, execute the following command over the terminal session:\n\n$ export\nTMOUT=600 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000279-GPOS-00109 '\n tag gid: 'V-238207 '\n tag rid: 'SV-238207r853404_rule '\n tag stig_id: 'UBTU-20-010013 '\n tag fix_id: 'F-41376r653795_fix '\n tag cci: ['CCI-002361']\n tag nist: ['AC-12']\n\n profile_files = command('find /etc/profile.d/ /etc/bash.bashrc -type f').stdout.strip.split(\"\\n\").entries\n timeout = input('tmout').to_s\n\n describe.one do\n profile_files.each do |pf|\n describe file(pf.strip) do\n its('content') { should match \"^TMOUT=#{timeout}$\" }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238207.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /etc/profile.d/01-locale-fix.sh content is expected to match \"^TMOUT=600$\"","run_time":0.000174,"start_time":"2022-12-08T20:52:31-05:00","message":"expected \"# Make sure the locale variables are set to valid values.\\neval $(/usr/bin/locale-check C.UTF-8)\\n\" to match \"^TMOUT=600$\"\nDiff:\n@@ -1,2 +1,3 @@\n-^TMOUT=600$\n+# Make sure the locale variables are set to valid values.\n+eval $(/usr/bin/locale-check C.UTF-8)\n","exception":"RSpec::Core::MultipleExceptionError","resource_class":"file","resource_params":"[\"/etc/profile.d/01-locale-fix.sh\"]","resource_id":"/etc/profile.d/01-locale-fix.sh"},{"status":"failed","code_desc":"File /etc/bash.bashrc content is expected to match \"^TMOUT=600$\"","run_time":0.000357,"start_time":"2022-12-08T20:52:31-05:00","message":"expected \"# System-wide .bashrc file for interactive bash(1) shells.\\n\\n# To enable the settings / commands in...\\telse\\n\\t\\t printf \\\"%s: command not found\\\\n\\\" \\\"$1\\\" >&2\\n\\t\\t return 127\\n\\t\\tfi\\n\\t}\\nfi\\n\" to match \"^TMOUT=600$\"\nDiff:\n@@ -1,71 +1,141 @@\n-^TMOUT=600$\n+# System-wide .bashrc file for interactive bash(1) shells.\n+\n+# To enable the settings / commands in this file for login shells as well,\n+# this file has to be sourced in /etc/profile.\n+\n+# If not running interactively, don't do anything\n+[ -z \"$PS1\" ] && return\n+\n+# check the window size after each command and, if necessary,\n+# update the values of LINES and COLUMNS.\n+shopt -s checkwinsize\n+\n+# set variable identifying the chroot you work in (used in the prompt below)\n+if [ -z \"${debian_chroot:-}\" ] && [ -r /etc/debian_chroot ]; then\n+ debian_chroot=$(cat /etc/debian_chroot)\n+fi\n+\n+# set a fancy prompt (non-color, overwrite the one in /etc/profile)\n+# but only if not SUDOing and have SUDO_PS1 set; then assume smart user.\n+if ! [ -n \"${SUDO_USER}\" -a -n \"${SUDO_PS1}\" ]; then\n+ PS1='${debian_chroot:+($debian_chroot)}\\u@\\h:\\w\\$ '\n+fi\n+\n+# Commented out, don't overwrite xterm -T \"title\" -n \"icontitle\" by default.\n+# If this is an xterm set the title to user@host:dir\n+#case \"$TERM\" in\n+#xterm*|rxvt*)\n+# PROMPT_COMMAND='echo -ne \"\\033]0;${USER}@${HOSTNAME}: ${PWD}\\007\"'\n+# ;;\n+#*)\n+# ;;\n+#esac\n+\n+# enable bash completion in interactive shells\n+#if ! shopt -oq posix; then\n+# if [ -f /usr/share/bash-completion/bash_completion ]; then\n+# . /usr/share/bash-completion/bash_completion\n+# elif [ -f /etc/bash_completion ]; then\n+# . /etc/bash_completion\n+# fi\n+#fi\n+\n+# sudo hint\n+if [ ! -e \"$HOME/.sudo_as_admin_successful\" ] && [ ! -e \"$HOME/.hushlogin\" ] ; then\n+ case \" $(groups) \" in *\\ admin\\ *|*\\ sudo\\ *)\n+ if [ -x /usr/bin/sudo ]; then\n+\tcat <<-EOF\n+\tTo run a command as administrator (user \"root\"), use \"sudo \".\n+\tSee \"man sudo_root\" for details.\n+\t\n+\tEOF\n+ fi\n+ esac\n+fi\n+\n+# if the command-not-found package is installed, use it\n+if [ -x /usr/lib/command-not-found -o -x /usr/share/command-not-found/command-not-found ]; then\n+\tfunction command_not_found_handle {\n+\t # check because c-n-f could've been removed in the meantime\n+ if [ -x /usr/lib/command-not-found ]; then\n+\t\t /usr/lib/command-not-found -- \"$1\"\n+ return $?\n+ elif [ -x /usr/share/command-not-found/command-not-found ]; then\n+\t\t /usr/share/command-not-found/command-not-found -- \"$1\"\n+ return $?\n+\t\telse\n+\t\t printf \"%s: command not found\\n\" \"$1\" >&2\n+\t\t return 127\n+\t\tfi\n+\t}\n+fi\n","exception":"RSpec::Core::MultipleExceptionError","resource_class":"file","resource_params":"[\"/etc/bash.bashrc\"]","resource_id":"/etc/bash.bashrc"}]},{"id":"SV-238208","title":"The Ubuntu operating system must require users to reauthenticate for privilege escalation\nor when changing roles. ","desc":"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.","descriptions":[{"label":"default","data":"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate."},{"label":"check","data":"Verify the \"/etc/sudoers\" file has no occurrences of \"NOPASSWD\" or \"!authenticate\" by\nrunning the following command:\n\n$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers\n/etc/sudoers.d/*\n\nIf any occurrences of \"NOPASSWD\" or \"!authenticate\" return from the\ncommand, this is a finding."},{"label":"fix","data":"Remove any occurrence of \"NOPASSWD\" or \"!authenticate\" found in \"/etc/sudoers\" file or\nfiles in the \"/etc/sudoers.d\" directory."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000373-GPOS-00156 ","satisfies":["SRG-OS-000373-GPOS-00156","SRG-OS-000373-GPOS-00157"],"gid":"V-238208 ","rid":"SV-238208r853405_rule ","stig_id":"UBTU-20-010014 ","fix_id":"F-41377r653798_fix ","cci":["CCI-002038"],"nist":["IA-11"]},"code":"control 'SV-238208' do\n title \"The Ubuntu operating system must require users to reauthenticate for privilege escalation\nor when changing roles. \"\n desc \"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.\n\n \"\n desc 'check', \"Verify the \\\"/etc/sudoers\\\" file has no occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" by\nrunning the following command:\n\n$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers\n/etc/sudoers.d/*\n\nIf any occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" return from the\ncommand, this is a finding. \"\n desc 'fix', \"Remove any occurrence of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" found in \\\"/etc/sudoers\\\" file or\nfiles in the \\\"/etc/sudoers.d\\\" directory. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000373-GPOS-00156 '\n tag satisfies: %w(SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157)\n tag gid: 'V-238208 '\n tag rid: 'SV-238208r853405_rule '\n tag stig_id: 'UBTU-20-010014 '\n tag fix_id: 'F-41377r653798_fix '\n tag cci: ['CCI-002038']\n tag nist: ['IA-11']\n\n describe command(\"egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers\") do\n its('stdout.strip') { should be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238208.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Command: `egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers` stdout.strip is expected to be empty","run_time":0.045523,"start_time":"2022-12-08T20:52:31-05:00","resource_class":"command","resource_params":"[\"egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers\"]","resource_id":"Command: `egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers`"}]},{"id":"SV-238209","title":"The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. ","desc":"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access.","descriptions":[{"label":"default","data":"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access."},{"label":"check","data":"Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \"umask\" /etc/login.defs\n\nUMASK 077\n\nIf the \"UMASK\"\nvariable is set to \"000\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\"UMASK\" is not set to \"077\", is commented out, or is missing completely, this is a finding."},{"label":"fix","data":"Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \"UMASK\" parameter in the\n\"/etc/login.defs\" file to match the example below:\n\nUMASK 077"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00228 ","gid":"V-238209 ","rid":"SV-238209r653802_rule ","stig_id":"UBTU-20-010016 ","fix_id":"F-41378r653801_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238209' do\n title \"The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. \"\n desc \"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access. \"\n desc 'check', \"Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \\\"umask\\\" /etc/login.defs\n\nUMASK 077\n\nIf the \\\"UMASK\\\"\nvariable is set to \\\"000\\\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\\\"UMASK\\\" is not set to \\\"077\\\", is commented out, or is missing completely, this is a finding. \"\n desc 'fix', \"Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \\\"UMASK\\\" parameter in the\n\\\"/etc/login.defs\\\" file to match the example below:\n\nUMASK 077 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00228 '\n tag gid: 'V-238209 '\n tag rid: 'SV-238209r653802_rule '\n tag stig_id: 'UBTU-20-010016 '\n tag fix_id: 'F-41378r653801_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe login_defs do\n its('UMASK') { should eq '077' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238209.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"login.defs UMASK is expected to eq \"077\"","run_time":0.000687,"start_time":"2022-12-08T20:52:31-05:00","resource_class":"login_defs","resource_params":"[]","resource_id":"/etc/login.defs"}]},{"id":"SV-238210","title":"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. ","desc":"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.","descriptions":[{"label":"default","data":"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication."},{"label":"check","data":"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\"libpam-pkcs11\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \"no\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \"pam_pkcs11.so\" in \"/etc/pam.d/common-auth\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\"PubkeyAuthentication yes\" in the \"/etc/ssh/sshd_config\" file."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000105-GPOS-00052 ","satisfies":["SRG-OS-000105-GPOS-00052","SRG-OS-000106-GPOS-00053","SRG-OS-000107-GPOS-00054","SRG-OS-000108-GPOS-00055"],"gid":"V-238210 ","rid":"SV-238210r858517_rule ","stig_id":"UBTU-20-010033 ","fix_id":"F-41379r653804_fix ","cci":["CCI-000765","CCI-000766","CCI-000767","CCI-000768"],"nist":["IA-2 (1)","IA-2 (2)","IA-2 (3)","IA-2 (4)"]},"code":"control 'SV-238210' do\n title \"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. \"\n desc \"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \\\"no\\\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \\\"pam_pkcs11.so\\\" in \\\"/etc/pam.d/common-auth\\\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\\\"PubkeyAuthentication yes\\\" in the \\\"/etc/ssh/sshd_config\\\" file. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000105-GPOS-00052 '\n tag satisfies: %w(SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055)\n tag gid: 'V-238210 '\n tag rid: 'SV-238210r858517_rule '\n tag stig_id: 'UBTU-20-010033 '\n tag fix_id: 'F-41379r653804_fix '\n tag cci: %w(CCI-000765 CCI-000766 CCI-000767 CCI-000768)\n tag nist: ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n\n describe sshd_config do\n its('PubkeyAuthentication') { should cmp 'yes' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238210.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-08T20:52:31-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238211","title":"The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. ","desc":"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric.","descriptions":[{"label":"default","data":"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric."},{"label":"check","data":"Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \"UsePAM\"\nis set to \"yes\" in \"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \"UsePAM\" is not set to \"yes\", this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000125-GPOS-00065 ","gid":"V-238211 ","rid":"SV-238211r858519_rule ","stig_id":"UBTU-20-010035 ","fix_id":"F-41380r653807_fix ","cci":["CCI-000877"],"nist":["MA-4 c"]},"code":"control 'SV-238211' do\n title \"The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. \"\n desc \"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \\\"UsePAM\\\"\nis set to \\\"yes\\\" in \\\"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \\\"UsePAM\\\" is not set to \\\"yes\\\", this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000125-GPOS-00065 '\n tag gid: 'V-238211 '\n tag rid: 'SV-238211r858519_rule '\n tag stig_id: 'UBTU-20-010035 '\n tag fix_id: 'F-41380r653807_fix '\n tag cci: ['CCI-000877']\n tag nist: ['MA-4 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe sshd_config do\n its('UsePAM') { should cmp 'yes' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238211.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:31-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238212","title":"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic after a period of inactivity. ","desc":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance.","descriptions":[{"label":"default","data":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance."},{"label":"check","data":"Verify that all network connections associated with SSH traffic automatically terminate\nafter a period of inactivity.\n\nVerify the \"ClientAliveCountMax\" variable is set in the\n\"/etc/ssh/sshd_config\" file by performing the following command:\n\n$ sudo grep -ir\nclientalivecountmax /etc/ssh/sshd_config*\n\nClientAliveCountMax 1\n\nIf\n\"ClientAliveCountMax\" is not set, is not set to \"1\", or is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to automatically terminate inactive SSH sessions\nafter a period of inactivity.\n\nModify or append the following line in the\n\"/etc/ssh/sshd_config\" file, replacing \"[Count]\" with a value of 1:\n\n\nClientAliveCountMax 1\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000126-GPOS-00066 ","gid":"V-238212 ","rid":"SV-238212r858521_rule ","stig_id":"UBTU-20-010036 ","fix_id":"F-41381r653810_fix ","cci":["CCI-000879"],"nist":["MA-4 e"]},"code":"control 'SV-238212' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic after a period of inactivity. \"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance. \"\n desc 'check', \"Verify that all network connections associated with SSH traffic automatically terminate\nafter a period of inactivity.\n\nVerify the \\\"ClientAliveCountMax\\\" variable is set in the\n\\\"/etc/ssh/sshd_config\\\" file by performing the following command:\n\n$ sudo grep -ir\nclientalivecountmax /etc/ssh/sshd_config*\n\nClientAliveCountMax 1\n\nIf\n\\\"ClientAliveCountMax\\\" is not set, is not set to \\\"1\\\", or is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate inactive SSH sessions\nafter a period of inactivity.\n\nModify or append the following line in the\n\\\"/etc/ssh/sshd_config\\\" file, replacing \\\"[Count]\\\" with a value of 1:\n\n\nClientAliveCountMax 1\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000126-GPOS-00066 '\n tag gid: 'V-238212 '\n tag rid: 'SV-238212r858521_rule '\n tag stig_id: 'UBTU-20-010036 '\n tag fix_id: 'F-41381r653810_fix '\n tag cci: ['CCI-000879']\n tag nist: ['MA-4 e']\n\n describe sshd_config do\n its('ClientAliveCountMax') { should cmp 1 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238212.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":2.0e-06,"start_time":"2022-12-08T20:52:31-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238213","title":"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic at the end of the session or after 10 minutes of inactivity. ","desc":"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session.","descriptions":[{"label":"default","data":"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session."},{"label":"check","data":"Verify that all network connections associated with SSH traffic are automatically\nterminated at the end of the session or after 10 minutes of inactivity.\n\nVerify the\n\"ClientAliveInterval\" variable is set to a value of \"600\" or less by performing the following\ncommand:\n\n$ sudo grep -ir clientalive /etc/ssh/sshd_config*\n\nClientAliveInterval\n600\n\nIf \"ClientAliveInterval\" does not exist, is not set to a value of \"600\" or less in\n\"/etc/ssh/sshd_config\", or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to automatically terminate all network connections\nassociated with SSH traffic at the end of a session or after a 10-minute period of inactivity.\n\n\nModify or append the following line in the \"/etc/ssh/sshd_config\" file replacing\n\"[Interval]\" with a value of \"600\" or less:\n\nClientAliveInterval 600\n\nRestart the SSH\ndaemon for the changes to take effect:\n\n$ sudo systemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000163-GPOS-00072 ","gid":"V-238213 ","rid":"SV-238213r858523_rule ","stig_id":"UBTU-20-010037 ","fix_id":"F-41382r653813_fix ","cci":["CCI-001133"],"nist":["SC-10"]},"code":"control 'SV-238213' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic at the end of the session or after 10 minutes of inactivity. \"\n desc \"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session. \"\n desc 'check', \"Verify that all network connections associated with SSH traffic are automatically\nterminated at the end of the session or after 10 minutes of inactivity.\n\nVerify the\n\\\"ClientAliveInterval\\\" variable is set to a value of \\\"600\\\" or less by performing the following\ncommand:\n\n$ sudo grep -ir clientalive /etc/ssh/sshd_config*\n\nClientAliveInterval\n600\n\nIf \\\"ClientAliveInterval\\\" does not exist, is not set to a value of \\\"600\\\" or less in\n\\\"/etc/ssh/sshd_config\\\", or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate all network connections\nassociated with SSH traffic at the end of a session or after a 10-minute period of inactivity.\n\n\nModify or append the following line in the \\\"/etc/ssh/sshd_config\\\" file replacing\n\\\"[Interval]\\\" with a value of \\\"600\\\" or less:\n\nClientAliveInterval 600\n\nRestart the SSH\ndaemon for the changes to take effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000163-GPOS-00072 '\n tag gid: 'V-238213 '\n tag rid: 'SV-238213r858523_rule '\n tag stig_id: 'UBTU-20-010037 '\n tag fix_id: 'F-41382r653813_fix '\n tag cci: ['CCI-001133']\n tag nist: ['SC-10']\n\n describe sshd_config do\n its('ClientAliveInterval') { should cmp 600 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238213.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":2.0e-06,"start_time":"2022-12-08T20:52:31-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238214","title":"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. ","desc":"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"","descriptions":[{"label":"default","data":"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\""},{"label":"check","data":"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding."},{"label":"fix","data":"Set the parameter Banner in \"/etc/ssh/sshd_config\" to point to the \"/etc/issue.net\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000228-GPOS-00088 ","satisfies":["SRG-OS-000228-GPOS-00088","SRG-OS-000023-GPOS-00006"],"gid":"V-238214 ","rid":"SV-238214r858525_rule ","stig_id":"UBTU-20-010038 ","fix_id":"F-41383r653816_fix ","cci":["CCI-000048","CCI-001384","CCI-001385","CCI-001386","CCI-001387","CCI-001388"],"nist":["AC-8 a","AC-8 c 1","AC-8 c 2","AC-8 c 3"]},"code":"control 'SV-238214' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. \"\n desc \"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\"\n\n \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\\\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Set the parameter Banner in \\\"/etc/ssh/sshd_config\\\" to point to the \\\"/etc/issue.net\\\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000228-GPOS-00088 '\n tag satisfies: %w(SRG-OS-000228-GPOS-00088 SRG-OS-000023-GPOS-00006)\n tag gid: 'V-238214 '\n tag rid: 'SV-238214r858525_rule '\n tag stig_id: 'UBTU-20-010038 '\n tag fix_id: 'F-41383r653816_fix '\n tag cci: %w(CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388)\n tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3']\n\n if !service('sshd').enabled? or !package('sshd-server').installed? or virtualization.system.eql?('docker')\n impact 0.0\n describe 'This control is Not Applicable' do\n if virtualization.system.eql?('docker')\n skip 'This control is Not Applicable in a container and/or the SSHD server is not enabled'\n else\n skip 'This control is Not Applicable since the SSHD server is not enabled and/or installed'\n end\n end\n else\n banner_text = input('banner_text')\n banner_files = [sshd_config.banner].flatten\n\n banner_files.each do |banner_file|\n if banner_file.nil?\n describe 'The SSHD Banner is not set' do\n subject { banner_file.nil? }\n it { should be false }\n end\n end\n if !banner_file.nil? && !banner_file.match(/none/i).nil?\n describe 'The SSHD Banner is disabled' do\n subject { banner_file.match(/none/i).nil? }\n it { should be true }\n end\n end\n if !banner_file.nil? && banner_file.match(/none/i).nil? && !file(banner_file).exist?\n describe 'The SSHD Banner is set, but, the file does not exist' do\n subject { file(banner_file).exist? }\n it { should be true }\n end\n end\n next unless !banner_file.nil? && banner_file.match(/none/i).nil? && file(banner_file).exist?\n\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n subject { file(banner_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238214.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"This control is Not Applicable","run_time":2.0e-06,"start_time":"2022-12-08T20:52:31-05:00","resource":"","skip_message":"This control is Not Applicable in a container and/or the SSHD server is not enabled","resource_class":"Object","resource_params":"[]","resource_id":"This control is Not Applicable"}]},{"id":"SV-238215","title":"The Ubuntu operating system must use SSH to protect the confidentiality and integrity of\ntransmitted information. ","desc":"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.","descriptions":[{"label":"default","data":"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa."},{"label":"check","data":"Verify the SSH package is installed with the following command:\n\n$ sudo dpkg -l | grep openssh\n\nii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access\nto remote machines\nii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server,\nfor secure access from remote machines\nii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64\nsecure shell (SSH) sftp server module, for SFTP access from remote machines\n\nIf the\n\"openssh\" server package is not installed, this is a finding.\n\nVerify the \"sshd.service\" is\nloaded and active with the following command:\n\n$ sudo systemctl status sshd.service | egrep\n-i \"(active|loaded)\"\n Loaded: loaded (/lib/systemd/system/ssh.service; enabled;\nvendor preset: enabled)\n Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1\nweeks 3 days ago\n\nIf \"sshd.service\" is not active or loaded, this is a finding."},{"label":"fix","data":"Install the \"ssh\" meta-package on the system with the following command:\n\n$ sudo apt install\nssh\n\nEnable the \"ssh\" service to start automatically on reboot with the following command:\n\n\n$ sudo systemctl enable sshd.service\n\nensure the \"ssh\" service is running\n\n$ sudo\nsystemctl start sshd.service"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000423-GPOS-00187 ","satisfies":["SRG-OS-000423-GPOS-00187","SRG-OS-000425-GPOS-00189","SRG-OS-000426-GPOS-00190"],"gid":"V-238215 ","rid":"SV-238215r853406_rule ","stig_id":"UBTU-20-010042 ","fix_id":"F-41384r653819_fix ","cci":["CCI-002418","CCI-002420","CCI-002422"],"nist":["SC-8","SC-8 (2)"]},"code":"control 'SV-238215' do\n title \"The Ubuntu operating system must use SSH to protect the confidentiality and integrity of\ntransmitted information. \"\n desc \"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.\n\n \"\n desc 'check', \"Verify the SSH package is installed with the following command:\n\n$ sudo dpkg -l | grep openssh\n\nii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access\nto remote machines\nii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server,\nfor secure access from remote machines\nii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64\nsecure shell (SSH) sftp server module, for SFTP access from remote machines\n\nIf the\n\\\"openssh\\\" server package is not installed, this is a finding.\n\nVerify the \\\"sshd.service\\\" is\nloaded and active with the following command:\n\n$ sudo systemctl status sshd.service | egrep\n-i \\\"(active|loaded)\\\"\n Loaded: loaded (/lib/systemd/system/ssh.service; enabled;\nvendor preset: enabled)\n Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1\nweeks 3 days ago\n\nIf \\\"sshd.service\\\" is not active or loaded, this is a finding. \"\n desc 'fix', \"Install the \\\"ssh\\\" meta-package on the system with the following command:\n\n$ sudo apt install\nssh\n\nEnable the \\\"ssh\\\" service to start automatically on reboot with the following command:\n\n\n$ sudo systemctl enable sshd.service\n\nensure the \\\"ssh\\\" service is running\n\n$ sudo\nsystemctl start sshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000423-GPOS-00187 '\n tag satisfies: %w(SRG-OS-000423-GPOS-00187 SRG-OS-000425-GPOS-00189 SRG-OS-000426-GPOS-00190)\n tag gid: 'V-238215 '\n tag rid: 'SV-238215r853406_rule '\n tag stig_id: 'UBTU-20-010042 '\n tag fix_id: 'F-41384r653819_fix '\n tag cci: %w(CCI-002418 CCI-002420 CCI-002422)\n tag nist: ['SC-8', 'SC-8 (2)']\n\n describe package('openssh-client') do\n it { should be_installed }\n end\n\n describe package('openssh-server') do\n it { should be_installed }\n end\n\n describe package('openssh-sftp-server') do\n it { should be_installed }\n end\n\n describe service('sshd') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238215.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package openssh-client is expected to be installed","run_time":0.039205,"start_time":"2022-12-08T20:52:31-05:00","message":"expected that `System Package openssh-client` is installed","resource_class":"package","resource_params":"[\"openssh-client\"]","resource_id":"openssh-client"},{"status":"failed","code_desc":"System Package openssh-server is expected to be installed","run_time":0.044731,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `System Package openssh-server` is installed","resource_class":"package","resource_params":"[\"openssh-server\"]","resource_id":"openssh-server"},{"status":"failed","code_desc":"System Package openssh-sftp-server is expected to be installed","run_time":0.038751,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `System Package openssh-sftp-server` is installed","resource_class":"package","resource_params":"[\"openssh-sftp-server\"]","resource_id":"openssh-sftp-server"},{"status":"failed","code_desc":"Service sshd is expected to be enabled","run_time":0.000473,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `Service sshd` is enabled","resource_class":"service","resource_params":"[\"sshd\"]","resource_id":"sshd"},{"status":"failed","code_desc":"Service sshd is expected to be installed","run_time":0.000338,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `Service sshd` is installed","resource_class":"service","resource_params":"[\"sshd\"]","resource_id":"sshd"},{"status":"failed","code_desc":"Service sshd is expected to be running","run_time":0.000294,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `Service sshd` is running","resource_class":"service","resource_params":"[\"sshd\"]","resource_id":"sshd"}]},{"id":"SV-238216","title":"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. ","desc":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.","descriptions":[{"label":"default","data":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes."},{"label":"check","data":"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \"hmac-sha2-512\" or\n\"hmac-sha2-256\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000424-GPOS-00188 ","satisfies":["SRG-OS-000424-GPOS-00188","SRG-OS-000250-GPOS-00093","SRG-OS-000393-GPOS-00173"],"gid":"V-238216 ","rid":"SV-238216r860820_rule ","stig_id":"UBTU-20-010043 ","fix_id":"F-41385r653822_fix ","cci":["CCI-001453","CCI-002421","CCI-002890"],"nist":["AC-17 (2)","SC-8 (1)","MA-4 (6)"]},"code":"control 'SV-238216' do\n title \"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \\\"hmac-sha2-512\\\" or\n\\\"hmac-sha2-256\\\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173)\n tag gid: 'V-238216 '\n tag rid: 'SV-238216r860820_rule '\n tag stig_id: 'UBTU-20-010043 '\n tag fix_id: 'F-41385r653822_fix '\n tag cci: %w(CCI-001453 CCI-002421 CCI-002890)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n @macs_array = inspec.sshd_config.params['macs']\n\n @macs_array = @macs_array.first.split(',') unless @macs_array.nil?\n\n describe @macs_array do\n it { should be_in %w(hmac-sha2-256 hmac-sha2-512) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238216.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"FIPS validation in a container must be reviewed manually","run_time":1.2e-05,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"FIPS validation in a container must be reviewed manually","resource_class":"Object","resource_params":"[]","resource_id":"FIPS validation in a container must be reviewed manually"}]},{"id":"SV-238217","title":"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. ","desc":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \"strongest to\nweakest\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.","descriptions":[{"label":"default","data":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \"strongest to\nweakest\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections."},{"label":"check","data":"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \"aes256-ctr\",\n\"aes192-ctr\", or \"aes128-ctr\" are listed, the order differs from the example above, the\n\"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000424-GPOS-00188 ","satisfies":["SRG-OS-000424-GPOS-00188","SRG-OS-000033-GPOS-00014","SRG-OS-000394-GPOS-00174"],"gid":"V-238217 ","rid":"SV-238217r860821_rule ","stig_id":"UBTU-20-010044 ","fix_id":"F-41386r653825_fix ","cci":["CCI-000068","CCI-002421","CCI-003123"],"nist":["AC-17 (2)","SC-8 (1)","MA-4 (6)"]},"code":"control 'SV-238217' do\n title \"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \\\"strongest to\nweakest\\\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \\\"aes256-ctr\\\",\n\\\"aes192-ctr\\\", or \\\"aes128-ctr\\\" are listed, the order differs from the example above, the\n\\\"Ciphers\\\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000033-GPOS-00014 SRG-OS-000394-GPOS-00174)\n tag gid: 'V-238217 '\n tag rid: 'SV-238217r860821_rule '\n tag stig_id: 'UBTU-20-010044 '\n tag fix_id: 'F-41386r653825_fix '\n tag cci: %w(CCI-000068 CCI-002421 CCI-003123)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n @ciphers_array = inspec.sshd_config.params['ciphers']\n\n @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil?\n\n describe @ciphers_array do\n it { should be_in %w(aes256-ctr aes192-ctr aes128-ctr) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238217.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"FIPS validation in a container must be reviewed manually","run_time":5.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"FIPS validation in a container must be reviewed manually","resource_class":"Object","resource_params":"[]","resource_id":"FIPS validation in a container must be reviewed manually"}]},{"id":"SV-238218","title":"The Ubuntu operating system must not allow unattended or automatic login via SSH. ","desc":"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security.","descriptions":[{"label":"default","data":"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security."},{"label":"check","data":"Verify that unattended or automatic login via SSH is disabled with the following command:\n\n$\negrep -r '(Permit(.*?)(Passwords|Environment))'\n/etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf\n\"PermitEmptyPasswords\" or \"PermitUserEnvironment\" keywords are not set to \"no\", are\nmissing completely, or are commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or\nautomatic login to the system.\n\nAdd or edit the following lines in the\n\"/etc/ssh/sshd_config\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00229 ","gid":"V-238218 ","rid":"SV-238218r858531_rule ","stig_id":"UBTU-20-010047 ","fix_id":"F-41387r653828_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238218' do\n title 'The Ubuntu operating system must not allow unattended or automatic login via SSH. '\n desc \"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security. \"\n desc 'check', \"Verify that unattended or automatic login via SSH is disabled with the following command:\n\n$\negrep -r '(Permit(.*?)(Passwords|Environment))'\n/etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf\n\\\"PermitEmptyPasswords\\\" or \\\"PermitUserEnvironment\\\" keywords are not set to \\\"no\\\", are\nmissing completely, or are commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or\nautomatic login to the system.\n\nAdd or edit the following lines in the\n\\\"/etc/ssh/sshd_config\\\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00229 '\n tag gid: 'V-238218 '\n tag rid: 'SV-238218r858531_rule '\n tag stig_id: 'UBTU-20-010047 '\n tag fix_id: 'F-41387r653828_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('PermitEmptyPasswords') { should cmp 'no' }\n its('PermitUserEnvironment') { should cmp 'no' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238218.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":5.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238219","title":"The Ubuntu operating system must be configured so that remote X connections are disabled,\nunless to fulfill documented and validated mission requirements. ","desc":"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs.","descriptions":[{"label":"default","data":"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs."},{"label":"check","data":"Verify that X11Forwarding is disabled with the following command:\n\n$ grep -ir\nx11forwarding /etc/ssh/sshd_config* | grep -v \"^#\"\n\nX11Forwarding no\n\nIf the\n\"X11Forwarding\" keyword is set to \"yes\" and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement or is missing, this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\"\nkeyword and set its value to \"no\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding\nno\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238219 ","rid":"SV-238219r858533_rule ","stig_id":"UBTU-20-010048 ","fix_id":"F-41388r653831_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238219' do\n title \"The Ubuntu operating system must be configured so that remote X connections are disabled,\nunless to fulfill documented and validated mission requirements. \"\n desc \"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs. \"\n desc 'check', \"Verify that X11Forwarding is disabled with the following command:\n\n$ grep -ir\nx11forwarding /etc/ssh/sshd_config* | grep -v \\\"^#\\\"\n\nX11Forwarding no\n\nIf the\n\\\"X11Forwarding\\\" keyword is set to \\\"yes\\\" and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement or is missing, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11Forwarding\\\"\nkeyword and set its value to \\\"no\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding\nno\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238219 '\n tag rid: 'SV-238219r858533_rule '\n tag stig_id: 'UBTU-20-010048 '\n tag fix_id: 'F-41388r653831_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('X11Forwarding') { should cmp 'no' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238219.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":9.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238220","title":"The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy\ndisplay. ","desc":"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display.","descriptions":[{"label":"default","data":"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display."},{"label":"check","data":"Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the\nSSH X11UseLocalhost setting with the following command:\n\n$ sudo grep -ir x11uselocalhost\n/etc/ssh/sshd_config*\nX11UseLocalhost yes\n\nIf the \"X11UseLocalhost\" keyword is set to\n\"no\", is missing, or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding."},{"label":"fix","data":"Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit\nthe \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11UseLocalhost\"\nkeyword and set its value to \"yes\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\n\nX11UseLocalhost yes\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238220 ","rid":"SV-238220r858535_rule ","stig_id":"UBTU-20-010049 ","fix_id":"F-41389r653834_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238220' do\n title \"The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy\ndisplay. \"\n desc \"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display. \"\n desc 'check', \"Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the\nSSH X11UseLocalhost setting with the following command:\n\n$ sudo grep -ir x11uselocalhost\n/etc/ssh/sshd_config*\nX11UseLocalhost yes\n\nIf the \\\"X11UseLocalhost\\\" keyword is set to\n\\\"no\\\", is missing, or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit\nthe \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11UseLocalhost\\\"\nkeyword and set its value to \\\"yes\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\n\nX11UseLocalhost yes\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238220 '\n tag rid: 'SV-238220r858535_rule '\n tag stig_id: 'UBTU-20-010049 '\n tag fix_id: 'F-41389r653834_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('X11UseLocalhost') { should cmp 'yes' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238220.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":5.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238221","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nupper-case character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none upper-case character be used.\n\nDetermine if the field \"ucredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"ucredit\"\n/etc/security/pwquality.conf\nucredit=-1\n\nIf the \"ucredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Add or update the \"/etc/security/pwquality.conf\" file to contain the \"ucredit\" parameter:\n\n\nucredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000069-GPOS-00037 ","gid":"V-238221 ","rid":"SV-238221r653838_rule ","stig_id":"UBTU-20-010050 ","fix_id":"F-41390r653837_fix ","cci":["CCI-000192"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238221' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nupper-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none upper-case character be used.\n\nDetermine if the field \\\"ucredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"ucredit\\\"\n/etc/security/pwquality.conf\nucredit=-1\n\nIf the \\\"ucredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"ucredit\\\" parameter:\n\n\nucredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000069-GPOS-00037 '\n tag gid: 'V-238221 '\n tag rid: 'SV-238221r653838_rule '\n tag stig_id: 'UBTU-20-010050 '\n tag fix_id: 'F-41390r653837_fix '\n tag cci: ['CCI-000192']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ucredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238221.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf ucredit is expected to cmp == \"-1\"","run_time":0.000281,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238222","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nlower-case character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none lower-case character be used.\n\nDetermine if the field \"lcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"lcredit\"\n/etc/security/pwquality.conf\nlcredit=-1\n\nIf the \"lcredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Add or update the \"/etc/security/pwquality.conf\" file to contain the \"lcredit\" parameter:\n\n\nlcredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000070-GPOS-00038 ","gid":"V-238222 ","rid":"SV-238222r653841_rule ","stig_id":"UBTU-20-010051 ","fix_id":"F-41391r653840_fix ","cci":["CCI-000193"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238222' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nlower-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none lower-case character be used.\n\nDetermine if the field \\\"lcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"lcredit\\\"\n/etc/security/pwquality.conf\nlcredit=-1\n\nIf the \\\"lcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"lcredit\\\" parameter:\n\n\nlcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000070-GPOS-00038 '\n tag gid: 'V-238222 '\n tag rid: 'SV-238222r653841_rule '\n tag stig_id: 'UBTU-20-010051 '\n tag fix_id: 'F-41391r653840_fix '\n tag cci: ['CCI-000193']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('lcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238222.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf lcredit is expected to cmp == \"-1\"","run_time":0.000236,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238223","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \"dcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"dcredit\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \"dcredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \"/etc/security/pwquality.conf\"\nfile to contain the \"dcredit\" parameter:\n\ndcredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000071-GPOS-00039 ","gid":"V-238223 ","rid":"SV-238223r653844_rule ","stig_id":"UBTU-20-010052 ","fix_id":"F-41392r653843_fix ","cci":["CCI-000194"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238223' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \\\"dcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"dcredit\\\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \\\"dcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\"\nfile to contain the \\\"dcredit\\\" parameter:\n\ndcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000071-GPOS-00039 '\n tag gid: 'V-238223 '\n tag rid: 'SV-238223r653844_rule '\n tag stig_id: 'UBTU-20-010052 '\n tag fix_id: 'F-41392r653843_fix '\n tag cci: ['CCI-000194']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238223.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf dcredit is expected to cmp == \"-1\"","run_time":8.5e-05,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238224","title":"The Ubuntu operating system must require the change of at least 8 characters when passwords\nare changed. ","desc":"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters.","descriptions":[{"label":"default","data":"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters."},{"label":"check","data":"Verify the Ubuntu operating system requires the change of at least eight characters when\npasswords are changed.\n\nDetermine if the field \"difok\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"difok\"\n/etc/security/pwquality.conf\ndifok=8\n\nIf the \"difok\" parameter is less than \"8\" or is\ncommented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to require the change of at least eight characters when\npasswords are changed.\n\nAdd or update the \"/etc/security/pwquality.conf\" file to include\nthe \"difok=8\" parameter:\n\ndifok=8"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000072-GPOS-00040 ","gid":"V-238224 ","rid":"SV-238224r653847_rule ","stig_id":"UBTU-20-010053 ","fix_id":"F-41393r653846_fix ","cci":["CCI-000195"],"nist":["IA-5 (1) (b)"]},"code":"control 'SV-238224' do\n title \"The Ubuntu operating system must require the change of at least 8 characters when passwords\nare changed. \"\n desc \"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters. \"\n desc 'check', \"Verify the Ubuntu operating system requires the change of at least eight characters when\npasswords are changed.\n\nDetermine if the field \\\"difok\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"difok\\\"\n/etc/security/pwquality.conf\ndifok=8\n\nIf the \\\"difok\\\" parameter is less than \\\"8\\\" or is\ncommented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to require the change of at least eight characters when\npasswords are changed.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\" file to include\nthe \\\"difok=8\\\" parameter:\n\ndifok=8 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000072-GPOS-00040 '\n tag gid: 'V-238224 '\n tag rid: 'SV-238224r653847_rule '\n tag stig_id: 'UBTU-20-010053 '\n tag fix_id: 'F-41393r653846_fix '\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('difok') { should cmp >= '8' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238224.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf difok is expected to cmp >= \"8\"","run_time":0.000115,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238225","title":"The Ubuntu operating system must enforce a minimum 15-character password length. ","desc":"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password.","descriptions":[{"label":"default","data":"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password."},{"label":"check","data":"Verify the pwquality configuration file enforces a minimum 15-character password length by\nrunning the following command:\n\n$ grep -i minlen\n/etc/security/pwquality.conf\nminlen=15\n\nIf \"minlen\" parameter value is not \"15\" or\nhigher or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a minimum 15-character password length.\n\n\nAdd or modify the \"minlen\" parameter value to the \"/etc/security/pwquality.conf\" file:\n\n\nminlen=15"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000078-GPOS-00046 ","gid":"V-238225 ","rid":"SV-238225r832942_rule ","stig_id":"UBTU-20-010054 ","fix_id":"F-41394r653849_fix ","cci":["CCI-000205"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238225' do\n title 'The Ubuntu operating system must enforce a minimum 15-character password length. '\n desc \"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password. \"\n desc 'check', \"Verify the pwquality configuration file enforces a minimum 15-character password length by\nrunning the following command:\n\n$ grep -i minlen\n/etc/security/pwquality.conf\nminlen=15\n\nIf \\\"minlen\\\" parameter value is not \\\"15\\\" or\nhigher or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a minimum 15-character password length.\n\n\nAdd or modify the \\\"minlen\\\" parameter value to the \\\"/etc/security/pwquality.conf\\\" file:\n\n\nminlen=15 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000078-GPOS-00046 '\n tag gid: 'V-238225 '\n tag rid: 'SV-238225r832942_rule '\n tag stig_id: 'UBTU-20-010054 '\n tag fix_id: 'F-41394r653849_fix '\n tag cci: ['CCI-000205']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('minlen') { should cmp >= '15' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238225.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf minlen is expected to cmp >= \"15\"","run_time":0.000163,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238226","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nspecial character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *."},{"label":"check","data":"Determine if the field \"ocredit\" is set in the \"/etc/security/pwquality.conf\" file with the\nfollowing command:\n\n$ grep -i \"ocredit\" /etc/security/pwquality.conf\nocredit=-1\n\nIf\nthe \"ocredit\" parameter is greater than \"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one special character be used.\n\nAdd or update the following line in the\n\"/etc/security/pwquality.conf\" file to include the \"ocredit=-1\" parameter:\n\n\nocredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000266-GPOS-00101 ","gid":"V-238226 ","rid":"SV-238226r653853_rule ","stig_id":"UBTU-20-010055 ","fix_id":"F-41395r653852_fix ","cci":["CCI-001619"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238226' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nspecial character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *. \"\n desc 'check', \"Determine if the field \\\"ocredit\\\" is set in the \\\"/etc/security/pwquality.conf\\\" file with the\nfollowing command:\n\n$ grep -i \\\"ocredit\\\" /etc/security/pwquality.conf\nocredit=-1\n\nIf\nthe \\\"ocredit\\\" parameter is greater than \\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one special character be used.\n\nAdd or update the following line in the\n\\\"/etc/security/pwquality.conf\\\" file to include the \\\"ocredit=-1\\\" parameter:\n\n\nocredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000266-GPOS-00101 '\n tag gid: 'V-238226 '\n tag rid: 'SV-238226r653853_rule '\n tag stig_id: 'UBTU-20-010055 '\n tag fix_id: 'F-41395r653852_fix '\n tag cci: ['CCI-001619']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ocredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238226.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf ocredit is expected to cmp == \"-1\"","run_time":6.3e-05,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238227","title":"The Ubuntu operating system must prevent the use of dictionary words for passwords. ","desc":"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks.","descriptions":[{"label":"default","data":"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks."},{"label":"check","data":"Verify the Ubuntu operating system uses the \"cracklib\" library to prevent the use of\ndictionary words with the following command:\n\n$ grep dictcheck\n/etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \"dictcheck\" parameter is not set to\n\"1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.\n\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file to include the\n\"dictcheck=1\" parameter:\n\ndictcheck=1"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00225 ","gid":"V-238227 ","rid":"SV-238227r653856_rule ","stig_id":"UBTU-20-010056 ","fix_id":"F-41396r653855_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238227' do\n title 'The Ubuntu operating system must prevent the use of dictionary words for passwords. '\n desc \"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks. \"\n desc 'check', \"Verify the Ubuntu operating system uses the \\\"cracklib\\\" library to prevent the use of\ndictionary words with the following command:\n\n$ grep dictcheck\n/etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \\\"dictcheck\\\" parameter is not set to\n\\\"1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.\n\n\nAdd or update the following line in the \\\"/etc/security/pwquality.conf\\\" file to include the\n\\\"dictcheck=1\\\" parameter:\n\ndictcheck=1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238227 '\n tag rid: 'SV-238227r653856_rule '\n tag stig_id: 'UBTU-20-010056 '\n tag fix_id: 'F-41396r653855_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dictcheck') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238227.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/security/pwquality.conf dictcheck is expected to cmp == \"1\"","run_time":5.6e-05,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/security/pwquality.conf\"]","resource_id":"/etc/security/pwquality.conf"}]},{"id":"SV-238228","title":"The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem."},{"label":"check","data":"Verify the Ubuntu operating system has the \"libpam-pwquality\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \"libpam-pwquality\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \"pwquality\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \"enforcing\" is not \"1\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \"pwquality\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\",\nthis is a finding."},{"label":"fix","data":"Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n\n\nInstall the \"pam_pwquality\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \"/etc/security/pwquality.conf\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\"/etc/pam.d/common-password\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \"retry\" should be between \"1\" and\n\"3\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00225 ","gid":"V-238228 ","rid":"SV-238228r653859_rule ","stig_id":"UBTU-20-010057 ","fix_id":"F-41397r653858_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238228' do\n title \"The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \\\"pwquality\\\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem. \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"libpam-pwquality\\\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \\\"libpam-pwquality\\\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \\\"pwquality\\\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \\\"enforcing\\\" is not \\\"1\\\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \\\"pwquality\\\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \\\"retry\\\" is set to \\\"0\\\" or greater than \\\"3\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the operating system to use \\\"pwquality\\\" to enforce password complexity rules.\n\n\nInstall the \\\"pam_pwquality\\\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \\\"/etc/security/pwquality.conf\\\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\\\"/etc/pam.d/common-password\\\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \\\"retry\\\" should be between \\\"1\\\" and\n\\\"3\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238228 '\n tag rid: 'SV-238228r653859_rule '\n tag stig_id: 'UBTU-20-010057 '\n tag fix_id: 'F-41397r653858_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pwquality') do\n it { should be_installed }\n end\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('enforcing') { should cmp 1 }\n end\n\n describe file('/etc/pam.d/common-password') do\n its('content') { should match '^password\\s+requisite\\s+pam_pwquality.so\\s+retry=3\\s+enforce_for_root$' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238228.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":6.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238229","title":"The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. ","desc":"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement.","descriptions":[{"label":"default","data":"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement."},{"label":"check","data":"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \"use_pkcs11_module\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\"\nand then ensure \"ca\" is enabled in \"cert_policy\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to \"ca\" or the line is commented out,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \"use_pkcs11_module\" in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" and ensure \"ca\" is enabled in \"cert_policy\".\n\nAdd or\nupdate the \"cert_policy\" to ensure \"ca\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \"/etc/pam_pkcs11/\" directory and an\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify\naccordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000066-GPOS-00034 ","gid":"V-238229 ","rid":"SV-238229r653862_rule ","stig_id":"UBTU-20-010060 ","fix_id":"F-41398r653861_fix ","cci":["CCI-000185"],"nist":["IA-5 (2) (b) (1)"]},"code":"control 'SV-238229' do\n title \"The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. \"\n desc \"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement. \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \\\"use_pkcs11_module\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\"\nand then ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to \\\"ca\\\" or the line is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \\\"use_pkcs11_module\\\" in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" and ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\".\n\nAdd or\nupdate the \\\"cert_policy\\\" to ensure \\\"ca\\\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000066-GPOS-00034 '\n tag gid: 'V-238229 '\n tag rid: 'SV-238229r653862_rule '\n tag stig_id: 'UBTU-20-010060 '\n tag fix_id: 'F-41398r653861_fix '\n tag cci: ['CCI-000185']\n tag nist: ['IA-5 (2) (b) (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('use_pkcs11_module') { should_not be_nil }\n its('cert_policy') { should include 'ca' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238229.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238230","title":"The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. ","desc":"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management).","descriptions":[{"label":"default","data":"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management)."},{"label":"check","data":"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\"libpam-pkcs11\" package is not installed, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \"libpam-pkcs11\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000375-GPOS-00160 ","gid":"V-238230 ","rid":"SV-238230r853410_rule ","stig_id":"UBTU-20-010063 ","fix_id":"F-41399r653864_fix ","cci":["CCI-001948"],"nist":["IA-2 (11)"]},"code":"control 'SV-238230' do\n title \"The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. \"\n desc \"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management). \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \\\"libpam-pkcs11\\\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000375-GPOS-00160 '\n tag gid: 'V-238230 '\n tag rid: 'SV-238230r853410_rule '\n tag stig_id: 'UBTU-20-010063 '\n tag fix_id: 'F-41399r653864_fix '\n tag cci: ['CCI-001948']\n tag nist: ['IA-2 (11)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238230.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238231","title":"The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. ","desc":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.","descriptions":[{"label":"default","data":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems."},{"label":"check","data":"Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \"opensc-pcks11\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \"opensc-pcks11\" package is not installed,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to accept PIV credentials.\n\nInstall the\n\"opensc-pkcs11\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000376-GPOS-00161 ","gid":"V-238231 ","rid":"SV-238231r853411_rule ","stig_id":"UBTU-20-010064 ","fix_id":"F-41400r653867_fix ","cci":["CCI-001953"],"nist":["IA-2 (12)"]},"code":"control 'SV-238231' do\n title 'The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. '\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \\\"opensc-pcks11\\\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \\\"opensc-pcks11\\\" package is not installed,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to accept PIV credentials.\n\nInstall the\n\\\"opensc-pkcs11\\\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000376-GPOS-00161 '\n tag gid: 'V-238231 '\n tag rid: 'SV-238231r853411_rule '\n tag stig_id: 'UBTU-20-010064 '\n tag fix_id: 'F-41400r653867_fix '\n tag cci: ['CCI-001953']\n tag nist: ['IA-2 (12)']\n\n describe package('opensc-pkcs11') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238231.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package opensc-pkcs11 is expected to be installed","run_time":0.041935,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `System Package opensc-pkcs11` is installed","resource_class":"package","resource_params":"[\"opensc-pkcs11\"]","resource_id":"opensc-pkcs11"}]},{"id":"SV-238232","title":"The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. ","desc":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.","descriptions":[{"label":"default","data":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems."},{"label":"check","data":"Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to\n\"ocsp_on\", or the line is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \"cert_policy\" lines in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000377-GPOS-00162 ","gid":"V-238232 ","rid":"SV-238232r853412_rule ","stig_id":"UBTU-20-010065 ","fix_id":"F-41401r653870_fix ","cci":["CCI-001954"],"nist":["IA-2 (12)"]},"code":"control 'SV-238232' do\n title \"The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. \"\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to\n\\\"ocsp_on\\\", or the line is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \\\"cert_policy\\\" lines in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" to include \\\"ocsp_on\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000377-GPOS-00162 '\n tag gid: 'V-238232 '\n tag rid: 'SV-238232r853412_rule '\n tag stig_id: 'UBTU-20-010065 '\n tag fix_id: 'F-41401r653870_fix '\n tag cci: ['CCI-001954']\n tag nist: ['IA-2 (12)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'ocsp_on' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238232.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":8.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238233","title":"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. ","desc":"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates).","descriptions":[{"label":"default","data":"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates)."},{"label":"check","data":"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \"crl_offline\" or \"crl_auto\" is\npart of the \"cert_policy\" definition in \"/etc/pam_pkcs11/pam_pkcs11.conf\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\"cert_policy\" is not set to include \"crl_auto\" or \"crl_offline\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\"cert_policy\" option in \"/etc/pam/_pkcs11/pam_pkcs11.conf\" to include \"crl_auto\" or\n\"crl_offline\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \"/etc/pam_pkcs11/\" directory and an \"/etc/pam_pkcs11/pam_pkcs11.conf\", find\nan example to copy into place and modify accordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000384-GPOS-00167 ","gid":"V-238233 ","rid":"SV-238233r853413_rule ","stig_id":"UBTU-20-010066 ","fix_id":"F-41402r653873_fix ","cci":["CCI-001991"],"nist":["IA-5 (2) (d)"]},"code":"control 'SV-238233' do\n title \"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. \"\n desc \"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates). \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \\\"crl_offline\\\" or \\\"crl_auto\\\" is\npart of the \\\"cert_policy\\\" definition in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\\\"cert_policy\\\" is not set to include \\\"crl_auto\\\" or \\\"crl_offline\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\\\"cert_policy\\\" option in \\\"/etc/pam/_pkcs11/pam_pkcs11.conf\\\" to include \\\"crl_auto\\\" or\n\\\"crl_offline\\\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \\\"/etc/pam_pkcs11/\\\" directory and an \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find\nan example to copy into place and modify accordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000384-GPOS-00167 '\n tag gid: 'V-238233 '\n tag rid: 'SV-238233r853413_rule '\n tag stig_id: 'UBTU-20-010066 '\n tag fix_id: 'F-41402r653873_fix '\n tag cci: ['CCI-001991']\n tag nist: ['IA-5 (2) (d)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe.one do\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_auto' }\n end\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_offline' }\n end\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238233.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":6.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238234","title":"The Ubuntu operating system must prohibit password reuse for a minimum of five generations. ","desc":"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.","descriptions":[{"label":"default","data":"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements."},{"label":"check","data":"Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \"remember\" parameter value is not greater\nthan or equal to \"5\", is commented out, or is not set at all, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \"remember\" parameter value to the following line in\n\"/etc/pam.d/common-password\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000077-GPOS-00045 ","satisfies":["SRG-OS-000077-GPOS-00045","SRG-OS-000073-GPOS-00041"],"gid":"V-238234 ","rid":"SV-238234r832945_rule ","stig_id":"UBTU-20-010070 ","fix_id":"F-41403r832944_fix ","cci":["CCI-000196","CCI-000200"],"nist":["IA-5 (1) (c)","IA-5 (1) (e)"]},"code":"control 'SV-238234' do\n title 'The Ubuntu operating system must prohibit password reuse for a minimum of five generations. '\n desc \"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \\\"remember\\\" parameter value is not greater\nthan or equal to \\\"5\\\", is commented out, or is not set at all, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \\\"remember\\\" parameter value to the following line in\n\\\"/etc/pam.d/common-password\\\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000077-GPOS-00045 '\n tag satisfies: %w(SRG-OS-000077-GPOS-00045 SRG-OS-000073-GPOS-00041)\n tag gid: 'V-238234 '\n tag rid: 'SV-238234r832945_rule '\n tag stig_id: 'UBTU-20-010070 '\n tag fix_id: 'F-41403r832944_fix '\n tag cci: %w(CCI-000196 CCI-000200)\n tag nist: ['IA-5 (1) (c)', 'IA-5 (1) (e)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-password') do\n it { should exist }\n end\n\n describe command(\"grep -i remember /etc/pam.d/common-password | sed 's/.*remember=\\\\([^ ]*\\\\).*/\\\\1/'\") do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should cmp >= 5 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238234.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":6.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238235","title":"The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. ","desc":"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.","descriptions":[{"label":"default","data":"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account."},{"label":"check","data":"Verify that the Ubuntu operating system utilizes the \"pam_faillock\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \"/etc/pam.d/common-auth\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \"silent\" keyword is missing or commented out, this is a finding.\nIf the \"audit\"\nkeyword is missing or commented out, this is a finding.\nIf the \"deny\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \"fail_interval\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\"unlock_time\" keyword is missing, commented out, or not set to 0, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to utilize the \"pam_faillock\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \"auth\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \"pam_faillock\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000329-GPOS-00128 ","satisfies":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"gid":"V-238235 ","rid":"SV-238235r853414_rule ","stig_id":"UBTU-20-010072 ","fix_id":"F-41404r802382_fix ","cci":["CCI-000044","CCI-002238"],"nist":["AC-7 a","AC-7 b"]},"code":"control 'SV-238235' do\n title \"The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. \"\n desc \"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.\n\n \"\n desc 'check', \"Verify that the Ubuntu operating system utilizes the \\\"pam_faillock\\\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \\\"/etc/pam.d/common-auth\\\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \\\"silent\\\" keyword is missing or commented out, this is a finding.\nIf the \\\"audit\\\"\nkeyword is missing or commented out, this is a finding.\nIf the \\\"deny\\\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \\\"fail_interval\\\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\\\"unlock_time\\\" keyword is missing, commented out, or not set to 0, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to utilize the \\\"pam_faillock\\\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \\\"auth\\\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \\\"pam_faillock\\\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000329-GPOS-00128 '\n tag satisfies: %w(SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005)\n tag gid: 'V-238235 '\n tag rid: 'SV-238235r853414_rule '\n tag stig_id: 'UBTU-20-010072 '\n tag fix_id: 'F-41404r802382_fix '\n tag cci: %w(CCI-000044 CCI-002238)\n tag nist: ['AC-7 a', 'AC-7 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_tally /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3($|\\s+.*$)/) }\n its('stdout.strip') { should_not match(/^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3\\s+.*unlock_time.*$/) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238235.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238236","title":"The Ubuntu operating system must be configured so that the script which runs each 30 days or\nless to check file integrity is the default one. ","desc":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.","descriptions":[{"label":"default","data":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality."},{"label":"check","data":"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to\ncheck file integrity each 30 days or less is unchanged.\n\nDownload the original aide-common\npackage in the /tmp directory:\n\n$ cd /tmp; apt download aide-common\n\nFetch the SHA1 of the\noriginal script file:\n\n$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO\n./usr/share/aide/config/cron.daily/aide | sha1sum\n\n32958374f18871e3f7dda27a58d721f471843e26 -\n\nCompare with the SHA1 of the file in the\ndaily or monthly cron directory:\n\n$ sha1sum /etc/cron.{daily,monthly}/aide\n2>/dev/null\n32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide\n\nIf\nthere is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the\ndaily or monthly cron directory does not match the SHA1 of the original, this is a finding."},{"label":"fix","data":"The cron file for AIDE is fairly complex as it creates the report. This file is installed with\nthe \"aide-common\" package, and the default can be restored by copying it from the package:\n\n\nDownload the original package to the /tmp dir:\n\n$ cd /tmp; apt download aide-common\n\n\nExtract the aide script to its original place:\n\n$ dpkg-deb --fsys-tarfile\n/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C /\n\n\nCopy it to the cron.daily directory:\n\n$ sudo cp -f\n/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000446-GPOS-00200 ","gid":"V-238236 ","rid":"SV-238236r853415_rule ","stig_id":"UBTU-20-010074 ","fix_id":"F-41405r653882_fix ","cci":["CCI-002699"],"nist":["SI-6 b"]},"code":"control 'SV-238236' do\n title \"The Ubuntu operating system must be configured so that the script which runs each 30 days or\nless to check file integrity is the default one. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality. \"\n desc 'check', \"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to\ncheck file integrity each 30 days or less is unchanged.\n\nDownload the original aide-common\npackage in the /tmp directory:\n\n$ cd /tmp; apt download aide-common\n\nFetch the SHA1 of the\noriginal script file:\n\n$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO\n./usr/share/aide/config/cron.daily/aide | sha1sum\n\n32958374f18871e3f7dda27a58d721f471843e26 -\n\nCompare with the SHA1 of the file in the\ndaily or monthly cron directory:\n\n$ sha1sum /etc/cron.{daily,monthly}/aide\n2>/dev/null\n32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide\n\nIf\nthere is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the\ndaily or monthly cron directory does not match the SHA1 of the original, this is a finding. \"\n desc 'fix', \"The cron file for AIDE is fairly complex as it creates the report. This file is installed with\nthe \\\"aide-common\\\" package, and the default can be restored by copying it from the package:\n\n\nDownload the original package to the /tmp dir:\n\n$ cd /tmp; apt download aide-common\n\n\nExtract the aide script to its original place:\n\n$ dpkg-deb --fsys-tarfile\n/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C /\n\n\nCopy it to the cron.daily directory:\n\n$ sudo cp -f\n/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000446-GPOS-00200 '\n tag gid: 'V-238236 '\n tag rid: 'SV-238236r853415_rule '\n tag stig_id: 'UBTU-20-010074 '\n tag fix_id: 'F-41405r653882_fix '\n tag cci: ['CCI-002699']\n tag nist: ['SI-6 b']\n\n describe('Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.') do\n skip('manual test')\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238236.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"manual test","resource_class":"Object","resource_params":"[]","resource_id":"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged."}]},{"id":"SV-238237","title":"The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. ","desc":"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account.","descriptions":[{"label":"default","data":"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account."},{"label":"check","data":"Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \"/etc/pam.d/common-auth\" and set\nthe parameter \"pam_faildelay\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000480-GPOS-00226 ","gid":"V-238237 ","rid":"SV-238237r653886_rule ","stig_id":"UBTU-20-010075 ","fix_id":"F-41406r653885_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238237' do\n title \"The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. \"\n desc \"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \\\"/etc/pam.d/common-auth\\\" and set\nthe parameter \\\"pam_faildelay\\\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00226 '\n tag gid: 'V-238237 '\n tag rid: 'SV-238237r653886_rule '\n tag stig_id: 'UBTU-20-010075 '\n tag fix_id: 'F-41406r653885_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_faildelay /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=([4-9][\\d]{6,}|[1-9][\\d]{7,}).*$/) }\n end\n\n file('/etc/pam.d/common-auth').content.to_s.scan(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=(\\d+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 4_000_000 }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238237.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238238","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000463-GPOS-00207","SRG-OS-000476-GPOS-00221"],"gid":"V-238238 ","rid":"SV-238238r853416_rule ","stig_id":"UBTU-20-010100 ","fix_id":"F-41407r653888_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238238' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000463-GPOS-00207 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238238 '\n tag rid: 'SV-238238r853416_rule '\n tag stig_id: 'UBTU-20-010100 '\n tag fix_id: 'F-41407r653888_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238238.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238239","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238239 ","rid":"SV-238239r853417_rule ","stig_id":"UBTU-20-010101 ","fix_id":"F-41408r653891_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238239' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238239 '\n tag rid: 'SV-238239r853417_rule '\n tag stig_id: 'UBTU-20-010101 '\n tag fix_id: 'F-41408r653891_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/group'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238239.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238240","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238240 ","rid":"SV-238240r853418_rule ","stig_id":"UBTU-20-010102 ","fix_id":"F-41409r653894_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238240' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238240 '\n tag rid: 'SV-238240r853418_rule '\n tag stig_id: 'UBTU-20-010102 '\n tag fix_id: 'F-41409r653894_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/shadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238240.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238241","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238241 ","rid":"SV-238241r853419_rule ","stig_id":"UBTU-20-010103 ","fix_id":"F-41410r653897_fix ","cci":["CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AU-12 c","AC-2 (4)"]},"code":"control 'SV-238241' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238241 '\n tag rid: 'SV-238241r853419_rule '\n tag stig_id: 'UBTU-20-010103 '\n tag fix_id: 'F-41410r653897_fix '\n tag cci: %w(CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AU-12 c', 'AC-2 (4)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/gshadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238241.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238242","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/security/opasswd\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/security/opasswd\".\n\n\nAdd or update the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238242 ","rid":"SV-238242r853420_rule ","stig_id":"UBTU-20-010104 ","fix_id":"F-41411r653900_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238242' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nAdd or update the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238242 '\n tag rid: 'SV-238242r853420_rule '\n tag stig_id: 'UBTU-20-010104 '\n tag fix_id: 'F-41411r653900_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/security/opasswd'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238242.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238243","title":"The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. ","desc":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth.","descriptions":[{"label":"default","data":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth."},{"label":"check","data":"Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \"action_mail_acct\" keyword is not set to an accounts for security personnel, the\n\"action_mail_acct\" keyword is missing, or the returned line is commented out, this is a\nfinding."},{"label":"fix","data":"Configure \"auditd\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \"/etc/audit/auditd.conf\" to ensure administrators\nare notified via email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \"administrator_account\" to an account for\nsecurity personnel.\n\nRestart the \"auditd\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000046-GPOS-00022 ","gid":"V-238243 ","rid":"SV-238243r653904_rule ","stig_id":"UBTU-20-010117 ","fix_id":"F-41412r653903_fix ","cci":["CCI-000139"],"nist":["AU-5 a"]},"code":"control 'SV-238243' do\n title \"The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. \"\n desc \"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth. \"\n desc 'check', \"Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \\\"action_mail_acct\\\" keyword is not set to an accounts for security personnel, the\n\\\"action_mail_acct\\\" keyword is missing, or the returned line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure \\\"auditd\\\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \\\"/etc/audit/auditd.conf\\\" to ensure administrators\nare notified via email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \\\"administrator_account\\\" to an account for\nsecurity personnel.\n\nRestart the \\\"auditd\\\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000046-GPOS-00022 '\n tag gid: 'V-238243 '\n tag rid: 'SV-238243r653904_rule '\n tag stig_id: 'UBTU-20-010117 '\n tag fix_id: 'F-41412r653903_fix '\n tag cci: ['CCI-000139']\n tag nist: ['AU-5 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n action_mail_acct = auditd_conf.action_mail_acct\n security_accounts = input('action_mail_acct')\n\n describe 'System Administrator (SA) and Information System Security Officer (ISSO) are notified in the event of an audit processing failure' do\n subject { security_accounts }\n it { should cmp action_mail_acct }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238243.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":6.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238244","title":"The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). ","desc":"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server.","descriptions":[{"label":"default","data":"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server."},{"label":"check","data":"Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\"disk_full_action\" option is not \"SYSLOG\", \"SINGLE\", or \"HALT\", or the line is commented\nout, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \"disk_full_action\" can be set to \"SYSLOG\", \"HALT\" or \"SINGLE\") in\n\"/etc/audit/auditd.conf\" file:\n\ndisk_full_action = HALT\n\nRestart the \"auditd\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000047-GPOS-00023 ","gid":"V-238244 ","rid":"SV-238244r653907_rule ","stig_id":"UBTU-20-010118 ","fix_id":"F-41413r653906_fix ","cci":["CCI-000140"],"nist":["AU-5 b"]},"code":"control 'SV-238244' do\n title \"The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). \"\n desc \"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server. \"\n desc 'check', \"Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\\\"disk_full_action\\\" option is not \\\"SYSLOG\\\", \\\"SINGLE\\\", or \\\"HALT\\\", or the line is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \\\"disk_full_action\\\" can be set to \\\"SYSLOG\\\", \\\"HALT\\\" or \\\"SINGLE\\\") in\n\\\"/etc/audit/auditd.conf\\\" file:\n\ndisk_full_action = HALT\n\nRestart the \\\"auditd\\\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000047-GPOS-00023 '\n tag gid: 'V-238244 '\n tag rid: 'SV-238244r653907_rule '\n tag stig_id: 'UBTU-20-010118 '\n tag fix_id: 'F-41413r653906_fix '\n tag cci: ['CCI-000140']\n tag nist: ['AU-5 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe auditd_conf do\n its('disk_full_action') { should_not be_empty }\n its('disk_full_action') { should cmp(/(?:SYSLOG|SINGLE|HALT)/i) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238244.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":6.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238245","title":"The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. ","desc":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.","descriptions":[{"label":"default","data":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity."},{"label":"check","data":"Verify that the audit log files have a mode of \"0600\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \"0600\" or\nless by using the following command:\n\n$ sudo stat -c \"%n %a\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\"0600\", this is a finding."},{"label":"fix","data":"Configure the audit log files to have a mode of \"0600\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \"0600\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000057-GPOS-00027 ","satisfies":["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028"],"gid":"V-238245 ","rid":"SV-238245r653910_rule ","stig_id":"UBTU-20-010122 ","fix_id":"F-41414r653909_fix ","cci":["CCI-000162","CCI-000163"],"nist":["AU-9 a"]},"code":"control 'SV-238245' do\n title \"The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify that the audit log files have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \\\"0600\\\" or\nless by using the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\\\"0600\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log files to have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \\\"0600\\\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028)\n tag gid: 'V-238245 '\n tag rid: 'SV-238245r653910_rule '\n tag stig_id: 'UBTU-20-010122 '\n tag fix_id: 'F-41414r653909_fix '\n tag cci: %w(CCI-000162 CCI-000163)\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n it { should_not be_more_permissive_than('0600') }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238245.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238246","title":"The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. ","desc":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.","descriptions":[{"label":"default","data":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity."},{"label":"check","data":"Verify the audit log files are owned by \"root\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \"root\" user by using the following\ncommand:\n\n$ sudo stat -c \"%n %U\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \"root\", this is a finding."},{"label":"fix","data":"Configure the audit log directory and its underlying files to be owned by \"root\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \"root\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000057-GPOS-00027 ","satisfies":["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028","SRG-OS-000059-GPOS-00029"],"gid":"V-238246 ","rid":"SV-238246r653913_rule ","stig_id":"UBTU-20-010123 ","fix_id":"F-41415r653912_fix ","cci":["CCI-000162"],"nist":["AU-9 a"]},"code":"control 'SV-238246' do\n title \"The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the audit log files are owned by \\\"root\\\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \\\"root\\\" user by using the following\ncommand:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \\\"root\\\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238246 '\n tag rid: 'SV-238246r653913_rule '\n tag stig_id: 'UBTU-20-010123 '\n tag fix_id: 'F-41415r653912_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('owner') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238246.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238247","title":"The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. ","desc":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.","descriptions":[{"label":"default","data":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity."},{"label":"check","data":"Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \"log_group\" parameter is other than \"root\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \"root\" group by using the following command:\n$ sudo stat -c \"%n %G\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\"root\", this is a finding."},{"label":"fix","data":"Configure the audit log directory and its underlying files to be owned by \"root\" group.\n\nSet\nthe \"log_group\" parameter of the audit configuration file to the \"root\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000057-GPOS-00027 ","satisfies":["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028","SRG-OS-000059-GPOS-00029"],"gid":"V-238247 ","rid":"SV-238247r832947_rule ","stig_id":"UBTU-20-010124 ","fix_id":"F-41416r832946_fix ","cci":["CCI-000162"],"nist":["AU-9 a"]},"code":"control 'SV-238247' do\n title \"The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \\\"log_group\\\" parameter is other than \\\"root\\\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \\\"root\\\" group by using the following command:\n$ sudo stat -c \\\"%n %G\\\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" group.\n\nSet\nthe \\\"log_group\\\" parameter of the audit configuration file to the \\\"root\\\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238247 '\n tag rid: 'SV-238247r832947_rule '\n tag stig_id: 'UBTU-20-010124 '\n tag fix_id: 'F-41416r832946_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('group') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238247.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238248","title":"The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. ","desc":"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity.","descriptions":[{"label":"default","data":"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity."},{"label":"check","data":"Verify that the audit log directory has a mode of \"0750\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \"0750\" or less by\nusing the following command:\n\n$ sudo stat -c \"%n %a\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \"0750\", this is a finding."},{"label":"fix","data":"Configure the audit log directory to have a mode of \"0750\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\"0750\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000059-GPOS-00029 ","gid":"V-238248 ","rid":"SV-238248r653919_rule ","stig_id":"UBTU-20-010128 ","fix_id":"F-41417r653918_fix ","cci":["CCI-000164"],"nist":["AU-9 a"]},"code":"control 'SV-238248' do\n title \"The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. \"\n desc \"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity. \"\n desc 'check', \"Verify that the audit log directory has a mode of \\\"0750\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \\\"0750\\\" or less by\nusing the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \\\"0750\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory to have a mode of \\\"0750\\\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\\\"0750\\\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000059-GPOS-00029 '\n tag gid: 'V-238248 '\n tag rid: 'SV-238248r653919_rule '\n tag stig_id: 'UBTU-20-010128 '\n tag fix_id: 'F-41417r653918_fix '\n tag cci: ['CCI-000164']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n if log_dir_exists\n describe directory(File.dirname(log_file)) do\n it { should_not be_more_permissive_than('0750') }\n end\n else\n describe('Audit directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238248.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238249","title":"The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. ","desc":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one."},{"label":"check","data":"Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files have a mode of \"0640\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\"/etc/audit/audit.rule\",\"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nhave a mode more permissive than \"0640\", this is a finding."},{"label":"fix","data":"Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files to have a mode of \"0640\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000063-GPOS-00032 ","gid":"V-238249 ","rid":"SV-238249r653922_rule ","stig_id":"UBTU-20-010133 ","fix_id":"F-41418r653921_fix ","cci":["CCI-000171"],"nist":["AU-12 b"]},"code":"control 'SV-238249' do\n title \"The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files have a mode of \\\"0640\\\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\\\"/etc/audit/audit.rule\\\",\\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nhave a mode more permissive than \\\"0640\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to have a mode of \\\"0640\\\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238249 '\n tag rid: 'SV-238249r653922_rule '\n tag stig_id: 'UBTU-20-010133 '\n tag fix_id: 'F-41418r653921_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n it { should_not be_more_permissive_than('0640') }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238249.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238250","title":"The Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. ","desc":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one."},{"label":"check","data":"Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and\n\"/etc/audit/auditd.conf\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nis owned by a user other than \"root\", this is a finding."},{"label":"fix","data":"Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and\n\"/etc/audit/auditd.conf\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000063-GPOS-00032 ","gid":"V-238250 ","rid":"SV-238250r653925_rule ","stig_id":"UBTU-20-010134 ","fix_id":"F-41419r653924_fix ","cci":["CCI-000171"],"nist":["AU-12 b"]},"code":"control 'SV-238250' do\n title \"The Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238250 '\n tag rid: 'SV-238250r653925_rule '\n tag stig_id: 'UBTU-20-010134 '\n tag fix_id: 'F-41419r653924_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238250.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238251","title":"The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. ","desc":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one."},{"label":"check","data":"Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nis owned by a group other than \"root\", this is a finding."},{"label":"fix","data":"Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000063-GPOS-00032 ","gid":"V-238251 ","rid":"SV-238251r653928_rule ","stig_id":"UBTU-20-010135 ","fix_id":"F-41420r653927_fix ","cci":["CCI-000171"],"nist":["AU-12 b"]},"code":"control 'SV-238251' do\n title \"The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a group other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238251 '\n tag rid: 'SV-238251r653928_rule '\n tag stig_id: 'UBTU-20-010135 '\n tag fix_id: 'F-41420r653927_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238251.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":6.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238252","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"su\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x -F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"su\" command occur.\n\nAdd or update the\nfollowing rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238252 ","rid":"SV-238252r653931_rule ","stig_id":"UBTU-20-010136 ","fix_id":"F-41421r653930_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238252' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"su\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x -F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \\\"su\\\" command occur.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238252 '\n tag rid: 'SV-238252r653931_rule '\n tag stig_id: 'UBTU-20-010136 '\n tag fix_id: 'F-41421r653930_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/su'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238252.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238253","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"chfn\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"chfn\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238253 ","rid":"SV-238253r653934_rule ","stig_id":"UBTU-20-010137 ","fix_id":"F-41422r653933_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238253' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"chfn\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chfn\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238253 '\n tag rid: 'SV-238253r653934_rule '\n tag stig_id: 'UBTU-20-010137 '\n tag fix_id: 'F-41422r653933_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chfn'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238253.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238254","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"mount\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"mount\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238254 ","rid":"SV-238254r653937_rule ","stig_id":"UBTU-20-010138 ","fix_id":"F-41423r653936_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238254' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"mount\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"mount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238254 '\n tag rid: 'SV-238254r653937_rule '\n tag stig_id: 'UBTU-20-010138 '\n tag fix_id: 'F-41423r653936_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/mount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238254.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238255","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \"umount\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"umount\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238255 ","rid":"SV-238255r653940_rule ","stig_id":"UBTU-20-010139 ","fix_id":"F-41424r653939_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238255' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \\\"umount\\\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"umount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238255 '\n tag rid: 'SV-238255r653940_rule '\n tag stig_id: 'UBTU-20-010139 '\n tag fix_id: 'F-41424r653939_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/umount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238255.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238256","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-agent command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"ssh-agent\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep '/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"ssh-agent\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238256 ","rid":"SV-238256r653943_rule ","stig_id":"UBTU-20-010140 ","fix_id":"F-41425r653942_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238256' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-agent command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-agent\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep '/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-agent\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238256 '\n tag rid: 'SV-238256r653943_rule '\n tag stig_id: 'UBTU-20-010140 '\n tag fix_id: 'F-41425r653942_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/ssh-agent'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238256.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238257","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"ssh-keysign\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"ssh-keysign\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238257 ","rid":"SV-238257r653946_rule ","stig_id":"UBTU-20-010141 ","fix_id":"F-41426r653945_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238257' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-keysign\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-keysign\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238257 '\n tag rid: 'SV-238257r653946_rule '\n tag stig_id: 'UBTU-20-010141 '\n tag fix_id: 'F-41426r653945_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/lib/openssh/ssh-keysign'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238257.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238258","title":"The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\",\n\"fremovexattr\", and \"lremovexattr\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \"setxattr\", \"fsetxattr\",\n\"lsetxattr\", \"removexattr\", \"fremovexattr\" and \"lremovexattr\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and\n\"lremovexattr\" system calls.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"],"gid":"V-238258 ","rid":"SV-238258r808474_rule ","stig_id":"UBTU-20-010142 ","fix_id":"F-41427r808473_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238258' do\n title \"The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\",\n\\\"fremovexattr\\\", and \\\"lremovexattr\\\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \\\"setxattr\\\", \\\"fsetxattr\\\",\n\\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\" and \\\"lremovexattr\\\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\", and\n\\\"lremovexattr\\\" system calls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238258 '\n tag rid: 'SV-238258r808474_rule '\n tag stig_id: 'UBTU-20-010142 '\n tag fix_id: 'F-41427r808473_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('setxattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('setxattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238258.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238264","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \"chown\",\n\"fchown\", \"fchownat\", and \"lchown\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nAdd or update the following\nrules in the \"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"],"gid":"V-238264 ","rid":"SV-238264r808477_rule ","stig_id":"UBTU-20-010148 ","fix_id":"F-41433r808476_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238264' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \\\"chown\\\",\n\\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nAdd or update the following\nrules in the \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238264 '\n tag rid: 'SV-238264r808477_rule '\n tag stig_id: 'UBTU-20-010148 '\n tag fix_id: 'F-41433r808476_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chown').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chown').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238264.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":7.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238268","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \"chmod\", \"fchmod\" and\n\"fchmodat\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nAdd or update the following rules in\nthe \"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"],"gid":"V-238268 ","rid":"SV-238268r808480_rule ","stig_id":"UBTU-20-010152 ","fix_id":"F-41437r808479_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238268' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \\\"chmod\\\", \\\"fchmod\\\" and\n\\\"fchmodat\\\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nAdd or update the following rules in\nthe \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238268 '\n tag rid: 'SV-238268r808480_rule '\n tag stig_id: 'UBTU-20-010152 '\n tag fix_id: 'F-41437r808479_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chmod').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chmod').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238268.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238271","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\|truncate\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \"-k\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove."},{"label":"fix","data":"Configure the audit system to generate an audit event for any unsuccessful use of the\"creat\",\n\"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" system calls.\n\nAdd\nor update the following rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000474-GPOS-00219"],"gid":"V-238271 ","rid":"SV-238271r808483_rule ","stig_id":"UBTU-20-010155 ","fix_id":"F-41440r808482_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238271' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\\\|truncate\\\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any unsuccessful use of the\\\"creat\\\",\n\\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" system calls.\n\nAdd\nor update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000474-GPOS-00219)\n tag gid: 'V-238271 '\n tag rid: 'SV-238271r808483_rule '\n tag stig_id: 'UBTU-20-010155 '\n tag fix_id: 'F-41440r808482_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238271.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238277","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"sudo\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"sudo\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238277 ","rid":"SV-238277r654006_rule ","stig_id":"UBTU-20-010161 ","fix_id":"F-41446r654005_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238277' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"sudo\\\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudo\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238277 '\n tag rid: 'SV-238277r654006_rule '\n tag stig_id: 'UBTU-20-010161 '\n tag fix_id: 'F-41446r654005_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudo'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238277.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238278","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"sudoedit\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"sudoedit\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238278 ","rid":"SV-238278r654009_rule ","stig_id":"UBTU-20-010162 ","fix_id":"F-41447r654008_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238278' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"sudoedit\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudoedit\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238278 '\n tag rid: 'SV-238278r654009_rule '\n tag stig_id: 'UBTU-20-010162 '\n tag fix_id: 'F-41447r654008_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudoedit'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238278.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238279","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chsh\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chsh\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238279 ","rid":"SV-238279r654012_rule ","stig_id":"UBTU-20-010163 ","fix_id":"F-41448r654011_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238279' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chsh\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chsh\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238279 '\n tag rid: 'SV-238279r654012_rule '\n tag stig_id: 'UBTU-20-010163 '\n tag fix_id: 'F-41448r654011_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chsh'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238279.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238280","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"newgrp\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"newgrp\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238280 ","rid":"SV-238280r654015_rule ","stig_id":"UBTU-20-010164 ","fix_id":"F-41449r654014_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238280' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"newgrp\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"newgrp\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238280 '\n tag rid: 'SV-238280r654015_rule '\n tag stig_id: 'UBTU-20-010164 '\n tag fix_id: 'F-41449r654014_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/newgrp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238280.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238281","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chcon\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chcon\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238281 ","rid":"SV-238281r654018_rule ","stig_id":"UBTU-20-010165 ","fix_id":"F-41450r654017_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238281' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chcon\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chcon\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238281 '\n tag rid: 'SV-238281r654018_rule '\n tag stig_id: 'UBTU-20-010165 '\n tag fix_id: 'F-41450r654017_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chcon'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238281.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238282","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"apparmor_parser\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"apparmor_parser\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238282 ","rid":"SV-238282r654021_rule ","stig_id":"UBTU-20-010166 ","fix_id":"F-41451r654020_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238282' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"apparmor_parser\\\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"apparmor_parser\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238282 '\n tag rid: 'SV-238282r654021_rule '\n tag stig_id: 'UBTU-20-010166 '\n tag fix_id: 'F-41451r654020_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/apparmor_parser'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238282.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238283","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"setfacl\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"setfacl\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238283 ","rid":"SV-238283r654024_rule ","stig_id":"UBTU-20-010167 ","fix_id":"F-41452r654023_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238283' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setfacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setfacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238283 '\n tag rid: 'SV-238283r654024_rule '\n tag stig_id: 'UBTU-20-010167 '\n tag fix_id: 'F-41452r654023_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/setfacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238283.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238284","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chacl\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chacl\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238284 ","rid":"SV-238284r654027_rule ","stig_id":"UBTU-20-010168 ","fix_id":"F-41453r654026_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238284' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238284 '\n tag rid: 'SV-238284r654027_rule '\n tag stig_id: 'UBTU-20-010168 '\n tag fix_id: 'F-41453r654026_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238284.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238285","title":"The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \"tallylog\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"tallylog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"gid":"V-238285 ","rid":"SV-238285r654030_rule ","stig_id":"UBTU-20-010169 ","fix_id":"F-41454r654029_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238285' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238285 '\n tag rid: 'SV-238285r654030_rule '\n tag stig_id: 'UBTU-20-010169 '\n tag fix_id: 'F-41454r654029_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/tallylog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238285.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238286","title":"The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \"faillog\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"faillog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"gid":"V-238286 ","rid":"SV-238286r654033_rule ","stig_id":"UBTU-20-010170 ","fix_id":"F-41455r654032_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238286' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238286 '\n tag rid: 'SV-238286r654033_rule '\n tag stig_id: 'UBTU-20-010170 '\n tag fix_id: 'F-41455r654032_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/faillog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238286.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238287","title":"The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \"lastlog\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"lastlog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"gid":"V-238287 ","rid":"SV-238287r654036_rule ","stig_id":"UBTU-20-010171 ","fix_id":"F-41456r654035_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238287' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238287 '\n tag rid: 'SV-238287r654036_rule '\n tag stig_id: 'UBTU-20-010171 '\n tag fix_id: 'F-41456r654035_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/lastlog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238287.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238288","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"passwd\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"key\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"passwd\" command.\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238288 ","rid":"SV-238288r833012_rule ","stig_id":"UBTU-20-010172 ","fix_id":"F-41457r832949_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238288' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"passwd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"key\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"passwd\\\" command.\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238288 '\n tag rid: 'SV-238288r833012_rule '\n tag stig_id: 'UBTU-20-010172 '\n tag fix_id: 'F-41457r832949_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238288.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238289","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the unix_update command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the\n\"unix_update\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"unix_update\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238289 ","rid":"SV-238289r654042_rule ","stig_id":"UBTU-20-010173 ","fix_id":"F-41458r654041_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238289' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the unix_update command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"unix_update\\\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"unix_update\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238289 '\n tag rid: 'SV-238289r654042_rule '\n tag stig_id: 'UBTU-20-010173 '\n tag fix_id: 'F-41458r654041_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/unix_update'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238289.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238290","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"gpasswd\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"gpasswd\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238290 ","rid":"SV-238290r654045_rule ","stig_id":"UBTU-20-010174 ","fix_id":"F-41459r654044_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238290' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"gpasswd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"gpasswd\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238290 '\n tag rid: 'SV-238290r654045_rule '\n tag stig_id: 'UBTU-20-010174 '\n tag fix_id: 'F-41459r654044_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/gpasswd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238290.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238291","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"chage\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"chage\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238291 ","rid":"SV-238291r654048_rule ","stig_id":"UBTU-20-010175 ","fix_id":"F-41460r654047_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238291' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"chage\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chage\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238291 '\n tag rid: 'SV-238291r654048_rule '\n tag stig_id: 'UBTU-20-010175 '\n tag fix_id: 'F-41460r654047_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chage'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238291.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238292","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"usermod\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"usermod\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238292 ","rid":"SV-238292r654051_rule ","stig_id":"UBTU-20-010176 ","fix_id":"F-41461r654050_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238292' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"usermod\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"usermod\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238292 '\n tag rid: 'SV-238292r654051_rule '\n tag stig_id: 'UBTU-20-010176 '\n tag fix_id: 'F-41461r654050_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/usermod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238292.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238293","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"crontab\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"crontab\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238293 ","rid":"SV-238293r654054_rule ","stig_id":"UBTU-20-010177 ","fix_id":"F-41462r654053_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238293' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"crontab\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"crontab\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238293 '\n tag rid: 'SV-238293r654054_rule '\n tag stig_id: 'UBTU-20-010177 '\n tag fix_id: 'F-41462r654053_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/crontab'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238293.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238294","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the\n\"pam_timestamp_check\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"pam_timestamp_check\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238294 ","rid":"SV-238294r654057_rule ","stig_id":"UBTU-20-010178 ","fix_id":"F-41463r654056_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238294' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"pam_timestamp_check\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"pam_timestamp_check\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238294 '\n tag rid: 'SV-238294r654057_rule '\n tag stig_id: 'UBTU-20-010178 '\n tag fix_id: 'F-41463r654056_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/pam_timestamp_check'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238294.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238295","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \"init_module\" and \"finit_module\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"init_module\" and \"finit_module\" syscalls.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000471-GPOS-00216"],"gid":"V-238295 ","rid":"SV-238295r808486_rule ","stig_id":"UBTU-20-010179 ","fix_id":"F-41464r808485_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238295' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \\\"init_module\\\" and \\\"finit_module\\\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000471-GPOS-00216)\n tag gid: 'V-238295 '\n tag rid: 'SV-238295r808486_rule '\n tag stig_id: 'UBTU-20-010179 '\n tag fix_id: 'F-41464r808485_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('init_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('init_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238295.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238297","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \"delete_module\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"delete_module\" syscall.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000477-GPOS-00222"],"gid":"V-238297 ","rid":"SV-238297r802387_rule ","stig_id":"UBTU-20-010181 ","fix_id":"F-41466r654065_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238297' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"delete_module\\\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"delete_module\\\" syscall.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: ['SRG-OS-000477-GPOS-00222']\n tag gid: 'V-238297 '\n tag rid: 'SV-238297r802387_rule '\n tag stig_id: 'UBTU-20-010181 '\n tag fix_id: 'F-41466r654065_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('delete_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('delete_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238297.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238298","title":"The Ubuntu operating system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. ","desc":"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.","descriptions":[{"label":"default","data":"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system."},{"label":"check","data":"Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \"auditd\" package is not installed, this is a finding.\n\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \"disabled\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \"inactive\",\nthis is a finding."},{"label":"fix","data":"Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000122-GPOS-00063 ","satisfies":["SRG-OS-000122-GPOS-00063","SRG-OS-000037-GPOS-00015","SRG-OS-000038-GPOS-00016","SRG-OS-000039-GPOS-00017","SRG-OS-000040-GPOS-00018","SRG-OS-000041-GPOS-00019","SRG-OS-000042-GPOS-00020","SRG-OS-000042-GPOS-00021","SRG-OS-000051-GPOS-00024","SRG-OS-000054-GPOS-00025","SRG-OS-000062-GPOS-00031","SRG-OS-000337-GPOS-00129","SRG-OS-000348-GPOS-00136","SRG-OS-000349-GPOS-00137","SRG-OS-000350-GPOS-00138","SRG-OS-000351-GPOS-00139","SRG-OS-000352-GPOS-00140","SRG-OS-000353-GPOS-00141","SRG-OS-000354-GPOS-00142","SRG-OS-000475-GPOS-00220"],"gid":"V-238298 ","rid":"SV-238298r853421_rule ","stig_id":"UBTU-20-010182 ","fix_id":"F-41467r654068_fix ","cci":["CCI-000130","CCI-000131","CCI-000132","CCI-000133","CCI-000134","CCI-000135","CCI-000154","CCI-000158","CCI-000169","CCI-000172","CCI-001875","CCI-001876","CCI-001877","CCI-001878","CCI-001879","CCI-001880","CCI-001881","CCI-001882","CCI-001914"],"nist":["AU-3 a","AU-3 b","AU-3 c","AU-3 d","AU-3 e","AU-3 (1)","AU-6 (4)","AU-7 (1)","AU-12 a","AU-12 c","AU-7 a","AU-7 b","AU-12 (3)"]},"code":"control 'SV-238298' do\n title \"The Ubuntu operating system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. \"\n desc \"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.\n\n \"\n desc 'check', \"Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \\\"auditd\\\" package is not installed, this is a finding.\n\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \\\"disabled\\\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \\\"inactive\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000122-GPOS-00063 '\n tag satisfies: %w(SRG-OS-000122-GPOS-00063 SRG-OS-000037-GPOS-00015 SRG-OS-000038-GPOS-00016 SRG-OS-000039-GPOS-00017 SRG-OS-000040-GPOS-00018 SRG-OS-000041-GPOS-00019 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000051-GPOS-00024 SRG-OS-000054-GPOS-00025 SRG-OS-000062-GPOS-00031 SRG-OS-000337-GPOS-00129 SRG-OS-000348-GPOS-00136 SRG-OS-000349-GPOS-00137 SRG-OS-000350-GPOS-00138 SRG-OS-000351-GPOS-00139 SRG-OS-000352-GPOS-00140 SRG-OS-000353-GPOS-00141 SRG-OS-000354-GPOS-00142 SRG-OS-000475-GPOS-00220)\n tag gid: 'V-238298 '\n tag rid: 'SV-238298r853421_rule '\n tag stig_id: 'UBTU-20-010182 '\n tag fix_id: 'F-41467r654068_fix '\n tag cci: %w(CCI-000130 CCI-000131 CCI-000132 CCI-000133 CCI-000134 CCI-000135 CCI-000154 CCI-000158 CCI-000169 CCI-000172 CCI-001875 CCI-001876 CCI-001877 CCI-001878 CCI-001879 CCI-001880 CCI-001881 CCI-001882 CCI-001914)\n tag nist: ['AU-3 a', 'AU-3 b', 'AU-3 c', 'AU-3 d', 'AU-3 e', 'AU-3 (1)', 'AU-6 (4)', 'AU-7 (1)', 'AU-12 a', 'AU-12 c', 'AU-7 a', 'AU-7 b', 'AU-12 (3)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('auditd') do\n it { should be_installed }\n end\n describe service('auditd') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238298.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238299","title":"The Ubuntu operating system must initiate session audits at system start-up. ","desc":"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created.","descriptions":[{"label":"default","data":"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created."},{"label":"check","data":"Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \"^\\s*linux\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \"audit=1\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\"/etc/default/grub\" file and add \"audit=1\" to the \"GRUB_CMDLINE_LINUX\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000254-GPOS-00095 ","gid":"V-238299 ","rid":"SV-238299r654072_rule ","stig_id":"UBTU-20-010198 ","fix_id":"F-41468r654071_fix ","cci":["CCI-001464"],"nist":["AU-14 (1)"]},"code":"control 'SV-238299' do\n title 'The Ubuntu operating system must initiate session audits at system start-up. '\n desc \"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created. \"\n desc 'check', \"Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \\\"^\\\\s*linux\\\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \\\"audit=1\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\\\"/etc/default/grub\\\" file and add \\\"audit=1\\\" to the \\\"GRUB_CMDLINE_LINUX\\\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000254-GPOS-00095 '\n tag gid: 'V-238299 '\n tag rid: 'SV-238299r654072_rule '\n tag stig_id: 'UBTU-20-010198 '\n tag fix_id: 'F-41468r654071_fix '\n tag cci: ['CCI-001464']\n tag nist: ['AU-14 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n grub_entries = command('grep \"^\\s*linux\" /boot/grub/grub.cfg').stdout.strip.split(\"\\n\").entries\n\n grub_entries.each do |entry|\n describe entry do\n it { should include 'audit=1' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238299.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238300","title":"The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the Ubuntu operating system configures the audit tools to have a file permission of\n0755 or less to prevent unauthorized access by running the following command:\n\n$ stat -c \"%n\n%a\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl 755\n/sbin/aureport 755\n\n/sbin/ausearch 755\n/sbin/autrace 755\n/sbin/auditd 755\n/sbin/audispd 755\n\n/sbin/augenrules 755\n\nIf any of the audit tools have a mode more permissive than 0755, this\nis a finding."},{"label":"fix","data":"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n$ sudo chmod\n0755 [audit_tool]\n\nReplace \"[audit_tool]\" with the audit tool that does not have the\ncorrect permissions."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000256-GPOS-00097 ","satisfies":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"],"gid":"V-238300 ","rid":"SV-238300r654075_rule ","stig_id":"UBTU-20-010199 ","fix_id":"F-41469r654074_fix ","cci":["CCI-001493","CCI-001494"],"nist":["AU-9 a","AU-9"]},"code":"control 'SV-238300' do\n title 'The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to have a file permission of\n0755 or less to prevent unauthorized access by running the following command:\n\n$ stat -c \\\"%n\n%a\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl 755\n/sbin/aureport 755\n\n/sbin/ausearch 755\n/sbin/autrace 755\n/sbin/auditd 755\n/sbin/audispd 755\n\n/sbin/augenrules 755\n\nIf any of the audit tools have a mode more permissive than 0755, this\nis a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n$ sudo chmod\n0755 [audit_tool]\n\nReplace \\\"[audit_tool]\\\" with the audit tool that does not have the\ncorrect permissions. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238300 '\n tag rid: 'SV-238300r654075_rule '\n tag stig_id: 'UBTU-20-010199 '\n tag fix_id: 'F-41469r654074_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238300.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238301","title":"The Ubuntu operating system must configure audit tools to be owned by root. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\"%n %U\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding."},{"label":"fix","data":"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not owned by root."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000256-GPOS-00097 ","satisfies":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"],"gid":"V-238301 ","rid":"SV-238301r654078_rule ","stig_id":"UBTU-20-010200 ","fix_id":"F-41470r654077_fix ","cci":["CCI-001493","CCI-001494"],"nist":["AU-9 a","AU-9"]},"code":"control 'SV-238301' do\n title 'The Ubuntu operating system must configure audit tools to be owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\\\"%n %U\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238301 '\n tag rid: 'SV-238301r654078_rule '\n tag stig_id: 'UBTU-20-010200 '\n tag fix_id: 'F-41470r654077_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238301.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238302","title":"The Ubuntu operating system must configure the audit tools to be group-owned by root. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \"%n %G\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding."},{"label":"fix","data":"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not group-owned by root."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000256-GPOS-00097 ","satisfies":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"],"gid":"V-238302 ","rid":"SV-238302r654081_rule ","stig_id":"UBTU-20-010201 ","fix_id":"F-41471r654080_fix ","cci":["CCI-001493","CCI-001494"],"nist":["AU-9 a","AU-9"]},"code":"control 'SV-238302' do\n title 'The Ubuntu operating system must configure the audit tools to be group-owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \\\"%n %G\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not group-owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238302 '\n tag rid: 'SV-238302r654081_rule '\n tag stig_id: 'UBTU-20-010201 '\n tag fix_id: 'F-41471r654080_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238302.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238303","title":"The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. ","desc":"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles.","descriptions":[{"label":"default","data":"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\/sbin\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding."},{"label":"fix","data":"Add or update the following selection lines for \"/etc/aide/aide.conf\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000278-GPOS-00108 ","gid":"V-238303 ","rid":"SV-238303r654084_rule ","stig_id":"UBTU-20-010205 ","fix_id":"F-41472r654083_fix ","cci":["CCI-001496"],"nist":["AU-9 (3)"]},"code":"control 'SV-238303' do\n title \"The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. \"\n desc \"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\\\/sbin\\\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding. \"\n desc 'fix', \"Add or update the following selection lines for \\\"/etc/aide/aide.conf\\\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000278-GPOS-00108 '\n tag gid: 'V-238303 '\n tag rid: 'SV-238303r654084_rule '\n tag stig_id: 'UBTU-20-010205 '\n tag fix_id: 'F-41472r654083_fix '\n tag cci: ['CCI-001496']\n tag nist: ['AU-9 (3)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n aide_conf = aide_conf input('aide_conf_path')\n\n aide_conf_exists = aide_conf.exist?\n\n if aide_conf_exists\n describe aide_conf.where { selection_line == '/sbin/auditctl' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/auditd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/ausearch' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/aureport' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/autrace' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/audispd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/augenrules' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n else\n describe 'aide.conf file exists' do\n subject { aide_conf_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238303.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238304","title":"The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. ","desc":"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.","descriptions":[{"label":"default","data":"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review."},{"label":"check","data":"Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \"execve\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000326-GPOS-00126 ","satisfies":["SRG-OS-000326-GPOS-00126","SRG-OS-000327-GPOS-00127"],"gid":"V-238304 ","rid":"SV-238304r853422_rule ","stig_id":"UBTU-20-010211 ","fix_id":"F-41473r654086_fix ","cci":["CCI-002233","CCI-002234"],"nist":["AC-6 (8)","AC-6 (9)"]},"code":"control 'SV-238304' do\n title \"The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. \"\n desc \"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \\\"execve\\\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000326-GPOS-00126 '\n tag satisfies: %w(SRG-OS-000326-GPOS-00126 SRG-OS-000327-GPOS-00127)\n tag gid: 'V-238304 '\n tag rid: 'SV-238304r853422_rule '\n tag stig_id: 'UBTU-20-010211 '\n tag fix_id: 'F-41473r654086_fix '\n tag cci: %w(CCI-002233 CCI-002234)\n tag nist: ['AC-6 (8)', 'AC-6 (9)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('execve').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('execve').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238304.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238305","title":"The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. ","desc":"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system.","descriptions":[{"label":"default","data":"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system."},{"label":"check","data":"Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \"/var/log/audit/\") with the following command:\n\n$\nsudo df –h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\"/var/log/audit\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du –sh [audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding."},{"label":"fix","data":"Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \"parted\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\s*=\\s*).*@\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint."}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000341-GPOS-00132 ","gid":"V-238305 ","rid":"SV-238305r853423_rule ","stig_id":"UBTU-20-010215 ","fix_id":"F-41474r654089_fix ","cci":["CCI-001849"],"nist":["AU-4"]},"code":"control 'SV-238305' do\n title \"The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. \"\n desc \"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system. \"\n desc 'check', \"Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \\\"/var/log/audit/\\\") with the following command:\n\n$\nsudo df –h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\\\"/var/log/audit\\\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du –sh [audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding. \"\n desc 'fix', \"Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \\\"parted\\\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\\\s*=\\\\s*).*@\\\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000341-GPOS-00132 '\n tag gid: 'V-238305 '\n tag rid: 'SV-238305r853423_rule '\n tag stig_id: 'UBTU-20-010215 '\n tag fix_id: 'F-41474r654089_fix '\n tag cci: ['CCI-001849']\n tag nist: ['AU-4']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n log_file_dir = File.dirname(log_file)\n available_storage = filesystem(log_file_dir).free_kb\n log_file_size = file(log_file).size\n standard_audit_log_size = input('standard_audit_log_size')\n describe('Current audit log file size is less than the specified standard of ' + standard_audit_log_size.to_s) do\n subject { log_file_size.to_i }\n it { should be <= standard_audit_log_size }\n end\n describe('Available storage for audit log should be more than the defined standard of ' + standard_audit_log_size.to_s) do\n subject { available_storage.to_i }\n it { should be > standard_audit_log_size }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238305.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238306","title":"The Ubuntu operating system audit event multiplexor must be configured to off-load audit\nlogs onto a different system or storage media from the system being audited. ","desc":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity.","descriptions":[{"label":"default","data":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity."},{"label":"check","data":"Verify the audit event multiplexor is configured to offload audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that audisp-remote plugin is\ninstalled:\n\n$ sudo dpkg -s audispd-plugins\n\nIf status is \"not installed\", this is a\nfinding.\n\nCheck that the records are being offloaded to a remote server with the following\ncommand:\n\n$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf\n\"active\" is not set to \"yes\", or the line is commented out, this is a finding.\n\nCheck that\naudisp-remote plugin is configured to send audit logs to a different system:\n\n$ sudo grep -i\n^remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 192.168.122.126\n\nIf\nthe \"remote_server\" parameter is not set, is set with a local address, or is set with an invalid\naddress, this is a finding."},{"label":"fix","data":"Configure the audit event multiplexor to offload audit records to a different system or\nstorage media from the system being audited.\n\nInstall the audisp-remote plugin:\n\n$ sudo\napt-get install audispd-plugins -y\n\nSet the audisp-remote plugin as active by editing the\n\"/etc/audisp/plugins.d/au-remote.conf\" file:\n\n$ sudo sed -i -E\n's/active\\s*=\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf\n\nSet the\naddress of the remote machine by editing the \"/etc/audisp/audisp-remote.conf\" file:\n\n$\nsudo sed -i -E 's/(remote_server\\s*=).*/\\1 <remote addr>/'\n/etc/audisp/audisp-remote.conf\n\nwhere <remote addr> must be substituted by the\naddress of the remote server receiving the audit log.\n\nMake the audit service reload its\nconfiguration files:\n\n$ sudo systemctl restart auditd.service"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000342-GPOS-00133 ","satisfies":["SRG-OS-000342-GPOS-00133","SRG-OS-000479-GPOS-00224"],"gid":"V-238306 ","rid":"SV-238306r853424_rule ","stig_id":"UBTU-20-010216 ","fix_id":"F-41475r654092_fix ","cci":["CCI-001851"],"nist":["AU-4 (1)"]},"code":"control 'SV-238306' do\n title \"The Ubuntu operating system audit event multiplexor must be configured to off-load audit\nlogs onto a different system or storage media from the system being audited. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity.\n\n \"\n desc 'check', \"Verify the audit event multiplexor is configured to offload audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that audisp-remote plugin is\ninstalled:\n\n$ sudo dpkg -s audispd-plugins\n\nIf status is \\\"not installed\\\", this is a\nfinding.\n\nCheck that the records are being offloaded to a remote server with the following\ncommand:\n\n$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf\n\\\"active\\\" is not set to \\\"yes\\\", or the line is commented out, this is a finding.\n\nCheck that\naudisp-remote plugin is configured to send audit logs to a different system:\n\n$ sudo grep -i\n^remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 192.168.122.126\n\nIf\nthe \\\"remote_server\\\" parameter is not set, is set with a local address, or is set with an invalid\naddress, this is a finding. \"\n desc 'fix', \"Configure the audit event multiplexor to offload audit records to a different system or\nstorage media from the system being audited.\n\nInstall the audisp-remote plugin:\n\n$ sudo\napt-get install audispd-plugins -y\n\nSet the audisp-remote plugin as active by editing the\n\\\"/etc/audisp/plugins.d/au-remote.conf\\\" file:\n\n$ sudo sed -i -E\n's/active\\\\s*=\\\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf\n\nSet the\naddress of the remote machine by editing the \\\"/etc/audisp/audisp-remote.conf\\\" file:\n\n$\nsudo sed -i -E 's/(remote_server\\\\s*=).*/\\\\1 <remote addr>/'\n/etc/audisp/audisp-remote.conf\n\nwhere <remote addr> must be substituted by the\naddress of the remote server receiving the audit log.\n\nMake the audit service reload its\nconfiguration files:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000342-GPOS-00133 '\n tag satisfies: %w(SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224)\n tag gid: 'V-238306 '\n tag rid: 'SV-238306r853424_rule '\n tag stig_id: 'UBTU-20-010216 '\n tag fix_id: 'F-41475r654092_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = input('audispremote_config_file')\n config_file_exists = file(config_file).exist?\n audit_sp_remote_server = input('audit_sp_remote_server')\n\n describe package('audispd-plugins') do\n it { should be_installed }\n end\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('active') { should cmp 'yes' }\n its('remote_server') { should cmp audit_sp_remote_server }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238306.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238307","title":"The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. ","desc":"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion.","descriptions":[{"label":"default","data":"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion."},{"label":"check","data":"Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \"space_left\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \"space_left_action\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \"space_left_action\" is set to \"syslog\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\"space_left_action\" is set to \"exec\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \"space_left_action\" is set\nto \"email\", check the value of the \"action_mail_acct\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \"action_mail_acct\" parameter, if missing, defaults to \"root\". If the\n\"action_mail_acct parameter\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available."},{"label":"fix","data":"Edit \"/etc/audit/auditd.conf\" and set the \"space_left_action\" parameter to \"exec\" or\n\"email\".\n\nIf the \"space_left_action\" parameter is set to \"email\", set the\n\"action_mail_acct\" parameter to an email address for the SA and ISSO.\n\nIf the\n\"space_left_action\" parameter is set to \"exec\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \"/etc/audit/auditd.conf\" and set the \"space_left\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity."}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000343-GPOS-00134 ","gid":"V-238307 ","rid":"SV-238307r853425_rule ","stig_id":"UBTU-20-010217 ","fix_id":"F-41476r654095_fix ","cci":["CCI-001855"],"nist":["AU-5 (1)"]},"code":"control 'SV-238307' do\n title \"The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. \"\n desc \"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion. \"\n desc 'check', \"Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \\\"space_left\\\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \\\"space_left_action\\\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \\\"space_left_action\\\" is set to \\\"syslog\\\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\\\"space_left_action\\\" is set to \\\"exec\\\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \\\"space_left_action\\\" is set\nto \\\"email\\\", check the value of the \\\"action_mail_acct\\\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \\\"action_mail_acct\\\" parameter, if missing, defaults to \\\"root\\\". If the\n\\\"action_mail_acct parameter\\\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available. \"\n desc 'fix', \"Edit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left_action\\\" parameter to \\\"exec\\\" or\n\\\"email\\\".\n\nIf the \\\"space_left_action\\\" parameter is set to \\\"email\\\", set the\n\\\"action_mail_acct\\\" parameter to an email address for the SA and ISSO.\n\nIf the\n\\\"space_left_action\\\" parameter is set to \\\"exec\\\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left\\\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000343-GPOS-00134 '\n tag gid: 'V-238307 '\n tag rid: 'SV-238307r853425_rule '\n tag stig_id: 'UBTU-20-010217 '\n tag fix_id: 'F-41476r654095_fix '\n tag cci: ['CCI-001855']\n tag nist: ['AU-5 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n email_to_notify = input('action_mail_acct')\n\n partition_threshold_mb = (filesystem(log_file).size_kb / 1024 * 0.25).to_i\n system_alert_configuration_mb = auditd_conf.space_left.to_i\n\n describe 'The space_left configuration' do\n subject { system_alert_configuration_mb }\n it { should >= partition_threshold_mb }\n end\n describe 'The space_left_action configuration' do\n subject { auditd_conf.space_left_action }\n it { should eq 'email' }\n end\n\n describe 'The action_mail_acct configuration' do\n subject { auditd_conf.action_mail_acct }\n it { should eq email_to_notify }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238307.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238308","title":"The Ubuntu operating system must record time stamps for audit records that can be mapped to\nCoordinated Universal Time (UTC) or Greenwich Mean Time (GMT). ","desc":"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.","descriptions":[{"label":"default","data":"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC."},{"label":"check","data":"To verify the time zone is configured to use UTC or GMT, run the following command.\n\n$\ntimedatectl status | grep -i \"time zone\"\nTimezone: UTC (UTC, +0000)\n\nIf \"Timezone\" is not\nset to UTC or GMT, this is a finding."},{"label":"fix","data":"To configure the system time zone to use UTC or GMT, run the following command, replacing\n[ZONE] with UTC or GMT:\n\n$ sudo timedatectl set-timezone [ZONE]"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000359-GPOS-00146 ","gid":"V-238308 ","rid":"SV-238308r853426_rule ","stig_id":"UBTU-20-010230 ","fix_id":"F-41477r654098_fix ","cci":["CCI-001890"],"nist":["AU-8 b"]},"code":"control 'SV-238308' do\n title \"The Ubuntu operating system must record time stamps for audit records that can be mapped to\nCoordinated Universal Time (UTC) or Greenwich Mean Time (GMT). \"\n desc \"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. \"\n desc 'check', \"To verify the time zone is configured to use UTC or GMT, run the following command.\n\n$\ntimedatectl status | grep -i \\\"time zone\\\"\nTimezone: UTC (UTC, +0000)\n\nIf \\\"Timezone\\\" is not\nset to UTC or GMT, this is a finding. \"\n desc 'fix', \"To configure the system time zone to use UTC or GMT, run the following command, replacing\n[ZONE] with UTC or GMT:\n\n$ sudo timedatectl set-timezone [ZONE] \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000359-GPOS-00146 '\n tag gid: 'V-238308 '\n tag rid: 'SV-238308r853426_rule '\n tag stig_id: 'UBTU-20-010230 '\n tag fix_id: 'F-41477r654098_fix '\n tag cci: ['CCI-001890']\n tag nist: ['AU-8 b']\n\n time_zone = command('timedatectl status | grep -i \"time zone\"').stdout.strip\n\n describe time_zone do\n it { should match 'UTC' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238308.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"is expected to match \"UTC\"","run_time":0.00017,"start_time":"2022-12-08T20:52:32-05:00","message":"expected \"\" to match \"UTC\"","resource_class":"Object","resource_params":"[]","resource_id":""}]},{"id":"SV-238309","title":"The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, diagnostic sessions and other system-level access. ","desc":"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.","descriptions":[{"label":"default","data":"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of\nan Ethernet switch."},{"label":"check","data":"Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000392-GPOS-00172 ","satisfies":["SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"gid":"V-238309 ","rid":"SV-238309r853427_rule ","stig_id":"UBTU-20-010244 ","fix_id":"F-41478r654101_fix ","cci":["CCI-000172","CCI-002884"],"nist":["AU-12 c","MA-4 (1) (a)"]},"code":"control 'SV-238309' do\n title \"The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, diagnostic sessions and other system-level access. \"\n desc \"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\\\"ping,\\\" \\\"ls,\\\" \\\"ipconfig,\\\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000392-GPOS-00172 '\n tag satisfies: %w(SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215)\n tag gid: 'V-238309 '\n tag rid: 'SV-238309r853427_rule '\n tag stig_id: 'UBTU-20-010244 '\n tag fix_id: 'F-41478r654101_fix '\n tag cci: %w(CCI-000172 CCI-002884)\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/sudo.log'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238309.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238310","title":"The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\|rename\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \"unlink\",\n\"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \"key\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events for any successful/unsuccessful use of\n\"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" system calls.\n\nAdd or update the\nfollowing rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000468-GPOS-00212 ","gid":"V-238310 ","rid":"SV-238310r832953_rule ","stig_id":"UBTU-20-010267 ","fix_id":"F-41479r832952_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238310' do\n title \"The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible. \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\\\|rename\\\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \\\"unlink\\\",\n\\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \\\"key\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events for any successful/unsuccessful use of\n\\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" system calls.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000468-GPOS-00212 '\n tag gid: 'V-238310 '\n tag rid: 'SV-238310r832953_rule '\n tag stig_id: 'UBTU-20-010267 '\n tag fix_id: 'F-41479r832952_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('unlink').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('unlink').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238310.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238315","title":"The Ubuntu operating system must generate audit records for the /var/log/wtmp file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/log/wtmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/log/wtmp\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000472-GPOS-00217 ","gid":"V-238315 ","rid":"SV-238315r654120_rule ","stig_id":"UBTU-20-010277 ","fix_id":"F-41484r654119_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238315' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238315 '\n tag rid: 'SV-238315r654120_rule '\n tag stig_id: 'UBTU-20-010277 '\n tag fix_id: 'F-41484r654119_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238315.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238316","title":"The Ubuntu operating system must generate audit records for the /var/run/wtmp file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/run/wtmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/run/wtmp\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000472-GPOS-00217 ","gid":"V-238316 ","rid":"SV-238316r654123_rule ","stig_id":"UBTU-20-010278 ","fix_id":"F-41485r654122_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238316' do\n title 'The Ubuntu operating system must generate audit records for the /var/run/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/run/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/run/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238316 '\n tag rid: 'SV-238316r654123_rule '\n tag stig_id: 'UBTU-20-010278 '\n tag fix_id: 'F-41485r654122_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/run/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238316.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238317","title":"The Ubuntu operating system must generate audit records for the /var/log/btmp file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/log/btmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/log/btmp file\".\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000472-GPOS-00217 ","gid":"V-238317 ","rid":"SV-238317r654126_rule ","stig_id":"UBTU-20-010279 ","fix_id":"F-41486r654125_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238317' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/btmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/btmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/btmp file\\\".\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238317 '\n tag rid: 'SV-238317r654126_rule '\n tag stig_id: 'UBTU-20-010279 '\n tag fix_id: 'F-41486r654125_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/btmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238317.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238318","title":"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \"modprobe\" by running the following command:\n\n$ sudo auditctl -l | grep\n\"/sbin/modprobe\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \"modprobe\".\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000477-GPOS-00222 ","gid":"V-238318 ","rid":"SV-238318r654129_rule ","stig_id":"UBTU-20-010296 ","fix_id":"F-41487r654128_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238318' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"modprobe\\\" by running the following command:\n\n$ sudo auditctl -l | grep\n\\\"/sbin/modprobe\\\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"modprobe\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238318 '\n tag rid: 'SV-238318r654129_rule '\n tag stig_id: 'UBTU-20-010296 '\n tag fix_id: 'F-41487r654128_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/modprobe'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238318.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238319","title":"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \"kmod\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \"kmod\".\n\nAdd or update the following rule in the \"/etc/audit/rules.d/stig.rules\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000477-GPOS-00222 ","gid":"V-238319 ","rid":"SV-238319r654132_rule ","stig_id":"UBTU-20-010297 ","fix_id":"F-41488r654131_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238319' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"kmod\\\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"kmod\\\".\n\nAdd or update the following rule in the \\\"/etc/audit/rules.d/stig.rules\\\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238319 '\n tag rid: 'SV-238319r654132_rule '\n tag stig_id: 'UBTU-20-010297 '\n tag fix_id: 'F-41488r654131_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/kmod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238319.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238320","title":"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \"fdisk\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \"fdisk\".\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000477-GPOS-00222 ","gid":"V-238320 ","rid":"SV-238320r832956_rule ","stig_id":"UBTU-20-010298 ","fix_id":"F-41489r832955_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238320' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \\\"fdisk\\\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \\\"fdisk\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238320 '\n tag rid: 'SV-238320r832956_rule '\n tag stig_id: 'UBTU-20-010298 '\n tag fix_id: 'F-41489r832955_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/fdisk'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238320.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238321","title":"The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. ","desc":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity.","descriptions":[{"label":"default","data":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity."},{"label":"check","data":"Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\"/etc/cron.weekly\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding."},{"label":"fix","data":"Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \"/etc/cron.weekly\" directory."}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000479-GPOS-00224 ","gid":"V-238321 ","rid":"SV-238321r853428_rule ","stig_id":"UBTU-20-010300 ","fix_id":"F-41490r654137_fix ","cci":["CCI-001851"],"nist":["AU-4 (1)"]},"code":"control 'SV-238321' do\n title \"The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity. \"\n desc 'check', \"Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\\\"/etc/cron.weekly\\\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding. \"\n desc 'fix', \"Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \\\"/etc/cron.weekly\\\" directory. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000479-GPOS-00224 '\n tag gid: 'V-238321 '\n tag rid: 'SV-238321r853428_rule '\n tag stig_id: 'UBTU-20-010300 '\n tag fix_id: 'F-41490r654137_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n\n cron_file = input('auditoffload_config_file')\n cron_file_exists = file(cron_file).exist?\n\n if cron_file_exists\n describe file(cron_file) do\n its('content') { should_not be_empty }\n end\n else\n describe cron_file + ' exists' do\n subject { cron_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238321.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/cron.weekly/audit-offload exists is expected to equal true","run_time":0.000838,"start_time":"2022-12-08T20:52:32-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/cron.weekly/audit-offload exists"}]},{"id":"SV-238323","title":"The Ubuntu operating system must limit the number of concurrent sessions to ten for all\naccounts and/or account types. ","desc":"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system.","descriptions":[{"label":"default","data":"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system."},{"label":"check","data":"Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all\naccounts and/or account types by running the following command:\n\n$ grep maxlogins\n/etc/security/limits.conf | grep -v '^* hard maxlogins'\n\nThe result must contain the\nfollowing line:\n\n* hard maxlogins 10\n\nIf the \"maxlogins\" item is missing or the value is not\nset to 10 or less or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all\naccounts and/or account types.\n\nAdd the following line to the top of the\n\"/etc/security/limits.conf\" file:\n\n* hard maxlogins 10"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000027-GPOS-00008 ","gid":"V-238323 ","rid":"SV-238323r654144_rule ","stig_id":"UBTU-20-010400 ","fix_id":"F-41492r654143_fix ","cci":["CCI-000054"],"nist":["AC-10"]},"code":"control 'SV-238323' do\n title \"The Ubuntu operating system must limit the number of concurrent sessions to ten for all\naccounts and/or account types. \"\n desc \"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system. \"\n desc 'check', \"Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all\naccounts and/or account types by running the following command:\n\n$ grep maxlogins\n/etc/security/limits.conf | grep -v '^* hard maxlogins'\n\nThe result must contain the\nfollowing line:\n\n* hard maxlogins 10\n\nIf the \\\"maxlogins\\\" item is missing or the value is not\nset to 10 or less or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all\naccounts and/or account types.\n\nAdd the following line to the top of the\n\\\"/etc/security/limits.conf\\\" file:\n\n* hard maxlogins 10 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000027-GPOS-00008 '\n tag gid: 'V-238323 '\n tag rid: 'SV-238323r654144_rule '\n tag stig_id: 'UBTU-20-010400 '\n tag fix_id: 'F-41492r654143_fix '\n tag cci: ['CCI-000054']\n tag nist: ['AC-10']\n\n describe limits_conf do\n its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238323.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"limits.conf * is expected to include [\"hard\", \"maxlogins\", \"10\"]","run_time":0.000255,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"limits_conf","resource_params":"[]","resource_id":"/etc/security/limits.conf"}]},{"id":"SV-238324","title":"The Ubuntu operating system must monitor remote access methods. ","desc":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets).","descriptions":[{"label":"default","data":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets)."},{"label":"check","data":"Verify that the Ubuntu operating system monitors all remote access methods.\n\nCheck that\nremote access methods are being logged by running the following command:\n\n$ grep -E -r\n'^(auth,authpriv\\.\\*|daemon\\.\\*)' /etc/rsyslog.*\n\n/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log\n\n/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages\n\nIf \"auth.*\",\n\"authpriv.*\", or \"daemon.*\" are not configured to be logged in at least one of the config\nfiles, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to monitor all remote access methods by adding the\nfollowing lines to the \"/etc/rsyslog.d/50-default.conf\" file:\n\nauth.*,authpriv.*\n/var/log/secure\ndaemon.* /var/log/messages\n\nFor the changes to take effect, restart the\n\"rsyslog\" service with the following command:\n\n$ sudo systemctl restart rsyslog.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000032-GPOS-00013 ","gid":"V-238324 ","rid":"SV-238324r832959_rule ","stig_id":"UBTU-20-010403 ","fix_id":"F-41493r832958_fix ","cci":["CCI-000067"],"nist":["AC-17 (1)"]},"code":"control 'SV-238324' do\n title 'The Ubuntu operating system must monitor remote access methods. '\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify that the Ubuntu operating system monitors all remote access methods.\n\nCheck that\nremote access methods are being logged by running the following command:\n\n$ grep -E -r\n'^(auth,authpriv\\\\.\\\\*|daemon\\\\.\\\\*)' /etc/rsyslog.*\n\n/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log\n\n/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages\n\nIf \\\"auth.*\\\",\n\\\"authpriv.*\\\", or \\\"daemon.*\\\" are not configured to be logged in at least one of the config\nfiles, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to monitor all remote access methods by adding the\nfollowing lines to the \\\"/etc/rsyslog.d/50-default.conf\\\" file:\n\nauth.*,authpriv.*\n/var/log/secure\ndaemon.* /var/log/messages\n\nFor the changes to take effect, restart the\n\\\"rsyslog\\\" service with the following command:\n\n$ sudo systemctl restart rsyslog.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000032-GPOS-00013 '\n tag gid: 'V-238324 '\n tag rid: 'SV-238324r832959_rule '\n tag stig_id: 'UBTU-20-010403 '\n tag fix_id: 'F-41493r832958_fix '\n tag cci: ['CCI-000067']\n tag nist: ['AC-17 (1)']\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*\\t\\s*(.*?)\\s*$/,\n }\n config_file = input('rsyslog_config_file')\n auth_setting = parse_config_file(config_file, options).params['auth,authpriv.*']\n daemon_setting = parse_config_file(config_file, options).params['daemon.notice']\n describe auth_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\n describe daemon_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238324.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"is expected not to be nil","run_time":6.3e-05,"start_time":"2022-12-08T20:52:32-05:00","message":"expected: not nil\n got: nil","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected not to be empty","run_time":0.002619,"start_time":"2022-12-08T20:52:32-05:00","message":"expected nil to respond to `empty?`","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected not to be nil","run_time":4.0e-05,"start_time":"2022-12-08T20:52:32-05:00","message":"expected: not nil\n got: nil","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected not to be empty","run_time":0.002258,"start_time":"2022-12-08T20:52:32-05:00","message":"expected nil to respond to `empty?`","resource_class":"Object","resource_params":"[]","resource_id":""}]},{"id":"SV-238325","title":"The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. ","desc":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.","descriptions":[{"label":"default","data":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised."},{"label":"check","data":"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \"ENCRYPT_METHOD\" does not equal SHA512 or\ngreater, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \"/etc/login.defs\" file and set \"ENCRYPT_METHOD\" to SHA512:\n\n\nENCRYPT_METHOD SHA512"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000120-GPOS-00061 ","gid":"V-238325 ","rid":"SV-238325r654150_rule ","stig_id":"UBTU-20-010404 ","fix_id":"F-41494r654149_fix ","cci":["CCI-000803"],"nist":["IA-7"]},"code":"control 'SV-238325' do\n title \"The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. \"\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \\\"ENCRYPT_METHOD\\\" does not equal SHA512 or\ngreater, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \\\"/etc/login.defs\\\" file and set \\\"ENCRYPT_METHOD\\\" to SHA512:\n\n\nENCRYPT_METHOD SHA512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000120-GPOS-00061 '\n tag gid: 'V-238325 '\n tag rid: 'SV-238325r654150_rule '\n tag stig_id: 'UBTU-20-010404 '\n tag fix_id: 'F-41494r654149_fix '\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n elsif virtualization.system.eql?('docker')\n describe 'Manual test' do\n skip 'This control must be reviewed manually'\n end\n else\n describe login_defs do\n its('ENCRYPT_METHOD') { should eq 'SHA512' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238325.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"FIPS validation in a container must be reviewed manually","run_time":5.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"FIPS validation in a container must be reviewed manually","resource_class":"Object","resource_params":"[]","resource_id":"FIPS validation in a container must be reviewed manually"}]},{"id":"SV-238326","title":"The Ubuntu operating system must not have the telnet package installed. ","desc":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.","descriptions":[{"label":"default","data":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised."},{"label":"check","data":"Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding."},{"label":"fix","data":"Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000074-GPOS-00042 ","gid":"V-238326 ","rid":"SV-238326r654153_rule ","stig_id":"UBTU-20-010405 ","fix_id":"F-41495r654152_fix ","cci":["CCI-000197"],"nist":["IA-5 (1) (c)"]},"code":"control 'SV-238326' do\n title 'The Ubuntu operating system must not have the telnet package installed. '\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding. \"\n desc 'fix', \"Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000074-GPOS-00042 '\n tag gid: 'V-238326 '\n tag rid: 'SV-238326r654153_rule '\n tag stig_id: 'UBTU-20-010405 '\n tag fix_id: 'F-41495r654152_fix '\n tag cci: ['CCI-000197']\n tag nist: ['IA-5 (1) (c)']\n\n describe package('telnetd') do\n it { should_not be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238326.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"System Package telnetd is expected not to be installed","run_time":0.037073,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"package","resource_params":"[\"telnetd\"]","resource_id":"telnetd"}]},{"id":"SV-238327","title":"The Ubuntu operating system must not have the rsh-server package installed. ","desc":"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.","descriptions":[{"label":"default","data":"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled."},{"label":"check","data":"Verify the rsh-server package is installed with the following command:\n\n$ dpkg -l | grep\nrsh-server\n\nIf the rsh-server package is installed, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to disable non-essential capabilities by removing\nthe rsh-server package from the system with the following command:\n\n$ sudo apt-get remove\nrsh-server"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000095-GPOS-00049 ","gid":"V-238327 ","rid":"SV-238327r654156_rule ","stig_id":"UBTU-20-010406 ","fix_id":"F-41496r654155_fix ","cci":["CCI-000381"],"nist":["CM-7 a"]},"code":"control 'SV-238327' do\n title 'The Ubuntu operating system must not have the rsh-server package installed. '\n desc \"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled. \"\n desc 'check', \"Verify the rsh-server package is installed with the following command:\n\n$ dpkg -l | grep\nrsh-server\n\nIf the rsh-server package is installed, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable non-essential capabilities by removing\nthe rsh-server package from the system with the following command:\n\n$ sudo apt-get remove\nrsh-server \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000095-GPOS-00049 '\n tag gid: 'V-238327 '\n tag rid: 'SV-238327r654156_rule '\n tag stig_id: 'UBTU-20-010406 '\n tag fix_id: 'F-41496r654155_fix '\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n\n describe package('rsh-server') do\n it { should_not be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238327.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"System Package rsh-server is expected not to be installed","run_time":0.041351,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"package","resource_params":"[\"rsh-server\"]","resource_id":"rsh-server"}]},{"id":"SV-238328","title":"The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. ","desc":"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues.","descriptions":[{"label":"default","data":"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues."},{"label":"check","data":"Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding."},{"label":"fix","data":"Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \"in\" or \"out\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service>"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000096-GPOS-00050 ","gid":"V-238328 ","rid":"SV-238328r654159_rule ","stig_id":"UBTU-20-010407 ","fix_id":"F-41497r654158_fix ","cci":["CCI-000382"],"nist":["CM-7 b"]},"code":"control 'SV-238328' do\n title \"The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. \"\n desc \"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding. \"\n desc 'fix', \"Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \\\"in\\\" or \\\"out\\\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000096-GPOS-00050 '\n tag gid: 'V-238328 '\n tag rid: 'SV-238328r654159_rule '\n tag stig_id: 'UBTU-20-010407 '\n tag fix_id: 'F-41497r654158_fix '\n tag cci: ['CCI-000382']\n tag nist: ['CM-7 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n ufw_status = command('ufw status').stdout.strip.lines.first\n value = ufw_status.split(':')[1].strip\n\n describe 'UFW status' do\n subject { value }\n it { should cmp 'active' }\n end\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238328.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.1e-05,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238329","title":"The Ubuntu operating system must prevent direct login into the root account. ","desc":"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge.","descriptions":[{"label":"default","data":"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge."},{"label":"check","data":"Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \"L\" in the second field to indicate the account is locked, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000109-GPOS-00056 ","gid":"V-238329 ","rid":"SV-238329r654162_rule ","stig_id":"UBTU-20-010408 ","fix_id":"F-41498r654161_fix ","cci":["CCI-000770"],"nist":["IA-2 (5)"]},"code":"control 'SV-238329' do\n title 'The Ubuntu operating system must prevent direct login into the root account. '\n desc \"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\\\"root\\\" user account, the Windows \\\"Administrator\\\" account, the \\\"sa\\\" account, or a \\\"helpdesk\\\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge. \"\n desc 'check', \"Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \\\"L\\\" in the second field to indicate the account is locked, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000109-GPOS-00056 '\n tag gid: 'V-238329 '\n tag rid: 'SV-238329r654162_rule '\n tag stig_id: 'UBTU-20-010408 '\n tag fix_id: 'F-41498r654161_fix '\n tag cci: ['CCI-000770']\n tag nist: ['IA-2 (5)']\n\n describe.one do\n describe shadow.where(user: 'root') do\n its('passwords.uniq.first') { should eq '!*' }\n end\n end\n describe command('passwd -S root').stdout.strip do\n it { should match(/^root\\s+L\\s+.*$/) }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238329.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/shadow with user == \"root\" passwords.uniq.first is expected to eq \"!*\"","run_time":0.000429,"start_time":"2022-12-08T20:52:32-05:00","message":"\nexpected: \"!*\"\n got: \"*\"\n\n(compared using ==)\n","exception":"RSpec::Core::MultipleExceptionError","resource_class":"FilterTable::Table","resource_params":"[]","resource_id":""},{"status":"passed","code_desc":"root L 10/18/2022 0 99999 7 -1 is expected to match /^root\\s+L\\s+.*$/","run_time":0.000214,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"root L 10/18/2022 0 99999 7 -1"}]},{"id":"SV-238330","title":"The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. ","desc":"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity.","descriptions":[{"label":"default","data":"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity."},{"label":"check","data":"Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \"INACTIVE\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \"0\" will disable the account immediately after the\npassword expires."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000118-GPOS-00060 ","gid":"V-238330 ","rid":"SV-238330r654165_rule ","stig_id":"UBTU-20-010409 ","fix_id":"F-41499r654164_fix ","cci":["CCI-000795"],"nist":["IA-4 e"]},"code":"control 'SV-238330' do\n title \"The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. \"\n desc \"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity. \"\n desc 'check', \"Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \\\"INACTIVE\\\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \\\"0\\\" will disable the account immediately after the\npassword expires. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000118-GPOS-00060 '\n tag gid: 'V-238330 '\n tag rid: 'SV-238330r654165_rule '\n tag stig_id: 'UBTU-20-010409 '\n tag fix_id: 'F-41499r654164_fix '\n tag cci: ['CCI-000795']\n tag nist: ['IA-4 e']\n\n config_file = input('useradd_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('INACTIVE') { should cmp > '0' }\n its('INACTIVE') { should cmp <= 35 }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238330.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Parse Config File /etc/default/useradd INACTIVE is expected to cmp > \"0\"","run_time":0.000294,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/default/useradd\"]","resource_id":"/etc/default/useradd"},{"status":"passed","code_desc":"Parse Config File /etc/default/useradd INACTIVE is expected to cmp <= 35","run_time":0.000202,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"parse_config_file","resource_params":"[\"/etc/default/useradd\"]","resource_id":"/etc/default/useradd"}]},{"id":"SV-238331","title":"The Ubuntu operating system must automatically remove or disable emergency accounts after\n72 hours. ","desc":"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts.","descriptions":[{"label":"default","data":"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts."},{"label":"check","data":"Verify the Ubuntu operating system expires emergency accounts within 72 hours or less.\n\nFor\nevery emergency account, run the following command to obtain its account expiration\ninformation:\n\n$ sudo chage -l account_name | grep expires\n\nPassword expires : Aug 07, 2019\n\nAccount expires : Aug 07, 2019\n\nVerify each of these accounts has an expiration date set\nwithin 72 hours of account creation.\n\nIf any of these accounts do not expire within 72 hours of\nthat account's creation, this is a finding."},{"label":"fix","data":"If an emergency account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it. Substitute\n\"account_name\" with the account to be created.\n\n$ sudo chage -E $(date -d \"+3 days\" +%F)\naccount_name"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000123-GPOS-00064 ","gid":"V-238331 ","rid":"SV-238331r654168_rule ","stig_id":"UBTU-20-010410 ","fix_id":"F-41500r654167_fix ","cci":["CCI-001682"],"nist":["AC-2 (2)"]},"code":"control 'SV-238331' do\n title \"The Ubuntu operating system must automatically remove or disable emergency accounts after\n72 hours. \"\n desc \"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts. \"\n desc 'check', \"Verify the Ubuntu operating system expires emergency accounts within 72 hours or less.\n\nFor\nevery emergency account, run the following command to obtain its account expiration\ninformation:\n\n$ sudo chage -l account_name | grep expires\n\nPassword expires : Aug 07, 2019\n\nAccount expires : Aug 07, 2019\n\nVerify each of these accounts has an expiration date set\nwithin 72 hours of account creation.\n\nIf any of these accounts do not expire within 72 hours of\nthat account's creation, this is a finding. \"\n desc 'fix', \"If an emergency account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it. Substitute\n\\\"account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\" +%F)\naccount_name \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000123-GPOS-00064 '\n tag gid: 'V-238331 '\n tag rid: 'SV-238331r654168_rule '\n tag stig_id: 'UBTU-20-010410 '\n tag fix_id: 'F-41500r654167_fix '\n tag cci: ['CCI-001682']\n tag nist: ['AC-2 (2)']\n\n describe 'Manual verification required' do\n skip 'Manually verify if emergency account must be created\n the system must terminate the account after a 72 hour time period.'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238331.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Manual verification required","run_time":5.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Manually verify if emergency account must be created\n the system must terminate the account after a 72 hour time period.","resource_class":"Object","resource_params":"[]","resource_id":"Manual verification required"}]},{"id":"SV-238332","title":"The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. ","desc":"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components.","descriptions":[{"label":"default","data":"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components."},{"label":"check","data":"Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding."},{"label":"fix","data":"Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \"[Public Directory]\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000138-GPOS-00069 ","gid":"V-238332 ","rid":"SV-238332r654171_rule ","stig_id":"UBTU-20-010411 ","fix_id":"F-41501r654170_fix ","cci":["CCI-001090"],"nist":["SC-4"]},"code":"control 'SV-238332' do\n title \"The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. \"\n desc \"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components. \"\n desc 'check', \"Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding. \"\n desc 'fix', \"Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \\\"[Public Directory]\\\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000138-GPOS-00069 '\n tag gid: 'V-238332 '\n tag rid: 'SV-238332r654171_rule '\n tag stig_id: 'UBTU-20-010411 '\n tag fix_id: 'F-41501r654170_fix '\n tag cci: ['CCI-001090']\n tag nist: ['SC-4']\n\n lines = command('find / -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null').stdout.strip.split(\"\\n\").entries\n if lines.count > 0\n lines.each do |line|\n dir = line.strip\n describe directory(dir) do\n it { should be_sticky }\n end\n end\n else\n describe 'Sticky bit has been set on all world writable directories' do\n subject { lines }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238332.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Sticky bit has been set on all world writable directories count is expected to eq 0","run_time":0.000126,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238333","title":"The Ubuntu operating system must be configured to use TCP syncookies. ","desc":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning.","descriptions":[{"label":"default","data":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning."},{"label":"check","data":"Verify the Ubuntu operating system is configured to use TCP syncookies.\n\nCheck the value of\nTCP syncookies with the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \"1\", this is a finding.\n\nCheck the saved\nvalue of TCP syncookies with the following command:\n\n$ sudo grep -i\nnet.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#'\n\nIf no output is\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to use TCP syncookies by running the following\ncommand:\n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \"1\" is not the system's default\nvalue, add or update the following line in \"/etc/sysctl.conf\":\n\nnet.ipv4.tcp_syncookies\n= 1"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000142-GPOS-00071 ","gid":"V-238333 ","rid":"SV-238333r654174_rule ","stig_id":"UBTU-20-010412 ","fix_id":"F-41502r654173_fix ","cci":["CCI-001095"],"nist":["SC-5 (2)"]},"code":"control 'SV-238333' do\n title 'The Ubuntu operating system must be configured to use TCP syncookies. '\n desc \"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use TCP syncookies.\n\nCheck the value of\nTCP syncookies with the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \\\"1\\\", this is a finding.\n\nCheck the saved\nvalue of TCP syncookies with the following command:\n\n$ sudo grep -i\nnet.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#'\n\nIf no output is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use TCP syncookies by running the following\ncommand:\n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \\\"1\\\" is not the system's default\nvalue, add or update the following line in \\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.tcp_syncookies\n= 1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000142-GPOS-00071 '\n tag gid: 'V-238333 '\n tag rid: 'SV-238333r654174_rule '\n tag stig_id: 'UBTU-20-010412 '\n tag fix_id: 'F-41502r654173_fix '\n tag cci: ['CCI-001095']\n tag nist: ['SC-5 (2)']\n\n describe kernel_parameter('net.ipv4.tcp_syncookies') do\n its('value') { should cmp 1 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238333.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Kernel Parameter net.ipv4.tcp_syncookies value is expected to cmp == 1","run_time":0.044519,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"kernel_parameter","resource_params":"[\"net.ipv4.tcp_syncookies\"]","resource_id":"net.ipv4.tcp_syncookies"}]},{"id":"SV-238334","title":"The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state\nif system initialization fails, shutdown fails or aborts fail. ","desc":"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition.","descriptions":[{"label":"default","data":"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition."},{"label":"check","data":"Verify that kernel core dumps are disabled unless needed.\n\nCheck if \"kdump\" service is\nactive with the following command:\n\n$ systemctl is-active kdump.service\ninactive\n\nIf\nthe \"kdump\" service is active, ask the SA if the use of the service is required and documented\nwith the ISSO.\n\nIf the service is active and is not documented, this is a finding."},{"label":"fix","data":"If kernel core dumps are not required, disable the \"kdump\" service with the following\ncommand:\n\n$ sudo systemctl disable kdump.service\n\nIf kernel core dumps are required,\ndocument the need with the ISSO."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000184-GPOS-00078 ","gid":"V-238334 ","rid":"SV-238334r654177_rule ","stig_id":"UBTU-20-010413 ","fix_id":"F-41503r654176_fix ","cci":["CCI-001190"],"nist":["SC-24"]},"code":"control 'SV-238334' do\n title \"The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state\nif system initialization fails, shutdown fails or aborts fail. \"\n desc \"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition. \"\n desc 'check', \"Verify that kernel core dumps are disabled unless needed.\n\nCheck if \\\"kdump\\\" service is\nactive with the following command:\n\n$ systemctl is-active kdump.service\ninactive\n\nIf\nthe \\\"kdump\\\" service is active, ask the SA if the use of the service is required and documented\nwith the ISSO.\n\nIf the service is active and is not documented, this is a finding. \"\n desc 'fix', \"If kernel core dumps are not required, disable the \\\"kdump\\\" service with the following\ncommand:\n\n$ sudo systemctl disable kdump.service\n\nIf kernel core dumps are required,\ndocument the need with the ISSO. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000184-GPOS-00078 '\n tag gid: 'V-238334 '\n tag rid: 'SV-238334r654177_rule '\n tag stig_id: 'UBTU-20-010413 '\n tag fix_id: 'F-41503r654176_fix '\n tag cci: ['CCI-001190']\n tag nist: ['SC-24']\n\n is_kdump_required = input('is_kdump_required')\n if is_kdump_required\n describe service('kdump') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\n else\n describe service('kdump') do\n it { should_not be_enabled }\n it { should_not be_installed }\n it { should_not be_running }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238334.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Service kdump is expected not to be enabled","run_time":0.042515,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"service","resource_params":"[\"kdump\"]","resource_id":"kdump"},{"status":"passed","code_desc":"Service kdump is expected not to be installed","run_time":0.000163,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"service","resource_params":"[\"kdump\"]","resource_id":"kdump"},{"status":"passed","code_desc":"Service kdump is expected not to be running","run_time":6.2e-05,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"service","resource_params":"[\"kdump\"]","resource_id":"kdump"}]},{"id":"SV-238335","title":"Ubuntu operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. ","desc":"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation.","descriptions":[{"label":"default","data":"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation."},{"label":"check","data":"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding."},{"label":"fix","data":"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000185-GPOS-00079 ","gid":"V-238335 ","rid":"SV-238335r654180_rule ","stig_id":"UBTU-20-010414 ","fix_id":"F-41504r654179_fix ","cci":["CCI-001199"],"nist":["SC-28"]},"code":"control 'SV-238335' do\n title \"Ubuntu operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. \"\n desc \"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation. \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000185-GPOS-00079 '\n tag gid: 'V-238335 '\n tag rid: 'SV-238335r654180_rule '\n tag stig_id: 'UBTU-20-010414 '\n tag fix_id: 'F-41504r654179_fix '\n tag cci: ['CCI-001199']\n tag nist: ['SC-28']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238335.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Not Applicable","run_time":5.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Encryption of data at rest is handled by the IaaS","resource_class":"Object","resource_params":"[]","resource_id":"Not Applicable"}]},{"id":"SV-238336","title":"The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention\n(ENSLTP). ","desc":"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement.","descriptions":[{"label":"default","data":"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement."},{"label":"check","data":"The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.\nHowever, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and\nrunning.\n\nCheck that the \"mcafeetp\" package has been installed:\n\n# dpkg -l | grep mcafeetp\n\n\nIf the \"mcafeetp\" package is not installed, this finding will remain as a CAT II.\n\nCheck that\nthe daemon is running:\n\n# /opt/McAfee/ens/tp/init/mfetpd-control.sh status\n\nIf the\ndaemon is not running, this finding will remain as a CAT II."},{"label":"fix","data":"The Ubuntu operating system is not compliant with this requirement; however, the severity\nlevel can be mitigated to a CAT III if the ENSLTP module is installed and running.\n\nConfigure\nthe Ubuntu operating system to use ENSLTP.\n\nInstall the \"mcafeetp\" package via the ePO\nserver."}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000191-GPOS-00080 ","gid":"V-238336 ","rid":"SV-238336r858538_rule ","stig_id":"UBTU-20-010415 ","fix_id":"F-41505r858537_fix ","cci":["CCI-001233"],"nist":["SI-2 (2)"]},"code":"control 'SV-238336' do\n title \"The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention\n(ENSLTP). \"\n desc \"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement. \"\n desc 'check', \"The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.\nHowever, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and\nrunning.\n\nCheck that the \\\"mcafeetp\\\" package has been installed:\n\n# dpkg -l | grep mcafeetp\n\n\nIf the \\\"mcafeetp\\\" package is not installed, this finding will remain as a CAT II.\n\nCheck that\nthe daemon is running:\n\n# /opt/McAfee/ens/tp/init/mfetpd-control.sh status\n\nIf the\ndaemon is not running, this finding will remain as a CAT II. \"\n desc 'fix', \"The Ubuntu operating system is not compliant with this requirement; however, the severity\nlevel can be mitigated to a CAT III if the ENSLTP module is installed and running.\n\nConfigure\nthe Ubuntu operating system to use ENSLTP.\n\nInstall the \\\"mcafeetp\\\" package via the ePO\nserver. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000191-GPOS-00080 '\n tag gid: 'V-238336 '\n tag rid: 'SV-238336r858538_rule '\n tag stig_id: 'UBTU-20-010415 '\n tag fix_id: 'F-41505r858537_fix '\n tag cci: ['CCI-001233']\n tag nist: ['SI-2 (2)']\n\n describe package('mfetp') do\n it { should be_installed }\n end\n\n describe command('/opt/McAfee/ens/tp/init/mfetpd-control.sh status') do\n its('exit_status') { should cmp 0 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238336.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package mfetp is expected to be installed","run_time":0.039518,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `System Package mfetp` is installed","resource_class":"package","resource_params":"[\"mfetp\"]","resource_id":"mfetp"},{"status":"failed","code_desc":"Command: `/opt/McAfee/ens/tp/init/mfetpd-control.sh status` exit_status is expected to cmp == 0","run_time":0.040822,"start_time":"2022-12-08T20:52:32-05:00","message":"\nexpected: 0\n got: 127\n\n(compared using `cmp` matcher)\n","resource_class":"command","resource_params":"[\"/opt/McAfee/ens/tp/init/mfetpd-control.sh status\"]","resource_id":"Command: `/opt/McAfee/ens/tp/init/mfetpd-control.sh status`"}]},{"id":"SV-238337","title":"The Ubuntu operating system must generate error messages that provide information\nnecessary for corrective actions without revealing information that could be exploited by\nadversaries. ","desc":"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers.","descriptions":[{"label":"default","data":"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers."},{"label":"check","data":"Verify the Ubuntu operating system has all system log files under the \"/var/log\" directory\nwith a permission set to 640 or less permissive by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;\n\nIf the command displays any output,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to set permissions of all log files under the\n\"/var/log\" directory to 640 or more restricted by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec chmod 640 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000205-GPOS-00083 ","gid":"V-238337 ","rid":"SV-238337r654186_rule ","stig_id":"UBTU-20-010416 ","fix_id":"F-41506r654185_fix ","cci":["CCI-001312"],"nist":["SI-11 a"]},"code":"control 'SV-238337' do\n title \"The Ubuntu operating system must generate error messages that provide information\nnecessary for corrective actions without revealing information that could be exploited by\nadversaries. \"\n desc \"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers. \"\n desc 'check', \"Verify the Ubuntu operating system has all system log files under the \\\"/var/log\\\" directory\nwith a permission set to 640 or less permissive by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec stat -c \\\"%n %a\\\" {} \\\\;\n\nIf the command displays any output,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to set permissions of all log files under the\n\\\"/var/log\\\" directory to 640 or more restricted by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec chmod 640 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000205-GPOS-00083 '\n tag gid: 'V-238337 '\n tag rid: 'SV-238337r654186_rule '\n tag stig_id: 'UBTU-20-010416 '\n tag fix_id: 'F-41506r654185_fix '\n tag cci: ['CCI-001312']\n tag nist: ['SI-11 a']\n\n log_files = command('find /var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;').stdout.strip.split(\"\\n\").entries\n\n describe 'Number of log files found with a permission NOT set to 640' do\n subject { log_files }\n its('count') { should eq 0 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238337.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of log files found with a permission NOT set to 640 count is expected to eq 0","run_time":0.000491,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238338","title":"The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \"%n %G\" /var/log\n/var/log\nsyslog\n\nIf the \"/var/log\" directory is not group-owned by syslog, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have syslog group-own the \"/var/log\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238338 ","rid":"SV-238338r654189_rule ","stig_id":"UBTU-20-010417 ","fix_id":"F-41507r654188_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238338' do\n title \"The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log\n/var/log\nsyslog\n\nIf the \\\"/var/log\\\" directory is not group-owned by syslog, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog group-own the \\\"/var/log\\\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238338 '\n tag rid: 'SV-238338r654189_rule '\n tag stig_id: 'UBTU-20-010417 '\n tag fix_id: 'F-41507r654188_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n its('group') { should cmp 'syslog' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238338.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Directory /var/log group is expected to cmp == \"syslog\"","run_time":0.034972,"start_time":"2022-12-08T20:52:32-05:00","message":"\nexpected: syslog\n got: root\n\n(compared using `cmp` matcher)\n","resource_class":"directory","resource_params":"[\"/var/log\"]","resource_id":"/var/log"}]},{"id":"SV-238339","title":"The Ubuntu operating system must configure the /var/log directory to be owned by root. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify the Ubuntu operating system configures the \"/var/log\" directory to be owned by root\nwith the following command:\n\n$ sudo stat -c \"%n %U\" /var/log\n/var/log root\n\nIf the\n\"/var/log\" directory is not owned by root, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have root own the \"/var/log\" directory by running\nthe following command:\n\n$ sudo chown root /var/log"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238339 ","rid":"SV-238339r654192_rule ","stig_id":"UBTU-20-010418 ","fix_id":"F-41508r654191_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238339' do\n title 'The Ubuntu operating system must configure the /var/log directory to be owned by root. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify the Ubuntu operating system configures the \\\"/var/log\\\" directory to be owned by root\nwith the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log\n/var/log root\n\nIf the\n\\\"/var/log\\\" directory is not owned by root, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have root own the \\\"/var/log\\\" directory by running\nthe following command:\n\n$ sudo chown root /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238339 '\n tag rid: 'SV-238339r654192_rule '\n tag stig_id: 'UBTU-20-010418 '\n tag fix_id: 'F-41508r654191_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n its('owner') { should cmp 'root' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238339.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /var/log owner is expected to cmp == \"root\"","run_time":0.000229,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"directory","resource_params":"[\"/var/log\"]","resource_id":"/var/log"}]},{"id":"SV-238340","title":"The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less\npermissive. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log\" directory with a mode of\n750 or less permissive with the following command:\n\n$ stat -c \"%n %a\" /var/log\n\n/var/log 750\n\n\nIf a value of \"750\" or less permissive is not returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have permissions of 0750 for the \"/var/log\"\ndirectory by running the following command:\n\n$ sudo chmod 0750 /var/log"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238340 ","rid":"SV-238340r654195_rule ","stig_id":"UBTU-20-010419 ","fix_id":"F-41509r654194_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238340' do\n title \"The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory with a mode of\n750 or less permissive with the following command:\n\n$ stat -c \\\"%n %a\\\" /var/log\n\n/var/log 750\n\n\nIf a value of \\\"750\\\" or less permissive is not returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0750 for the \\\"/var/log\\\"\ndirectory by running the following command:\n\n$ sudo chmod 0750 /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238340 '\n tag rid: 'SV-238340r654195_rule '\n tag stig_id: 'UBTU-20-010419 '\n tag fix_id: 'F-41509r654194_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n it { should_not be_more_permissive_than('0750') }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238340.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /var/log is expected not to be more permissive than \"0750\"","run_time":0.039778,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"directory","resource_params":"[\"/var/log\"]","resource_id":"/var/log"}]},{"id":"SV-238341","title":"The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by\nadm. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be\ngroup-owned by adm with the following command:\n\n$ sudo stat -c \"%n %G\" /var/log/syslog\n\n/var/log/syslog adm\n\nIf the \"/var/log/syslog\" file is not group-owned by adm, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to have adm group-own the \"/var/log/syslog\" file by\nrunning the following command:\n\n$ sudo chgrp adm /var/log/syslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238341 ","rid":"SV-238341r654198_rule ","stig_id":"UBTU-20-010420 ","fix_id":"F-41510r654197_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238341' do\n title \"The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by\nadm. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be\ngroup-owned by adm with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log/syslog\n\n/var/log/syslog adm\n\nIf the \\\"/var/log/syslog\\\" file is not group-owned by adm, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have adm group-own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chgrp adm /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238341 '\n tag rid: 'SV-238341r654198_rule '\n tag stig_id: 'UBTU-20-010420 '\n tag fix_id: 'F-41510r654197_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n its('group') { should cmp 'adm' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238341.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /var/log/syslog group is expected to cmp == \"adm\"","run_time":0.044266,"start_time":"2022-12-08T20:52:32-05:00","message":"\nexpected: adm\n got: \n\n(compared using `cmp` matcher)\n","resource_class":"file","resource_params":"[\"/var/log/syslog\"]","resource_id":"/var/log/syslog"}]},{"id":"SV-238342","title":"The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \"%n %U\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \"/var/log/syslog\" file is not owned by syslog, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to have syslog own the \"/var/log/syslog\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238342 ","rid":"SV-238342r654201_rule ","stig_id":"UBTU-20-010421 ","fix_id":"F-41511r654200_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238342' do\n title 'The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \\\"/var/log/syslog\\\" file is not owned by syslog, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238342 '\n tag rid: 'SV-238342r654201_rule '\n tag stig_id: 'UBTU-20-010421 '\n tag fix_id: 'F-41511r654200_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n its('owner') { should cmp 'syslog' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238342.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /var/log/syslog owner is expected to cmp == \"syslog\"","run_time":0.00028,"start_time":"2022-12-08T20:52:32-05:00","message":"\nexpected: syslog\n got: \n\n(compared using `cmp` matcher)\n","resource_class":"file","resource_params":"[\"/var/log/syslog\"]","resource_id":"/var/log/syslog"}]},{"id":"SV-238343","title":"The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less\npermissive. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file with mode\n0640 or less permissive by running the following command:\n\n$ sudo stat -c \"%n %a\"\n/var/log/syslog\n\n/var/log/syslog 640\n\nIf a value of \"640\" or less permissive is not\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have permissions of 0640 for the \"/var/log/syslog\"\nfile by running the following command:\n\n$ sudo chmod 0640 /var/log/syslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238343 ","rid":"SV-238343r654204_rule ","stig_id":"UBTU-20-010422 ","fix_id":"F-41512r654203_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238343' do\n title \"The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file with mode\n0640 or less permissive by running the following command:\n\n$ sudo stat -c \\\"%n %a\\\"\n/var/log/syslog\n\n/var/log/syslog 640\n\nIf a value of \\\"640\\\" or less permissive is not\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0640 for the \\\"/var/log/syslog\\\"\nfile by running the following command:\n\n$ sudo chmod 0640 /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238343 '\n tag rid: 'SV-238343r654204_rule '\n tag stig_id: 'UBTU-20-010422 '\n tag fix_id: 'F-41512r654203_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n it { should_not be_more_permissive_than('0640') }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238343.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"File /var/log/syslog is expected not to be more permissive than \"0640\"","run_time":0.042812,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"file","resource_params":"[\"/var/log/syslog\"]","resource_id":"/var/log/syslog"}]},{"id":"SV-238344","title":"The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \"%n %a\"\n'{}' \\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding."},{"label":"fix","data":"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000258-GPOS-00099 ","gid":"V-238344 ","rid":"SV-238344r654207_rule ","stig_id":"UBTU-20-010423 ","fix_id":"F-41513r654206_fix ","cci":["CCI-001495"],"nist":["AU-9"]},"code":"control 'SV-238344' do\n title \"The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \\\"%n %a\\\"\n'{}' \\\\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238344 '\n tag rid: 'SV-238344r654207_rule '\n tag stig_id: 'UBTU-20-010423 '\n tag fix_id: 'F-41513r654206_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or\n /usr/local/sbin, that are less permissive than 0755\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238344.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or\n /usr/local/sbin, that are less permissive than 0755 count is expected to eq 0","run_time":0.00016,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238345","title":"The Ubuntu operating system must have directories that contain system commands owned by\nroot. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system commands directories are returned, this is\na finding."},{"label":"fix","data":"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -user root -type d -exec chown root '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000258-GPOS-00099 ","gid":"V-238345 ","rid":"SV-238345r654210_rule ","stig_id":"UBTU-20-010424 ","fix_id":"F-41514r654209_fix ","cci":["CCI-001495"],"nist":["AU-9"]},"code":"control 'SV-238345' do\n title \"The Ubuntu operating system must have directories that contain system commands owned by\nroot. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system commands directories are returned, this is\na finding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -user root -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238345 '\n tag rid: 'SV-238345r654210_rule '\n tag stig_id: 'UBTU-20-010424 '\n tag fix_id: 'F-41514r654209_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238345.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT owned by root count is expected to eq 0","run_time":0.000106,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238346","title":"The Ubuntu operating system must have directories that contain system commands group-owned\nby root. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \"%n %G\" '{}' \\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding."},{"label":"fix","data":"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000258-GPOS-00099 ","gid":"V-238346 ","rid":"SV-238346r654213_rule ","stig_id":"UBTU-20-010425 ","fix_id":"F-41515r654212_fix ","cci":["CCI-001495"],"nist":["AU-9"]},"code":"control 'SV-238346' do\n title \"The Ubuntu operating system must have directories that contain system commands group-owned\nby root. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238346 '\n tag rid: 'SV-238346r654213_rule '\n tag stig_id: 'UBTU-20-010425 '\n tag fix_id: 'F-41515r654212_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n # CHECK\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238346.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root count is expected to eq 0","run_time":0.000234,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238347","title":"The Ubuntu operating system library files must have mode 0755 or less permissive. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\",\nand \"/usr/lib\" have mode 0755 or less permissive with the following command:\n\n$ sudo find\n/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \"%n %a\" '{}' \\;\n\n/usr/lib64/pkcs11-spy.so\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding."},{"label":"fix","data":"Configure the library files to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238347 ","rid":"SV-238347r654216_rule ","stig_id":"UBTU-20-010426 ","fix_id":"F-41516r654215_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238347' do\n title 'The Ubuntu operating system library files must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" have mode 0755 or less permissive with the following command:\n\n$ sudo find\n/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\n/usr/lib64/pkcs11-spy.so\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. \"\n desc 'fix', \"Configure the library files to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238347 '\n tag rid: 'SV-238347r654216_rule '\n tag stig_id: 'UBTU-20-010426 '\n tag fix_id: 'F-41516r654215_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are less permissive than 0755' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238347.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library files found that are less permissive than 0755 count is expected to eq 0","run_time":0.0001,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238348","title":"The Ubuntu operating system library directories must have mode 0755 or less permissive. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib have\nmode 0755 or less permissive with the following command:\n\n$ sudo find /lib /lib64 /usr/lib\n-perm /022 -type d -exec stat -c \"%n %a\" '{}' \\;\n\nIf any of the aforementioned directories are\nfound to be group-writable or world-writable, this is a finding."},{"label":"fix","data":"Configure the shared library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}'\n\\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238348 ","rid":"SV-238348r654219_rule ","stig_id":"UBTU-20-010427 ","fix_id":"F-41517r654218_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238348' do\n title 'The Ubuntu operating system library directories must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib have\nmode 0755 or less permissive with the following command:\n\n$ sudo find /lib /lib64 /usr/lib\n-perm /022 -type d -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any of the aforementioned directories are\nfound to be group-writable or world-writable, this is a finding. \"\n desc 'fix', \"Configure the shared library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}'\n\\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238348 '\n tag rid: 'SV-238348r654219_rule '\n tag stig_id: 'UBTU-20-010427 '\n tag fix_id: 'F-41517r654218_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are less permissive than 0755' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238348.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library directories found that are less permissive than 0755 count is expected to eq 0","run_time":0.0001,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238349","title":"The Ubuntu operating system library files must be owned by root. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\",\nand \"/usr/lib\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! -user root -type f -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide library file is\nreturned, this is a finding."},{"label":"fix","data":"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238349 ","rid":"SV-238349r654222_rule ","stig_id":"UBTU-20-010428 ","fix_id":"F-41518r654221_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238349' do\n title 'The Ubuntu operating system library files must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! -user root -type f -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library file is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238349 '\n tag rid: 'SV-238349r654222_rule '\n tag stig_id: 'UBTU-20-010428 '\n tag fix_id: 'F-41518r654221_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238349.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library files found that are NOT owned by root count is expected to eq 0","run_time":0.0001,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238350","title":"The Ubuntu operating system library directories must be owned by root. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide library directory is returned, this is a\nfinding."},{"label":"fix","data":"Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238350 ","rid":"SV-238350r654225_rule ","stig_id":"UBTU-20-010429 ","fix_id":"F-41519r654224_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238350' do\n title 'The Ubuntu operating system library directories must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library directory is returned, this is a\nfinding. \"\n desc 'fix', \"Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238350 '\n tag rid: 'SV-238350r654225_rule '\n tag stig_id: 'UBTU-20-010429 '\n tag fix_id: 'F-41519r654224_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT owned by root' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238350.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library directories found that are NOT owned by root count is expected to eq 0","run_time":0.000101,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238351","title":"The Ubuntu operating system library files must be group-owned by root or a system account. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide library files contained in the directories \"/lib\", \"/lib64\", and\n\"/usr/lib\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \"%n %G\" '{}' \\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding."},{"label":"fix","data":"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command, replacing \"[FILE]\" with any system command file not group-owned by\n\"root\" or a required system account:\n\n$ sudo chgrp root [FILE]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238351 ","rid":"SV-238351r832962_rule ","stig_id":"UBTU-20-010430 ","fix_id":"F-41520r832961_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238351' do\n title 'The Ubuntu operating system library files must be group-owned by root or a system account. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\", and\n\\\"/usr/lib\\\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command, replacing \\\"[FILE]\\\" with any system command file not group-owned by\n\\\"root\\\" or a required system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238351 '\n tag rid: 'SV-238351r832962_rule '\n tag stig_id: 'UBTU-20-010430 '\n tag fix_id: 'F-41520r832961_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT group-owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238351.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library files found that are NOT group-owned by root count is expected to eq 0","run_time":0.000204,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238352","title":"The Ubuntu operating system library directories must be group-owned by root. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are\ngroup-owned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group\nroot -type d -exec stat -c \"%n %G\" '{}' \\;\n\nIf any system-wide shared library directory is\nreturned, this is a finding."},{"label":"fix","data":"Configure the system library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root\n'{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238352 ","rid":"SV-238352r654231_rule ","stig_id":"UBTU-20-010431 ","fix_id":"F-41521r654230_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238352' do\n title 'The Ubuntu operating system library directories must be group-owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\ngroup-owned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group\nroot -type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system-wide shared library directory is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238352 '\n tag rid: 'SV-238352r654231_rule '\n tag stig_id: 'UBTU-20-010431 '\n tag fix_id: 'F-41521r654230_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_directories = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_directories.count > 0\n library_directories.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT group-owned by root' do\n subject { library_directories }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238352.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library directories found that are NOT group-owned by root count is expected to eq 0","run_time":0.000197,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238353","title":"The Ubuntu operating system must be configured to preserve log records from failure events. ","desc":"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes.","descriptions":[{"label":"default","data":"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes."},{"label":"check","data":"Verify the log service is configured to collect system failure events.\n\nCheck that the log\nservice is installed properly with the following command:\n\n$ dpkg -l | grep rsyslog\n\nii\nrsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon\n\nIf the \"rsyslog\"\npackage is not installed, this is a finding.\n\nCheck that the log service is enabled with the\nfollowing command:\n\n$ systemctl is-enabled rsyslog\n\nenabled\n\nIf the command above\nreturns \"disabled\", this is a finding.\n\nCheck that the log service is properly running and\nactive on the system with the following command:\n\n$ systemctl is-active rsyslog\n\nactive\n\n\nIf the command above returns \"inactive\", this is a finding."},{"label":"fix","data":"Configure the log service to collect failure events.\n\nInstall the log service (if the log\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nrsyslog\n\nEnable the log service with the following command:\n\n$ sudo systemctl enable --now\nrsyslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000269-GPOS-00103 ","gid":"V-238353 ","rid":"SV-238353r654234_rule ","stig_id":"UBTU-20-010432 ","fix_id":"F-41522r654233_fix ","cci":["CCI-001665"],"nist":["SC-24"]},"code":"control 'SV-238353' do\n title 'The Ubuntu operating system must be configured to preserve log records from failure events. '\n desc \"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes. \"\n desc 'check', \"Verify the log service is configured to collect system failure events.\n\nCheck that the log\nservice is installed properly with the following command:\n\n$ dpkg -l | grep rsyslog\n\nii\nrsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon\n\nIf the \\\"rsyslog\\\"\npackage is not installed, this is a finding.\n\nCheck that the log service is enabled with the\nfollowing command:\n\n$ systemctl is-enabled rsyslog\n\nenabled\n\nIf the command above\nreturns \\\"disabled\\\", this is a finding.\n\nCheck that the log service is properly running and\nactive on the system with the following command:\n\n$ systemctl is-active rsyslog\n\nactive\n\n\nIf the command above returns \\\"inactive\\\", this is a finding. \"\n desc 'fix', \"Configure the log service to collect failure events.\n\nInstall the log service (if the log\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nrsyslog\n\nEnable the log service with the following command:\n\n$ sudo systemctl enable --now\nrsyslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000269-GPOS-00103 '\n tag gid: 'V-238353 '\n tag rid: 'SV-238353r654234_rule '\n tag stig_id: 'UBTU-20-010432 '\n tag fix_id: 'F-41522r654233_fix '\n tag cci: ['CCI-001665']\n tag nist: ['SC-24']\n\n describe service('rsyslog') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238353.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service rsyslog is expected to be installed","run_time":0.040318,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `Service rsyslog` is installed","resource_class":"service","resource_params":"[\"rsyslog\"]","resource_id":"rsyslog"},{"status":"failed","code_desc":"Service rsyslog is expected to be enabled","run_time":0.00026,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `Service rsyslog` is enabled","resource_class":"service","resource_params":"[\"rsyslog\"]","resource_id":"rsyslog"},{"status":"failed","code_desc":"Service rsyslog is expected to be running","run_time":0.000184,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `Service rsyslog` is running","resource_class":"service","resource_params":"[\"rsyslog\"]","resource_id":"rsyslog"}]},{"id":"SV-238354","title":"The Ubuntu operating system must have an application firewall installed in order to control\nremote access methods. ","desc":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).","descriptions":[{"label":"default","data":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets)."},{"label":"check","data":"Verify that the Uncomplicated Firewall is installed with the following command:\n\n$ dpkg -l |\ngrep ufw\n\nii ufw 0.36-6\n\nIf the \"ufw\" package is not installed, ask the System Administrator\nif another application firewall is installed.\n\nIf no application firewall is installed,\nthis is a finding."},{"label":"fix","data":"Install the Uncomplicated Firewall by using the following command:\n\n$ sudo apt-get install\nufw"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000297-GPOS-00115 ","gid":"V-238354 ","rid":"SV-238354r853429_rule ","stig_id":"UBTU-20-010433 ","fix_id":"F-41523r654236_fix ","cci":["CCI-002314"],"nist":["AC-17 (1)"]},"code":"control 'SV-238354' do\n title \"The Ubuntu operating system must have an application firewall installed in order to control\nremote access methods. \"\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify that the Uncomplicated Firewall is installed with the following command:\n\n$ dpkg -l |\ngrep ufw\n\nii ufw 0.36-6\n\nIf the \\\"ufw\\\" package is not installed, ask the System Administrator\nif another application firewall is installed.\n\nIf no application firewall is installed,\nthis is a finding. \"\n desc 'fix', \"Install the Uncomplicated Firewall by using the following command:\n\n$ sudo apt-get install\nufw \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238354 '\n tag rid: 'SV-238354r853429_rule '\n tag stig_id: 'UBTU-20-010433 '\n tag fix_id: 'F-41523r654236_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n\n describe package('ufw') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238354.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package ufw is expected to be installed","run_time":0.037928,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `System Package ufw` is installed","resource_class":"package","resource_params":"[\"ufw\"]","resource_id":"ufw"}]},{"id":"SV-238355","title":"The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). ","desc":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).","descriptions":[{"label":"default","data":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets)."},{"label":"check","data":"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl is-enabled ufw\n\nIf the above command returns the status as \"disabled\", this is\na finding.\n\nVerify the Uncomplicated Firewall is active on the system by running the\nfollowing command:\n\n$ systemctl is-active ufw\n\nIf the above command returns \"inactive\" or\nany kind of error, this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the\nSystem Administrator if another application firewall is installed.\n\nIf no application\nfirewall is installed, this is a finding."},{"label":"fix","data":"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\n--now ufw.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000297-GPOS-00115 ","gid":"V-238355 ","rid":"SV-238355r853430_rule ","stig_id":"UBTU-20-010434 ","fix_id":"F-41524r654239_fix ","cci":["CCI-002314"],"nist":["AC-17 (1)"]},"code":"control 'SV-238355' do\n title 'The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). '\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl is-enabled ufw\n\nIf the above command returns the status as \\\"disabled\\\", this is\na finding.\n\nVerify the Uncomplicated Firewall is active on the system by running the\nfollowing command:\n\n$ systemctl is-active ufw\n\nIf the above command returns \\\"inactive\\\" or\nany kind of error, this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the\nSystem Administrator if another application firewall is installed.\n\nIf no application\nfirewall is installed, this is a finding. \"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\n--now ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238355 '\n tag rid: 'SV-238355r853430_rule '\n tag stig_id: 'UBTU-20-010434 '\n tag fix_id: 'F-41524r654239_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238355.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service ufw is expected to be installed","run_time":0.03937,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `Service ufw` is installed","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be enabled","run_time":0.000262,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `Service ufw` is enabled","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be running","run_time":0.000173,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `Service ufw` is running","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"}]},{"id":"SV-238356","title":"The Ubuntu operating system must, for networked systems, compare internal information\nsystem clocks at least every 24 hours with a server which is synchronized to one of the\nredundant United States Naval Observatory (USNO) time servers, or a time server designated\nfor the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System\n(GPS). ","desc":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints).","descriptions":[{"label":"default","data":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints)."},{"label":"check","data":"If the system is not networked, this requirement is Not Applicable.\n\nThe system clock must be\nconfigured to compare the system clock at least every 24 hours to the authoritative time\nsource.\n\nCheck the value of \"maxpoll\" in the \"/etc/chrony/chrony.conf\" file with the\nfollowing command:\n\n$ sudo grep maxpoll /etc/chrony/chrony.conf\nserver\ntick.usno.navy.mil iburst maxpoll 16\n\nIf the \"maxpoll\" option is set to a number greater\nthan 16 or the line is commented out, this is a finding.\n\nVerify that the \"chrony.conf\" file is\nconfigured to an authoritative DoD time source by running the following command:\n\n$ grep -i\nserver /etc/chrony/chrony.conf\nserver tick.usno.navy.mil iburst maxpoll 16\nserver\ntock.usno.navy.mil iburst maxpoll 16\nserver ntp2.usno.navy.mil iburst maxpoll 16\n\nIf\nthe parameter \"server\" is not set, is not set to an authoritative DoD time source, or is\ncommented out, this is a finding."},{"label":"fix","data":"If the system is not networked, this requirement is Not Applicable.\n\nTo configure the system\nclock to compare the system clock at least every 24 hours to the authoritative time source,\nedit the \"/etc/chrony/chrony.conf\" file. Add or correct the following lines, by replacing\n\"[source]\" in the following line with an authoritative DoD time source:\n\nserver [source]\niburst maxpoll = 16\n\nIf the \"chrony\" service was running and the value of \"maxpoll\" or\n\"server\" was updated, the service must be restarted using the following command:\n\n$ sudo\nsystemctl restart chrony.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000355-GPOS-00143 ","gid":"V-238356 ","rid":"SV-238356r853431_rule ","stig_id":"UBTU-20-010435 ","fix_id":"F-41525r808491_fix ","cci":["CCI-001891"],"nist":["AU-8 (1) (a)"]},"code":"control 'SV-238356' do\n title \"The Ubuntu operating system must, for networked systems, compare internal information\nsystem clocks at least every 24 hours with a server which is synchronized to one of the\nredundant United States Naval Observatory (USNO) time servers, or a time server designated\nfor the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System\n(GPS). \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints). \"\n desc 'check', \"If the system is not networked, this requirement is Not Applicable.\n\nThe system clock must be\nconfigured to compare the system clock at least every 24 hours to the authoritative time\nsource.\n\nCheck the value of \\\"maxpoll\\\" in the \\\"/etc/chrony/chrony.conf\\\" file with the\nfollowing command:\n\n$ sudo grep maxpoll /etc/chrony/chrony.conf\nserver\ntick.usno.navy.mil iburst maxpoll 16\n\nIf the \\\"maxpoll\\\" option is set to a number greater\nthan 16 or the line is commented out, this is a finding.\n\nVerify that the \\\"chrony.conf\\\" file is\nconfigured to an authoritative DoD time source by running the following command:\n\n$ grep -i\nserver /etc/chrony/chrony.conf\nserver tick.usno.navy.mil iburst maxpoll 16\nserver\ntock.usno.navy.mil iburst maxpoll 16\nserver ntp2.usno.navy.mil iburst maxpoll 16\n\nIf\nthe parameter \\\"server\\\" is not set, is not set to an authoritative DoD time source, or is\ncommented out, this is a finding. \"\n desc 'fix', \"If the system is not networked, this requirement is Not Applicable.\n\nTo configure the system\nclock to compare the system clock at least every 24 hours to the authoritative time source,\nedit the \\\"/etc/chrony/chrony.conf\\\" file. Add or correct the following lines, by replacing\n\\\"[source]\\\" in the following line with an authoritative DoD time source:\n\nserver [source]\niburst maxpoll = 16\n\nIf the \\\"chrony\\\" service was running and the value of \\\"maxpoll\\\" or\n\\\"server\\\" was updated, the service must be restarted using the following command:\n\n$ sudo\nsystemctl restart chrony.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000355-GPOS-00143 '\n tag gid: 'V-238356 '\n tag rid: 'SV-238356r853431_rule '\n tag stig_id: 'UBTU-20-010435 '\n tag fix_id: 'F-41525r808491_fix '\n tag cci: ['CCI-001891']\n tag nist: ['AU-8 (1) (a)']\n\n is_system_networked = input('is_system_networked')\n\n if is_system_networked\n\n chrony_conf = input('chrony_config_file')\n chrony_conf_exists = file(chrony_conf).exist?\n\n if chrony_conf_exists\n describe 'time sources' do\n server_entries = command('grep \"^server\" /etc/chrony/chrony.conf').stdout.strip.split(\"\\n\").entries\n\n server_entries.each do |entry|\n describe entry do\n it { should match \"^server\\s+.*\\s+iburst\\s+maxpoll\\s+=\\s+17$\" }\n end\n end\n end\n else\n describe chrony_conf + ' exists' do\n subject { chrony_conf_exists }\n it { should be true }\n end\n end\n else\n describe 'System is not networked' do\n skip 'This control is Not Applicable as the system is not networked'\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238356.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/chrony/chrony.conf exists is expected to equal true","run_time":0.000183,"start_time":"2022-12-08T20:52:32-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/chrony/chrony.conf exists"}]},{"id":"SV-238357","title":"The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. ","desc":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference.","descriptions":[{"label":"default","data":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference."},{"label":"check","data":"Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \"makestep\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \"1 -1\", this is a finding."},{"label":"fix","data":"Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\"/etc/chrony/chrony.conf\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000356-GPOS-00144 ","gid":"V-238357 ","rid":"SV-238357r853432_rule ","stig_id":"UBTU-20-010436 ","fix_id":"F-41526r654245_fix ","cci":["CCI-002046"],"nist":["AU-8 (1) (b)"]},"code":"control 'SV-238357' do\n title \"The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference. \"\n desc 'check', \"Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \\\"makestep\\\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \\\"1 -1\\\", this is a finding. \"\n desc 'fix', \"Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\\\"/etc/chrony/chrony.conf\\\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000356-GPOS-00144 '\n tag gid: 'V-238357 '\n tag rid: 'SV-238357r853432_rule '\n tag stig_id: 'UBTU-20-010436 '\n tag fix_id: 'F-41526r654245_fix '\n tag cci: ['CCI-002046']\n tag nist: ['AU-8 (1) (b)']\n\n chrony_file_path = input('chrony_config_file')\n chrony_file = file(chrony_file_path)\n\n if chrony_file.exist?\n describe chrony_file do\n subject { chrony_file }\n its('content') { should match(/^makestep 1 -1/) }\n end\n else\n describe(chrony_file_path + ' exists') do\n subject { chrony_file.exist? }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238357.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/chrony/chrony.conf exists is expected to equal true","run_time":0.000134,"start_time":"2022-12-08T20:52:32-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/chrony/chrony.conf exists"}]},{"id":"SV-238358","title":"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the oper ","desc":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item.","descriptions":[{"label":"default","data":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ grep SILENTREPORTS /etc/default/aide\n\nSILENTREPORTS=no\n\n\nIf SILENTREPORTS is commented out, this is a finding.\n\nIf SILENTREPORTS is set to \"yes\",\nthis is a finding.\n\nIf SILENTREPORTS is not set to \"no\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \"SILENTREPORTS\"\nparameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000363-GPOS-00150 ","gid":"V-238358 ","rid":"SV-238358r853433_rule ","stig_id":"UBTU-20-010437 ","fix_id":"F-41527r654248_fix ","cci":["CCI-001744"],"nist":["CM-3 (5)"]},"code":"control 'SV-238358' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the oper \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ grep SILENTREPORTS /etc/default/aide\n\nSILENTREPORTS=no\n\n\nIf SILENTREPORTS is commented out, this is a finding.\n\nIf SILENTREPORTS is set to \\\"yes\\\",\nthis is a finding.\n\nIf SILENTREPORTS is not set to \\\"no\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000363-GPOS-00150 '\n tag gid: 'V-238358 '\n tag rid: 'SV-238358r853433_rule '\n tag stig_id: 'UBTU-20-010437 '\n tag fix_id: 'F-41527r654248_fix '\n tag cci: ['CCI-001744']\n tag nist: ['CM-3 (5)']\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238358.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /etc/default/aide is expected to exist","run_time":0.039625,"start_time":"2022-12-08T20:52:32-05:00","message":"expected File /etc/default/aide to exist","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"},{"status":"failed","code_desc":"File /etc/default/aide content is expected to match \"^SILENTREPORTS=no$\"","run_time":0.07531,"start_time":"2022-12-08T20:52:32-05:00","message":"expected nil to match \"^SILENTREPORTS=no$\"","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"}]},{"id":"SV-238359","title":"The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a certificate that is\nrecognized and approved by the organization. ","desc":"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA.","descriptions":[{"label":"default","data":"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA."},{"label":"check","data":"Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \"AllowUnauthenticated\" variable is not set at all or is set to \"false\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \"false\";\n\n\nIf any of the files returned from the command with \"AllowUnauthenticated\" are set to \"true\",\nthis is a finding."},{"label":"fix","data":"Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \"AllowUnauthenticated\" to \"false\",\nor remove \"AllowUnauthenticated\" entirely from each file. Below is an example of setting the\n\"AllowUnauthenticated\" variable to \"false\":\n\nAPT::Get::AllowUnauthenticated\n\"false\";"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000366-GPOS-00153 ","gid":"V-238359 ","rid":"SV-238359r853434_rule ","stig_id":"UBTU-20-010438 ","fix_id":"F-41528r654251_fix ","cci":["CCI-001749"],"nist":["CM-5 (3)"]},"code":"control 'SV-238359' do\n title \"The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a certificate that is\nrecognized and approved by the organization. \"\n desc \"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA. \"\n desc 'check', \"Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \\\"AllowUnauthenticated\\\" variable is not set at all or is set to \\\"false\\\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \\\"false\\\";\n\n\nIf any of the files returned from the command with \\\"AllowUnauthenticated\\\" are set to \\\"true\\\",\nthis is a finding. \"\n desc 'fix', \"Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \\\"AllowUnauthenticated\\\" to \\\"false\\\",\nor remove \\\"AllowUnauthenticated\\\" entirely from each file. Below is an example of setting the\n\\\"AllowUnauthenticated\\\" variable to \\\"false\\\":\n\nAPT::Get::AllowUnauthenticated\n\\\"false\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000366-GPOS-00153 '\n tag gid: 'V-238359 '\n tag rid: 'SV-238359r853434_rule '\n tag stig_id: 'UBTU-20-010438 '\n tag fix_id: 'F-41528r654251_fix '\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n apt_allowunauth = command('grep -i allowunauth /etc/apt/apt.conf.d/*').stdout.strip.split(\"\\n\")\n if apt_allowunauth.empty?\n describe 'apt conf files do not contain AllowUnauthenticated' do\n subject { apt_allowunauth.empty? }\n it { should be true }\n end\n else\n apt_allowunauth.each do |line|\n describe \"#{line} contains AllowUnauthenctication\" do\n subject { line }\n it { should_not match(/.*false.*/) }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238359.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /etc/apt/apt.conf.d is expected to exist","run_time":0.082001,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"directory","resource_params":"[\"/etc/apt/apt.conf.d\"]","resource_id":"/etc/apt/apt.conf.d"},{"status":"passed","code_desc":"apt conf files do not contain AllowUnauthenticated is expected to equal true","run_time":0.000189,"start_time":"2022-12-08T20:52:32-05:00","resource_class":"Object","resource_params":"[]","resource_id":"apt conf files do not contain AllowUnauthenticated"}]},{"id":"SV-238360","title":"The Ubuntu operating system must be configured to use AppArmor. ","desc":"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).","descriptions":[{"label":"default","data":"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles)."},{"label":"check","data":"Verify the operating system prevents program execution in accordance with local policies.\n\n\nCheck that AppArmor is installed and active by running the following command,\n\n$ dpkg -l |\ngrep apparmor\n\nIf the \"apparmor\" package is not installed, this is a finding.\n\n$ systemctl\nis-active apparmor.service\n\nactive\n\nIf \"active\" is not returned, this is a finding.\n\n$\nsystemctl is-enabled apparmor.service\n\nenabled\n\nIf \"enabled\" is not returned, this is a\nfinding."},{"label":"fix","data":"Install \"AppArmor\" (if it is not installed) with the following command:\n\n$ sudo apt-get\ninstall apparmor\n\n$ sudo systemctl enable apparmor.service\n\nStart \"apparmor\" with the\nfollowing command:\n\n$ sudo systemctl start apparmor.service\n\nNote: AppArmor must have\nproperly configured profiles for applications and home directories. All configurations\nwill be based on the actual system setup and organization and normally are on a per role basis.\nSee the AppArmor documentation for more information on configuring profiles."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000368-GPOS-00154 ","satisfies":["SRG-OS-000368-GPOS-00154","SRG-OS-000312-GPOS-00122","SRG-OS-000312-GPOS-00123","SRG-OS-000312-GPOS-00124","SRG-OS-000324-GPOS-00125","SRG-OS-000370-GPOS-00155"],"gid":"V-238360 ","rid":"SV-238360r853435_rule ","stig_id":"UBTU-20-010439 ","fix_id":"F-41529r654254_fix ","cci":["CCI-001764","CCI-001774","CCI-002165","CCI-002235"],"nist":["CM-7 (2)","CM-7 (5) (b)","AC-3 (4)","AC-6 (10)"]},"code":"control 'SV-238360' do\n title 'The Ubuntu operating system must be configured to use AppArmor. '\n desc \"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).\n\n \"\n desc 'check', \"Verify the operating system prevents program execution in accordance with local policies.\n\n\nCheck that AppArmor is installed and active by running the following command,\n\n$ dpkg -l |\ngrep apparmor\n\nIf the \\\"apparmor\\\" package is not installed, this is a finding.\n\n$ systemctl\nis-active apparmor.service\n\nactive\n\nIf \\\"active\\\" is not returned, this is a finding.\n\n$\nsystemctl is-enabled apparmor.service\n\nenabled\n\nIf \\\"enabled\\\" is not returned, this is a\nfinding. \"\n desc 'fix', \"Install \\\"AppArmor\\\" (if it is not installed) with the following command:\n\n$ sudo apt-get\ninstall apparmor\n\n$ sudo systemctl enable apparmor.service\n\nStart \\\"apparmor\\\" with the\nfollowing command:\n\n$ sudo systemctl start apparmor.service\n\nNote: AppArmor must have\nproperly configured profiles for applications and home directories. All configurations\nwill be based on the actual system setup and organization and normally are on a per role basis.\nSee the AppArmor documentation for more information on configuring profiles. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000368-GPOS-00154 '\n tag satisfies: %w(SRG-OS-000368-GPOS-00154 SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123 SRG-OS-000312-GPOS-00124 SRG-OS-000324-GPOS-00125 SRG-OS-000370-GPOS-00155)\n tag gid: 'V-238360 '\n tag rid: 'SV-238360r853435_rule '\n tag stig_id: 'UBTU-20-010439 '\n tag fix_id: 'F-41529r654254_fix '\n tag cci: %w(CCI-001764 CCI-001774 CCI-002165 CCI-002235)\n tag nist: ['CM-7 (2)', 'CM-7 (5) (b)', 'AC-3 (4)', 'AC-6 (10)']\n\n describe service('apparmor') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238360.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service apparmor is expected to be installed","run_time":0.046222,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `Service apparmor` is installed","resource_class":"service","resource_params":"[\"apparmor\"]","resource_id":"apparmor"},{"status":"failed","code_desc":"Service apparmor is expected to be enabled","run_time":0.000299,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `Service apparmor` is enabled","resource_class":"service","resource_params":"[\"apparmor\"]","resource_id":"apparmor"},{"status":"failed","code_desc":"Service apparmor is expected to be running","run_time":0.000272,"start_time":"2022-12-08T20:52:32-05:00","message":"expected that `Service apparmor` is running","resource_class":"service","resource_params":"[\"apparmor\"]","resource_id":"apparmor"}]},{"id":"SV-238361","title":"The Ubuntu operating system must allow the use of a temporary password for system logons with\nan immediate change to a permanent password. ","desc":"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated.","descriptions":[{"label":"default","data":"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated."},{"label":"check","data":"Verify a policy exists that ensures when a user account is created, it is created using a method\nthat forces a user to change their password upon their next login.\n\nIf a policy does not exist,\nthis is a finding."},{"label":"fix","data":"Create a policy that ensures when a user is created, it is created using a method that forces a\nuser to change their password upon their next login.\n\nBelow are two examples of how to create a\nuser account that requires the user to change their password upon their next login.\n\n$ sudo\nchage -d 0 [UserName]\n\nor\n\n$ sudo passwd -e [UserName]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000380-GPOS-00165 ","gid":"V-238361 ","rid":"SV-238361r853436_rule ","stig_id":"UBTU-20-010440 ","fix_id":"F-41530r654257_fix ","cci":["CCI-002041"],"nist":["IA-5 (1) (f)"]},"code":"control 'SV-238361' do\n title \"The Ubuntu operating system must allow the use of a temporary password for system logons with\nan immediate change to a permanent password. \"\n desc \"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated. \"\n desc 'check', \"Verify a policy exists that ensures when a user account is created, it is created using a method\nthat forces a user to change their password upon their next login.\n\nIf a policy does not exist,\nthis is a finding. \"\n desc 'fix', \"Create a policy that ensures when a user is created, it is created using a method that forces a\nuser to change their password upon their next login.\n\nBelow are two examples of how to create a\nuser account that requires the user to change their password upon their next login.\n\n$ sudo\nchage -d 0 [UserName]\n\nor\n\n$ sudo passwd -e [UserName] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000380-GPOS-00165 '\n tag gid: 'V-238361 '\n tag rid: 'SV-238361r853436_rule '\n tag stig_id: 'UBTU-20-010440 '\n tag fix_id: 'F-41530r654257_fix '\n tag cci: ['CCI-002041']\n tag nist: ['IA-5 (1) (f)']\n\n describe 'Manual verification required' do\n skip 'Manually verify if a policy exists to ensure that a method exists to force temporary\n users to change their password upon next login'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238361.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Manual verification required","run_time":5.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Manually verify if a policy exists to ensure that a method exists to force temporary\n users to change their password upon next login","resource_class":"Object","resource_params":"[]","resource_id":"Manual verification required"}]},{"id":"SV-238362","title":"The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. ","desc":"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable.","descriptions":[{"label":"default","data":"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable."},{"label":"check","data":"If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\"offline_credentials_expiration\" is not set to a value of \"1\" in \"/etc/sssd/sssd.conf\" or\nin a file with a name ending in .conf in the \"/etc/sssd/conf.d/\" directory, this is a finding."},{"label":"fix","data":"Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \"/etc/sssd/sssd.conf\" just below the line \"[pam]\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \".conf\" and does not begin with a \".\" in the \"/etc/sssd/conf.d/\"\ndirectory instead of the \"/etc/sssd/sssd.conf\" file."}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000383-GPOS-00166 ","gid":"V-238362 ","rid":"SV-238362r853437_rule ","stig_id":"UBTU-20-010441 ","fix_id":"F-41531r654260_fix ","cci":["CCI-002007"],"nist":["IA-5 (13)"]},"code":"control 'SV-238362' do\n title \"The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. \"\n desc \"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable. \"\n desc 'check', \"If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\\\"offline_credentials_expiration\\\" is not set to a value of \\\"1\\\" in \\\"/etc/sssd/sssd.conf\\\" or\nin a file with a name ending in .conf in the \\\"/etc/sssd/conf.d/\\\" directory, this is a finding. \"\n desc 'fix', \"Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \\\"/etc/sssd/sssd.conf\\\" just below the line \\\"[pam]\\\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \\\".conf\\\" and does not begin with a \\\".\\\" in the \\\"/etc/sssd/conf.d/\\\"\ndirectory instead of the \\\"/etc/sssd/sssd.conf\\\" file. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000383-GPOS-00166 '\n tag gid: 'V-238362 '\n tag rid: 'SV-238362r853437_rule '\n tag stig_id: 'UBTU-20-010441 '\n tag fix_id: 'F-41531r654260_fix '\n tag cci: ['CCI-002007']\n tag nist: ['IA-5 (13)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = input('sssd_conf_path')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('offline_credentials_expiration') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238362.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238363","title":"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. ","desc":"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.","descriptions":[{"label":"default","data":"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated."},{"label":"check","data":"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \"1\" is not returned, this is a finding."},{"label":"fix","data":"Configure the system to run in FIPS mode. Add \"fips=1\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \"Ubuntu\nAdvantage\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS."}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000396-GPOS-00176 ","satisfies":["SRG-OS-000396-GPOS-00176","SRG-OS-000478-GPOS-00223"],"gid":"V-238363 ","rid":"SV-238363r853438_rule ","stig_id":"UBTU-20-010442 ","fix_id":"F-41532r654263_fix ","cci":["CCI-002450"],"nist":["SC-13 b"]},"code":"control 'SV-238363' do\n title \"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. \"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.\n\n \"\n desc 'check', \"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \\\"1\\\" is not returned, this is a finding. \"\n desc 'fix', \"Configure the system to run in FIPS mode. Add \\\"fips=1\\\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \\\"Ubuntu\nAdvantage\\\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000396-GPOS-00176 '\n tag satisfies: %w(SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223)\n tag gid: 'V-238363 '\n tag rid: 'SV-238363r853438_rule '\n tag stig_id: 'UBTU-20-010442 '\n tag fix_id: 'F-41532r654263_fix '\n tag cci: ['CCI-002450']\n tag nist: ['SC-13 b']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n config_file = input('fips_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe file(config_file) do\n its('content') { should match(/\\A1\\Z/) }\n end\n else\n describe('FIPS is enabled') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238363.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"FIPS validation in a container must be reviewed manually","run_time":2.0e-06,"start_time":"2022-12-08T20:52:32-05:00","resource":"","skip_message":"FIPS validation in a container must be reviewed manually","resource_class":"Object","resource_params":"[]","resource_id":"FIPS validation in a container must be reviewed manually"}]},{"id":"SV-238364","title":"The Ubuntu operating system must only allow the use of DoD PKI-established certificate\nauthorities for verification of the establishment of protected sessions. ","desc":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates.","descriptions":[{"label":"default","data":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates."},{"label":"check","data":"Verify the directory containing the root certificates for the Ubuntu operating system\n(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate\nauthorities.\n\nDetermine if \"/etc/ssl/certs\" only contains certificate files whose\nsha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities\nwith the following command:\n\n$ for f in $(realpath /etc/ssl/certs/*); do openssl x509\n-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)';\ndone\n\nIf any entry is found, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to only allow the use of DoD PKI-established\ncertificate authorities for verification of the establishment of protected sessions.\n\n\nEdit the \"/etc/ca-certificates.conf\" file, adding the character \"!\" to the beginning of\nall uncommented lines that do not start with the \"!\" character with the following command:\n\n$\nsudo sed -i -E 's/^([^!#]+)/!\\1/' /etc/ca-certificates.conf\n\nAdd at least one DoD\ncertificate authority to the \"/usr/local/share/ca-certificates\" directory in the PEM\nformat.\n\nUpdate the \"/etc/ssl/certs\" directory with the following command:\n\n$ sudo\nupdate-ca-certificates"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000403-GPOS-00182 ","gid":"V-238364 ","rid":"SV-238364r860824_rule ","stig_id":"UBTU-20-010443 ","fix_id":"F-41533r860823_fix ","cci":["CCI-002470"],"nist":["SC-23 (5)"]},"code":"control 'SV-238364' do\n title \"The Ubuntu operating system must only allow the use of DoD PKI-established certificate\nauthorities for verification of the establishment of protected sessions. \"\n desc \"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates. \"\n desc 'check', \"Verify the directory containing the root certificates for the Ubuntu operating system\n(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate\nauthorities.\n\nDetermine if \\\"/etc/ssl/certs\\\" only contains certificate files whose\nsha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities\nwith the following command:\n\n$ for f in $(realpath /etc/ssl/certs/*); do openssl x509\n-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)';\ndone\n\nIf any entry is found, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to only allow the use of DoD PKI-established\ncertificate authorities for verification of the establishment of protected sessions.\n\n\nEdit the \\\"/etc/ca-certificates.conf\\\" file, adding the character \\\"!\\\" to the beginning of\nall uncommented lines that do not start with the \\\"!\\\" character with the following command:\n\n$\nsudo sed -i -E 's/^([^!#]+)/!\\\\1/' /etc/ca-certificates.conf\n\nAdd at least one DoD\ncertificate authority to the \\\"/usr/local/share/ca-certificates\\\" directory in the PEM\nformat.\n\nUpdate the \\\"/etc/ssl/certs\\\" directory with the following command:\n\n$ sudo\nupdate-ca-certificates \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000403-GPOS-00182 '\n tag gid: 'V-238364 '\n tag rid: 'SV-238364r860824_rule '\n tag stig_id: 'UBTU-20-010443 '\n tag fix_id: 'F-41533r860823_fix '\n tag cci: ['CCI-002470']\n tag nist: ['SC-23 (5)']\n\n allowed_ca_fingerprints_regex = input('allowed_ca_fingerprints_regex')\n find_command = ''\"\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '#{allowed_ca_fingerprints_regex}'\n done\n \"''\n describe command(find_command) do\n its('stdout') { should cmp '' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238364.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Command: `\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'\n done\n ` stdout is expected to cmp == \"\"","run_time":0.715866,"start_time":"2022-12-08T20:52:32-05:00","message":"\nexpected: \n got: E3B6A2DB2ED7CE48842F7AC53241C7B71D54144BFB40C11F3F1D0B42F5EEA12D\nBEB00B30839B9BC32C32E4447905950641F26421B15ED089198B518AE2EA1B99\n9A6EC012E1A7DA9DBE34194D478AD7C0DB1822FB071DF12981496ED104384113\n960ADF0063E96356750C2965DD0A0867DA0B9CBD6E77714AEAFB2349AB393DA3\n7E37CB8B4C47090CAB36551BA6F45DB840680FBA166A952DB100717F43053FC2\n4D2491414CFE956746EC4CEFA6CF6F72E28A1329432F9D8A907AC4CB5DADC15A\n16AF57A9F676B0AB126095AA5EBADEF22AB31119D644AC95CD4B93DBF3F26AEB\nBD71FDF6DA97E4CF62D1647ADD2581B07D79ADF8397EB4ECBA9C5E8488821423\n358DF39D764AF9E1B766E9C972DF352EE15CFAC227AF6AD1D70E8E4A6EDCBA02\nBD71FDF6DA97E4CF62D1647ADD2581B07D79ADF8397EB4ECBA9C5E8488821423\n3417BB06CC6007DA1B961C920B8AB4CE3FAD820E4AA30B9ACBC4A74EBDCEBC65\n04048028BF1F2864D48F9AD4D83294366A828856553F3B14303F90147F5D40EF\n88EF81DE202EB018452E43F864725CEA5FBD1FC2D9D205730709C5D8B8690F46\nFD73DAD31C644FF1B43BEF0CCDDA96710B9CD9875ECA7E31707AF3E96D522BBD\nC45D7BB08E6D67E62E4235110B564E5F78FD92EF058C840AEA4E6455D7585C60\n657CFE2FA73FAA38462571F332A2363A46FCE7020951710702CDFBB6EEDA3305\nE3B6A2DB2ED7CE48842F7AC53241C7B71D54144BFB40C11F3F1D0B42F5EEA12D\nF9E67D336C51002AC054C632022D66DDA2E7E3FFF10AD061ED31D8BBB410CFB2\nF356BEA244B7A91EB35D53CA9AD7864ACE018E2D35D5F8F96DDF68A6F41AA474\n554153B13D2CF9DDB753BFBE1A4E0AE08D0AA4187058FE60A2B862B2E4B87BCB\n358DF39D764AF9E1B766E9C972DF352EE15CFAC227AF6AD1D70E8E4A6EDCBA02\nDD6936FE21F8F077C123A1A521C12224F72255B73E03A7260693E8A24B0FA389\n30D0895A9A448A262091635522D1F52010B5867ACAE12C78EF958FD4F4389F2F\nF1C1B50AE5A20DD8030EC9F6BC24823DD367B5255759B4E71B61FCE9F7375D73\nFD73DAD31C644FF1B43BEF0CCDDA96710B9CD9875ECA7E31707AF3E96D522BBD\n18F1FC7F205DF8ADDDEB7FE007DD57E3AF375A9C4D8D73546BF4F1FED1E18D35\nC741F70F4B2A8D88BF2E71C14122EF53EF10EBA0CFA5E64CFA20F418853073E0\n9A6EC012E1A7DA9DBE34194D478AD7C0DB1822FB071DF12981496ED104384113\n8560F91C3624DABA9570B5FEA0DBE36FF11A8323BE9486854FB3F34A5571198D\nE75E72ED9F560EEC6EB4800073A43FC3AD19195A392282017895974A99026B6C\nBC104F15A48BE709DCA542A7E1D4B9DF6F054527E802EAA92D595444258AFE71\n1793927A0614549789ADCE2F8F34F7F0B66D0F3AE3A3B84D21EC15DBBA4FADC7\nA7BAA0D13C6E82C40DFC83ADE20BB6FEE275F106CBBE3868DAD81C4E6025B2AC\n9A296A5182D1D451A2E37F439B74DAAFA267523329F90F9A0D2007C334E23C9A\nA1339D33281A0B56E557D3D32B1CE7F9367EB094BD5FA72A7E5004C8DED7CAFE\nC45D7BB08E6D67E62E4235110B564E5F78FD92EF058C840AEA4E6455D7585C60\nBEB00B30839B9BC32C32E4447905950641F26421B15ED089198B518AE2EA1B99\n5A2FC03F0C83B090BBFA40604B0988446C7636183DF9846E17101A447FB8EFD6\n125609AA301DA0A249B97A8239CB6A34216F44DCAC9F3954B14292F2E8C8608F\n71CCA5391F9E794B04802530B363E121DA8A3043BB26662FEA4DCA7FC951A4BD\nF356BEA244B7A91EB35D53CA9AD7864ACE018E2D35D5F8F96DDF68A6F41AA474\nC0A6F4DC63A24BFDCF54EF2A6A082A0A72DE35803E2FF5FF527AE5D87206DFD5\nBEC94911C2955676DB6C0A550986D76E3BA005667C442C9762B4FBB773DE228C\nBFD88FE1101C41AE3E801BF8BE56350EE9BAD1A6B9BD515EDC5C6D5B8711AC44\nEBD41040E4BB3EC742C9E381D31EF2A41A48B6685C96E7CEF3C1DF6CD4331C99\n4200F5043AC8590EBB527D209ED1503029FBCBD41CA1B506EC27F15ADE7DAC69\n4348A0E9444C78CB265E058D5E8944B4D84F9662BD26DB257F8934A443C70161\n513B2CECB810D4CDE5DD85391ADFC6C2DD60D87BB736D2B521484AA47A0EBEF6\nEEC5496B988CE98625B934092EEC2908BED0B0F316C2D4730C84EAF1F3D34881\n22A2C1F7BDED704CC1E701B5F408C310880FE956B5DE2A4A44F99C873A25A7C8\n97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8\n6B9C08E86EB0F767CFAD65CD98B62149E5494A67F5845E7BD1ED019F27B86BD6\nDB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88\n15F0BA00A3AC7AF3AC884C072B1011A077BD77C097F40164B2F8598ABD83860C\n1465FA205397B876FAA6F0A9958E5590E40FCC7FAA4FB7C2C8677521FB5FB658\n15F0BA00A3AC7AF3AC884C072B1011A077BD77C097F40164B2F8598ABD83860C\nBEC94911C2955676DB6C0A550986D76E3BA005667C442C9762B4FBB773DE228C\n62DD0BE9B9F50A163EA0F8E75C053B1ECA57EA55C8688F647C6881F2C8357B95\nBE6C4DA2BBB9BA59B6F3939768374246C3C005993FA98F020D1DEDBED48A81D5\n7431E5F4C3C1CE4690774F0B61E05440883BA9A01ED00BA6ABD7806ED3B118CF\n5C58468D55F58E497E743982D2B50010B6D165374ACF83A7D4A32DB768C4408E\n6DC47172E01CBCB0BF62580D895FE2B8AC9AD4F873801E0C10B9C837D21EB177\n86A1ECBA089C4A8D3BBE2734C612BA341D813E043CF9E8A862CD5C57A36BBE6B\n3C5F81FEA5FAB82C64BFA2EAECAFCDE8E077FC8620A7CAE537163DF36EDBF378\n02ED0EB28C14DA45165C566791700D6451D7FB56F0B2AB1D3B8EB070E56EDFF5\n0376AB1D54C5F9803CE4B2E201A0EE7EEF7B57B636E8A93C9B8D4860C96F5FA7\n1BA5B2AA8C65401A82960118F80BEC4F62304D83CEC4713A19C39C011EA46DB4\nD48D3D23EEDB50A459E55197601C27774B9D7B18C94D5A059511A10250B93168\n2530CC8E98321502BAD96F9B1FBA1B099E2D299E0F4548BB914F363BC0D4531F\nFE7696573855773E37A95E7AD4D9CC96C30157C15D31765BA9B15704E1AE78FD\n31AD6648F8104138C738F39EA4320133393E3A18CC02296EF97C2AC9EF6731D0\n43DF5774B03E7FEF5FE40D931A7BEDF1BB2E6B42738C4E6D3841103D3AA7F339\nD43AF9B35473755C9684FC06D7D8CB70EE5C28E773FB294EB41EE71722924D24\nA040929A02CE53B4ACF4F2FFC6981CE4496F755E6D45FE0B2A692BCD52523F36\n59769007F7685D0FCD50872F9F95D5755A5B2B457D81F3692B610A98672F0E1B\n8560F91C3624DABA9570B5FEA0DBE36FF11A8323BE9486854FB3F34A5571198D\n568D6905A2C88708A4B3025190EDCFEDB1974A606A13C6E5290FCB2AE63EDAB5\n2CABEAFE37D06CA22ABA7391C0033D25982952C453647349763A3AB5AD6CCF69\n4FF460D54B9C86DABFBCFC5712E0400D2BED3FBC4D4FBDAA86E06ADCD2A9AD7A\n97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8\nBC4D809B15189D78DB3E1D8CF4F9726A795DA1643CA5F1358E1DDB0EDC0D7EB3\nEDF7EBBCA27A2A384D387B7D4010C666E2EDB4843E4C29B4AE1D5B9332E6B24D\n2CE1CB0BF9D2F9E102993FBE215152C3B2DD0CABDE1C68E5319B839154DBB7F5\n0A81EC5A929777F145904AF38D5D509F66B5E2C58FCDB531058B0E17F3F0B41B\nFB8FEC759169B9106B1E511644C618C51304373F6C0643088D8BEFFD1B997599\nBFFF8FD04433487D6A8AA60C1A29767A9FC2BBB05E420F713A13B992891D3893\n8A866FD1B276B57E578E921C65828A2BED58E9F2F288054134B7F1F4BFC9CC74\n52F0E1C4E58EC629291B60317F074671B85D7EA80D5B07273463534B32B40234\nFB8FEC759169B9106B1E511644C618C51304373F6C0643088D8BEFFD1B997599\n91E2F5788D5810EBA7BA58737DE1548A8ECACD014598BC0B143E041B17052552\n2A575471E31340BC21581CBD2CF13E158463203ECE94BCF9D3CC196BF09A5472\nD7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4\nC3846BF24B9E93CA64274C0EC67C1ECC5E024FFCACD2D74019350E81FE546AE4\n9BEA11C976FE014764C1BE56A6F914B5A560317ABD9988393382E5161AA0493C\n4FA3126D8D3A11D1C4855A4F807CBAD6CF919D3A5A88B03BEA2C6372D93C40C9\n49E7A442ACF0EA6287050054B52564B650E4F49E42E348D6AA38E039E957B1C1\n85A0DD7DD720ADB7FF05F83D542B209DC7FF4528F7D677B18389FEA5E5C49E86\n85666A562EE0BE5CE925C1D8890A6F76A87EC16D4D7D5F29EA7419CF20123B69\n6B9C08E86EB0F767CFAD65CD98B62149E5494A67F5845E7BD1ED019F27B86BD6\n2E7BF16CC22485A7BBE2AA8696750761B0AE39BE3B2FE9D0CC6D4EF73491425C\n71CCA5391F9E794B04802530B363E121DA8A3043BB26662FEA4DCA7FC951A4BD\nB0BFD52BB0D7D9BD92BF5D4DC13DA255C02C542F378365EA893911F55E55F23C\n125609AA301DA0A249B97A8239CB6A34216F44DCAC9F3954B14292F2E8C8608F\n6B328085625318AA50D173C98D8BDA09D57E27413D114CF787A0F5D06C030CF6\n88F438DCF8FFD1FA8F429115FFE5F82AE1E06E0C70C375FAAD717B34A49E7265\n513B2CECB810D4CDE5DD85391ADFC6C2DD60D87BB736D2B521484AA47A0EBEF6\n9A6EC012E1A7DA9DBE34194D478AD7C0DB1822FB071DF12981496ED104384113\n5D56499BE4D2E08BCFCAD08A3E38723D50503BDE706948E42F55603019E528AE\nE23D4A036D7B70E9F595B1422079D2B91EDFBB1FB651A0633EAA8A9DC5F80703\nBF0FEEFB9E3A581AD5F9E9DB7589985743D261085C4D314F6F5D7259AA421612\nB0BFD52BB0D7D9BD92BF5D4DC13DA255C02C542F378365EA893911F55E55F23C\nE793C9B02FD8AA13E21C31228ACCB08119643B749C898964B1746D46C3D4CBD2\nB676F2EDDAE8775CD36CB0F63CD1D4603961F49E6265BA013A2F0307B6D0B804\n88EF81DE202EB018452E43F864725CEA5FBD1FC2D9D205730709C5D8B8690F46\nBE6C4DA2BBB9BA59B6F3939768374246C3C005993FA98F020D1DEDBED48A81D5\n657CFE2FA73FAA38462571F332A2363A46FCE7020951710702CDFBB6EEDA3305\n70A73F7F376B60074248904534B11482D5BF0E698ECC498DF52577EBF2E93B9A\nE35D28419ED02025CFA69038CD623962458DA5C695FBDEA3C22B0BFB25897092\nCB3CCBB76031E5E0138F8DD39A23F9DE47FFC35E43C1144CEA27D46A5AB1CB5F\n88497F01602F3154246AE28C4D5AEF10F1D87EBB76626F4AE0B7F95BA7968799\n9B5212D92D073B1D5E8D672E94D1FB472F46D15AEA2EE4D131E5C6436B74B86E\nEEC5496B988CE98625B934092EEC2908BED0B0F316C2D4730C84EAF1F3D34881\n15D5B8774619EA7D54CE1CA6D0B0C403E037A917F131E8A04E1E6B7A71BABCE5\n8FE4FB0AF93A4D0D67DB0BEBB23E37C71BF325DCBCDD240EA04DAF58B47E1840\nBFFF8FD04433487D6A8AA60C1A29767A9FC2BBB05E420F713A13B992891D3893\nCBB9C44D84B8043E1050EA31A69F514955D7BFD2E2C6B49301019AD61D9F5058\n2530CC8E98321502BAD96F9B1FBA1B099E2D299E0F4548BB914F363BC0D4531F\n5D56499BE4D2E08BCFCAD08A3E38723D50503BDE706948E42F55603019E528AE\n9BEA11C976FE014764C1BE56A6F914B5A560317ABD9988393382E5161AA0493C\n179FBC148A3DD00FD24EA13458CC43BFA7F59C8182D783A513F6EBEC100C8924\n43DF5774B03E7FEF5FE40D931A7BEDF1BB2E6B42738C4E6D3841103D3AA7F339\n46EDC3689046D53A453FB3104AB80DCAEC658B2660EA1629DD7E867990648716\nEAA962C4FA4A6BAFEBE415196D351CCD888D4F53F3FA8AE6D7C466A94E6042BB\nCB3CCBB76031E5E0138F8DD39A23F9DE47FFC35E43C1144CEA27D46A5AB1CB5F\n9A114025197C5BB95D94E63D55CD43790847B646B23CDF11ADA4A00EFF15FB48\n18F1FC7F205DF8ADDDEB7FE007DD57E3AF375A9C4D8D73546BF4F1FED1E18D35\n15D5B8774619EA7D54CE1CA6D0B0C403E037A917F131E8A04E1E6B7A71BABCE5\n5CC3D78E4E1D5E45547A04E6873E64F90CF9536D1CCC2EF800F355C4C5FD70FD\n6DC47172E01CBCB0BF62580D895FE2B8AC9AD4F873801E0C10B9C837D21EB177\n70A73F7F376B60074248904534B11482D5BF0E698ECC498DF52577EBF2E93B9A\n73C176434F1BC6D5ADF45B0E76E727287C8DE57616C1E6E6141A2B2CBC7D8E4C\n49E7A442ACF0EA6287050054B52564B650E4F49E42E348D6AA38E039E957B1C1\n85666A562EE0BE5CE925C1D8890A6F76A87EC16D4D7D5F29EA7419CF20123B69\n2A575471E31340BC21581CBD2CF13E158463203ECE94BCF9D3CC196BF09A5472\nCECDDC905099D8DADFC5B1D209B737CBE2C18CFB2C10C0FF0BCF0D3286FC1AA2\nBC104F15A48BE709DCA542A7E1D4B9DF6F054527E802EAA92D595444258AFE71\nEBD41040E4BB3EC742C9E381D31EF2A41A48B6685C96E7CEF3C1DF6CD4331C99\n40F6AF0346A99AA1CD1D555A4E9CCE62C7F9634603EE406615833DC8C8D00367\nBC4D809B15189D78DB3E1D8CF4F9726A795DA1643CA5F1358E1DDB0EDC0D7EB3\nCBB522D7B7F127AD6A0113865BDF1CD4102E7D0759AF635A7CF4720DC963C53B\n5A2FC03F0C83B090BBFA40604B0988446C7636183DF9846E17101A447FB8EFD6\nCA42DD41745FD0B81EB902362CF9D8BF719DA1BD1B1EFC946F5B4C99F42C1B9E\nC0A6F4DC63A24BFDCF54EF2A6A082A0A72DE35803E2FF5FF527AE5D87206DFD5\nBFD88FE1101C41AE3E801BF8BE56350EE9BAD1A6B9BD515EDC5C6D5B8711AC44\n55926084EC963A64B96E2ABE01CE0BA86A64FBFEBCC7AAB5AFC155B37FD76066\nA040929A02CE53B4ACF4F2FFC6981CE4496F755E6D45FE0B2A692BCD52523F36\n4200F5043AC8590EBB527D209ED1503029FBCBD41CA1B506EC27F15ADE7DAC69\nF1C1B50AE5A20DD8030EC9F6BC24823DD367B5255759B4E71B61FCE9F7375D73\n88497F01602F3154246AE28C4D5AEF10F1D87EBB76626F4AE0B7F95BA7968799\n7431E5F4C3C1CE4690774F0B61E05440883BA9A01ED00BA6ABD7806ED3B118CF\nE793C9B02FD8AA13E21C31228ACCB08119643B749C898964B1746D46C3D4CBD2\nFE7696573855773E37A95E7AD4D9CC96C30157C15D31765BA9B15704E1AE78FD\n9A296A5182D1D451A2E37F439B74DAAFA267523329F90F9A0D2007C334E23C9A\n45140B3247EB9CC8C5B4F0D7B53091F73292089E6E5A63E2749DD3ACA9198EDA\n2CE1CB0BF9D2F9E102993FBE215152C3B2DD0CABDE1C68E5319B839154DBB7F5\nE75E72ED9F560EEC6EB4800073A43FC3AD19195A392282017895974A99026B6C\n3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C\n2E7BF16CC22485A7BBE2AA8696750761B0AE39BE3B2FE9D0CC6D4EF73491425C\n85A0DD7DD720ADB7FF05F83D542B209DC7FF4528F7D677B18389FEA5E5C49E86\n16AF57A9F676B0AB126095AA5EBADEF22AB31119D644AC95CD4B93DBF3F26AEB\n0A81EC5A929777F145904AF38D5D509F66B5E2C58FCDB531058B0E17F3F0B41B\n18CE6CFE7BF14E60B2E347B8DFE868CB31D02EBB3ADA271569F50343B46DB3A4\nEDF7EBBCA27A2A384D387B7D4010C666E2EDB4843E4C29B4AE1D5B9332E6B24D\nEBC5570C29018C4D67B1AA127BAF12F703B4611EBC17B7DAB5573894179B93FA\nB676F2EDDAE8775CD36CB0F63CD1D4603961F49E6265BA013A2F0307B6D0B804\n8FE4FB0AF93A4D0D67DB0BEBB23E37C71BF325DCBCDD240EA04DAF58B47E1840\n46EDC3689046D53A453FB3104AB80DCAEC658B2660EA1629DD7E867990648716\n52F0E1C4E58EC629291B60317F074671B85D7EA80D5B07273463534B32B40234\nDD6936FE21F8F077C123A1A521C12224F72255B73E03A7260693E8A24B0FA389\n8ECDE6884F3D87B1125BA31AC3FCB13D7016DE7F57CC904FE1CB97C6AE98196E\nCECDDC905099D8DADFC5B1D209B737CBE2C18CFB2C10C0FF0BCF0D3286FC1AA2\n55926084EC963A64B96E2ABE01CE0BA86A64FBFEBCC7AAB5AFC155B37FD76066\nD7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4\n945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4\n45140B3247EB9CC8C5B4F0D7B53091F73292089E6E5A63E2749DD3ACA9198EDA\n88F438DCF8FFD1FA8F429115FFE5F82AE1E06E0C70C375FAAD717B34A49E7265\nEAA962C4FA4A6BAFEBE415196D351CCD888D4F53F3FA8AE6D7C466A94E6042BB\n4FF460D54B9C86DABFBCFC5712E0400D2BED3FBC4D4FBDAA86E06ADCD2A9AD7A\n30D0895A9A448A262091635522D1F52010B5867ACAE12C78EF958FD4F4389F2F\n04048028BF1F2864D48F9AD4D83294366A828856553F3B14303F90147F5D40EF\n2CABEAFE37D06CA22ABA7391C0033D25982952C453647349763A3AB5AD6CCF69\n44B545AA8A25E65A73CA15DC27FC36D24C1CB9953A066539B11582DC487B4833\n1793927A0614549789ADCE2F8F34F7F0B66D0F3AE3A3B84D21EC15DBBA4FADC7\nDB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88\n4D2491414CFE956746EC4CEFA6CF6F72E28A1329432F9D8A907AC4CB5DADC15A\n6C61DAC3A2DEF031506BE036D2A6FE401994FBD13DF9C8D466599274C446EC98\nEBC5570C29018C4D67B1AA127BAF12F703B4611EBC17B7DAB5573894179B93FA\n7E37CB8B4C47090CAB36551BA6F45DB840680FBA166A952DB100717F43053FC2\nA1339D33281A0B56E557D3D32B1CE7F9367EB094BD5FA72A7E5004C8DED7CAFE\n7D05EBB682339F8C9451EE094EEBFEFA7953A114EDB2F44949452FAB7D2FC185\n59769007F7685D0FCD50872F9F95D5755A5B2B457D81F3692B610A98672F0E1B\n86A1ECBA089C4A8D3BBE2734C612BA341D813E043CF9E8A862CD5C57A36BBE6B\n1465FA205397B876FAA6F0A9958E5590E40FCC7FAA4FB7C2C8677521FB5FB658\n5C58468D55F58E497E743982D2B50010B6D165374ACF83A7D4A32DB768C4408E\n960ADF0063E96356750C2965DD0A0867DA0B9CBD6E77714AEAFB2349AB393DA3\n96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6\n4FA3126D8D3A11D1C4855A4F807CBAD6CF919D3A5A88B03BEA2C6372D93C40C9\n554153B13D2CF9DDB753BFBE1A4E0AE08D0AA4187058FE60A2B862B2E4B87BCB\n62DD0BE9B9F50A163EA0F8E75C053B1ECA57EA55C8688F647C6881F2C8357B95\n02ED0EB28C14DA45165C566791700D6451D7FB56F0B2AB1D3B8EB070E56EDFF5\n0376AB1D54C5F9803CE4B2E201A0EE7EEF7B57B636E8A93C9B8D4860C96F5FA7\n6C61DAC3A2DEF031506BE036D2A6FE401994FBD13DF9C8D466599274C446EC98\n96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6\n44B545AA8A25E65A73CA15DC27FC36D24C1CB9953A066539B11582DC487B4833\n40F6AF0346A99AA1CD1D555A4E9CCE62C7F9634603EE406615833DC8C8D00367\n22A2C1F7BDED704CC1E701B5F408C310880FE956B5DE2A4A44F99C873A25A7C8\n3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C\n8A866FD1B276B57E578E921C65828A2BED58E9F2F288054134B7F1F4BFC9CC74\nCA42DD41745FD0B81EB902362CF9D8BF719DA1BD1B1EFC946F5B4C99F42C1B9E\n552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988\nCBB9C44D84B8043E1050EA31A69F514955D7BFD2E2C6B49301019AD61D9F5058\n3C5F81FEA5FAB82C64BFA2EAECAFCDE8E077FC8620A7CAE537163DF36EDBF378\n6B328085625318AA50D173C98D8BDA09D57E27413D114CF787A0F5D06C030CF6\n55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097\nD43AF9B35473755C9684FC06D7D8CB70EE5C28E773FB294EB41EE71722924D24\nC741F70F4B2A8D88BF2E71C14122EF53EF10EBA0CFA5E64CFA20F418853073E0\nF9E67D336C51002AC054C632022D66DDA2E7E3FFF10AD061ED31D8BBB410CFB2\n91E2F5788D5810EBA7BA58737DE1548A8ECACD014598BC0B143E041B17052552\n4348A0E9444C78CB265E058D5E8944B4D84F9662BD26DB257F8934A443C70161\n3417BB06CC6007DA1B961C920B8AB4CE3FAD820E4AA30B9ACBC4A74EBDCEBC65\n945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4\nE23D4A036D7B70E9F595B1422079D2B91EDFBB1FB651A0633EAA8A9DC5F80703\n1BA5B2AA8C65401A82960118F80BEC4F62304D83CEC4713A19C39C011EA46DB4\n179FBC148A3DD00FD24EA13458CC43BFA7F59C8182D783A513F6EBEC100C8924\n18CE6CFE7BF14E60B2E347B8DFE868CB31D02EBB3ADA271569F50343B46DB3A4\nC3846BF24B9E93CA64274C0EC67C1ECC5E024FFCACD2D74019350E81FE546AE4\n0C2CD63DF7806FA399EDE809116B575BF87989F06518F9808C860503178BAF66\nBF0FEEFB9E3A581AD5F9E9DB7589985743D261085C4D314F6F5D7259AA421612\nD48D3D23EEDB50A459E55197601C27774B9D7B18C94D5A059511A10250B93168\n31AD6648F8104138C738F39EA4320133393E3A18CC02296EF97C2AC9EF6731D0\n8ECDE6884F3D87B1125BA31AC3FCB13D7016DE7F57CC904FE1CB97C6AE98196E\n9A114025197C5BB95D94E63D55CD43790847B646B23CDF11ADA4A00EFF15FB48\n73C176434F1BC6D5ADF45B0E76E727287C8DE57616C1E6E6141A2B2CBC7D8E4C\n5CC3D78E4E1D5E45547A04E6873E64F90CF9536D1CCC2EF800F355C4C5FD70FD\n568D6905A2C88708A4B3025190EDCFEDB1974A606A13C6E5290FCB2AE63EDAB5\n552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988\n0C2CD63DF7806FA399EDE809116B575BF87989F06518F9808C860503178BAF66\nE35D28419ED02025CFA69038CD623962458DA5C695FBDEA3C22B0BFB25897092\n55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097\nCBB522D7B7F127AD6A0113865BDF1CD4102E7D0759AF635A7CF4720DC963C53B\n7D05EBB682339F8C9451EE094EEBFEFA7953A114EDB2F44949452FAB7D2FC185\n\n\n(compared using `cmp` matcher)\n","resource_class":"command","resource_params":"[\"\\n for f in $(find -L /etc/ssl/certs -type f); do\\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'\\n done\\n \"]","resource_id":"Command: `\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'\n done\n `"}]},{"id":"SV-238365","title":"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\nmodification of all information at rest. ","desc":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).","descriptions":[{"label":"default","data":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields)."},{"label":"check","data":"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n$\nsudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding."},{"label":"fix","data":"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000404-GPOS-00183 ","gid":"V-238365 ","rid":"SV-238365r853442_rule ","stig_id":"UBTU-20-010444 ","fix_id":"F-41534r654269_fix ","cci":["CCI-002475"],"nist":["SC-28 (1)"]},"code":"control 'SV-238365' do\n title \"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\nmodification of all information at rest. \"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n$\nsudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000404-GPOS-00183 '\n tag gid: 'V-238365 '\n tag rid: 'SV-238365r853442_rule '\n tag stig_id: 'UBTU-20-010444 '\n tag fix_id: 'F-41534r654269_fix '\n tag cci: ['CCI-002475']\n tag nist: ['SC-28 (1)']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238365.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Not Applicable","run_time":1.0e-05,"start_time":"2022-12-08T20:52:33-05:00","resource":"","skip_message":"Encryption of data at rest is handled by the IaaS","resource_class":"Object","resource_params":"[]","resource_id":"Not Applicable"}]},{"id":"SV-238366","title":"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\ndisclosure of all information at rest. ","desc":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).","descriptions":[{"label":"default","data":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields)."},{"label":"check","data":"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n$sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding."},{"label":"fix","data":"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000405-GPOS-00184 ","gid":"V-238366 ","rid":"SV-238366r853443_rule ","stig_id":"UBTU-20-010445 ","fix_id":"F-41535r654272_fix ","cci":["CCI-002476"],"nist":["SC-28 (1)"]},"code":"control 'SV-238366' do\n title \"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\ndisclosure of all information at rest. \"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n$sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000405-GPOS-00184 '\n tag gid: 'V-238366 '\n tag rid: 'SV-238366r853443_rule '\n tag stig_id: 'UBTU-20-010445 '\n tag fix_id: 'F-41535r654272_fix '\n tag cci: ['CCI-002476']\n tag nist: ['SC-28 (1)']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238366.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Not Applicable","run_time":4.0e-06,"start_time":"2022-12-08T20:52:33-05:00","resource":"","skip_message":"Encryption of data at rest is handled by the IaaS","resource_class":"Object","resource_params":"[]","resource_id":"Not Applicable"}]},{"id":"SV-238367","title":"The Ubuntu operating system must configure the uncomplicated firewall to rate-limit\nimpacted network interfaces. ","desc":"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks.","descriptions":[{"label":"default","data":"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks."},{"label":"check","data":"Verify an application firewall is configured to rate limit any connection to the system.\n\n\nCheck all the services listening to the ports with the following command:\n\n$ sudo ss -l46ut\n\n\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128\n[::]:ssh [::]:*\n\nFor each entry, verify that the Uncomplicated Firewall is configured to\nrate limit the service ports with the following command:\n\n$ sudo ufw status\n\nStatus: active\n\n\nTo Action From\n-- ------ ----\n22/tcp LIMIT Anywhere\n22/tcp (v6) LIMIT Anywhere (v6)\n\nIf\nany port with a state of \"LISTEN\" is not marked with the \"LIMIT\" action, this is a finding."},{"label":"fix","data":"Configure the application firewall to protect against or limit the effects of DoS attacks by\nensuring the Ubuntu operating system is implementing rate-limiting measures on impacted\nnetwork interfaces.\n\nCheck all the services listening to the ports with the following\ncommand:\n\n$ sudo ss -l46ut\n\nNetid State Recv-Q Send-Q Local Address:Port Peer\nAddress:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*\n\nFor each service with a port\nlistening to connections, run the following command, replacing \"[service]\" with the\nservice that needs to be rate limited.\n\n$ sudo ufw limit [service]\n\nRate-limiting can also\nbe done on an interface. An example of adding a rate-limit on the eth0 interface follows:\n\n$\nsudo ufw limit in on eth0"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000420-GPOS-00186 ","gid":"V-238367 ","rid":"SV-238367r853444_rule ","stig_id":"UBTU-20-010446 ","fix_id":"F-41536r654275_fix ","cci":["CCI-002385"],"nist":["SC-5 a"]},"code":"control 'SV-238367' do\n title \"The Ubuntu operating system must configure the uncomplicated firewall to rate-limit\nimpacted network interfaces. \"\n desc \"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks. \"\n desc 'check', \"Verify an application firewall is configured to rate limit any connection to the system.\n\n\nCheck all the services listening to the ports with the following command:\n\n$ sudo ss -l46ut\n\n\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128\n[::]:ssh [::]:*\n\nFor each entry, verify that the Uncomplicated Firewall is configured to\nrate limit the service ports with the following command:\n\n$ sudo ufw status\n\nStatus: active\n\n\nTo Action From\n-- ------ ----\n22/tcp LIMIT Anywhere\n22/tcp (v6) LIMIT Anywhere (v6)\n\nIf\nany port with a state of \\\"LISTEN\\\" is not marked with the \\\"LIMIT\\\" action, this is a finding. \"\n desc 'fix', \"Configure the application firewall to protect against or limit the effects of DoS attacks by\nensuring the Ubuntu operating system is implementing rate-limiting measures on impacted\nnetwork interfaces.\n\nCheck all the services listening to the ports with the following\ncommand:\n\n$ sudo ss -l46ut\n\nNetid State Recv-Q Send-Q Local Address:Port Peer\nAddress:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*\n\nFor each service with a port\nlistening to connections, run the following command, replacing \\\"[service]\\\" with the\nservice that needs to be rate limited.\n\n$ sudo ufw limit [service]\n\nRate-limiting can also\nbe done on an interface. An example of adding a rate-limit on the eth0 interface follows:\n\n$\nsudo ufw limit in on eth0 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000420-GPOS-00186 '\n tag gid: 'V-238367 '\n tag rid: 'SV-238367r853444_rule '\n tag stig_id: 'UBTU-20-010446 '\n tag fix_id: 'F-41536r654275_fix '\n tag cci: ['CCI-002385']\n tag nist: ['SC-5 a']\n\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238367.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Status listings for any allowed services, ports, or applications must be documented with the organization","run_time":4.0e-06,"start_time":"2022-12-08T20:52:33-05:00","resource":"","skip_message":"Status listings checks must be preformed manually","resource_class":"Object","resource_params":"[]","resource_id":"Status listings for any allowed services, ports, or applications must be documented with the organization"}]},{"id":"SV-238368","title":"The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. ","desc":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks.","descriptions":[{"label":"default","data":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks."},{"label":"check","data":"Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \"execute disable\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\"dmesg\" does not show \"NX (Execute Disable) protection: active\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \"flags\" does not contain the \"nx\" flag, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to enable NX.\n\nIf \"nx\" is not showing up in\n\"/proc/cpuinfo\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \"enable\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000433-GPOS-00192 ","gid":"V-238368 ","rid":"SV-238368r853445_rule ","stig_id":"UBTU-20-010447 ","fix_id":"F-41537r654278_fix ","cci":["CCI-002824"],"nist":["SI-16"]},"code":"control 'SV-238368' do\n title \"The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \\\"execute disable\\\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\\\"dmesg\\\" does not show \\\"NX (Execute Disable) protection: active\\\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \\\"flags\\\" does not contain the \\\"nx\\\" flag, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enable NX.\n\nIf \\\"nx\\\" is not showing up in\n\\\"/proc/cpuinfo\\\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \\\"enable\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00192 '\n tag gid: 'V-238368 '\n tag rid: 'SV-238368r853445_rule '\n tag stig_id: 'UBTU-20-010447 '\n tag fix_id: 'F-41537r654278_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/,\n }\n describe.one do\n describe command('dmesg | grep NX').stdout.strip do\n it { should match(/.+(NX \\(Execute Disable\\) protection: active)/) }\n end\n describe parse_config_file('/proc/cpuinfo', options).flags.split(' ') do\n it { should include 'nx' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238368.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:33-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238369","title":"The Ubuntu operating system must implement address space layout randomization to protect\nits memory from unauthorized code execution. ","desc":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks.","descriptions":[{"label":"default","data":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks."},{"label":"check","data":"Verify the Ubuntu operating system implements address space layout randomization (ASLR)\nwith the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\n\nkernel.randomize_va_space = 2\n\nIf nothing is returned, verify the kernel parameter\n\"randomize_va_space\" is set to \"2\" with the following command:\n\n$ cat\n/proc/sys/kernel/randomize_va_space\n\n2\n\nIf \"kernel.randomize_va_space\" is not set to\n\"2\", this is a finding.\n\nVerify that a saved value of the \"kernel.randomize_va_space\"\nvariable is not defined.\n\n$ sudo egrep -R \"^kernel.randomize_va_space=[^2]\"\n/etc/sysctl.conf /etc/sysctl.d\n\nIf this returns a result, this is a finding."},{"label":"fix","data":"Remove the \"kernel.randomize_va_space\" entry found in the \"/etc/sysctl.conf\" file or any\nfile located in the \"/etc/sysctl.d/\" directory.\n\nAfter the line has been removed, the\nkernel settings from all system configuration files must be reloaded before any of the\nchanges will take effect. Run the following command to reload all of the kernel system\nconfiguration files:\n\n$ sudo sysctl --system"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000433-GPOS-00193 ","gid":"V-238369 ","rid":"SV-238369r853446_rule ","stig_id":"UBTU-20-010448 ","fix_id":"F-41538r654281_fix ","cci":["CCI-002824"],"nist":["SI-16"]},"code":"control 'SV-238369' do\n title \"The Ubuntu operating system must implement address space layout randomization to protect\nits memory from unauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the Ubuntu operating system implements address space layout randomization (ASLR)\nwith the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\n\nkernel.randomize_va_space = 2\n\nIf nothing is returned, verify the kernel parameter\n\\\"randomize_va_space\\\" is set to \\\"2\\\" with the following command:\n\n$ cat\n/proc/sys/kernel/randomize_va_space\n\n2\n\nIf \\\"kernel.randomize_va_space\\\" is not set to\n\\\"2\\\", this is a finding.\n\nVerify that a saved value of the \\\"kernel.randomize_va_space\\\"\nvariable is not defined.\n\n$ sudo egrep -R \\\"^kernel.randomize_va_space=[^2]\\\"\n/etc/sysctl.conf /etc/sysctl.d\n\nIf this returns a result, this is a finding. \"\n desc 'fix', \"Remove the \\\"kernel.randomize_va_space\\\" entry found in the \\\"/etc/sysctl.conf\\\" file or any\nfile located in the \\\"/etc/sysctl.d/\\\" directory.\n\nAfter the line has been removed, the\nkernel settings from all system configuration files must be reloaded before any of the\nchanges will take effect. Run the following command to reload all of the kernel system\nconfiguration files:\n\n$ sudo sysctl --system \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00193 '\n tag gid: 'V-238369 '\n tag rid: 'SV-238369r853446_rule '\n tag stig_id: 'UBTU-20-010448 '\n tag fix_id: 'F-41538r654281_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n\n describe kernel_parameter('kernel.randomize_va_space') do\n its('value') { should cmp 2 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238369.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Kernel Parameter kernel.randomize_va_space value is expected to cmp == 2","run_time":0.047579,"start_time":"2022-12-08T20:52:33-05:00","resource_class":"kernel_parameter","resource_params":"[\"kernel.randomize_va_space\"]","resource_id":"kernel.randomize_va_space"}]},{"id":"SV-238370","title":"The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. ","desc":"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system.","descriptions":[{"label":"default","data":"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system."},{"label":"check","data":"Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";\n\nIf the\n\"::Remove-Unused-Dependencies\" and \"::Remove-Unused-Kernel-Packages\" parameters are\nnot set to \"true\" or are missing or commented out, this is a finding."},{"label":"fix","data":"Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\"/etc/apt/apt.conf.d/50unattended-upgrades\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000437-GPOS-00194 ","gid":"V-238370 ","rid":"SV-238370r853447_rule ","stig_id":"UBTU-20-010449 ","fix_id":"F-41539r654284_fix ","cci":["CCI-002617"],"nist":["SI-2 (6)"]},"code":"control 'SV-238370' do\n title \"The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. \"\n desc \"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system. \"\n desc 'check', \"Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\";\n\nIf the\n\\\"::Remove-Unused-Dependencies\\\" and \\\"::Remove-Unused-Kernel-Packages\\\" parameters are\nnot set to \\\"true\\\" or are missing or commented out, this is a finding. \"\n desc 'fix', \"Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\\\"/etc/apt/apt.conf.d/50unattended-upgrades\\\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000437-GPOS-00194 '\n tag gid: 'V-238370 '\n tag rid: 'SV-238370r853447_rule '\n tag stig_id: 'UBTU-20-010449 '\n tag fix_id: 'F-41539r654284_fix '\n tag cci: ['CCI-002617']\n tag nist: ['SI-2 (6)']\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n describe command('grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades').stdout.strip do\n it { should match(/^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/) }\n it { should match(/^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/) }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238370.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /etc/apt/apt.conf.d is expected to exist","run_time":0.000287,"start_time":"2022-12-08T20:52:33-05:00","resource_class":"directory","resource_params":"[\"/etc/apt/apt.conf.d\"]","resource_id":"/etc/apt/apt.conf.d"},{"status":"failed","code_desc":"is expected to match /^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/","run_time":0.000805,"start_time":"2022-12-08T20:52:33-05:00","message":"expected \"\" to match /^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/\nDiff:\n@@ -1 +1 @@\n-/^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/\n+\"\"\n","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected to match /^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/","run_time":0.000391,"start_time":"2022-12-08T20:52:33-05:00","message":"expected \"\" to match /^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/\nDiff:\n@@ -1 +1 @@\n-/^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/\n+\"\"\n","resource_class":"Object","resource_params":"[]","resource_id":""}]},{"id":"SV-238371","title":"The Ubuntu operating system must use a file integrity tool to verify correct operation of all\nsecurity functions. ","desc":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality.","descriptions":[{"label":"default","data":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the\ncorrect operation of all security functions.\n\nCheck that the AIDE package is installed with\nthe following command:\n\n$ sudo dpkg -l | grep aide\nii aide 0.16.1-1build2 amd64 Advanced\nIntrusion Detection Environment - static binary\n\nIf AIDE is not installed, ask the System\nAdministrator how file integrity checks are performed on the system.\n\nIf no application is\ninstalled to perform integrity checks, this is a finding."},{"label":"fix","data":"Install the AIDE package by running the following command:\n\n$ sudo apt-get install aide"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000445-GPOS-00199 ","gid":"V-238371 ","rid":"SV-238371r853448_rule ","stig_id":"UBTU-20-010450 ","fix_id":"F-41540r654287_fix ","cci":["CCI-002696"],"nist":["SI-6 a"]},"code":"control 'SV-238371' do\n title \"The Ubuntu operating system must use a file integrity tool to verify correct operation of all\nsecurity functions. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the\ncorrect operation of all security functions.\n\nCheck that the AIDE package is installed with\nthe following command:\n\n$ sudo dpkg -l | grep aide\nii aide 0.16.1-1build2 amd64 Advanced\nIntrusion Detection Environment - static binary\n\nIf AIDE is not installed, ask the System\nAdministrator how file integrity checks are performed on the system.\n\nIf no application is\ninstalled to perform integrity checks, this is a finding. \"\n desc 'fix', \"Install the AIDE package by running the following command:\n\n$ sudo apt-get install aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000445-GPOS-00199 '\n tag gid: 'V-238371 '\n tag rid: 'SV-238371r853448_rule '\n tag stig_id: 'UBTU-20-010450 '\n tag fix_id: 'F-41540r654287_fix '\n tag cci: ['CCI-002696']\n tag nist: ['SI-6 a']\n\n describe package('aide') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238371.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package aide is expected to be installed","run_time":0.038009,"start_time":"2022-12-08T20:52:33-05:00","message":"expected that `System Package aide` is installed","resource_class":"package","resource_params":"[\"aide\"]","resource_id":"aide"}]},{"id":"SV-238372","title":"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. ","desc":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item.","descriptions":[{"label":"default","data":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \"yes\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \"SILENTREPORTS\"\nparameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000447-GPOS-00201 ","gid":"V-238372 ","rid":"SV-238372r853449_rule ","stig_id":"UBTU-20-010451 ","fix_id":"F-41541r654290_fix ","cci":["CCI-002702"],"nist":["SI-6 d"]},"code":"control 'SV-238372' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \\\"yes\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000447-GPOS-00201 '\n tag gid: 'V-238372 '\n tag rid: 'SV-238372r853449_rule '\n tag stig_id: 'UBTU-20-010451 '\n tag fix_id: 'F-41541r654290_fix '\n tag cci: ['CCI-002702']\n tag nist: ['SI-6 d']\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238372.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /etc/default/aide is expected to exist","run_time":0.000211,"start_time":"2022-12-08T20:52:33-05:00","message":"expected File /etc/default/aide to exist","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"},{"status":"failed","code_desc":"File /etc/default/aide content is expected to match \"^SILENTREPORTS=no$\"","run_time":0.000183,"start_time":"2022-12-08T20:52:33-05:00","message":"expected nil to match \"^SILENTREPORTS=no$\"","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"}]},{"id":"SV-238373","title":"The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. ","desc":"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections.","descriptions":[{"label":"default","data":"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections."},{"label":"check","data":"Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\"pam_lastlog\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \"pam_lastlog\" is\nmissing from \"/etc/pam.d/login\" file, is not \"required\", or the \"silent\" option is present,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\"/etc/pam.d/login\".\n\nAdd the following line to the top of \"/etc/pam.d/login\":\n\nsession\nrequired pam_lastlog.so showfailed"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238373 ","rid":"SV-238373r858539_rule ","stig_id":"UBTU-20-010453 ","fix_id":"F-41542r654293_fix ","cci":["CCI-000052"],"nist":["AC-9"]},"code":"control 'SV-238373' do\n title \"The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. \"\n desc \"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections. \"\n desc 'check', \"Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\\\"pam_lastlog\\\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \\\"pam_lastlog\\\" is\nmissing from \\\"/etc/pam.d/login\\\" file, is not \\\"required\\\", or the \\\"silent\\\" option is present,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\\\"/etc/pam.d/login\\\".\n\nAdd the following line to the top of \\\"/etc/pam.d/login\\\":\n\nsession\nrequired pam_lastlog.so showfailed \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238373 '\n tag rid: 'SV-238373r858539_rule '\n tag stig_id: 'UBTU-20-010453 '\n tag fix_id: 'F-41542r654293_fix '\n tag cci: ['CCI-000052']\n tag nist: ['AC-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep pam_lastlog /etc/pam.d/login') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*session\\s+required\\s+pam_lastlog.so/) }\n its('stdout.strip') { should_not match(/^\\s*session\\s+required\\s+pam_lastlog.so[\\s\\w\\d\\=]+.*silent/) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238373.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":7.0e-06,"start_time":"2022-12-08T20:52:33-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238374","title":"The Ubuntu operating system must have an application firewall enabled. ","desc":"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network.","descriptions":[{"label":"default","data":"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network."},{"label":"check","data":"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl status ufw.service | grep -i \"active:\"\n\nActive: active (exited) since Mon\n2016-10-17 12:30:29 CDT; 1s ago\n\nIf the above command returns the status as \"inactive\", this\nis a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator\nif another application firewall is installed. If no application firewall is installed, this\nis a finding."},{"label":"fix","data":"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\nufw.service\n\nIf the Uncomplicated Firewall is not currently running on the system, start it\nwith the following command:\n\n$ sudo systemctl start ufw.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00232 ","gid":"V-238374 ","rid":"SV-238374r654297_rule ","stig_id":"UBTU-20-010454 ","fix_id":"F-41543r654296_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238374' do\n title 'The Ubuntu operating system must have an application firewall enabled. '\n desc \"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network. \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl status ufw.service | grep -i \\\"active:\\\"\n\nActive: active (exited) since Mon\n2016-10-17 12:30:29 CDT; 1s ago\n\nIf the above command returns the status as \\\"inactive\\\", this\nis a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator\nif another application firewall is installed. If no application firewall is installed, this\nis a finding. \"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\nufw.service\n\nIf the Uncomplicated Firewall is not currently running on the system, start it\nwith the following command:\n\n$ sudo systemctl start ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00232 '\n tag gid: 'V-238374 '\n tag rid: 'SV-238374r654297_rule '\n tag stig_id: 'UBTU-20-010454 '\n tag fix_id: 'F-41543r654296_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238374.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service ufw is expected to be installed","run_time":0.000263,"start_time":"2022-12-08T20:52:33-05:00","message":"expected that `Service ufw` is installed","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be enabled","run_time":0.000173,"start_time":"2022-12-08T20:52:33-05:00","message":"expected that `Service ufw` is enabled","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be running","run_time":0.000174,"start_time":"2022-12-08T20:52:33-05:00","message":"expected that `Service ufw` is running","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"}]},{"id":"SV-238376","title":"The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. ","desc":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system commands contained in the following directories have mode 0755 or less\npermissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\n\nCheck that the system command files have mode 0755 or less permissive with the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec stat -c \"%n %a\" '{}' \\;\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding."},{"label":"fix","data":"Configure the system commands to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec chmod 755 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238376 ","rid":"SV-238376r654303_rule ","stig_id":"UBTU-20-010456 ","fix_id":"F-41545r654302_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238376' do\n title 'The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. '\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories have mode 0755 or less\npermissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\n\nCheck that the system command files have mode 0755 or less permissive with the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. \"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238376 '\n tag rid: 'SV-238376r654303_rule '\n tag stig_id: 'UBTU-20-010456 '\n tag fix_id: 'F-41545r654302_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238376.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755 count is expected to eq 0","run_time":0.000129,"start_time":"2022-12-08T20:52:33-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238377","title":"The Ubuntu operating system must have system commands owned by root or a system account. ","desc":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system commands contained in the following directories are owned by root, or a\nrequired system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nUse the following command for the check:\n\n$ sudo find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \"%n %U\"\n'{}' \\;\n\nIf any system commands are returned and are not owned by a required system account,\nthis is a finding."},{"label":"fix","data":"Configure the system commands and their respective parent directories to be protected from\nunauthorized access. Run the following command, replacing \"[FILE]\" with any system command\nfile not owned by \"root\" or a required system account:\n\n$ sudo chown root [FILE]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238377 ","rid":"SV-238377r832968_rule ","stig_id":"UBTU-20-010457 ","fix_id":"F-41546r832967_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238377' do\n title 'The Ubuntu operating system must have system commands owned by root or a system account. '\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories are owned by root, or a\nrequired system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nUse the following command for the check:\n\n$ sudo find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \\\"%n %U\\\"\n'{}' \\\\;\n\nIf any system commands are returned and are not owned by a required system account,\nthis is a finding. \"\n desc 'fix', \"Configure the system commands and their respective parent directories to be protected from\nunauthorized access. Run the following command, replacing \\\"[FILE]\\\" with any system command\nfile not owned by \\\"root\\\" or a required system account:\n\n$ sudo chown root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238377 '\n tag rid: 'SV-238377r832968_rule '\n tag stig_id: 'UBTU-20-010457 '\n tag fix_id: 'F-41546r832967_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238377.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root count is expected to eq 0","run_time":0.000106,"start_time":"2022-12-08T20:52:33-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238378","title":"The Ubuntu operating system must have system commands group-owned by root or a system\naccount. ","desc":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system commands contained in the following directories are group-owned by root or\na required system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nRun the check with the following command:\n\n$ sudo find -L /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec\nstat -c \"%n %G\" '{}' \\;\n\nIf any system commands are returned that are not Set Group ID upon\nexecution (SGID) files and group-owned by a required system account, this is a finding."},{"label":"fix","data":"Configure the system commands to be protected from unauthorized access. Run the following\ncommand, replacing \"[FILE]\" with any system command file not group-owned by \"root\" or a\nrequired system account:\n\n$ sudo chgrp root [FILE]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238378 ","rid":"SV-238378r832971_rule ","stig_id":"UBTU-20-010458 ","fix_id":"F-41547r832970_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238378' do\n title \"The Ubuntu operating system must have system commands group-owned by root or a system\naccount. \"\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories are group-owned by root or\na required system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nRun the check with the following command:\n\n$ sudo find -L /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec\nstat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands are returned that are not Set Group ID upon\nexecution (SGID) files and group-owned by a required system account, this is a finding. \"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. Run the following\ncommand, replacing \\\"[FILE]\\\" with any system command file not group-owned by \\\"root\\\" or a\nrequired system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238378 '\n tag rid: 'SV-238378r832971_rule '\n tag stig_id: 'UBTU-20-010458 '\n tag fix_id: 'F-41547r832970_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -perm /2000 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are not Set Group ID up on execution (SGID) files and owned by a privileged account' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238378.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are not Set Group ID up on execution (SGID) files and owned by a privileged account count is expected to eq 0","run_time":0.000102,"start_time":"2022-12-08T20:52:33-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238379","title":"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. ","desc":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken.","descriptions":[{"label":"default","data":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken."},{"label":"check","data":"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \"logout\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \"logout\" key is bound to an action, is\ncommented out, or is missing, this is a finding."},{"label":"fix","data":"Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update"}],"impact":0.0,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238379 ","rid":"SV-238379r654312_rule ","stig_id":"UBTU-20-010459 ","fix_id":"F-41548r654311_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238379' do\n title \"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. \"\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \\\"logout\\\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \\\"logout\\\" key is bound to an action, is\ncommented out, or is missing, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238379 '\n tag rid: 'SV-238379r654312_rule '\n tag stig_id: 'UBTU-20-010459 '\n tag fix_id: 'F-41548r654311_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe command(\"grep -R logout='' /etc/dconf/db/local.d/\").stdout.strip.split(\"\\n\").entries do\n its('count') { should_not eq 0 }\n end\n else\n impact 0.0\n describe command('which Xorg').exit_status do\n skip('This control is Not Applicable since a GUI not installed.')\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238379.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"1","run_time":4.0e-06,"start_time":"2022-12-08T20:52:33-05:00","resource":"1","skip_message":"This control is Not Applicable since a GUI not installed.","resource_class":"Numeric","resource_params":"[]","resource_id":""}]},{"id":"SV-238380","title":"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. ","desc":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot.","descriptions":[{"label":"default","data":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot."},{"label":"check","data":"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\nCheck that the \"ctrl-alt-del.target\" (otherwise also known\nas reboot.target) is not active with the following command:\n\n$ sudo systemctl status\nctrl-alt-del.target\nctrl-alt-del.target\nLoaded: masked (Reason: Unit\nctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \"ctrl-alt-del.target\"\nis not masked, this is a finding."},{"label":"fix","data":"Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the\nfollowing commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl\nmask ctrl-alt-del.target\n\nReload the daemon to take effect:\n\n$ sudo systemctl\ndaemon-reload"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238380 ","rid":"SV-238380r832974_rule ","stig_id":"UBTU-20-010460 ","fix_id":"F-41549r832973_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238380' do\n title 'The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. '\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\nCheck that the \\\"ctrl-alt-del.target\\\" (otherwise also known\nas reboot.target) is not active with the following command:\n\n$ sudo systemctl status\nctrl-alt-del.target\nctrl-alt-del.target\nLoaded: masked (Reason: Unit\nctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \\\"ctrl-alt-del.target\\\"\nis not masked, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the\nfollowing commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl\nmask ctrl-alt-del.target\n\nReload the daemon to take effect:\n\n$ sudo systemctl\ndaemon-reload \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238380 '\n tag rid: 'SV-238380r832974_rule '\n tag stig_id: 'UBTU-20-010460 '\n tag fix_id: 'F-41549r832973_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe service('ctrl-alt-del.target') do\n it { should_not be_running }\n it { should_not be_enabled }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238380.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Service ctrl-alt-del.target is expected not to be running","run_time":0.042606,"start_time":"2022-12-08T20:52:33-05:00","resource_class":"service","resource_params":"[\"ctrl-alt-del.target\"]","resource_id":"ctrl-alt-del.target"},{"status":"passed","code_desc":"Service ctrl-alt-del.target is expected not to be enabled","run_time":0.000285,"start_time":"2022-12-08T20:52:33-05:00","resource_class":"service","resource_params":"[\"ctrl-alt-del.target\"]","resource_id":"ctrl-alt-del.target"}]},{"id":"SV-251503","title":"The Ubuntu operating system must not have accounts configured with blank or null passwords. ","desc":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.","descriptions":[{"label":"default","data":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments."},{"label":"check","data":"Check the \"/etc/shadow\" file for blank passwords with the following command:\n\n$ sudo awk -F:\n'!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding."},{"label":"fix","data":"Configure all accounts on the system to have a password or lock the account with the following\ncommands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo\npasswd -l [username]"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-251503 ","rid":"SV-251503r808506_rule ","stig_id":"UBTU-20-010462 ","fix_id":"F-54892r808505_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-251503' do\n title 'The Ubuntu operating system must not have accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"Check the \\\"/etc/shadow\\\" file for blank passwords with the following command:\n\n$ sudo awk -F:\n'!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding. \"\n desc 'fix', \"Configure all accounts on the system to have a password or lock the account with the following\ncommands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo\npasswd -l [username] \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251503 '\n tag rid: 'SV-251503r808506_rule '\n tag stig_id: 'UBTU-20-010462 '\n tag fix_id: 'F-54892r808505_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe command(\"sudo awk -F: '!$2 {print $1}' /etc/shadow\") do\n its('stdout') { should be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-251503.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Command: `sudo awk -F: '!$2 {print $1}' /etc/shadow` stdout is expected to be empty","run_time":0.043727,"start_time":"2022-12-08T20:52:33-05:00","resource_class":"command","resource_params":"[\"sudo awk -F: '!$2 {print $1}' /etc/shadow\"]","resource_id":"Command: `sudo awk -F: '!$2 {print $1}' /etc/shadow`"}]},{"id":"SV-251504","title":"The Ubuntu operating system must not allow accounts configured with blank or null passwords. ","desc":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.","descriptions":[{"label":"default","data":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments."},{"label":"check","data":"To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding."},{"label":"fix","data":"If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \"nullok\" option in \"/etc/pam.d/common-password\" to prevent logons with\nempty passwords."}],"impact":0.0,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-251504 ","rid":"SV-251504r832977_rule ","stig_id":"UBTU-20-010463 ","fix_id":"F-54893r832976_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-251504' do\n title 'The Ubuntu operating system must not allow accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding. \"\n desc 'fix', \"If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \\\"nullok\\\" option in \\\"/etc/pam.d/common-password\\\" to prevent logons with\nempty passwords. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251504 '\n tag rid: 'SV-251504r832977_rule '\n tag stig_id: 'UBTU-20-010463 '\n tag fix_id: 'F-54893r832976_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep nullok /etc/pam.d/common-password') do\n its('stdout') { should be_empty }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-251504.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.2e-05,"start_time":"2022-12-08T20:52:33-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-251505","title":"The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB)\nmass storage driver. ","desc":"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers.","descriptions":[{"label":"default","data":"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers."},{"label":"check","data":"Verify that Ubuntu operating system disables ability to load the USB storage kernel\nmodule.\n\n# grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\"\n\ninstall usb-storage\n/bin/true\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding.\n\nVerify the operating system disables the ability to use USB mass storage\ndevice.\n\n# grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"\n\nblacklist\nusb-storage\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to disable using the USB storage kernel module.\n\n\nCreate a file under \"/etc/modprobe.d\" to contain the following:\n\n# sudo su -c \"echo\ninstall usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\"\n\nConfigure the\noperating system to disable the ability to use USB mass storage devices.\n\n# sudo su -c \"echo\nblacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\""}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000378-GPOS-00163 ","gid":"V-251505 ","rid":"SV-251505r853450_rule ","stig_id":"UBTU-20-010461 ","fix_id":"F-54894r808511_fix ","cci":["CCI-001958"],"nist":["IA-3"]},"code":"control 'SV-251505' do\n title \"The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB)\nmass storage driver. \"\n desc \"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers. \"\n desc 'check', \"Verify that Ubuntu operating system disables ability to load the USB storage kernel\nmodule.\n\n# grep usb-storage /etc/modprobe.d/* | grep \\\"/bin/true\\\"\n\ninstall usb-storage\n/bin/true\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding.\n\nVerify the operating system disables the ability to use USB mass storage\ndevice.\n\n# grep usb-storage /etc/modprobe.d/* | grep -i \\\"blacklist\\\"\n\nblacklist\nusb-storage\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable using the USB storage kernel module.\n\n\nCreate a file under \\\"/etc/modprobe.d\\\" to contain the following:\n\n# sudo su -c \\\"echo\ninstall usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\\\"\n\nConfigure the\noperating system to disable the ability to use USB mass storage devices.\n\n# sudo su -c \\\"echo\nblacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\\\" \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000378-GPOS-00163 '\n tag gid: 'V-251505 '\n tag rid: 'SV-251505r853450_rule '\n tag stig_id: 'UBTU-20-010461 '\n tag fix_id: 'F-54894r808511_fix '\n tag cci: ['CCI-001958']\n tag nist: ['IA-3']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\"') do\n its('stdout') { should_not be_empty }\n end\n\n describe command('grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"') do\n its('stdout') { should_not be_empty }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-251505.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":9.0e-06,"start_time":"2022-12-08T20:52:33-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-252704","title":"The Ubuntu operating system must disable all wireless network adapters. ","desc":"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required.","descriptions":[{"label":"default","data":"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required."},{"label":"check","data":"Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding."},{"label":"fix","data":"List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \"/etc/modprobe.d\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name>"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000481-GPOS-00481 ","gid":"V-252704 ","rid":"SV-252704r854182_rule ","stig_id":"UBTU-20-010455 ","fix_id":"F-56110r819056_fix ","cci":["CCI-002418"],"nist":["SC-8"]},"code":"control 'SV-252704' do\n title 'The Ubuntu operating system must disable all wireless network adapters. '\n desc \"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required. \"\n desc 'check', \"Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding. \"\n desc 'fix', \"List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \\\"/etc/modprobe.d\\\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000481-GPOS-00481 '\n tag gid: 'V-252704 '\n tag rid: 'SV-252704r854182_rule '\n tag stig_id: 'UBTU-20-010455 '\n tag fix_id: 'F-56110r819056_fix '\n tag cci: ['CCI-002418']\n tag nist: ['SC-8']\n\n describe command('ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename') do\n its('stdout.lines') { should be_in input('approved_wireless_interfaces') }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-252704.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Command: `ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename` stdout.lines is expected to be in","run_time":0.041532,"start_time":"2022-12-08T20:52:33-05:00","resource_class":"command","resource_params":"[\"ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename\"]","resource_id":"Command: `ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename`"}]}],"status":"loaded","status_message":""}],"statistics":{"duration":2.124244},"version":"5.18.14"} \ No newline at end of file diff --git a/inspec-test-docker.sh b/inspec-test-docker.sh index 23d7e50..b452a2a 100755 --- a/inspec-test-docker.sh +++ b/inspec-test-docker.sh @@ -28,5 +28,15 @@ saf view summary -i hardened.json echo "VALIDATE: validating vanilla results passed thresholds. . ." saf validate:threshold -i vanilla.json -F container.vanilla.threshold.yml +echo "Generate scan report for vanilla" +saf generate:threshold -i vanilla.json -c -o vanilla-report.md +sed -i '' '1s/^/```yaml\'$'\n/' vanilla-report.md +echo '```' | tee -a vanilla-report.md + echo "VALIDATE: validating hardened results passed thresholds. . ." -saf validate:threshold -i hardened.json -F container.hardened.threshold.yml \ No newline at end of file +saf validate:threshold -i hardened.json -F container.hardened.threshold.yml + +echo "Generate scan report for hardened scan" +saf generate:threshold -i hardened.json -c -o hardened-report.md +sed -i '' '1s/^/```yaml\'$'\n/' hardened-report.md +echo '```' | tee -a hardened-report.md diff --git a/vanilla.json b/vanilla.json deleted file mode 100644 index f5c62e1..0000000 --- a/vanilla.json +++ /dev/null @@ -1 +0,0 @@ -{"platform":{"name":"ubuntu","release":"20.04","target_id":"da39a3ee-5e6b-5b0d-b255-bfef95601890"},"profiles":[{"name":"Canonical_Ubuntu_20-04_LTS_STIG","version":"0.1.0","sha256":"4c6fcd4075dfd8c5d6674624d6b3b02e38d310555aa685100b5e6d116318f4b6","title":"Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide","maintainer":"Nitin Ravindran","summary":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.","license":"Apache-2.0","copyright":"Nitin Ravindran","copyright_email":"nravindran@vmware.com","supports":[{"platform-name":"ubuntu","release":"20.04"}],"attributes":[{"name":"temporary_accounts","options":{"type":"Array","value":[]}},{"name":"banner_text","options":{"type":"String","value":"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."}},{"name":"sudo_accounts","options":{"type":"Array","value":["ubuntu"]}},{"name":"tmout","options":{"type":"Numeric","value":600}},{"name":"action_mail_acct","options":{"type":"String","value":"root"}},{"name":"audit_tools","options":{"type":"Array","value":["/sbin/auditctl","/sbin/aureport","/sbin/ausearch","/sbin/autrace","/sbin/auditd","/sbin/audispd","/sbin/augenrules"]}},{"name":"standard_audit_log_size","options":{"type":"Numeric","value":8894028}},{"name":"aide_conf_path","options":{"type":"String","value":"/etc/aide/aide.conf"}},{"name":"maxlogins","options":{"type":"Numeric","value":10}},{"name":"is_kdump_required","options":{"type":"Boolean","value":false}},{"name":"is_system_networked","options":{"type":"Boolean","value":true}},{"name":"sssd_conf_path","options":{"type":"String","value":"/etc/sssd/sssd.conf"}},{"name":"allowed_ca_fingerprints_regex","options":{"type":"String","value":"(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)"}},{"name":"allowed_network_interfaces","options":{"type":"Array","value":["lo","eth0"]}},{"name":"audit_sp_remote_server","options":{"type":"String","value":"192.0.0.1"}},{"name":"approved_wireless_interfaces","options":{"type":"Array","value":[]}},{"name":"fips_config_file","options":{"type":"String","value":"/proc/sys/crypto/fips_enabled"}},{"name":"chrony_config_file","options":{"type":"String","value":"/etc/chrony/chrony.conf"}},{"name":"useradd_config_file","options":{"type":"String","value":"/etc/default/useradd"}},{"name":"rsyslog_config_file","options":{"type":"String","value":"/etc/rsyslog.d/50-default.conf"}},{"name":"auditoffload_config_file","options":{"type":"String","value":"/etc/cron.weekly/audit-offload"}},{"name":"audispremote_config_file","options":{"type":"String","value":"/etc/audisp/plugins.d/au-remote.conf"}},{"name":"gdm3_config_file","options":{"type":"String","value":"/etc/gdm3/greeter.dconf-defaults"}},{"name":"disable_fips","options":{"type":"Boolean","value":false}},{"name":"pki_disabled","options":{"type":"Boolean","value":false}}],"groups":[{"id":"controls/SV-238196.rb","controls":["SV-238196"]},{"id":"controls/SV-238197.rb","controls":["SV-238197"]},{"id":"controls/SV-238198.rb","controls":["SV-238198"]},{"id":"controls/SV-238199.rb","controls":["SV-238199"]},{"id":"controls/SV-238200.rb","controls":["SV-238200"]},{"id":"controls/SV-238201.rb","controls":["SV-238201"]},{"id":"controls/SV-238202.rb","controls":["SV-238202"]},{"id":"controls/SV-238203.rb","controls":["SV-238203"]},{"id":"controls/SV-238204.rb","controls":["SV-238204"]},{"id":"controls/SV-238205.rb","controls":["SV-238205"]},{"id":"controls/SV-238206.rb","controls":["SV-238206"]},{"id":"controls/SV-238207.rb","controls":["SV-238207"]},{"id":"controls/SV-238208.rb","controls":["SV-238208"]},{"id":"controls/SV-238209.rb","controls":["SV-238209"]},{"id":"controls/SV-238210.rb","controls":["SV-238210"]},{"id":"controls/SV-238211.rb","controls":["SV-238211"]},{"id":"controls/SV-238212.rb","controls":["SV-238212"]},{"id":"controls/SV-238213.rb","controls":["SV-238213"]},{"id":"controls/SV-238214.rb","controls":["SV-238214"]},{"id":"controls/SV-238215.rb","controls":["SV-238215"]},{"id":"controls/SV-238216.rb","controls":["SV-238216"]},{"id":"controls/SV-238217.rb","controls":["SV-238217"]},{"id":"controls/SV-238218.rb","controls":["SV-238218"]},{"id":"controls/SV-238219.rb","controls":["SV-238219"]},{"id":"controls/SV-238220.rb","controls":["SV-238220"]},{"id":"controls/SV-238221.rb","controls":["SV-238221"]},{"id":"controls/SV-238222.rb","controls":["SV-238222"]},{"id":"controls/SV-238223.rb","controls":["SV-238223"]},{"id":"controls/SV-238224.rb","controls":["SV-238224"]},{"id":"controls/SV-238225.rb","controls":["SV-238225"]},{"id":"controls/SV-238226.rb","controls":["SV-238226"]},{"id":"controls/SV-238227.rb","controls":["SV-238227"]},{"id":"controls/SV-238228.rb","controls":["SV-238228"]},{"id":"controls/SV-238229.rb","controls":["SV-238229"]},{"id":"controls/SV-238230.rb","controls":["SV-238230"]},{"id":"controls/SV-238231.rb","controls":["SV-238231"]},{"id":"controls/SV-238232.rb","controls":["SV-238232"]},{"id":"controls/SV-238233.rb","controls":["SV-238233"]},{"id":"controls/SV-238234.rb","controls":["SV-238234"]},{"id":"controls/SV-238235.rb","controls":["SV-238235"]},{"id":"controls/SV-238236.rb","controls":["SV-238236"]},{"id":"controls/SV-238237.rb","controls":["SV-238237"]},{"id":"controls/SV-238238.rb","controls":["SV-238238"]},{"id":"controls/SV-238239.rb","controls":["SV-238239"]},{"id":"controls/SV-238240.rb","controls":["SV-238240"]},{"id":"controls/SV-238241.rb","controls":["SV-238241"]},{"id":"controls/SV-238242.rb","controls":["SV-238242"]},{"id":"controls/SV-238243.rb","controls":["SV-238243"]},{"id":"controls/SV-238244.rb","controls":["SV-238244"]},{"id":"controls/SV-238245.rb","controls":["SV-238245"]},{"id":"controls/SV-238246.rb","controls":["SV-238246"]},{"id":"controls/SV-238247.rb","controls":["SV-238247"]},{"id":"controls/SV-238248.rb","controls":["SV-238248"]},{"id":"controls/SV-238249.rb","controls":["SV-238249"]},{"id":"controls/SV-238250.rb","controls":["SV-238250"]},{"id":"controls/SV-238251.rb","controls":["SV-238251"]},{"id":"controls/SV-238252.rb","controls":["SV-238252"]},{"id":"controls/SV-238253.rb","controls":["SV-238253"]},{"id":"controls/SV-238254.rb","controls":["SV-238254"]},{"id":"controls/SV-238255.rb","controls":["SV-238255"]},{"id":"controls/SV-238256.rb","controls":["SV-238256"]},{"id":"controls/SV-238257.rb","controls":["SV-238257"]},{"id":"controls/SV-238258.rb","controls":["SV-238258"]},{"id":"controls/SV-238264.rb","controls":["SV-238264"]},{"id":"controls/SV-238268.rb","controls":["SV-238268"]},{"id":"controls/SV-238271.rb","controls":["SV-238271"]},{"id":"controls/SV-238277.rb","controls":["SV-238277"]},{"id":"controls/SV-238278.rb","controls":["SV-238278"]},{"id":"controls/SV-238279.rb","controls":["SV-238279"]},{"id":"controls/SV-238280.rb","controls":["SV-238280"]},{"id":"controls/SV-238281.rb","controls":["SV-238281"]},{"id":"controls/SV-238282.rb","controls":["SV-238282"]},{"id":"controls/SV-238283.rb","controls":["SV-238283"]},{"id":"controls/SV-238284.rb","controls":["SV-238284"]},{"id":"controls/SV-238285.rb","controls":["SV-238285"]},{"id":"controls/SV-238286.rb","controls":["SV-238286"]},{"id":"controls/SV-238287.rb","controls":["SV-238287"]},{"id":"controls/SV-238288.rb","controls":["SV-238288"]},{"id":"controls/SV-238289.rb","controls":["SV-238289"]},{"id":"controls/SV-238290.rb","controls":["SV-238290"]},{"id":"controls/SV-238291.rb","controls":["SV-238291"]},{"id":"controls/SV-238292.rb","controls":["SV-238292"]},{"id":"controls/SV-238293.rb","controls":["SV-238293"]},{"id":"controls/SV-238294.rb","controls":["SV-238294"]},{"id":"controls/SV-238295.rb","controls":["SV-238295"]},{"id":"controls/SV-238297.rb","controls":["SV-238297"]},{"id":"controls/SV-238298.rb","controls":["SV-238298"]},{"id":"controls/SV-238299.rb","controls":["SV-238299"]},{"id":"controls/SV-238300.rb","controls":["SV-238300"]},{"id":"controls/SV-238301.rb","controls":["SV-238301"]},{"id":"controls/SV-238302.rb","controls":["SV-238302"]},{"id":"controls/SV-238303.rb","controls":["SV-238303"]},{"id":"controls/SV-238304.rb","controls":["SV-238304"]},{"id":"controls/SV-238305.rb","controls":["SV-238305"]},{"id":"controls/SV-238306.rb","controls":["SV-238306"]},{"id":"controls/SV-238307.rb","controls":["SV-238307"]},{"id":"controls/SV-238308.rb","controls":["SV-238308"]},{"id":"controls/SV-238309.rb","controls":["SV-238309"]},{"id":"controls/SV-238310.rb","controls":["SV-238310"]},{"id":"controls/SV-238315.rb","controls":["SV-238315"]},{"id":"controls/SV-238316.rb","controls":["SV-238316"]},{"id":"controls/SV-238317.rb","controls":["SV-238317"]},{"id":"controls/SV-238318.rb","controls":["SV-238318"]},{"id":"controls/SV-238319.rb","controls":["SV-238319"]},{"id":"controls/SV-238320.rb","controls":["SV-238320"]},{"id":"controls/SV-238321.rb","controls":["SV-238321"]},{"id":"controls/SV-238323.rb","controls":["SV-238323"]},{"id":"controls/SV-238324.rb","controls":["SV-238324"]},{"id":"controls/SV-238325.rb","controls":["SV-238325"]},{"id":"controls/SV-238326.rb","controls":["SV-238326"]},{"id":"controls/SV-238327.rb","controls":["SV-238327"]},{"id":"controls/SV-238328.rb","controls":["SV-238328"]},{"id":"controls/SV-238329.rb","controls":["SV-238329"]},{"id":"controls/SV-238330.rb","controls":["SV-238330"]},{"id":"controls/SV-238331.rb","controls":["SV-238331"]},{"id":"controls/SV-238332.rb","controls":["SV-238332"]},{"id":"controls/SV-238333.rb","controls":["SV-238333"]},{"id":"controls/SV-238334.rb","controls":["SV-238334"]},{"id":"controls/SV-238335.rb","controls":["SV-238335"]},{"id":"controls/SV-238336.rb","controls":["SV-238336"]},{"id":"controls/SV-238337.rb","controls":["SV-238337"]},{"id":"controls/SV-238338.rb","controls":["SV-238338"]},{"id":"controls/SV-238339.rb","controls":["SV-238339"]},{"id":"controls/SV-238340.rb","controls":["SV-238340"]},{"id":"controls/SV-238341.rb","controls":["SV-238341"]},{"id":"controls/SV-238342.rb","controls":["SV-238342"]},{"id":"controls/SV-238343.rb","controls":["SV-238343"]},{"id":"controls/SV-238344.rb","controls":["SV-238344"]},{"id":"controls/SV-238345.rb","controls":["SV-238345"]},{"id":"controls/SV-238346.rb","controls":["SV-238346"]},{"id":"controls/SV-238347.rb","controls":["SV-238347"]},{"id":"controls/SV-238348.rb","controls":["SV-238348"]},{"id":"controls/SV-238349.rb","controls":["SV-238349"]},{"id":"controls/SV-238350.rb","controls":["SV-238350"]},{"id":"controls/SV-238351.rb","controls":["SV-238351"]},{"id":"controls/SV-238352.rb","controls":["SV-238352"]},{"id":"controls/SV-238353.rb","controls":["SV-238353"]},{"id":"controls/SV-238354.rb","controls":["SV-238354"]},{"id":"controls/SV-238355.rb","controls":["SV-238355"]},{"id":"controls/SV-238356.rb","controls":["SV-238356"]},{"id":"controls/SV-238357.rb","controls":["SV-238357"]},{"id":"controls/SV-238358.rb","controls":["SV-238358"]},{"id":"controls/SV-238359.rb","controls":["SV-238359"]},{"id":"controls/SV-238360.rb","controls":["SV-238360"]},{"id":"controls/SV-238361.rb","controls":["SV-238361"]},{"id":"controls/SV-238362.rb","controls":["SV-238362"]},{"id":"controls/SV-238363.rb","controls":["SV-238363"]},{"id":"controls/SV-238364.rb","controls":["SV-238364"]},{"id":"controls/SV-238365.rb","controls":["SV-238365"]},{"id":"controls/SV-238366.rb","controls":["SV-238366"]},{"id":"controls/SV-238367.rb","controls":["SV-238367"]},{"id":"controls/SV-238368.rb","controls":["SV-238368"]},{"id":"controls/SV-238369.rb","controls":["SV-238369"]},{"id":"controls/SV-238370.rb","controls":["SV-238370"]},{"id":"controls/SV-238371.rb","controls":["SV-238371"]},{"id":"controls/SV-238372.rb","controls":["SV-238372"]},{"id":"controls/SV-238373.rb","controls":["SV-238373"]},{"id":"controls/SV-238374.rb","controls":["SV-238374"]},{"id":"controls/SV-238376.rb","controls":["SV-238376"]},{"id":"controls/SV-238377.rb","controls":["SV-238377"]},{"id":"controls/SV-238378.rb","controls":["SV-238378"]},{"id":"controls/SV-238379.rb","controls":["SV-238379"]},{"id":"controls/SV-238380.rb","controls":["SV-238380"]},{"id":"controls/SV-251503.rb","controls":["SV-251503"]},{"id":"controls/SV-251504.rb","controls":["SV-251504"]},{"id":"controls/SV-251505.rb","controls":["SV-251505"]},{"id":"controls/SV-252704.rb","controls":["SV-252704"]}],"controls":[{"id":"SV-238196","title":"The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. ","desc":"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements.","descriptions":[{"label":"default","data":"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements."},{"label":"check","data":"Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding."},{"label":"fix","data":"If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\"system_account_name\" with the account to be created.\n\n$ sudo chage -E $(date -d \"+3 days\"\n+%F) system_account_name"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000002-GPOS-00002 ","gid":"V-238196 ","rid":"SV-238196r653763_rule ","stig_id":"UBTU-20-010000 ","fix_id":"F-41365r653762_fix ","cci":["CCI-000016"],"nist":["AC-2 (2)"]},"code":"control 'SV-238196' do\n title \"The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. \"\n desc \"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding. \"\n desc 'fix', \"If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\\\"system_account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\"\n+%F) system_account_name \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000002-GPOS-00002 '\n tag gid: 'V-238196 '\n tag rid: 'SV-238196r653763_rule '\n tag stig_id: 'UBTU-20-010000 '\n tag fix_id: 'F-41365r653762_fix '\n tag cci: ['CCI-000016']\n tag nist: ['AC-2 (2)']\n\n if input('temporary_accounts').empty?\n describe 'Temporary accounts' do\n subject { input('temporary_accounts') }\n it { should be_empty }\n end\n else\n temporary_accounts.each do |acct|\n describe command(\"chage -l #{acct} | grep 'Account expires'\") do\n its('stdout.strip') { should_not match(/:\\s*never/) }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238196.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Temporary accounts is expected to be empty","run_time":0.003432,"start_time":"2022-12-08T20:52:23-05:00","resource_class":"Object","resource_params":"[]","resource_id":"Temporary accounts"}]},{"id":"SV-238197","title":"The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. ","desc":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"","descriptions":[{"label":"default","data":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\""},{"label":"check","data":"Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \"false\", this is a finding."},{"label":"fix","data":"Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.\n\nLook for the\n\"banner-message-enable\" parameter under the \"[org/gnome/login-screen]\" section and\nuncomment it (remove the leading \"#\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000023-GPOS-00006 ","gid":"V-238197 ","rid":"SV-238197r653766_rule ","stig_id":"UBTU-20-010002 ","fix_id":"F-41366r653765_fix ","cci":["CCI-000048"],"nist":["AC-8 a"]},"code":"control 'SV-238197' do\n title \"The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \\\"false\\\", this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nLook for the\n\\\"banner-message-enable\\\" parameter under the \\\"[org/gnome/login-screen]\\\" section and\nuncomment it (remove the leading \\\"#\\\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238197 '\n tag rid: 'SV-238197r653766_rule '\n tag stig_id: 'UBTU-20-010002 '\n tag fix_id: 'F-41366r653765_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n\n xorg_status = command('which Xorg').exit_status\n\n if xorg_status == 0\n describe 'banner-message-enable must be set to true' do\n subject { command('grep banner-message-enable /etc/dconf/db/local.d/*') }\n its('stdout') { should match(/(banner-message-enable).+=.+(true)/) }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238197.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"1","run_time":5.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"1","skip_message":"GUI not installed.\nwhich Xorg exit_status: 1","resource_class":"Numeric","resource_params":"[]","resource_id":""}]},{"id":"SV-238198","title":"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local access to the system via a graphical user logon. ","desc":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"","descriptions":[{"label":"default","data":"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\""},{"label":"check","data":"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the operating system via a graphical user logon.\n\nNote: If\nthe system does not have a graphical user interface installed, this requirement is Not\nApplicable.\n\nVerify the operating system displays the exact approved Standard Mandatory\nDoD Notice and Consent Banner text with the command:\n\n$ grep ^banner-message-text\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-text=\"You are accessing a U.S.\nGovernment \\(USG\\) Information System \\(IS\\) that is provided for USG-authorized use\nonly.\\s+By using this IS \\(which includes any device attached to this IS\\), you consent to the\nfollowing conditions:\\s+-The USG routinely intercepts and monitors communications on\nthis IS for purposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct \\(PM\\), law enforcement \\(LE\\), and\ncounterintelligence \\(CI\\) investigations.\\s+-At any time, the USG may inspect and seize\ndata stored on this IS.\\s+-Communications using, or data stored on, this IS are not private,\nare subject to routine monitoring, interception, and search, and may be disclosed or used for\nany USG-authorized purpose.\\s+-This IS includes security measures \\(e.g.,\nauthentication and access controls\\) to protect USG interests--not for your personal\nbenefit or privacy.\\s+-Notwithstanding the above, using this IS does not constitute\nconsent to PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nIf the\nbanner-message-text is missing, commented out, or does not match the Standard Mandatory DoD\nNotice and Consent Banner exactly, this is a finding."},{"label":"fix","data":"Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.\n\nSet the \"banner-message-text\" line\nto contain the appropriate banner message text as shown below:\n\nbanner-message-text='You\nare accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this\nIS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and\nmonitors communications on this IS for purposes including, but not limited to, penetration\ntesting, COMSEC monitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the\nUSG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored\non, this IS are not private, are subject to routine monitoring, interception, and search, and\nmay be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security\nmeasures (e.g., authentication and access controls) to protect USG interests--not for your\npersonal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not\nconstitute consent to PM, LE or CI investigative searching or monitoring of the content of\nprivileged communications, or work product, related to personal representation or\nservices by attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User Agreement for\ndetails.'\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf update\n$ sudo\nsystemctl restart gdm3"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000023-GPOS-00006 ","gid":"V-238198 ","rid":"SV-238198r653769_rule ","stig_id":"UBTU-20-010003 ","fix_id":"F-41367r653768_fix ","cci":["CCI-000048"],"nist":["AC-8 a"]},"code":"control 'SV-238198' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local access to the system via a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the operating system via a graphical user logon.\n\nNote: If\nthe system does not have a graphical user interface installed, this requirement is Not\nApplicable.\n\nVerify the operating system displays the exact approved Standard Mandatory\nDoD Notice and Consent Banner text with the command:\n\n$ grep ^banner-message-text\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-text=\\\"You are accessing a U.S.\nGovernment \\\\(USG\\\\) Information System \\\\(IS\\\\) that is provided for USG-authorized use\nonly.\\\\s+By using this IS \\\\(which includes any device attached to this IS\\\\), you consent to the\nfollowing conditions:\\\\s+-The USG routinely intercepts and monitors communications on\nthis IS for purposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct \\\\(PM\\\\), law enforcement \\\\(LE\\\\), and\ncounterintelligence \\\\(CI\\\\) investigations.\\\\s+-At any time, the USG may inspect and seize\ndata stored on this IS.\\\\s+-Communications using, or data stored on, this IS are not private,\nare subject to routine monitoring, interception, and search, and may be disclosed or used for\nany USG-authorized purpose.\\\\s+-This IS includes security measures \\\\(e.g.,\nauthentication and access controls\\\\) to protect USG interests--not for your personal\nbenefit or privacy.\\\\s+-Notwithstanding the above, using this IS does not constitute\nconsent to PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nIf the\nbanner-message-text is missing, commented out, or does not match the Standard Mandatory DoD\nNotice and Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nSet the \\\"banner-message-text\\\" line\nto contain the appropriate banner message text as shown below:\n\nbanner-message-text='You\nare accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\\\\n\\\\nBy using this IS (which includes any device attached to this\nIS), you consent to the following conditions:\\\\n\\\\n-The USG routinely intercepts and\nmonitors communications on this IS for purposes including, but not limited to, penetration\ntesting, COMSEC monitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations.\\\\n\\\\n-At any time, the\nUSG may inspect and seize data stored on this IS.\\\\n\\\\n-Communications using, or data stored\non, this IS are not private, are subject to routine monitoring, interception, and search, and\nmay be disclosed or used for any USG-authorized purpose.\\\\n\\\\n-This IS includes security\nmeasures (e.g., authentication and access controls) to protect USG interests--not for your\npersonal benefit or privacy.\\\\n\\\\n-Notwithstanding the above, using this IS does not\nconstitute consent to PM, LE or CI investigative searching or monitoring of the content of\nprivileged communications, or work product, related to personal representation or\nservices by attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User Agreement for\ndetails.'\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf update\n$ sudo\nsystemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238198 '\n tag rid: 'SV-238198r653769_rule '\n tag stig_id: 'UBTU-20-010003 '\n tag fix_id: 'F-41367r653768_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n\n banner_text = input('banner_text')\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n gdm3_defaults_file = input('gdm3_config_file')\n\n if package('gdm3').installed?\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n subject { file(gdm3_defaults_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n else\n impact 0.0\n describe 'Package gdm3 not installed' do\n skip 'Package gdm3 not installed, this control Not Applicable'\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238198.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Package gdm3 not installed","run_time":2.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"","skip_message":"Package gdm3 not installed, this control Not Applicable","resource_class":"Object","resource_params":"[]","resource_id":"Package gdm3 not installed"}]},{"id":"SV-238199","title":"The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. ","desc":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.","descriptions":[{"label":"default","data":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system."},{"label":"check","data":"Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \"lock-enabled\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \"lock-enabled\" is\nnot set to \"true\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \"lock-enabled\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000028-GPOS-00009 ","satisfies":["SRG-OS-000028-GPOS-00009","SRG-OS-000029-GPOS-00010"],"gid":"V-238199 ","rid":"SV-238199r653772_rule ","stig_id":"UBTU-20-010004 ","fix_id":"F-41368r653771_fix ","cci":["CCI-000056","CCI-000057"],"nist":["AC-11 b","AC-11 a"]},"code":"control 'SV-238199' do\n title \"The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.\n\n \"\n desc 'check', \"Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \\\"lock-enabled\\\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \\\"lock-enabled\\\" is\nnot set to \\\"true\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \\\"lock-enabled\\\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000028-GPOS-00009 '\n tag satisfies: %w(SRG-OS-000028-GPOS-00009 SRG-OS-000029-GPOS-00010)\n tag gid: 'V-238199 '\n tag rid: 'SV-238199r653772_rule '\n tag stig_id: 'UBTU-20-010004 '\n tag fix_id: 'F-41368r653771_fix '\n tag cci: %w(CCI-000056 CCI-000057)\n tag nist: ['AC-11 b', 'AC-11 a']\n\n xorg_status = command('which Xorg').exit_status\n\n if xorg_status == 0\n describe command('gsettings get org.gnome.desktop.screensaver lock-enabled') do\n its('stdout') { should cmp 'true' }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238199.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"1","run_time":2.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"1","skip_message":"GUI not installed.\nwhich Xorg exit_status: 1","resource_class":"Numeric","resource_params":"[]","resource_id":""}]},{"id":"SV-238200","title":"The Ubuntu operating system must allow users to directly initiate a session lock for all\nconnection types. ","desc":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.","descriptions":[{"label":"default","data":"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity."},{"label":"check","data":"Verify the Ubuntu operating system has the \"vlock\" package installed by running the\nfollowing command:\n\n$ dpkg -l | grep vlock\n\nIf \"vlock\" is not installed, this is a finding."},{"label":"fix","data":"Install the \"vlock\" package (if it is not already installed) by running the following\ncommand:\n\n$ sudo apt-get install vlock"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000030-GPOS-00011 ","satisfies":["SRG-OS-000030-GPOS-00011","SRG-OS-000031-GPOS-00012"],"gid":"V-238200 ","rid":"SV-238200r653775_rule ","stig_id":"UBTU-20-010005 ","fix_id":"F-41369r653774_fix ","cci":["CCI-000058","CCI-000060"],"nist":["AC-11 a","AC-11 (1)"]},"code":"control 'SV-238200' do\n title \"The Ubuntu operating system must allow users to directly initiate a session lock for all\nconnection types. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"vlock\\\" package installed by running the\nfollowing command:\n\n$ dpkg -l | grep vlock\n\nIf \\\"vlock\\\" is not installed, this is a finding. \"\n desc 'fix', \"Install the \\\"vlock\\\" package (if it is not already installed) by running the following\ncommand:\n\n$ sudo apt-get install vlock \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000030-GPOS-00011 '\n tag satisfies: %w(SRG-OS-000030-GPOS-00011 SRG-OS-000031-GPOS-00012)\n tag gid: 'V-238200 '\n tag rid: 'SV-238200r653775_rule '\n tag stig_id: 'UBTU-20-010005 '\n tag fix_id: 'F-41369r653774_fix '\n tag cci: %w(CCI-000058 CCI-000060)\n tag nist: ['AC-11 a', 'AC-11 (1)']\n\n describe package('vlock') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238200.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package vlock is expected to be installed","run_time":0.085401,"start_time":"2022-12-08T20:52:23-05:00","message":"expected that `System Package vlock` is installed","resource_class":"package","resource_params":"[\"vlock\"]","resource_id":"vlock"}]},{"id":"SV-238201","title":"The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. ","desc":"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis.","descriptions":[{"label":"default","data":"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis."},{"label":"check","data":"Verify that \"use_mappers\" is set to \"pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\"use_mappers\" is not found or the list does not contain \"pwent\" this is a finding."},{"label":"fix","data":"Set \"use_mappers=pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \"/etc/pam_pkcs11/\" directory and an\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify\naccordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."}],"impact":0.0,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000068-GPOS-00036 ","gid":"V-238201 ","rid":"SV-238201r832933_rule ","stig_id":"UBTU-20-010006 ","fix_id":"F-41370r653777_fix ","cci":["CCI-000187"],"nist":["IA-5 (2) (a) (2)"]},"code":"control 'SV-238201' do\n title \"The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. \"\n desc \"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis. \"\n desc 'check', \"Verify that \\\"use_mappers\\\" is set to \\\"pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\\\"use_mappers\\\" is not found or the list does not contain \\\"pwent\\\" this is a finding. \"\n desc 'fix', \"Set \\\"use_mappers=pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000068-GPOS-00036 '\n tag gid: 'V-238201 '\n tag rid: 'SV-238201r832933_rule '\n tag stig_id: 'UBTU-20-010006 '\n tag fix_id: 'F-41370r653777_fix '\n tag cci: ['CCI-000187']\n tag nist: ['IA-5 (2) (a) (2)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'This control is Not Applicable inside a container' do\n skip 'This control is Not Applicable inside a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file = '/etc/pam_pkcs11/pam_pkcs11.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('use_mappers') { should cmp 'pwent' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238201.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"This control is Not Applicable inside a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"","skip_message":"This control is Not Applicable inside a container","resource_class":"Object","resource_params":"[]","resource_id":"This control is Not Applicable inside a container"}]},{"id":"SV-238202","title":"The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day minimum password lifetime restriction. ","desc":"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse.","descriptions":[{"label":"default","data":"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse."},{"label":"check","data":"Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \"PASS_MIN_DAYS\" parameter value is less than\n\"1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MIN_DAYS 1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000075-GPOS-00043 ","gid":"V-238202 ","rid":"SV-238202r653781_rule ","stig_id":"UBTU-20-010007 ","fix_id":"F-41371r653780_fix ","cci":["CCI-000198"],"nist":["IA-5 (1) (d)"]},"code":"control 'SV-238202' do\n title \"The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day minimum password lifetime restriction. \"\n desc \"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \\\"PASS_MIN_DAYS\\\" parameter value is less than\n\\\"1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MIN_DAYS 1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000075-GPOS-00043 '\n tag gid: 'V-238202 '\n tag rid: 'SV-238202r653781_rule '\n tag stig_id: 'UBTU-20-010007 '\n tag fix_id: 'F-41371r653780_fix '\n tag cci: ['CCI-000198']\n tag nist: ['IA-5 (1) (d)']\n\n describe login_defs do\n its('PASS_MIN_DAYS') { should >= '1' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238202.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"login.defs PASS_MIN_DAYS is expected to >= \"1\"","run_time":0.002864,"start_time":"2022-12-08T20:52:23-05:00","message":"expected: >= \"1\"\n got: \"0\"","resource_class":"login_defs","resource_params":"[]","resource_id":"/etc/login.defs"}]},{"id":"SV-238203","title":"The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction.\nPasswords for new users must have a 60-day maximum password lifetime restriction. ","desc":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised.","descriptions":[{"label":"default","data":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n$ grep -i ^pass_max_days /etc/login.defs\n\nPASS_MAX_DAYS 60\n\nIf the \"PASS_MAX_DAYS\" parameter value is less than \"60\" or is commented\nout, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.\n\nAdd\nor modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MAX_DAYS 60"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000076-GPOS-00044 ","gid":"V-238203 ","rid":"SV-238203r653784_rule ","stig_id":"UBTU-20-010008 ","fix_id":"F-41372r653783_fix ","cci":["CCI-000199"],"nist":["IA-5 (1) (d)"]},"code":"control 'SV-238203' do\n title \"The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction.\nPasswords for new users must have a 60-day maximum password lifetime restriction. \"\n desc \"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n$ grep -i ^pass_max_days /etc/login.defs\n\nPASS_MAX_DAYS 60\n\nIf the \\\"PASS_MAX_DAYS\\\" parameter value is less than \\\"60\\\" or is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.\n\nAdd\nor modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MAX_DAYS 60 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000076-GPOS-00044 '\n tag gid: 'V-238203 '\n tag rid: 'SV-238203r653784_rule '\n tag stig_id: 'UBTU-20-010008 '\n tag fix_id: 'F-41372r653783_fix '\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)']\n\n describe login_defs do\n its('PASS_MAX_DAYS') { should cmp <= 60 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238203.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"login.defs PASS_MAX_DAYS is expected to cmp <= 60","run_time":0.000732,"start_time":"2022-12-08T20:52:23-05:00","message":"\nexpected it to be <= 60\n got: 99999\n\n(compared using `cmp` matcher)\n","resource_class":"login_defs","resource_params":"[]","resource_id":"/etc/login.defs"}]},{"id":"SV-238204","title":"Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. ","desc":"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system.","descriptions":[{"label":"default","data":"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system."},{"label":"check","data":"Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \"password_pbkdf2\", this is a finding."},{"label":"fix","data":"Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \"/etc/grub.d/40_custom\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\"root\\\"\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \"grub.conf\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000080-GPOS-00048 ","gid":"V-238204 ","rid":"SV-238204r832936_rule ","stig_id":"UBTU-20-010009 ","fix_id":"F-41373r832935_fix ","cci":["CCI-000213"],"nist":["AC-3"]},"code":"control 'SV-238204' do\n title \"Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. \"\n desc \"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system. \"\n desc 'check', \"Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \\\"password_pbkdf2\\\", this is a finding. \"\n desc 'fix', \"Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \\\"/etc/grub.d/40_custom\\\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\\\\\"root\\\\\\\"\\\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \\\"grub.conf\\\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000080-GPOS-00048 '\n tag gid: 'V-238204 '\n tag rid: 'SV-238204r832936_rule '\n tag stig_id: 'UBTU-20-010009 '\n tag fix_id: 'F-41373r832935_fix '\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n describe grub_conf('/boot/grub/grub.cfg') do\n its('password') { should match '^password_pbkdf2' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238204.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Grub Config","run_time":3.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"Grub Config","skip_message":"Can't find file: /boot/grub/grub.cfg","resource_class":"grub_conf","resource_params":"[\"/boot/grub/grub.cfg\"]","resource_id":"/boot/grub/grub.cfg"}]},{"id":"SV-238205","title":"The Ubuntu operating system must uniquely identify interactive users. ","desc":"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.","descriptions":[{"label":"default","data":"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity."},{"label":"check","data":"Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive\nusers with the following command:\n\n$ awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf\noutput is produced and the accounts listed are interactive user accounts, this is a finding."},{"label":"fix","data":"Edit the file \"/etc/passwd\" and provide each interactive user account that has a duplicate\nUID with a unique UID."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000104-GPOS-00051 ","satisfies":["SRG-OS-000104-GPOS-00051","SRG-OS-000121-GPOS-00062"],"gid":"V-238205 ","rid":"SV-238205r653790_rule ","stig_id":"UBTU-20-010010 ","fix_id":"F-41374r653789_fix ","cci":["CCI-000764","CCI-000804"],"nist":["IA-2","IA-8"]},"code":"control 'SV-238205' do\n title 'The Ubuntu operating system must uniquely identify interactive users. '\n desc \"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive\nusers with the following command:\n\n$ awk -F \\\":\\\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf\noutput is produced and the accounts listed are interactive user accounts, this is a finding. \"\n desc 'fix', \"Edit the file \\\"/etc/passwd\\\" and provide each interactive user account that has a duplicate\nUID with a unique UID. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000104-GPOS-00051 '\n tag satisfies: %w(SRG-OS-000104-GPOS-00051 SRG-OS-000121-GPOS-00062)\n tag gid: 'V-238205 '\n tag rid: 'SV-238205r653790_rule '\n tag stig_id: 'UBTU-20-010010 '\n tag fix_id: 'F-41374r653789_fix '\n tag cci: %w(CCI-000764 CCI-000804)\n tag nist: %w(IA-2 IA-8)\n\n user_list = command(\"awk -F \\\":\\\" 'list[$3]++{print $1}' /etc/passwd\").stdout.split(\"\\n\")\n findings = Set[]\n\n user_list.each do |user_name|\n findings = findings << user_name\n end\n describe 'Duplicate User IDs (UIDs) must not exist for interactive users' do\n subject { findings.to_a }\n it { should be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238205.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Duplicate User IDs (UIDs) must not exist for interactive users is expected to be empty","run_time":0.003407,"start_time":"2022-12-08T20:52:23-05:00","resource_class":"Object","resource_params":"[]","resource_id":"Duplicate User IDs (UIDs) must not exist for interactive users"}]},{"id":"SV-238206","title":"The Ubuntu operating system must ensure only users who need access to security functions are\npart of sudo group. ","desc":"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities.","descriptions":[{"label":"default","data":"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities."},{"label":"check","data":"Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding."},{"label":"fix","data":"Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000134-GPOS-00068 ","gid":"V-238206 ","rid":"SV-238206r653793_rule ","stig_id":"UBTU-20-010012 ","fix_id":"F-41375r653792_fix ","cci":["CCI-001084"],"nist":["SC-3"]},"code":"control 'SV-238206' do\n title \"The Ubuntu operating system must ensure only users who need access to security functions are\npart of sudo group. \"\n desc \"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities. \"\n desc 'check', \"Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding. \"\n desc 'fix', \"Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000134-GPOS-00068 '\n tag gid: 'V-238206 '\n tag rid: 'SV-238206r653793_rule '\n tag stig_id: 'UBTU-20-010012 '\n tag fix_id: 'F-41375r653792_fix '\n tag cci: ['CCI-001084']\n tag nist: ['SC-3']\n\n sudo_accounts = input('sudo_accounts')\n\n if sudo_accounts.count > 0\n sudo_accounts.each do |account|\n describe group('sudo') do\n its('members') { should include account }\n end\n end\n else\n describe.one do\n describe group('sudo') do\n its('members') { should be_nil }\n end\n describe group('sudo') do\n its('members') { should be_empty }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238206.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Group sudo members is expected to include \"ubuntu\"","run_time":0.08589,"start_time":"2022-12-08T20:52:23-05:00","message":"expected \"\" to include \"ubuntu\"","resource_class":"group","resource_params":"[\"sudo\"]","resource_id":"sudo-27"}]},{"id":"SV-238207","title":"The Ubuntu operating system must automatically terminate a user session after inactivity\ntimeouts have expired. ","desc":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance.","descriptions":[{"label":"default","data":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance."},{"label":"check","data":"Verify the operating system automatically terminates a user session after inactivity\ntimeouts have expired.\n\nCheck that \"TMOUT\" environment variable is set in the\n\"/etc/bash.bashrc\" file or in any file inside the \"/etc/profile.d/\" directory by\nperforming the following command:\n\n$ grep -E \"\\bTMOUT=[0-9]+\" /etc/bash.bashrc\n/etc/profile.d/*\n\nTMOUT=600\n\nIf \"TMOUT\" is not set, or if the value is \"0\" or is commented\nout, this is a finding."},{"label":"fix","data":"Configure the operating system to automatically terminate a user session after inactivity\ntimeouts have expired or at shutdown.\n\nCreate the file\n\"/etc/profile.d/99-terminal_tmout.sh\" file if it does not exist.\n\nModify or append the\nfollowing line in the \"/etc/profile.d/99-terminal_tmout.sh \" file:\n\nTMOUT=600\n\nThis\nwill set a timeout value of 10 minutes for all future sessions.\n\nTo set the timeout for the\ncurrent sessions, execute the following command over the terminal session:\n\n$ export\nTMOUT=600"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000279-GPOS-00109 ","gid":"V-238207 ","rid":"SV-238207r853404_rule ","stig_id":"UBTU-20-010013 ","fix_id":"F-41376r653795_fix ","cci":["CCI-002361"],"nist":["AC-12"]},"code":"control 'SV-238207' do\n title \"The Ubuntu operating system must automatically terminate a user session after inactivity\ntimeouts have expired. \"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance. \"\n desc 'check', \"Verify the operating system automatically terminates a user session after inactivity\ntimeouts have expired.\n\nCheck that \\\"TMOUT\\\" environment variable is set in the\n\\\"/etc/bash.bashrc\\\" file or in any file inside the \\\"/etc/profile.d/\\\" directory by\nperforming the following command:\n\n$ grep -E \\\"\\\\bTMOUT=[0-9]+\\\" /etc/bash.bashrc\n/etc/profile.d/*\n\nTMOUT=600\n\nIf \\\"TMOUT\\\" is not set, or if the value is \\\"0\\\" or is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the operating system to automatically terminate a user session after inactivity\ntimeouts have expired or at shutdown.\n\nCreate the file\n\\\"/etc/profile.d/99-terminal_tmout.sh\\\" file if it does not exist.\n\nModify or append the\nfollowing line in the \\\"/etc/profile.d/99-terminal_tmout.sh \\\" file:\n\nTMOUT=600\n\nThis\nwill set a timeout value of 10 minutes for all future sessions.\n\nTo set the timeout for the\ncurrent sessions, execute the following command over the terminal session:\n\n$ export\nTMOUT=600 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000279-GPOS-00109 '\n tag gid: 'V-238207 '\n tag rid: 'SV-238207r853404_rule '\n tag stig_id: 'UBTU-20-010013 '\n tag fix_id: 'F-41376r653795_fix '\n tag cci: ['CCI-002361']\n tag nist: ['AC-12']\n\n profile_files = command('find /etc/profile.d/ /etc/bash.bashrc -type f').stdout.strip.split(\"\\n\").entries\n timeout = input('tmout').to_s\n\n describe.one do\n profile_files.each do |pf|\n describe file(pf.strip) do\n its('content') { should match \"^TMOUT=#{timeout}$\" }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238207.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /etc/profile.d/01-locale-fix.sh content is expected to match \"^TMOUT=600$\"","run_time":0.000191,"start_time":"2022-12-08T20:52:23-05:00","message":"expected \"# Make sure the locale variables are set to valid values.\\neval $(/usr/bin/locale-check C.UTF-8)\\n\" to match \"^TMOUT=600$\"\nDiff:\n@@ -1,2 +1,3 @@\n-^TMOUT=600$\n+# Make sure the locale variables are set to valid values.\n+eval $(/usr/bin/locale-check C.UTF-8)\n","exception":"RSpec::Core::MultipleExceptionError","resource_class":"file","resource_params":"[\"/etc/profile.d/01-locale-fix.sh\"]","resource_id":"/etc/profile.d/01-locale-fix.sh"},{"status":"failed","code_desc":"File /etc/bash.bashrc content is expected to match \"^TMOUT=600$\"","run_time":0.000363,"start_time":"2022-12-08T20:52:23-05:00","message":"expected \"# System-wide .bashrc file for interactive bash(1) shells.\\n\\n# To enable the settings / commands in...\\telse\\n\\t\\t printf \\\"%s: command not found\\\\n\\\" \\\"$1\\\" >&2\\n\\t\\t return 127\\n\\t\\tfi\\n\\t}\\nfi\\n\" to match \"^TMOUT=600$\"\nDiff:\n@@ -1,71 +1,141 @@\n-^TMOUT=600$\n+# System-wide .bashrc file for interactive bash(1) shells.\n+\n+# To enable the settings / commands in this file for login shells as well,\n+# this file has to be sourced in /etc/profile.\n+\n+# If not running interactively, don't do anything\n+[ -z \"$PS1\" ] && return\n+\n+# check the window size after each command and, if necessary,\n+# update the values of LINES and COLUMNS.\n+shopt -s checkwinsize\n+\n+# set variable identifying the chroot you work in (used in the prompt below)\n+if [ -z \"${debian_chroot:-}\" ] && [ -r /etc/debian_chroot ]; then\n+ debian_chroot=$(cat /etc/debian_chroot)\n+fi\n+\n+# set a fancy prompt (non-color, overwrite the one in /etc/profile)\n+# but only if not SUDOing and have SUDO_PS1 set; then assume smart user.\n+if ! [ -n \"${SUDO_USER}\" -a -n \"${SUDO_PS1}\" ]; then\n+ PS1='${debian_chroot:+($debian_chroot)}\\u@\\h:\\w\\$ '\n+fi\n+\n+# Commented out, don't overwrite xterm -T \"title\" -n \"icontitle\" by default.\n+# If this is an xterm set the title to user@host:dir\n+#case \"$TERM\" in\n+#xterm*|rxvt*)\n+# PROMPT_COMMAND='echo -ne \"\\033]0;${USER}@${HOSTNAME}: ${PWD}\\007\"'\n+# ;;\n+#*)\n+# ;;\n+#esac\n+\n+# enable bash completion in interactive shells\n+#if ! shopt -oq posix; then\n+# if [ -f /usr/share/bash-completion/bash_completion ]; then\n+# . /usr/share/bash-completion/bash_completion\n+# elif [ -f /etc/bash_completion ]; then\n+# . /etc/bash_completion\n+# fi\n+#fi\n+\n+# sudo hint\n+if [ ! -e \"$HOME/.sudo_as_admin_successful\" ] && [ ! -e \"$HOME/.hushlogin\" ] ; then\n+ case \" $(groups) \" in *\\ admin\\ *|*\\ sudo\\ *)\n+ if [ -x /usr/bin/sudo ]; then\n+\tcat <<-EOF\n+\tTo run a command as administrator (user \"root\"), use \"sudo \".\n+\tSee \"man sudo_root\" for details.\n+\t\n+\tEOF\n+ fi\n+ esac\n+fi\n+\n+# if the command-not-found package is installed, use it\n+if [ -x /usr/lib/command-not-found -o -x /usr/share/command-not-found/command-not-found ]; then\n+\tfunction command_not_found_handle {\n+\t # check because c-n-f could've been removed in the meantime\n+ if [ -x /usr/lib/command-not-found ]; then\n+\t\t /usr/lib/command-not-found -- \"$1\"\n+ return $?\n+ elif [ -x /usr/share/command-not-found/command-not-found ]; then\n+\t\t /usr/share/command-not-found/command-not-found -- \"$1\"\n+ return $?\n+\t\telse\n+\t\t printf \"%s: command not found\\n\" \"$1\" >&2\n+\t\t return 127\n+\t\tfi\n+\t}\n+fi\n","exception":"RSpec::Core::MultipleExceptionError","resource_class":"file","resource_params":"[\"/etc/bash.bashrc\"]","resource_id":"/etc/bash.bashrc"}]},{"id":"SV-238208","title":"The Ubuntu operating system must require users to reauthenticate for privilege escalation\nor when changing roles. ","desc":"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.","descriptions":[{"label":"default","data":"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate."},{"label":"check","data":"Verify the \"/etc/sudoers\" file has no occurrences of \"NOPASSWD\" or \"!authenticate\" by\nrunning the following command:\n\n$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers\n/etc/sudoers.d/*\n\nIf any occurrences of \"NOPASSWD\" or \"!authenticate\" return from the\ncommand, this is a finding."},{"label":"fix","data":"Remove any occurrence of \"NOPASSWD\" or \"!authenticate\" found in \"/etc/sudoers\" file or\nfiles in the \"/etc/sudoers.d\" directory."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000373-GPOS-00156 ","satisfies":["SRG-OS-000373-GPOS-00156","SRG-OS-000373-GPOS-00157"],"gid":"V-238208 ","rid":"SV-238208r853405_rule ","stig_id":"UBTU-20-010014 ","fix_id":"F-41377r653798_fix ","cci":["CCI-002038"],"nist":["IA-11"]},"code":"control 'SV-238208' do\n title \"The Ubuntu operating system must require users to reauthenticate for privilege escalation\nor when changing roles. \"\n desc \"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.\n\n \"\n desc 'check', \"Verify the \\\"/etc/sudoers\\\" file has no occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" by\nrunning the following command:\n\n$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers\n/etc/sudoers.d/*\n\nIf any occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" return from the\ncommand, this is a finding. \"\n desc 'fix', \"Remove any occurrence of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" found in \\\"/etc/sudoers\\\" file or\nfiles in the \\\"/etc/sudoers.d\\\" directory. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000373-GPOS-00156 '\n tag satisfies: %w(SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157)\n tag gid: 'V-238208 '\n tag rid: 'SV-238208r853405_rule '\n tag stig_id: 'UBTU-20-010014 '\n tag fix_id: 'F-41377r653798_fix '\n tag cci: ['CCI-002038']\n tag nist: ['IA-11']\n\n describe command(\"egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers\") do\n its('stdout.strip') { should be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238208.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Command: `egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers` stdout.strip is expected to be empty","run_time":0.040013,"start_time":"2022-12-08T20:52:23-05:00","resource_class":"command","resource_params":"[\"egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers\"]","resource_id":"Command: `egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers`"}]},{"id":"SV-238209","title":"The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. ","desc":"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access.","descriptions":[{"label":"default","data":"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access."},{"label":"check","data":"Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \"umask\" /etc/login.defs\n\nUMASK 077\n\nIf the \"UMASK\"\nvariable is set to \"000\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\"UMASK\" is not set to \"077\", is commented out, or is missing completely, this is a finding."},{"label":"fix","data":"Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \"UMASK\" parameter in the\n\"/etc/login.defs\" file to match the example below:\n\nUMASK 077"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00228 ","gid":"V-238209 ","rid":"SV-238209r653802_rule ","stig_id":"UBTU-20-010016 ","fix_id":"F-41378r653801_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238209' do\n title \"The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. \"\n desc \"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access. \"\n desc 'check', \"Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \\\"umask\\\" /etc/login.defs\n\nUMASK 077\n\nIf the \\\"UMASK\\\"\nvariable is set to \\\"000\\\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\\\"UMASK\\\" is not set to \\\"077\\\", is commented out, or is missing completely, this is a finding. \"\n desc 'fix', \"Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \\\"UMASK\\\" parameter in the\n\\\"/etc/login.defs\\\" file to match the example below:\n\nUMASK 077 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00228 '\n tag gid: 'V-238209 '\n tag rid: 'SV-238209r653802_rule '\n tag stig_id: 'UBTU-20-010016 '\n tag fix_id: 'F-41378r653801_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe login_defs do\n its('UMASK') { should eq '077' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238209.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"login.defs UMASK is expected to eq \"077\"","run_time":0.000654,"start_time":"2022-12-08T20:52:23-05:00","message":"\nexpected: \"077\"\n got: \"022\"\n\n(compared using ==)\n","resource_class":"login_defs","resource_params":"[]","resource_id":"/etc/login.defs"}]},{"id":"SV-238210","title":"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. ","desc":"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.","descriptions":[{"label":"default","data":"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication."},{"label":"check","data":"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\"libpam-pkcs11\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \"no\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \"pam_pkcs11.so\" in \"/etc/pam.d/common-auth\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\"PubkeyAuthentication yes\" in the \"/etc/ssh/sshd_config\" file."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000105-GPOS-00052 ","satisfies":["SRG-OS-000105-GPOS-00052","SRG-OS-000106-GPOS-00053","SRG-OS-000107-GPOS-00054","SRG-OS-000108-GPOS-00055"],"gid":"V-238210 ","rid":"SV-238210r858517_rule ","stig_id":"UBTU-20-010033 ","fix_id":"F-41379r653804_fix ","cci":["CCI-000765","CCI-000766","CCI-000767","CCI-000768"],"nist":["IA-2 (1)","IA-2 (2)","IA-2 (3)","IA-2 (4)"]},"code":"control 'SV-238210' do\n title \"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. \"\n desc \"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \\\"no\\\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \\\"pam_pkcs11.so\\\" in \\\"/etc/pam.d/common-auth\\\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\\\"PubkeyAuthentication yes\\\" in the \\\"/etc/ssh/sshd_config\\\" file. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000105-GPOS-00052 '\n tag satisfies: %w(SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055)\n tag gid: 'V-238210 '\n tag rid: 'SV-238210r858517_rule '\n tag stig_id: 'UBTU-20-010033 '\n tag fix_id: 'F-41379r653804_fix '\n tag cci: %w(CCI-000765 CCI-000766 CCI-000767 CCI-000768)\n tag nist: ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n\n describe sshd_config do\n its('PubkeyAuthentication') { should cmp 'yes' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238210.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238211","title":"The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. ","desc":"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric.","descriptions":[{"label":"default","data":"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric."},{"label":"check","data":"Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \"UsePAM\"\nis set to \"yes\" in \"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \"UsePAM\" is not set to \"yes\", this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000125-GPOS-00065 ","gid":"V-238211 ","rid":"SV-238211r858519_rule ","stig_id":"UBTU-20-010035 ","fix_id":"F-41380r653807_fix ","cci":["CCI-000877"],"nist":["MA-4 c"]},"code":"control 'SV-238211' do\n title \"The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. \"\n desc \"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \\\"UsePAM\\\"\nis set to \\\"yes\\\" in \\\"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \\\"UsePAM\\\" is not set to \\\"yes\\\", this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000125-GPOS-00065 '\n tag gid: 'V-238211 '\n tag rid: 'SV-238211r858519_rule '\n tag stig_id: 'UBTU-20-010035 '\n tag fix_id: 'F-41380r653807_fix '\n tag cci: ['CCI-000877']\n tag nist: ['MA-4 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe sshd_config do\n its('UsePAM') { should cmp 'yes' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238211.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238212","title":"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic after a period of inactivity. ","desc":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance.","descriptions":[{"label":"default","data":"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance."},{"label":"check","data":"Verify that all network connections associated with SSH traffic automatically terminate\nafter a period of inactivity.\n\nVerify the \"ClientAliveCountMax\" variable is set in the\n\"/etc/ssh/sshd_config\" file by performing the following command:\n\n$ sudo grep -ir\nclientalivecountmax /etc/ssh/sshd_config*\n\nClientAliveCountMax 1\n\nIf\n\"ClientAliveCountMax\" is not set, is not set to \"1\", or is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to automatically terminate inactive SSH sessions\nafter a period of inactivity.\n\nModify or append the following line in the\n\"/etc/ssh/sshd_config\" file, replacing \"[Count]\" with a value of 1:\n\n\nClientAliveCountMax 1\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000126-GPOS-00066 ","gid":"V-238212 ","rid":"SV-238212r858521_rule ","stig_id":"UBTU-20-010036 ","fix_id":"F-41381r653810_fix ","cci":["CCI-000879"],"nist":["MA-4 e"]},"code":"control 'SV-238212' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic after a period of inactivity. \"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance. \"\n desc 'check', \"Verify that all network connections associated with SSH traffic automatically terminate\nafter a period of inactivity.\n\nVerify the \\\"ClientAliveCountMax\\\" variable is set in the\n\\\"/etc/ssh/sshd_config\\\" file by performing the following command:\n\n$ sudo grep -ir\nclientalivecountmax /etc/ssh/sshd_config*\n\nClientAliveCountMax 1\n\nIf\n\\\"ClientAliveCountMax\\\" is not set, is not set to \\\"1\\\", or is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate inactive SSH sessions\nafter a period of inactivity.\n\nModify or append the following line in the\n\\\"/etc/ssh/sshd_config\\\" file, replacing \\\"[Count]\\\" with a value of 1:\n\n\nClientAliveCountMax 1\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000126-GPOS-00066 '\n tag gid: 'V-238212 '\n tag rid: 'SV-238212r858521_rule '\n tag stig_id: 'UBTU-20-010036 '\n tag fix_id: 'F-41381r653810_fix '\n tag cci: ['CCI-000879']\n tag nist: ['MA-4 e']\n\n describe sshd_config do\n its('ClientAliveCountMax') { should cmp 1 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238212.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":1.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238213","title":"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic at the end of the session or after 10 minutes of inactivity. ","desc":"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session.","descriptions":[{"label":"default","data":"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session."},{"label":"check","data":"Verify that all network connections associated with SSH traffic are automatically\nterminated at the end of the session or after 10 minutes of inactivity.\n\nVerify the\n\"ClientAliveInterval\" variable is set to a value of \"600\" or less by performing the following\ncommand:\n\n$ sudo grep -ir clientalive /etc/ssh/sshd_config*\n\nClientAliveInterval\n600\n\nIf \"ClientAliveInterval\" does not exist, is not set to a value of \"600\" or less in\n\"/etc/ssh/sshd_config\", or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to automatically terminate all network connections\nassociated with SSH traffic at the end of a session or after a 10-minute period of inactivity.\n\n\nModify or append the following line in the \"/etc/ssh/sshd_config\" file replacing\n\"[Interval]\" with a value of \"600\" or less:\n\nClientAliveInterval 600\n\nRestart the SSH\ndaemon for the changes to take effect:\n\n$ sudo systemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000163-GPOS-00072 ","gid":"V-238213 ","rid":"SV-238213r858523_rule ","stig_id":"UBTU-20-010037 ","fix_id":"F-41382r653813_fix ","cci":["CCI-001133"],"nist":["SC-10"]},"code":"control 'SV-238213' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic at the end of the session or after 10 minutes of inactivity. \"\n desc \"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session. \"\n desc 'check', \"Verify that all network connections associated with SSH traffic are automatically\nterminated at the end of the session or after 10 minutes of inactivity.\n\nVerify the\n\\\"ClientAliveInterval\\\" variable is set to a value of \\\"600\\\" or less by performing the following\ncommand:\n\n$ sudo grep -ir clientalive /etc/ssh/sshd_config*\n\nClientAliveInterval\n600\n\nIf \\\"ClientAliveInterval\\\" does not exist, is not set to a value of \\\"600\\\" or less in\n\\\"/etc/ssh/sshd_config\\\", or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate all network connections\nassociated with SSH traffic at the end of a session or after a 10-minute period of inactivity.\n\n\nModify or append the following line in the \\\"/etc/ssh/sshd_config\\\" file replacing\n\\\"[Interval]\\\" with a value of \\\"600\\\" or less:\n\nClientAliveInterval 600\n\nRestart the SSH\ndaemon for the changes to take effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000163-GPOS-00072 '\n tag gid: 'V-238213 '\n tag rid: 'SV-238213r858523_rule '\n tag stig_id: 'UBTU-20-010037 '\n tag fix_id: 'F-41382r653813_fix '\n tag cci: ['CCI-001133']\n tag nist: ['SC-10']\n\n describe sshd_config do\n its('ClientAliveInterval') { should cmp 600 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238213.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":1.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238214","title":"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. ","desc":"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\"","descriptions":[{"label":"default","data":"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user\nagreem't.\""},{"label":"check","data":"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding."},{"label":"fix","data":"Set the parameter Banner in \"/etc/ssh/sshd_config\" to point to the \"/etc/issue.net\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000228-GPOS-00088 ","satisfies":["SRG-OS-000228-GPOS-00088","SRG-OS-000023-GPOS-00006"],"gid":"V-238214 ","rid":"SV-238214r858525_rule ","stig_id":"UBTU-20-010038 ","fix_id":"F-41383r653816_fix ","cci":["CCI-000048","CCI-001384","CCI-001385","CCI-001386","CCI-001387","CCI-001388"],"nist":["AC-8 a","AC-8 c 1","AC-8 c 2","AC-8 c 3"]},"code":"control 'SV-238214' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. \"\n desc \"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\"\n\n \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\\\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Set the parameter Banner in \\\"/etc/ssh/sshd_config\\\" to point to the \\\"/etc/issue.net\\\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000228-GPOS-00088 '\n tag satisfies: %w(SRG-OS-000228-GPOS-00088 SRG-OS-000023-GPOS-00006)\n tag gid: 'V-238214 '\n tag rid: 'SV-238214r858525_rule '\n tag stig_id: 'UBTU-20-010038 '\n tag fix_id: 'F-41383r653816_fix '\n tag cci: %w(CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388)\n tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3']\n\n if !service('sshd').enabled? or !package('sshd-server').installed? or virtualization.system.eql?('docker')\n impact 0.0\n describe 'This control is Not Applicable' do\n if virtualization.system.eql?('docker')\n skip 'This control is Not Applicable in a container and/or the SSHD server is not enabled'\n else\n skip 'This control is Not Applicable since the SSHD server is not enabled and/or installed'\n end\n end\n else\n banner_text = input('banner_text')\n banner_files = [sshd_config.banner].flatten\n\n banner_files.each do |banner_file|\n if banner_file.nil?\n describe 'The SSHD Banner is not set' do\n subject { banner_file.nil? }\n it { should be false }\n end\n end\n if !banner_file.nil? && !banner_file.match(/none/i).nil?\n describe 'The SSHD Banner is disabled' do\n subject { banner_file.match(/none/i).nil? }\n it { should be true }\n end\n end\n if !banner_file.nil? && banner_file.match(/none/i).nil? && !file(banner_file).exist?\n describe 'The SSHD Banner is set, but, the file does not exist' do\n subject { file(banner_file).exist? }\n it { should be true }\n end\n end\n next unless !banner_file.nil? && banner_file.match(/none/i).nil? && file(banner_file).exist?\n\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n subject { file(banner_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238214.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"This control is Not Applicable","run_time":1.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"","skip_message":"This control is Not Applicable in a container and/or the SSHD server is not enabled","resource_class":"Object","resource_params":"[]","resource_id":"This control is Not Applicable"}]},{"id":"SV-238215","title":"The Ubuntu operating system must use SSH to protect the confidentiality and integrity of\ntransmitted information. ","desc":"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.","descriptions":[{"label":"default","data":"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa."},{"label":"check","data":"Verify the SSH package is installed with the following command:\n\n$ sudo dpkg -l | grep openssh\n\nii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access\nto remote machines\nii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server,\nfor secure access from remote machines\nii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64\nsecure shell (SSH) sftp server module, for SFTP access from remote machines\n\nIf the\n\"openssh\" server package is not installed, this is a finding.\n\nVerify the \"sshd.service\" is\nloaded and active with the following command:\n\n$ sudo systemctl status sshd.service | egrep\n-i \"(active|loaded)\"\n Loaded: loaded (/lib/systemd/system/ssh.service; enabled;\nvendor preset: enabled)\n Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1\nweeks 3 days ago\n\nIf \"sshd.service\" is not active or loaded, this is a finding."},{"label":"fix","data":"Install the \"ssh\" meta-package on the system with the following command:\n\n$ sudo apt install\nssh\n\nEnable the \"ssh\" service to start automatically on reboot with the following command:\n\n\n$ sudo systemctl enable sshd.service\n\nensure the \"ssh\" service is running\n\n$ sudo\nsystemctl start sshd.service"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000423-GPOS-00187 ","satisfies":["SRG-OS-000423-GPOS-00187","SRG-OS-000425-GPOS-00189","SRG-OS-000426-GPOS-00190"],"gid":"V-238215 ","rid":"SV-238215r853406_rule ","stig_id":"UBTU-20-010042 ","fix_id":"F-41384r653819_fix ","cci":["CCI-002418","CCI-002420","CCI-002422"],"nist":["SC-8","SC-8 (2)"]},"code":"control 'SV-238215' do\n title \"The Ubuntu operating system must use SSH to protect the confidentiality and integrity of\ntransmitted information. \"\n desc \"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.\n\n \"\n desc 'check', \"Verify the SSH package is installed with the following command:\n\n$ sudo dpkg -l | grep openssh\n\nii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access\nto remote machines\nii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server,\nfor secure access from remote machines\nii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64\nsecure shell (SSH) sftp server module, for SFTP access from remote machines\n\nIf the\n\\\"openssh\\\" server package is not installed, this is a finding.\n\nVerify the \\\"sshd.service\\\" is\nloaded and active with the following command:\n\n$ sudo systemctl status sshd.service | egrep\n-i \\\"(active|loaded)\\\"\n Loaded: loaded (/lib/systemd/system/ssh.service; enabled;\nvendor preset: enabled)\n Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1\nweeks 3 days ago\n\nIf \\\"sshd.service\\\" is not active or loaded, this is a finding. \"\n desc 'fix', \"Install the \\\"ssh\\\" meta-package on the system with the following command:\n\n$ sudo apt install\nssh\n\nEnable the \\\"ssh\\\" service to start automatically on reboot with the following command:\n\n\n$ sudo systemctl enable sshd.service\n\nensure the \\\"ssh\\\" service is running\n\n$ sudo\nsystemctl start sshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000423-GPOS-00187 '\n tag satisfies: %w(SRG-OS-000423-GPOS-00187 SRG-OS-000425-GPOS-00189 SRG-OS-000426-GPOS-00190)\n tag gid: 'V-238215 '\n tag rid: 'SV-238215r853406_rule '\n tag stig_id: 'UBTU-20-010042 '\n tag fix_id: 'F-41384r653819_fix '\n tag cci: %w(CCI-002418 CCI-002420 CCI-002422)\n tag nist: ['SC-8', 'SC-8 (2)']\n\n describe package('openssh-client') do\n it { should be_installed }\n end\n\n describe package('openssh-server') do\n it { should be_installed }\n end\n\n describe package('openssh-sftp-server') do\n it { should be_installed }\n end\n\n describe service('sshd') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238215.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package openssh-client is expected to be installed","run_time":0.047026,"start_time":"2022-12-08T20:52:23-05:00","message":"expected that `System Package openssh-client` is installed","resource_class":"package","resource_params":"[\"openssh-client\"]","resource_id":"openssh-client"},{"status":"failed","code_desc":"System Package openssh-server is expected to be installed","run_time":0.053271,"start_time":"2022-12-08T20:52:23-05:00","message":"expected that `System Package openssh-server` is installed","resource_class":"package","resource_params":"[\"openssh-server\"]","resource_id":"openssh-server"},{"status":"failed","code_desc":"System Package openssh-sftp-server is expected to be installed","run_time":0.044125,"start_time":"2022-12-08T20:52:23-05:00","message":"expected that `System Package openssh-sftp-server` is installed","resource_class":"package","resource_params":"[\"openssh-sftp-server\"]","resource_id":"openssh-sftp-server"},{"status":"failed","code_desc":"Service sshd is expected to be enabled","run_time":0.000299,"start_time":"2022-12-08T20:52:23-05:00","message":"expected that `Service sshd` is enabled","resource_class":"service","resource_params":"[\"sshd\"]","resource_id":"sshd"},{"status":"failed","code_desc":"Service sshd is expected to be installed","run_time":0.000182,"start_time":"2022-12-08T20:52:23-05:00","message":"expected that `Service sshd` is installed","resource_class":"service","resource_params":"[\"sshd\"]","resource_id":"sshd"},{"status":"failed","code_desc":"Service sshd is expected to be running","run_time":0.00018,"start_time":"2022-12-08T20:52:23-05:00","message":"expected that `Service sshd` is running","resource_class":"service","resource_params":"[\"sshd\"]","resource_id":"sshd"}]},{"id":"SV-238216","title":"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. ","desc":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.","descriptions":[{"label":"default","data":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes."},{"label":"check","data":"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \"hmac-sha2-512\" or\n\"hmac-sha2-256\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000424-GPOS-00188 ","satisfies":["SRG-OS-000424-GPOS-00188","SRG-OS-000250-GPOS-00093","SRG-OS-000393-GPOS-00173"],"gid":"V-238216 ","rid":"SV-238216r860820_rule ","stig_id":"UBTU-20-010043 ","fix_id":"F-41385r653822_fix ","cci":["CCI-001453","CCI-002421","CCI-002890"],"nist":["AC-17 (2)","SC-8 (1)","MA-4 (6)"]},"code":"control 'SV-238216' do\n title \"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \\\"hmac-sha2-512\\\" or\n\\\"hmac-sha2-256\\\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173)\n tag gid: 'V-238216 '\n tag rid: 'SV-238216r860820_rule '\n tag stig_id: 'UBTU-20-010043 '\n tag fix_id: 'F-41385r653822_fix '\n tag cci: %w(CCI-001453 CCI-002421 CCI-002890)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n @macs_array = inspec.sshd_config.params['macs']\n\n @macs_array = @macs_array.first.split(',') unless @macs_array.nil?\n\n describe @macs_array do\n it { should be_in %w(hmac-sha2-256 hmac-sha2-512) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238216.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"FIPS validation in a container must be reviewed manually","run_time":7.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"","skip_message":"FIPS validation in a container must be reviewed manually","resource_class":"Object","resource_params":"[]","resource_id":"FIPS validation in a container must be reviewed manually"}]},{"id":"SV-238217","title":"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. ","desc":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \"strongest to\nweakest\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.","descriptions":[{"label":"default","data":"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \"strongest to\nweakest\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections."},{"label":"check","data":"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \"aes256-ctr\",\n\"aes192-ctr\", or \"aes128-ctr\" are listed, the order differs from the example above, the\n\"Ciphers\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000424-GPOS-00188 ","satisfies":["SRG-OS-000424-GPOS-00188","SRG-OS-000033-GPOS-00014","SRG-OS-000394-GPOS-00174"],"gid":"V-238217 ","rid":"SV-238217r860821_rule ","stig_id":"UBTU-20-010044 ","fix_id":"F-41386r653825_fix ","cci":["CCI-000068","CCI-002421","CCI-003123"],"nist":["AC-17 (2)","SC-8 (1)","MA-4 (6)"]},"code":"control 'SV-238217' do\n title \"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \\\"strongest to\nweakest\\\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \\\"aes256-ctr\\\",\n\\\"aes192-ctr\\\", or \\\"aes128-ctr\\\" are listed, the order differs from the example above, the\n\\\"Ciphers\\\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000033-GPOS-00014 SRG-OS-000394-GPOS-00174)\n tag gid: 'V-238217 '\n tag rid: 'SV-238217r860821_rule '\n tag stig_id: 'UBTU-20-010044 '\n tag fix_id: 'F-41386r653825_fix '\n tag cci: %w(CCI-000068 CCI-002421 CCI-003123)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n @ciphers_array = inspec.sshd_config.params['ciphers']\n\n @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil?\n\n describe @ciphers_array do\n it { should be_in %w(aes256-ctr aes192-ctr aes128-ctr) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238217.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"FIPS validation in a container must be reviewed manually","run_time":5.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"","skip_message":"FIPS validation in a container must be reviewed manually","resource_class":"Object","resource_params":"[]","resource_id":"FIPS validation in a container must be reviewed manually"}]},{"id":"SV-238218","title":"The Ubuntu operating system must not allow unattended or automatic login via SSH. ","desc":"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security.","descriptions":[{"label":"default","data":"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security."},{"label":"check","data":"Verify that unattended or automatic login via SSH is disabled with the following command:\n\n$\negrep -r '(Permit(.*?)(Passwords|Environment))'\n/etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf\n\"PermitEmptyPasswords\" or \"PermitUserEnvironment\" keywords are not set to \"no\", are\nmissing completely, or are commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or\nautomatic login to the system.\n\nAdd or edit the following lines in the\n\"/etc/ssh/sshd_config\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00229 ","gid":"V-238218 ","rid":"SV-238218r858531_rule ","stig_id":"UBTU-20-010047 ","fix_id":"F-41387r653828_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238218' do\n title 'The Ubuntu operating system must not allow unattended or automatic login via SSH. '\n desc \"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security. \"\n desc 'check', \"Verify that unattended or automatic login via SSH is disabled with the following command:\n\n$\negrep -r '(Permit(.*?)(Passwords|Environment))'\n/etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf\n\\\"PermitEmptyPasswords\\\" or \\\"PermitUserEnvironment\\\" keywords are not set to \\\"no\\\", are\nmissing completely, or are commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or\nautomatic login to the system.\n\nAdd or edit the following lines in the\n\\\"/etc/ssh/sshd_config\\\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00229 '\n tag gid: 'V-238218 '\n tag rid: 'SV-238218r858531_rule '\n tag stig_id: 'UBTU-20-010047 '\n tag fix_id: 'F-41387r653828_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('PermitEmptyPasswords') { should cmp 'no' }\n its('PermitUserEnvironment') { should cmp 'no' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238218.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":5.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238219","title":"The Ubuntu operating system must be configured so that remote X connections are disabled,\nunless to fulfill documented and validated mission requirements. ","desc":"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs.","descriptions":[{"label":"default","data":"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs."},{"label":"check","data":"Verify that X11Forwarding is disabled with the following command:\n\n$ grep -ir\nx11forwarding /etc/ssh/sshd_config* | grep -v \"^#\"\n\nX11Forwarding no\n\nIf the\n\"X11Forwarding\" keyword is set to \"yes\" and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement or is missing, this is a finding.\nIf\nconflicting results are returned, this is a finding."},{"label":"fix","data":"Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\"\nkeyword and set its value to \"no\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding\nno\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238219 ","rid":"SV-238219r858533_rule ","stig_id":"UBTU-20-010048 ","fix_id":"F-41388r653831_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238219' do\n title \"The Ubuntu operating system must be configured so that remote X connections are disabled,\nunless to fulfill documented and validated mission requirements. \"\n desc \"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs. \"\n desc 'check', \"Verify that X11Forwarding is disabled with the following command:\n\n$ grep -ir\nx11forwarding /etc/ssh/sshd_config* | grep -v \\\"^#\\\"\n\nX11Forwarding no\n\nIf the\n\\\"X11Forwarding\\\" keyword is set to \\\"yes\\\" and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement or is missing, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11Forwarding\\\"\nkeyword and set its value to \\\"no\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding\nno\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238219 '\n tag rid: 'SV-238219r858533_rule '\n tag stig_id: 'UBTU-20-010048 '\n tag fix_id: 'F-41388r653831_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('X11Forwarding') { should cmp 'no' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238219.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":4.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238220","title":"The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy\ndisplay. ","desc":"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display.","descriptions":[{"label":"default","data":"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display."},{"label":"check","data":"Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the\nSSH X11UseLocalhost setting with the following command:\n\n$ sudo grep -ir x11uselocalhost\n/etc/ssh/sshd_config*\nX11UseLocalhost yes\n\nIf the \"X11UseLocalhost\" keyword is set to\n\"no\", is missing, or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding."},{"label":"fix","data":"Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit\nthe \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11UseLocalhost\"\nkeyword and set its value to \"yes\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\n\nX11UseLocalhost yes\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238220 ","rid":"SV-238220r858535_rule ","stig_id":"UBTU-20-010049 ","fix_id":"F-41389r653834_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238220' do\n title \"The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy\ndisplay. \"\n desc \"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display. \"\n desc 'check', \"Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the\nSSH X11UseLocalhost setting with the following command:\n\n$ sudo grep -ir x11uselocalhost\n/etc/ssh/sshd_config*\nX11UseLocalhost yes\n\nIf the \\\"X11UseLocalhost\\\" keyword is set to\n\\\"no\\\", is missing, or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit\nthe \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11UseLocalhost\\\"\nkeyword and set its value to \\\"yes\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\n\nX11UseLocalhost yes\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238220 '\n tag rid: 'SV-238220r858535_rule '\n tag stig_id: 'UBTU-20-010049 '\n tag fix_id: 'F-41389r653834_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('X11UseLocalhost') { should cmp 'yes' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238220.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"SSHD Configuration","run_time":4.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"SSHD Configuration","skip_message":"Can't find file: /etc/ssh/sshd_config","resource_class":"sshd_config","resource_params":"[]","resource_id":"/etc/ssh/sshd_config"}]},{"id":"SV-238221","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nupper-case character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none upper-case character be used.\n\nDetermine if the field \"ucredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"ucredit\"\n/etc/security/pwquality.conf\nucredit=-1\n\nIf the \"ucredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Add or update the \"/etc/security/pwquality.conf\" file to contain the \"ucredit\" parameter:\n\n\nucredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000069-GPOS-00037 ","gid":"V-238221 ","rid":"SV-238221r653838_rule ","stig_id":"UBTU-20-010050 ","fix_id":"F-41390r653837_fix ","cci":["CCI-000192"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238221' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nupper-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none upper-case character be used.\n\nDetermine if the field \\\"ucredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"ucredit\\\"\n/etc/security/pwquality.conf\nucredit=-1\n\nIf the \\\"ucredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"ucredit\\\" parameter:\n\n\nucredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000069-GPOS-00037 '\n tag gid: 'V-238221 '\n tag rid: 'SV-238221r653838_rule '\n tag stig_id: 'UBTU-20-010050 '\n tag fix_id: 'F-41390r653837_fix '\n tag cci: ['CCI-000192']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ucredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238221.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.001862,"start_time":"2022-12-08T20:52:23-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238222","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nlower-case character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none lower-case character be used.\n\nDetermine if the field \"lcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"lcredit\"\n/etc/security/pwquality.conf\nlcredit=-1\n\nIf the \"lcredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Add or update the \"/etc/security/pwquality.conf\" file to contain the \"lcredit\" parameter:\n\n\nlcredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000070-GPOS-00038 ","gid":"V-238222 ","rid":"SV-238222r653841_rule ","stig_id":"UBTU-20-010051 ","fix_id":"F-41391r653840_fix ","cci":["CCI-000193"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238222' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nlower-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none lower-case character be used.\n\nDetermine if the field \\\"lcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"lcredit\\\"\n/etc/security/pwquality.conf\nlcredit=-1\n\nIf the \\\"lcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"lcredit\\\" parameter:\n\n\nlcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000070-GPOS-00038 '\n tag gid: 'V-238222 '\n tag rid: 'SV-238222r653841_rule '\n tag stig_id: 'UBTU-20-010051 '\n tag fix_id: 'F-41391r653840_fix '\n tag cci: ['CCI-000193']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('lcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238222.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.000137,"start_time":"2022-12-08T20:52:23-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238223","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised."},{"label":"check","data":"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \"dcredit\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"dcredit\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \"dcredit\" parameter is greater than\n\"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \"/etc/security/pwquality.conf\"\nfile to contain the \"dcredit\" parameter:\n\ndcredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000071-GPOS-00039 ","gid":"V-238223 ","rid":"SV-238223r653844_rule ","stig_id":"UBTU-20-010052 ","fix_id":"F-41392r653843_fix ","cci":["CCI-000194"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238223' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \\\"dcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"dcredit\\\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \\\"dcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\"\nfile to contain the \\\"dcredit\\\" parameter:\n\ndcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000071-GPOS-00039 '\n tag gid: 'V-238223 '\n tag rid: 'SV-238223r653844_rule '\n tag stig_id: 'UBTU-20-010052 '\n tag fix_id: 'F-41392r653843_fix '\n tag cci: ['CCI-000194']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238223.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.000134,"start_time":"2022-12-08T20:52:23-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238224","title":"The Ubuntu operating system must require the change of at least 8 characters when passwords\nare changed. ","desc":"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters.","descriptions":[{"label":"default","data":"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters."},{"label":"check","data":"Verify the Ubuntu operating system requires the change of at least eight characters when\npasswords are changed.\n\nDetermine if the field \"difok\" is set in the\n\"/etc/security/pwquality.conf\" file with the following command:\n\n$ grep -i \"difok\"\n/etc/security/pwquality.conf\ndifok=8\n\nIf the \"difok\" parameter is less than \"8\" or is\ncommented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to require the change of at least eight characters when\npasswords are changed.\n\nAdd or update the \"/etc/security/pwquality.conf\" file to include\nthe \"difok=8\" parameter:\n\ndifok=8"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000072-GPOS-00040 ","gid":"V-238224 ","rid":"SV-238224r653847_rule ","stig_id":"UBTU-20-010053 ","fix_id":"F-41393r653846_fix ","cci":["CCI-000195"],"nist":["IA-5 (1) (b)"]},"code":"control 'SV-238224' do\n title \"The Ubuntu operating system must require the change of at least 8 characters when passwords\nare changed. \"\n desc \"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters. \"\n desc 'check', \"Verify the Ubuntu operating system requires the change of at least eight characters when\npasswords are changed.\n\nDetermine if the field \\\"difok\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"difok\\\"\n/etc/security/pwquality.conf\ndifok=8\n\nIf the \\\"difok\\\" parameter is less than \\\"8\\\" or is\ncommented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to require the change of at least eight characters when\npasswords are changed.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\" file to include\nthe \\\"difok=8\\\" parameter:\n\ndifok=8 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000072-GPOS-00040 '\n tag gid: 'V-238224 '\n tag rid: 'SV-238224r653847_rule '\n tag stig_id: 'UBTU-20-010053 '\n tag fix_id: 'F-41393r653846_fix '\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('difok') { should cmp >= '8' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238224.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.00013,"start_time":"2022-12-08T20:52:23-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238225","title":"The Ubuntu operating system must enforce a minimum 15-character password length. ","desc":"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password.","descriptions":[{"label":"default","data":"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password."},{"label":"check","data":"Verify the pwquality configuration file enforces a minimum 15-character password length by\nrunning the following command:\n\n$ grep -i minlen\n/etc/security/pwquality.conf\nminlen=15\n\nIf \"minlen\" parameter value is not \"15\" or\nhigher or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a minimum 15-character password length.\n\n\nAdd or modify the \"minlen\" parameter value to the \"/etc/security/pwquality.conf\" file:\n\n\nminlen=15"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000078-GPOS-00046 ","gid":"V-238225 ","rid":"SV-238225r832942_rule ","stig_id":"UBTU-20-010054 ","fix_id":"F-41394r653849_fix ","cci":["CCI-000205"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238225' do\n title 'The Ubuntu operating system must enforce a minimum 15-character password length. '\n desc \"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password. \"\n desc 'check', \"Verify the pwquality configuration file enforces a minimum 15-character password length by\nrunning the following command:\n\n$ grep -i minlen\n/etc/security/pwquality.conf\nminlen=15\n\nIf \\\"minlen\\\" parameter value is not \\\"15\\\" or\nhigher or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a minimum 15-character password length.\n\n\nAdd or modify the \\\"minlen\\\" parameter value to the \\\"/etc/security/pwquality.conf\\\" file:\n\n\nminlen=15 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000078-GPOS-00046 '\n tag gid: 'V-238225 '\n tag rid: 'SV-238225r832942_rule '\n tag stig_id: 'UBTU-20-010054 '\n tag fix_id: 'F-41394r653849_fix '\n tag cci: ['CCI-000205']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('minlen') { should cmp >= '15' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238225.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.000125,"start_time":"2022-12-08T20:52:23-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238226","title":"The Ubuntu operating system must enforce password complexity by requiring that at least one\nspecial character be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *."},{"label":"check","data":"Determine if the field \"ocredit\" is set in the \"/etc/security/pwquality.conf\" file with the\nfollowing command:\n\n$ grep -i \"ocredit\" /etc/security/pwquality.conf\nocredit=-1\n\nIf\nthe \"ocredit\" parameter is greater than \"-1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one special character be used.\n\nAdd or update the following line in the\n\"/etc/security/pwquality.conf\" file to include the \"ocredit=-1\" parameter:\n\n\nocredit=-1"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000266-GPOS-00101 ","gid":"V-238226 ","rid":"SV-238226r653853_rule ","stig_id":"UBTU-20-010055 ","fix_id":"F-41395r653852_fix ","cci":["CCI-001619"],"nist":["IA-5 (1) (a)"]},"code":"control 'SV-238226' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nspecial character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *. \"\n desc 'check', \"Determine if the field \\\"ocredit\\\" is set in the \\\"/etc/security/pwquality.conf\\\" file with the\nfollowing command:\n\n$ grep -i \\\"ocredit\\\" /etc/security/pwquality.conf\nocredit=-1\n\nIf\nthe \\\"ocredit\\\" parameter is greater than \\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one special character be used.\n\nAdd or update the following line in the\n\\\"/etc/security/pwquality.conf\\\" file to include the \\\"ocredit=-1\\\" parameter:\n\n\nocredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000266-GPOS-00101 '\n tag gid: 'V-238226 '\n tag rid: 'SV-238226r653853_rule '\n tag stig_id: 'UBTU-20-010055 '\n tag fix_id: 'F-41395r653852_fix '\n tag cci: ['CCI-001619']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ocredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238226.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.000122,"start_time":"2022-12-08T20:52:23-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238227","title":"The Ubuntu operating system must prevent the use of dictionary words for passwords. ","desc":"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks.","descriptions":[{"label":"default","data":"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks."},{"label":"check","data":"Verify the Ubuntu operating system uses the \"cracklib\" library to prevent the use of\ndictionary words with the following command:\n\n$ grep dictcheck\n/etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \"dictcheck\" parameter is not set to\n\"1\" or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.\n\n\nAdd or update the following line in the \"/etc/security/pwquality.conf\" file to include the\n\"dictcheck=1\" parameter:\n\ndictcheck=1"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00225 ","gid":"V-238227 ","rid":"SV-238227r653856_rule ","stig_id":"UBTU-20-010056 ","fix_id":"F-41396r653855_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238227' do\n title 'The Ubuntu operating system must prevent the use of dictionary words for passwords. '\n desc \"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks. \"\n desc 'check', \"Verify the Ubuntu operating system uses the \\\"cracklib\\\" library to prevent the use of\ndictionary words with the following command:\n\n$ grep dictcheck\n/etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \\\"dictcheck\\\" parameter is not set to\n\\\"1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.\n\n\nAdd or update the following line in the \\\"/etc/security/pwquality.conf\\\" file to include the\n\\\"dictcheck=1\\\" parameter:\n\ndictcheck=1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238227 '\n tag rid: 'SV-238227r653856_rule '\n tag stig_id: 'UBTU-20-010056 '\n tag fix_id: 'F-41396r653855_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dictcheck') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238227.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/security/pwquality.conf exists is expected to equal true","run_time":0.000122,"start_time":"2022-12-08T20:52:23-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/security/pwquality.conf exists"}]},{"id":"SV-238228","title":"The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. ","desc":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem.","descriptions":[{"label":"default","data":"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem."},{"label":"check","data":"Verify the Ubuntu operating system has the \"libpam-pwquality\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \"libpam-pwquality\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \"pwquality\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \"enforcing\" is not \"1\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \"pwquality\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \"retry\" is set to \"0\" or greater than \"3\",\nthis is a finding."},{"label":"fix","data":"Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n\n\nInstall the \"pam_pwquality\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \"/etc/security/pwquality.conf\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\"/etc/pam.d/common-password\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \"retry\" should be between \"1\" and\n\"3\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00225 ","gid":"V-238228 ","rid":"SV-238228r653859_rule ","stig_id":"UBTU-20-010057 ","fix_id":"F-41397r653858_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238228' do\n title \"The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \\\"pwquality\\\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem. \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"libpam-pwquality\\\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \\\"libpam-pwquality\\\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \\\"pwquality\\\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \\\"enforcing\\\" is not \\\"1\\\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \\\"pwquality\\\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \\\"retry\\\" is set to \\\"0\\\" or greater than \\\"3\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the operating system to use \\\"pwquality\\\" to enforce password complexity rules.\n\n\nInstall the \\\"pam_pwquality\\\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \\\"/etc/security/pwquality.conf\\\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\\\"/etc/pam.d/common-password\\\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \\\"retry\\\" should be between \\\"1\\\" and\n\\\"3\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238228 '\n tag rid: 'SV-238228r653859_rule '\n tag stig_id: 'UBTU-20-010057 '\n tag fix_id: 'F-41397r653858_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pwquality') do\n it { should be_installed }\n end\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('enforcing') { should cmp 1 }\n end\n\n describe file('/etc/pam.d/common-password') do\n its('content') { should match '^password\\s+requisite\\s+pam_pwquality.so\\s+retry=3\\s+enforce_for_root$' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238228.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":6.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238229","title":"The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. ","desc":"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement.","descriptions":[{"label":"default","data":"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement."},{"label":"check","data":"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \"use_pkcs11_module\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\"\nand then ensure \"ca\" is enabled in \"cert_policy\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to \"ca\" or the line is commented out,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \"use_pkcs11_module\" in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" and ensure \"ca\" is enabled in \"cert_policy\".\n\nAdd or\nupdate the \"cert_policy\" to ensure \"ca\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \"/etc/pam_pkcs11/\" directory and an\n\"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify\naccordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000066-GPOS-00034 ","gid":"V-238229 ","rid":"SV-238229r653862_rule ","stig_id":"UBTU-20-010060 ","fix_id":"F-41398r653861_fix ","cci":["CCI-000185"],"nist":["IA-5 (2) (b) (1)"]},"code":"control 'SV-238229' do\n title \"The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. \"\n desc \"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement. \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \\\"use_pkcs11_module\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\"\nand then ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to \\\"ca\\\" or the line is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \\\"use_pkcs11_module\\\" in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" and ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\".\n\nAdd or\nupdate the \\\"cert_policy\\\" to ensure \\\"ca\\\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000066-GPOS-00034 '\n tag gid: 'V-238229 '\n tag rid: 'SV-238229r653862_rule '\n tag stig_id: 'UBTU-20-010060 '\n tag fix_id: 'F-41398r653861_fix '\n tag cci: ['CCI-000185']\n tag nist: ['IA-5 (2) (b) (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('use_pkcs11_module') { should_not be_nil }\n its('cert_policy') { should include 'ca' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238229.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238230","title":"The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. ","desc":"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management).","descriptions":[{"label":"default","data":"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management)."},{"label":"check","data":"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\"libpam-pkcs11\" package is not installed, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \"libpam-pkcs11\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000375-GPOS-00160 ","gid":"V-238230 ","rid":"SV-238230r853410_rule ","stig_id":"UBTU-20-010063 ","fix_id":"F-41399r653864_fix ","cci":["CCI-001948"],"nist":["IA-2 (11)"]},"code":"control 'SV-238230' do\n title \"The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. \"\n desc \"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management). \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \\\"libpam-pkcs11\\\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000375-GPOS-00160 '\n tag gid: 'V-238230 '\n tag rid: 'SV-238230r853410_rule '\n tag stig_id: 'UBTU-20-010063 '\n tag fix_id: 'F-41399r653864_fix '\n tag cci: ['CCI-001948']\n tag nist: ['IA-2 (11)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238230.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:23-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238231","title":"The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. ","desc":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.","descriptions":[{"label":"default","data":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems."},{"label":"check","data":"Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \"opensc-pcks11\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \"opensc-pcks11\" package is not installed,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to accept PIV credentials.\n\nInstall the\n\"opensc-pkcs11\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000376-GPOS-00161 ","gid":"V-238231 ","rid":"SV-238231r853411_rule ","stig_id":"UBTU-20-010064 ","fix_id":"F-41400r653867_fix ","cci":["CCI-001953"],"nist":["IA-2 (12)"]},"code":"control 'SV-238231' do\n title 'The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. '\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \\\"opensc-pcks11\\\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \\\"opensc-pcks11\\\" package is not installed,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to accept PIV credentials.\n\nInstall the\n\\\"opensc-pkcs11\\\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000376-GPOS-00161 '\n tag gid: 'V-238231 '\n tag rid: 'SV-238231r853411_rule '\n tag stig_id: 'UBTU-20-010064 '\n tag fix_id: 'F-41400r653867_fix '\n tag cci: ['CCI-001953']\n tag nist: ['IA-2 (12)']\n\n describe package('opensc-pkcs11') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238231.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package opensc-pkcs11 is expected to be installed","run_time":0.04233,"start_time":"2022-12-08T20:52:23-05:00","message":"expected that `System Package opensc-pkcs11` is installed","resource_class":"package","resource_params":"[\"opensc-pkcs11\"]","resource_id":"opensc-pkcs11"}]},{"id":"SV-238232","title":"The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. ","desc":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.","descriptions":[{"label":"default","data":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems."},{"label":"check","data":"Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to\n\"ocsp_on\", or the line is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \"cert_policy\" lines in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000377-GPOS-00162 ","gid":"V-238232 ","rid":"SV-238232r853412_rule ","stig_id":"UBTU-20-010065 ","fix_id":"F-41401r653870_fix ","cci":["CCI-001954"],"nist":["IA-2 (12)"]},"code":"control 'SV-238232' do\n title \"The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. \"\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to\n\\\"ocsp_on\\\", or the line is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \\\"cert_policy\\\" lines in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" to include \\\"ocsp_on\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000377-GPOS-00162 '\n tag gid: 'V-238232 '\n tag rid: 'SV-238232r853412_rule '\n tag stig_id: 'UBTU-20-010065 '\n tag fix_id: 'F-41401r653870_fix '\n tag cci: ['CCI-001954']\n tag nist: ['IA-2 (12)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'ocsp_on' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238232.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":7.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238233","title":"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. ","desc":"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates).","descriptions":[{"label":"default","data":"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates)."},{"label":"check","data":"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \"crl_offline\" or \"crl_auto\" is\npart of the \"cert_policy\" definition in \"/etc/pam_pkcs11/pam_pkcs11.conf\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\"cert_policy\" is not set to include \"crl_auto\" or \"crl_offline\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\"cert_policy\" option in \"/etc/pam/_pkcs11/pam_pkcs11.conf\" to include \"crl_auto\" or\n\"crl_offline\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \"/etc/pam_pkcs11/\" directory and an \"/etc/pam_pkcs11/pam_pkcs11.conf\", find\nan example to copy into place and modify accordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000384-GPOS-00167 ","gid":"V-238233 ","rid":"SV-238233r853413_rule ","stig_id":"UBTU-20-010066 ","fix_id":"F-41402r653873_fix ","cci":["CCI-001991"],"nist":["IA-5 (2) (d)"]},"code":"control 'SV-238233' do\n title \"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. \"\n desc \"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates). \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \\\"crl_offline\\\" or \\\"crl_auto\\\" is\npart of the \\\"cert_policy\\\" definition in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\\\"cert_policy\\\" is not set to include \\\"crl_auto\\\" or \\\"crl_offline\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\\\"cert_policy\\\" option in \\\"/etc/pam/_pkcs11/pam_pkcs11.conf\\\" to include \\\"crl_auto\\\" or\n\\\"crl_offline\\\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \\\"/etc/pam_pkcs11/\\\" directory and an \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find\nan example to copy into place and modify accordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000384-GPOS-00167 '\n tag gid: 'V-238233 '\n tag rid: 'SV-238233r853413_rule '\n tag stig_id: 'UBTU-20-010066 '\n tag fix_id: 'F-41402r653873_fix '\n tag cci: ['CCI-001991']\n tag nist: ['IA-5 (2) (d)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe.one do\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_auto' }\n end\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_offline' }\n end\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238233.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238234","title":"The Ubuntu operating system must prohibit password reuse for a minimum of five generations. ","desc":"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.","descriptions":[{"label":"default","data":"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements."},{"label":"check","data":"Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \"remember\" parameter value is not greater\nthan or equal to \"5\", is commented out, or is not set at all, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \"remember\" parameter value to the following line in\n\"/etc/pam.d/common-password\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000077-GPOS-00045 ","satisfies":["SRG-OS-000077-GPOS-00045","SRG-OS-000073-GPOS-00041"],"gid":"V-238234 ","rid":"SV-238234r832945_rule ","stig_id":"UBTU-20-010070 ","fix_id":"F-41403r832944_fix ","cci":["CCI-000196","CCI-000200"],"nist":["IA-5 (1) (c)","IA-5 (1) (e)"]},"code":"control 'SV-238234' do\n title 'The Ubuntu operating system must prohibit password reuse for a minimum of five generations. '\n desc \"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \\\"remember\\\" parameter value is not greater\nthan or equal to \\\"5\\\", is commented out, or is not set at all, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \\\"remember\\\" parameter value to the following line in\n\\\"/etc/pam.d/common-password\\\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000077-GPOS-00045 '\n tag satisfies: %w(SRG-OS-000077-GPOS-00045 SRG-OS-000073-GPOS-00041)\n tag gid: 'V-238234 '\n tag rid: 'SV-238234r832945_rule '\n tag stig_id: 'UBTU-20-010070 '\n tag fix_id: 'F-41403r832944_fix '\n tag cci: %w(CCI-000196 CCI-000200)\n tag nist: ['IA-5 (1) (c)', 'IA-5 (1) (e)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-password') do\n it { should exist }\n end\n\n describe command(\"grep -i remember /etc/pam.d/common-password | sed 's/.*remember=\\\\([^ ]*\\\\).*/\\\\1/'\") do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should cmp >= 5 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238234.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238235","title":"The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. ","desc":"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.","descriptions":[{"label":"default","data":"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account."},{"label":"check","data":"Verify that the Ubuntu operating system utilizes the \"pam_faillock\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \"/etc/pam.d/common-auth\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \"silent\" keyword is missing or commented out, this is a finding.\nIf the \"audit\"\nkeyword is missing or commented out, this is a finding.\nIf the \"deny\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \"fail_interval\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\"unlock_time\" keyword is missing, commented out, or not set to 0, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to utilize the \"pam_faillock\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \"auth\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \"pam_faillock\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000329-GPOS-00128 ","satisfies":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"gid":"V-238235 ","rid":"SV-238235r853414_rule ","stig_id":"UBTU-20-010072 ","fix_id":"F-41404r802382_fix ","cci":["CCI-000044","CCI-002238"],"nist":["AC-7 a","AC-7 b"]},"code":"control 'SV-238235' do\n title \"The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. \"\n desc \"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.\n\n \"\n desc 'check', \"Verify that the Ubuntu operating system utilizes the \\\"pam_faillock\\\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \\\"/etc/pam.d/common-auth\\\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \\\"silent\\\" keyword is missing or commented out, this is a finding.\nIf the \\\"audit\\\"\nkeyword is missing or commented out, this is a finding.\nIf the \\\"deny\\\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \\\"fail_interval\\\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\\\"unlock_time\\\" keyword is missing, commented out, or not set to 0, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to utilize the \\\"pam_faillock\\\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \\\"auth\\\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \\\"pam_faillock\\\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000329-GPOS-00128 '\n tag satisfies: %w(SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005)\n tag gid: 'V-238235 '\n tag rid: 'SV-238235r853414_rule '\n tag stig_id: 'UBTU-20-010072 '\n tag fix_id: 'F-41404r802382_fix '\n tag cci: %w(CCI-000044 CCI-002238)\n tag nist: ['AC-7 a', 'AC-7 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_tally /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3($|\\s+.*$)/) }\n its('stdout.strip') { should_not match(/^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3\\s+.*unlock_time.*$/) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238235.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238236","title":"The Ubuntu operating system must be configured so that the script which runs each 30 days or\nless to check file integrity is the default one. ","desc":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality.","descriptions":[{"label":"default","data":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality."},{"label":"check","data":"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to\ncheck file integrity each 30 days or less is unchanged.\n\nDownload the original aide-common\npackage in the /tmp directory:\n\n$ cd /tmp; apt download aide-common\n\nFetch the SHA1 of the\noriginal script file:\n\n$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO\n./usr/share/aide/config/cron.daily/aide | sha1sum\n\n32958374f18871e3f7dda27a58d721f471843e26 -\n\nCompare with the SHA1 of the file in the\ndaily or monthly cron directory:\n\n$ sha1sum /etc/cron.{daily,monthly}/aide\n2>/dev/null\n32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide\n\nIf\nthere is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the\ndaily or monthly cron directory does not match the SHA1 of the original, this is a finding."},{"label":"fix","data":"The cron file for AIDE is fairly complex as it creates the report. This file is installed with\nthe \"aide-common\" package, and the default can be restored by copying it from the package:\n\n\nDownload the original package to the /tmp dir:\n\n$ cd /tmp; apt download aide-common\n\n\nExtract the aide script to its original place:\n\n$ dpkg-deb --fsys-tarfile\n/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C /\n\n\nCopy it to the cron.daily directory:\n\n$ sudo cp -f\n/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000446-GPOS-00200 ","gid":"V-238236 ","rid":"SV-238236r853415_rule ","stig_id":"UBTU-20-010074 ","fix_id":"F-41405r653882_fix ","cci":["CCI-002699"],"nist":["SI-6 b"]},"code":"control 'SV-238236' do\n title \"The Ubuntu operating system must be configured so that the script which runs each 30 days or\nless to check file integrity is the default one. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality. \"\n desc 'check', \"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to\ncheck file integrity each 30 days or less is unchanged.\n\nDownload the original aide-common\npackage in the /tmp directory:\n\n$ cd /tmp; apt download aide-common\n\nFetch the SHA1 of the\noriginal script file:\n\n$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO\n./usr/share/aide/config/cron.daily/aide | sha1sum\n\n32958374f18871e3f7dda27a58d721f471843e26 -\n\nCompare with the SHA1 of the file in the\ndaily or monthly cron directory:\n\n$ sha1sum /etc/cron.{daily,monthly}/aide\n2>/dev/null\n32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide\n\nIf\nthere is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the\ndaily or monthly cron directory does not match the SHA1 of the original, this is a finding. \"\n desc 'fix', \"The cron file for AIDE is fairly complex as it creates the report. This file is installed with\nthe \\\"aide-common\\\" package, and the default can be restored by copying it from the package:\n\n\nDownload the original package to the /tmp dir:\n\n$ cd /tmp; apt download aide-common\n\n\nExtract the aide script to its original place:\n\n$ dpkg-deb --fsys-tarfile\n/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C /\n\n\nCopy it to the cron.daily directory:\n\n$ sudo cp -f\n/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000446-GPOS-00200 '\n tag gid: 'V-238236 '\n tag rid: 'SV-238236r853415_rule '\n tag stig_id: 'UBTU-20-010074 '\n tag fix_id: 'F-41405r653882_fix '\n tag cci: ['CCI-002699']\n tag nist: ['SI-6 b']\n\n describe('Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.') do\n skip('manual test')\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238236.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"manual test","resource_class":"Object","resource_params":"[]","resource_id":"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged."}]},{"id":"SV-238237","title":"The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. ","desc":"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account.","descriptions":[{"label":"default","data":"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account."},{"label":"check","data":"Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \"/etc/pam.d/common-auth\" and set\nthe parameter \"pam_faildelay\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000480-GPOS-00226 ","gid":"V-238237 ","rid":"SV-238237r653886_rule ","stig_id":"UBTU-20-010075 ","fix_id":"F-41406r653885_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238237' do\n title \"The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. \"\n desc \"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \\\"/etc/pam.d/common-auth\\\" and set\nthe parameter \\\"pam_faildelay\\\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00226 '\n tag gid: 'V-238237 '\n tag rid: 'SV-238237r653886_rule '\n tag stig_id: 'UBTU-20-010075 '\n tag fix_id: 'F-41406r653885_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_faildelay /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=([4-9][\\d]{6,}|[1-9][\\d]{7,}).*$/) }\n end\n\n file('/etc/pam.d/common-auth').content.to_s.scan(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=(\\d+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 4_000_000 }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238237.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238238","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000463-GPOS-00207","SRG-OS-000476-GPOS-00221"],"gid":"V-238238 ","rid":"SV-238238r853416_rule ","stig_id":"UBTU-20-010100 ","fix_id":"F-41407r653888_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238238' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000463-GPOS-00207 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238238 '\n tag rid: 'SV-238238r853416_rule '\n tag stig_id: 'UBTU-20-010100 '\n tag fix_id: 'F-41407r653888_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238238.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238239","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/group\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238239 ","rid":"SV-238239r853417_rule ","stig_id":"UBTU-20-010101 ","fix_id":"F-41408r653891_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238239' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238239 '\n tag rid: 'SV-238239r853417_rule '\n tag stig_id: 'UBTU-20-010101 '\n tag fix_id: 'F-41408r653891_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/group'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238239.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238240","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/shadow\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238240 ","rid":"SV-238240r853418_rule ","stig_id":"UBTU-20-010102 ","fix_id":"F-41409r653894_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238240' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238240 '\n tag rid: 'SV-238240r853418_rule '\n tag stig_id: 'UBTU-20-010102 '\n tag fix_id: 'F-41409r653894_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/shadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238240.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238241","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/gshadow\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238241 ","rid":"SV-238241r853419_rule ","stig_id":"UBTU-20-010103 ","fix_id":"F-41410r653897_fix ","cci":["CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AU-12 c","AC-2 (4)"]},"code":"control 'SV-238241' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238241 '\n tag rid: 'SV-238241r853419_rule '\n tag stig_id: 'UBTU-20-010103 '\n tag fix_id: 'F-41410r653897_fix '\n tag cci: %w(CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AU-12 c', 'AC-2 (4)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/gshadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238241.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238242","title":"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. ","desc":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.","descriptions":[{"label":"default","data":"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/security/opasswd\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/security/opasswd\".\n\n\nAdd or update the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000004-GPOS-00004 ","satisfies":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000458-GPOS-00203","SRG-OS-000476-GPOS-00221"],"gid":"V-238242 ","rid":"SV-238242r853420_rule ","stig_id":"UBTU-20-010104 ","fix_id":"F-41411r653900_fix ","cci":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-002130"],"nist":["AC-2 (4)","AU-12 c"]},"code":"control 'SV-238242' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nAdd or update the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238242 '\n tag rid: 'SV-238242r853420_rule '\n tag stig_id: 'UBTU-20-010104 '\n tag fix_id: 'F-41411r653900_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/security/opasswd'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238242.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238243","title":"The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. ","desc":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth.","descriptions":[{"label":"default","data":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth."},{"label":"check","data":"Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \"action_mail_acct\" keyword is not set to an accounts for security personnel, the\n\"action_mail_acct\" keyword is missing, or the returned line is commented out, this is a\nfinding."},{"label":"fix","data":"Configure \"auditd\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \"/etc/audit/auditd.conf\" to ensure administrators\nare notified via email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \"administrator_account\" to an account for\nsecurity personnel.\n\nRestart the \"auditd\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000046-GPOS-00022 ","gid":"V-238243 ","rid":"SV-238243r653904_rule ","stig_id":"UBTU-20-010117 ","fix_id":"F-41412r653903_fix ","cci":["CCI-000139"],"nist":["AU-5 a"]},"code":"control 'SV-238243' do\n title \"The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. \"\n desc \"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth. \"\n desc 'check', \"Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \\\"action_mail_acct\\\" keyword is not set to an accounts for security personnel, the\n\\\"action_mail_acct\\\" keyword is missing, or the returned line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure \\\"auditd\\\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \\\"/etc/audit/auditd.conf\\\" to ensure administrators\nare notified via email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \\\"administrator_account\\\" to an account for\nsecurity personnel.\n\nRestart the \\\"auditd\\\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000046-GPOS-00022 '\n tag gid: 'V-238243 '\n tag rid: 'SV-238243r653904_rule '\n tag stig_id: 'UBTU-20-010117 '\n tag fix_id: 'F-41412r653903_fix '\n tag cci: ['CCI-000139']\n tag nist: ['AU-5 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n action_mail_acct = auditd_conf.action_mail_acct\n security_accounts = input('action_mail_acct')\n\n describe 'System Administrator (SA) and Information System Security Officer (ISSO) are notified in the event of an audit processing failure' do\n subject { security_accounts }\n it { should cmp action_mail_acct }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238243.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238244","title":"The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). ","desc":"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server.","descriptions":[{"label":"default","data":"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server."},{"label":"check","data":"Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\"disk_full_action\" option is not \"SYSLOG\", \"SINGLE\", or \"HALT\", or the line is commented\nout, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \"disk_full_action\" can be set to \"SYSLOG\", \"HALT\" or \"SINGLE\") in\n\"/etc/audit/auditd.conf\" file:\n\ndisk_full_action = HALT\n\nRestart the \"auditd\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000047-GPOS-00023 ","gid":"V-238244 ","rid":"SV-238244r653907_rule ","stig_id":"UBTU-20-010118 ","fix_id":"F-41413r653906_fix ","cci":["CCI-000140"],"nist":["AU-5 b"]},"code":"control 'SV-238244' do\n title \"The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). \"\n desc \"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server. \"\n desc 'check', \"Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\\\"disk_full_action\\\" option is not \\\"SYSLOG\\\", \\\"SINGLE\\\", or \\\"HALT\\\", or the line is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \\\"disk_full_action\\\" can be set to \\\"SYSLOG\\\", \\\"HALT\\\" or \\\"SINGLE\\\") in\n\\\"/etc/audit/auditd.conf\\\" file:\n\ndisk_full_action = HALT\n\nRestart the \\\"auditd\\\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000047-GPOS-00023 '\n tag gid: 'V-238244 '\n tag rid: 'SV-238244r653907_rule '\n tag stig_id: 'UBTU-20-010118 '\n tag fix_id: 'F-41413r653906_fix '\n tag cci: ['CCI-000140']\n tag nist: ['AU-5 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe auditd_conf do\n its('disk_full_action') { should_not be_empty }\n its('disk_full_action') { should cmp(/(?:SYSLOG|SINGLE|HALT)/i) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238244.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238245","title":"The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. ","desc":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.","descriptions":[{"label":"default","data":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity."},{"label":"check","data":"Verify that the audit log files have a mode of \"0600\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \"0600\" or\nless by using the following command:\n\n$ sudo stat -c \"%n %a\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\"0600\", this is a finding."},{"label":"fix","data":"Configure the audit log files to have a mode of \"0600\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \"0600\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000057-GPOS-00027 ","satisfies":["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028"],"gid":"V-238245 ","rid":"SV-238245r653910_rule ","stig_id":"UBTU-20-010122 ","fix_id":"F-41414r653909_fix ","cci":["CCI-000162","CCI-000163"],"nist":["AU-9 a"]},"code":"control 'SV-238245' do\n title \"The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify that the audit log files have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \\\"0600\\\" or\nless by using the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\\\"0600\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log files to have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \\\"0600\\\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028)\n tag gid: 'V-238245 '\n tag rid: 'SV-238245r653910_rule '\n tag stig_id: 'UBTU-20-010122 '\n tag fix_id: 'F-41414r653909_fix '\n tag cci: %w(CCI-000162 CCI-000163)\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n it { should_not be_more_permissive_than('0600') }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238245.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238246","title":"The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. ","desc":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.","descriptions":[{"label":"default","data":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity."},{"label":"check","data":"Verify the audit log files are owned by \"root\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \"root\" user by using the following\ncommand:\n\n$ sudo stat -c \"%n %U\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \"root\", this is a finding."},{"label":"fix","data":"Configure the audit log directory and its underlying files to be owned by \"root\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \"root\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000057-GPOS-00027 ","satisfies":["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028","SRG-OS-000059-GPOS-00029"],"gid":"V-238246 ","rid":"SV-238246r653913_rule ","stig_id":"UBTU-20-010123 ","fix_id":"F-41415r653912_fix ","cci":["CCI-000162"],"nist":["AU-9 a"]},"code":"control 'SV-238246' do\n title \"The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the audit log files are owned by \\\"root\\\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \\\"root\\\" user by using the following\ncommand:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \\\"root\\\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238246 '\n tag rid: 'SV-238246r653913_rule '\n tag stig_id: 'UBTU-20-010123 '\n tag fix_id: 'F-41415r653912_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('owner') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238246.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":7.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238247","title":"The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. ","desc":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.","descriptions":[{"label":"default","data":"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity."},{"label":"check","data":"Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \"log_group\" parameter is other than \"root\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \"root\" group by using the following command:\n$ sudo stat -c \"%n %G\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\"root\", this is a finding."},{"label":"fix","data":"Configure the audit log directory and its underlying files to be owned by \"root\" group.\n\nSet\nthe \"log_group\" parameter of the audit configuration file to the \"root\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000057-GPOS-00027 ","satisfies":["SRG-OS-000057-GPOS-00027","SRG-OS-000058-GPOS-00028","SRG-OS-000059-GPOS-00029"],"gid":"V-238247 ","rid":"SV-238247r832947_rule ","stig_id":"UBTU-20-010124 ","fix_id":"F-41416r832946_fix ","cci":["CCI-000162"],"nist":["AU-9 a"]},"code":"control 'SV-238247' do\n title \"The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \\\"log_group\\\" parameter is other than \\\"root\\\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \\\"root\\\" group by using the following command:\n$ sudo stat -c \\\"%n %G\\\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" group.\n\nSet\nthe \\\"log_group\\\" parameter of the audit configuration file to the \\\"root\\\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238247 '\n tag rid: 'SV-238247r832947_rule '\n tag stig_id: 'UBTU-20-010124 '\n tag fix_id: 'F-41416r832946_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('group') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238247.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238248","title":"The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. ","desc":"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity.","descriptions":[{"label":"default","data":"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity."},{"label":"check","data":"Verify that the audit log directory has a mode of \"0750\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \"0750\" or less by\nusing the following command:\n\n$ sudo stat -c \"%n %a\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \"0750\", this is a finding."},{"label":"fix","data":"Configure the audit log directory to have a mode of \"0750\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\"0750\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000059-GPOS-00029 ","gid":"V-238248 ","rid":"SV-238248r653919_rule ","stig_id":"UBTU-20-010128 ","fix_id":"F-41417r653918_fix ","cci":["CCI-000164"],"nist":["AU-9 a"]},"code":"control 'SV-238248' do\n title \"The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. \"\n desc \"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity. \"\n desc 'check', \"Verify that the audit log directory has a mode of \\\"0750\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \\\"0750\\\" or less by\nusing the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \\\"0750\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory to have a mode of \\\"0750\\\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\\\"0750\\\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000059-GPOS-00029 '\n tag gid: 'V-238248 '\n tag rid: 'SV-238248r653919_rule '\n tag stig_id: 'UBTU-20-010128 '\n tag fix_id: 'F-41417r653918_fix '\n tag cci: ['CCI-000164']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n if log_dir_exists\n describe directory(File.dirname(log_file)) do\n it { should_not be_more_permissive_than('0750') }\n end\n else\n describe('Audit directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238248.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238249","title":"The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. ","desc":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one."},{"label":"check","data":"Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files have a mode of \"0640\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\"/etc/audit/audit.rule\",\"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nhave a mode more permissive than \"0640\", this is a finding."},{"label":"fix","data":"Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files to have a mode of \"0640\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000063-GPOS-00032 ","gid":"V-238249 ","rid":"SV-238249r653922_rule ","stig_id":"UBTU-20-010133 ","fix_id":"F-41418r653921_fix ","cci":["CCI-000171"],"nist":["AU-12 b"]},"code":"control 'SV-238249' do\n title \"The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files have a mode of \\\"0640\\\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\\\"/etc/audit/audit.rule\\\",\\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nhave a mode more permissive than \\\"0640\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to have a mode of \\\"0640\\\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238249 '\n tag rid: 'SV-238249r653922_rule '\n tag stig_id: 'UBTU-20-010133 '\n tag fix_id: 'F-41418r653921_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n it { should_not be_more_permissive_than('0640') }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238249.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238250","title":"The Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. ","desc":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one."},{"label":"check","data":"Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and\n\"/etc/audit/auditd.conf\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nis owned by a user other than \"root\", this is a finding."},{"label":"fix","data":"Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\" and\n\"/etc/audit/auditd.conf\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000063-GPOS-00032 ","gid":"V-238250 ","rid":"SV-238250r653925_rule ","stig_id":"UBTU-20-010134 ","fix_id":"F-41419r653924_fix ","cci":["CCI-000171"],"nist":["AU-12 b"]},"code":"control 'SV-238250' do\n title \"The Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238250 '\n tag rid: 'SV-238250r653925_rule '\n tag stig_id: 'UBTU-20-010134 '\n tag fix_id: 'F-41419r653924_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238250.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238251","title":"The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. ","desc":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one."},{"label":"check","data":"Verify that \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", or \"/etc/audit/auditd.conf\" file\nis owned by a group other than \"root\", this is a finding."},{"label":"fix","data":"Configure \"/etc/audit/audit.rules\", \"/etc/audit/rules.d/*\", and\n\"/etc/audit/auditd.conf\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000063-GPOS-00032 ","gid":"V-238251 ","rid":"SV-238251r653928_rule ","stig_id":"UBTU-20-010135 ","fix_id":"F-41420r653927_fix ","cci":["CCI-000171"],"nist":["AU-12 b"]},"code":"control 'SV-238251' do\n title \"The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a group other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238251 '\n tag rid: 'SV-238251r653928_rule '\n tag stig_id: 'UBTU-20-010135 '\n tag fix_id: 'F-41420r653927_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238251.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238252","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"su\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x -F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \"-k\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \"su\" command occur.\n\nAdd or update the\nfollowing rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238252 ","rid":"SV-238252r653931_rule ","stig_id":"UBTU-20-010136 ","fix_id":"F-41421r653930_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238252' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"su\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x -F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \\\"su\\\" command occur.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238252 '\n tag rid: 'SV-238252r653931_rule '\n tag stig_id: 'UBTU-20-010136 '\n tag fix_id: 'F-41421r653930_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/su'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238252.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238253","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"chfn\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"chfn\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238253 ","rid":"SV-238253r653934_rule ","stig_id":"UBTU-20-010137 ","fix_id":"F-41422r653933_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238253' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"chfn\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chfn\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238253 '\n tag rid: 'SV-238253r653934_rule '\n tag stig_id: 'UBTU-20-010137 '\n tag fix_id: 'F-41422r653933_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chfn'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238253.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238254","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \"mount\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"mount\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238254 ","rid":"SV-238254r653937_rule ","stig_id":"UBTU-20-010138 ","fix_id":"F-41423r653936_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238254' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"mount\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"mount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238254 '\n tag rid: 'SV-238254r653937_rule '\n tag stig_id: 'UBTU-20-010138 '\n tag fix_id: 'F-41423r653936_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/mount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238254.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238255","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \"umount\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"umount\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238255 ","rid":"SV-238255r653940_rule ","stig_id":"UBTU-20-010139 ","fix_id":"F-41424r653939_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238255' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \\\"umount\\\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"umount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238255 '\n tag rid: 'SV-238255r653940_rule '\n tag stig_id: 'UBTU-20-010139 '\n tag fix_id: 'F-41424r653939_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/umount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238255.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":7.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238256","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-agent command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"ssh-agent\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep '/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"ssh-agent\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238256 ","rid":"SV-238256r653943_rule ","stig_id":"UBTU-20-010140 ","fix_id":"F-41425r653942_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238256' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-agent command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-agent\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep '/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-agent\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238256 '\n tag rid: 'SV-238256r653943_rule '\n tag stig_id: 'UBTU-20-010140 '\n tag fix_id: 'F-41425r653942_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/ssh-agent'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238256.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238257","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"ssh-keysign\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"ssh-keysign\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238257 ","rid":"SV-238257r653946_rule ","stig_id":"UBTU-20-010141 ","fix_id":"F-41426r653945_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238257' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-keysign\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-keysign\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238257 '\n tag rid: 'SV-238257r653946_rule '\n tag stig_id: 'UBTU-20-010141 '\n tag fix_id: 'F-41426r653945_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/lib/openssh/ssh-keysign'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238257.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238258","title":"The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\",\n\"fremovexattr\", and \"lremovexattr\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \"setxattr\", \"fsetxattr\",\n\"lsetxattr\", \"removexattr\", \"fremovexattr\" and \"lremovexattr\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and\n\"lremovexattr\" system calls.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"],"gid":"V-238258 ","rid":"SV-238258r808474_rule ","stig_id":"UBTU-20-010142 ","fix_id":"F-41427r808473_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238258' do\n title \"The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\",\n\\\"fremovexattr\\\", and \\\"lremovexattr\\\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \\\"setxattr\\\", \\\"fsetxattr\\\",\n\\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\" and \\\"lremovexattr\\\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\", and\n\\\"lremovexattr\\\" system calls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238258 '\n tag rid: 'SV-238258r808474_rule '\n tag stig_id: 'UBTU-20-010142 '\n tag fix_id: 'F-41427r808473_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('setxattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('setxattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238258.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238264","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \"chown\",\n\"fchown\", \"fchownat\", and \"lchown\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nAdd or update the following\nrules in the \"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"],"gid":"V-238264 ","rid":"SV-238264r808477_rule ","stig_id":"UBTU-20-010148 ","fix_id":"F-41433r808476_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238264' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \\\"chown\\\",\n\\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nAdd or update the following\nrules in the \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238264 '\n tag rid: 'SV-238264r808477_rule '\n tag stig_id: 'UBTU-20-010148 '\n tag fix_id: 'F-41433r808476_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chown').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chown').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238264.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238268","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \"chmod\", \"fchmod\" and\n\"fchmodat\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nAdd or update the following rules in\nthe \"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000462-GPOS-00206"],"gid":"V-238268 ","rid":"SV-238268r808480_rule ","stig_id":"UBTU-20-010152 ","fix_id":"F-41437r808479_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238268' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \\\"chmod\\\", \\\"fchmod\\\" and\n\\\"fchmodat\\\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nAdd or update the following rules in\nthe \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238268 '\n tag rid: 'SV-238268r808480_rule '\n tag stig_id: 'UBTU-20-010152 '\n tag fix_id: 'F-41437r808479_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chmod').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chmod').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238268.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238271","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\|truncate\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\"creat\", \"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \"-k\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove."},{"label":"fix","data":"Configure the audit system to generate an audit event for any unsuccessful use of the\"creat\",\n\"open\", \"openat\", \"open_by_handle_at\", \"truncate\", and \"ftruncate\" system calls.\n\nAdd\nor update the following rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000474-GPOS-00219"],"gid":"V-238271 ","rid":"SV-238271r808483_rule ","stig_id":"UBTU-20-010155 ","fix_id":"F-41440r808482_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238271' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\\\|truncate\\\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any unsuccessful use of the\\\"creat\\\",\n\\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" system calls.\n\nAdd\nor update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000474-GPOS-00219)\n tag gid: 'V-238271 '\n tag rid: 'SV-238271r808483_rule '\n tag stig_id: 'UBTU-20-010155 '\n tag fix_id: 'F-41440r808482_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238271.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238277","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"sudo\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"sudo\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238277 ","rid":"SV-238277r654006_rule ","stig_id":"UBTU-20-010161 ","fix_id":"F-41446r654005_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238277' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"sudo\\\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudo\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238277 '\n tag rid: 'SV-238277r654006_rule '\n tag stig_id: 'UBTU-20-010161 '\n tag fix_id: 'F-41446r654005_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudo'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238277.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238278","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"sudoedit\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"sudoedit\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238278 ","rid":"SV-238278r654009_rule ","stig_id":"UBTU-20-010162 ","fix_id":"F-41447r654008_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238278' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"sudoedit\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudoedit\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238278 '\n tag rid: 'SV-238278r654009_rule '\n tag stig_id: 'UBTU-20-010162 '\n tag fix_id: 'F-41447r654008_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudoedit'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238278.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238279","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chsh\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chsh\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238279 ","rid":"SV-238279r654012_rule ","stig_id":"UBTU-20-010163 ","fix_id":"F-41448r654011_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238279' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chsh\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chsh\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238279 '\n tag rid: 'SV-238279r654012_rule '\n tag stig_id: 'UBTU-20-010163 '\n tag fix_id: 'F-41448r654011_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chsh'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238279.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238280","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"newgrp\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"newgrp\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238280 ","rid":"SV-238280r654015_rule ","stig_id":"UBTU-20-010164 ","fix_id":"F-41449r654014_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238280' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"newgrp\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"newgrp\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238280 '\n tag rid: 'SV-238280r654015_rule '\n tag stig_id: 'UBTU-20-010164 '\n tag fix_id: 'F-41449r654014_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/newgrp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238280.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238281","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chcon\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chcon\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238281 ","rid":"SV-238281r654018_rule ","stig_id":"UBTU-20-010165 ","fix_id":"F-41450r654017_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238281' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chcon\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chcon\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238281 '\n tag rid: 'SV-238281r654018_rule '\n tag stig_id: 'UBTU-20-010165 '\n tag fix_id: 'F-41450r654017_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chcon'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238281.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238282","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"apparmor_parser\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"apparmor_parser\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238282 ","rid":"SV-238282r654021_rule ","stig_id":"UBTU-20-010166 ","fix_id":"F-41451r654020_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238282' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"apparmor_parser\\\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"apparmor_parser\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238282 '\n tag rid: 'SV-238282r654021_rule '\n tag stig_id: 'UBTU-20-010166 '\n tag fix_id: 'F-41451r654020_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/apparmor_parser'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238282.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238283","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"setfacl\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"setfacl\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238283 ","rid":"SV-238283r654024_rule ","stig_id":"UBTU-20-010167 ","fix_id":"F-41452r654023_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238283' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setfacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setfacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238283 '\n tag rid: 'SV-238283r654024_rule '\n tag stig_id: 'UBTU-20-010167 '\n tag fix_id: 'F-41452r654023_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/setfacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238283.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238284","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \"chacl\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"chacl\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238284 ","rid":"SV-238284r654027_rule ","stig_id":"UBTU-20-010168 ","fix_id":"F-41453r654026_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238284' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238284 '\n tag rid: 'SV-238284r654027_rule '\n tag stig_id: 'UBTU-20-010168 '\n tag fix_id: 'F-41453r654026_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238284.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238285","title":"The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \"tallylog\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"tallylog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"gid":"V-238285 ","rid":"SV-238285r654030_rule ","stig_id":"UBTU-20-010169 ","fix_id":"F-41454r654029_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238285' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238285 '\n tag rid: 'SV-238285r654030_rule '\n tag stig_id: 'UBTU-20-010169 '\n tag fix_id: 'F-41454r654029_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/tallylog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238285.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238286","title":"The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \"faillog\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"faillog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"gid":"V-238286 ","rid":"SV-238286r654033_rule ","stig_id":"UBTU-20-010170 ","fix_id":"F-41455r654032_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238286' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238286 '\n tag rid: 'SV-238286r654033_rule '\n tag stig_id: 'UBTU-20-010170 '\n tag fix_id: 'F-41455r654032_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/faillog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238286.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238287","title":"The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \"lastlog\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"lastlog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"gid":"V-238287 ","rid":"SV-238287r654036_rule ","stig_id":"UBTU-20-010171 ","fix_id":"F-41456r654035_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238287' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238287 '\n tag rid: 'SV-238287r654036_rule '\n tag stig_id: 'UBTU-20-010171 '\n tag fix_id: 'F-41456r654035_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/lastlog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238287.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238288","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"passwd\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \"key\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"passwd\" command.\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238288 ","rid":"SV-238288r833012_rule ","stig_id":"UBTU-20-010172 ","fix_id":"F-41457r832949_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238288' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"passwd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"key\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"passwd\\\" command.\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238288 '\n tag rid: 'SV-238288r833012_rule '\n tag stig_id: 'UBTU-20-010172 '\n tag fix_id: 'F-41457r832949_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238288.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238289","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the unix_update command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the\n\"unix_update\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"unix_update\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238289 ","rid":"SV-238289r654042_rule ","stig_id":"UBTU-20-010173 ","fix_id":"F-41458r654041_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238289' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the unix_update command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"unix_update\\\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"unix_update\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238289 '\n tag rid: 'SV-238289r654042_rule '\n tag stig_id: 'UBTU-20-010173 '\n tag fix_id: 'F-41458r654041_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/unix_update'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238289.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238290","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"gpasswd\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"gpasswd\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238290 ","rid":"SV-238290r654045_rule ","stig_id":"UBTU-20-010174 ","fix_id":"F-41459r654044_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238290' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"gpasswd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"gpasswd\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238290 '\n tag rid: 'SV-238290r654045_rule '\n tag stig_id: 'UBTU-20-010174 '\n tag fix_id: 'F-41459r654044_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/gpasswd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238290.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238291","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"chage\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"chage\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238291 ","rid":"SV-238291r654048_rule ","stig_id":"UBTU-20-010175 ","fix_id":"F-41460r654047_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238291' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"chage\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chage\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238291 '\n tag rid: 'SV-238291r654048_rule '\n tag stig_id: 'UBTU-20-010175 '\n tag fix_id: 'F-41460r654047_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chage'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238291.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238292","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"usermod\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"usermod\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238292 ","rid":"SV-238292r654051_rule ","stig_id":"UBTU-20-010176 ","fix_id":"F-41461r654050_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238292' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"usermod\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"usermod\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238292 '\n tag rid: 'SV-238292r654051_rule '\n tag stig_id: 'UBTU-20-010176 '\n tag fix_id: 'F-41461r654050_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/usermod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238292.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238293","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the \"crontab\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"crontab\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238293 ","rid":"SV-238293r654054_rule ","stig_id":"UBTU-20-010177 ","fix_id":"F-41462r654053_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238293' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"crontab\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"crontab\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238293 '\n tag rid: 'SV-238293r654054_rule '\n tag stig_id: 'UBTU-20-010177 '\n tag fix_id: 'F-41462r654053_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/crontab'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238293.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238294","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify that an audit event is generated for any successful/unsuccessful use of the\n\"pam_timestamp_check\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"pam_timestamp_check\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","gid":"V-238294 ","rid":"SV-238294r654057_rule ","stig_id":"UBTU-20-010178 ","fix_id":"F-41463r654056_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238294' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"pam_timestamp_check\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"pam_timestamp_check\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238294 '\n tag rid: 'SV-238294r654057_rule '\n tag stig_id: 'UBTU-20-010178 '\n tag fix_id: 'F-41463r654056_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/pam_timestamp_check'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238294.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238295","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \"init_module\" and \"finit_module\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"init_module\" and \"finit_module\" syscalls.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000064-GPOS-00033","SRG-OS-000471-GPOS-00216"],"gid":"V-238295 ","rid":"SV-238295r808486_rule ","stig_id":"UBTU-20-010179 ","fix_id":"F-41464r808485_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238295' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \\\"init_module\\\" and \\\"finit_module\\\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000471-GPOS-00216)\n tag gid: 'V-238295 '\n tag rid: 'SV-238295r808486_rule '\n tag stig_id: 'UBTU-20-010179 '\n tag fix_id: 'F-41464r808485_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('init_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('init_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238295.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238297","title":"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \"delete_module\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"delete_module\" syscall.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000064-GPOS-00033 ","satisfies":["SRG-OS-000477-GPOS-00222"],"gid":"V-238297 ","rid":"SV-238297r802387_rule ","stig_id":"UBTU-20-010181 ","fix_id":"F-41466r654065_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238297' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"delete_module\\\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"delete_module\\\" syscall.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: ['SRG-OS-000477-GPOS-00222']\n tag gid: 'V-238297 '\n tag rid: 'SV-238297r802387_rule '\n tag stig_id: 'UBTU-20-010181 '\n tag fix_id: 'F-41466r654065_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('delete_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('delete_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238297.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238298","title":"The Ubuntu operating system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. ","desc":"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.","descriptions":[{"label":"default","data":"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system."},{"label":"check","data":"Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \"auditd\" package is not installed, this is a finding.\n\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \"disabled\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \"inactive\",\nthis is a finding."},{"label":"fix","data":"Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000122-GPOS-00063 ","satisfies":["SRG-OS-000122-GPOS-00063","SRG-OS-000037-GPOS-00015","SRG-OS-000038-GPOS-00016","SRG-OS-000039-GPOS-00017","SRG-OS-000040-GPOS-00018","SRG-OS-000041-GPOS-00019","SRG-OS-000042-GPOS-00020","SRG-OS-000042-GPOS-00021","SRG-OS-000051-GPOS-00024","SRG-OS-000054-GPOS-00025","SRG-OS-000062-GPOS-00031","SRG-OS-000337-GPOS-00129","SRG-OS-000348-GPOS-00136","SRG-OS-000349-GPOS-00137","SRG-OS-000350-GPOS-00138","SRG-OS-000351-GPOS-00139","SRG-OS-000352-GPOS-00140","SRG-OS-000353-GPOS-00141","SRG-OS-000354-GPOS-00142","SRG-OS-000475-GPOS-00220"],"gid":"V-238298 ","rid":"SV-238298r853421_rule ","stig_id":"UBTU-20-010182 ","fix_id":"F-41467r654068_fix ","cci":["CCI-000130","CCI-000131","CCI-000132","CCI-000133","CCI-000134","CCI-000135","CCI-000154","CCI-000158","CCI-000169","CCI-000172","CCI-001875","CCI-001876","CCI-001877","CCI-001878","CCI-001879","CCI-001880","CCI-001881","CCI-001882","CCI-001914"],"nist":["AU-3 a","AU-3 b","AU-3 c","AU-3 d","AU-3 e","AU-3 (1)","AU-6 (4)","AU-7 (1)","AU-12 a","AU-12 c","AU-7 a","AU-7 b","AU-12 (3)"]},"code":"control 'SV-238298' do\n title \"The Ubuntu operating system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. \"\n desc \"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.\n\n \"\n desc 'check', \"Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \\\"auditd\\\" package is not installed, this is a finding.\n\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \\\"disabled\\\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \\\"inactive\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000122-GPOS-00063 '\n tag satisfies: %w(SRG-OS-000122-GPOS-00063 SRG-OS-000037-GPOS-00015 SRG-OS-000038-GPOS-00016 SRG-OS-000039-GPOS-00017 SRG-OS-000040-GPOS-00018 SRG-OS-000041-GPOS-00019 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000051-GPOS-00024 SRG-OS-000054-GPOS-00025 SRG-OS-000062-GPOS-00031 SRG-OS-000337-GPOS-00129 SRG-OS-000348-GPOS-00136 SRG-OS-000349-GPOS-00137 SRG-OS-000350-GPOS-00138 SRG-OS-000351-GPOS-00139 SRG-OS-000352-GPOS-00140 SRG-OS-000353-GPOS-00141 SRG-OS-000354-GPOS-00142 SRG-OS-000475-GPOS-00220)\n tag gid: 'V-238298 '\n tag rid: 'SV-238298r853421_rule '\n tag stig_id: 'UBTU-20-010182 '\n tag fix_id: 'F-41467r654068_fix '\n tag cci: %w(CCI-000130 CCI-000131 CCI-000132 CCI-000133 CCI-000134 CCI-000135 CCI-000154 CCI-000158 CCI-000169 CCI-000172 CCI-001875 CCI-001876 CCI-001877 CCI-001878 CCI-001879 CCI-001880 CCI-001881 CCI-001882 CCI-001914)\n tag nist: ['AU-3 a', 'AU-3 b', 'AU-3 c', 'AU-3 d', 'AU-3 e', 'AU-3 (1)', 'AU-6 (4)', 'AU-7 (1)', 'AU-12 a', 'AU-12 c', 'AU-7 a', 'AU-7 b', 'AU-12 (3)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('auditd') do\n it { should be_installed }\n end\n describe service('auditd') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238298.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238299","title":"The Ubuntu operating system must initiate session audits at system start-up. ","desc":"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created.","descriptions":[{"label":"default","data":"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created."},{"label":"check","data":"Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \"^\\s*linux\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \"audit=1\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\"/etc/default/grub\" file and add \"audit=1\" to the \"GRUB_CMDLINE_LINUX\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000254-GPOS-00095 ","gid":"V-238299 ","rid":"SV-238299r654072_rule ","stig_id":"UBTU-20-010198 ","fix_id":"F-41468r654071_fix ","cci":["CCI-001464"],"nist":["AU-14 (1)"]},"code":"control 'SV-238299' do\n title 'The Ubuntu operating system must initiate session audits at system start-up. '\n desc \"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created. \"\n desc 'check', \"Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \\\"^\\\\s*linux\\\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \\\"audit=1\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\\\"/etc/default/grub\\\" file and add \\\"audit=1\\\" to the \\\"GRUB_CMDLINE_LINUX\\\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000254-GPOS-00095 '\n tag gid: 'V-238299 '\n tag rid: 'SV-238299r654072_rule '\n tag stig_id: 'UBTU-20-010198 '\n tag fix_id: 'F-41468r654071_fix '\n tag cci: ['CCI-001464']\n tag nist: ['AU-14 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n grub_entries = command('grep \"^\\s*linux\" /boot/grub/grub.cfg').stdout.strip.split(\"\\n\").entries\n\n grub_entries.each do |entry|\n describe entry do\n it { should include 'audit=1' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238299.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238300","title":"The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the Ubuntu operating system configures the audit tools to have a file permission of\n0755 or less to prevent unauthorized access by running the following command:\n\n$ stat -c \"%n\n%a\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl 755\n/sbin/aureport 755\n\n/sbin/ausearch 755\n/sbin/autrace 755\n/sbin/auditd 755\n/sbin/audispd 755\n\n/sbin/augenrules 755\n\nIf any of the audit tools have a mode more permissive than 0755, this\nis a finding."},{"label":"fix","data":"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n$ sudo chmod\n0755 [audit_tool]\n\nReplace \"[audit_tool]\" with the audit tool that does not have the\ncorrect permissions."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000256-GPOS-00097 ","satisfies":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"],"gid":"V-238300 ","rid":"SV-238300r654075_rule ","stig_id":"UBTU-20-010199 ","fix_id":"F-41469r654074_fix ","cci":["CCI-001493","CCI-001494"],"nist":["AU-9 a","AU-9"]},"code":"control 'SV-238300' do\n title 'The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to have a file permission of\n0755 or less to prevent unauthorized access by running the following command:\n\n$ stat -c \\\"%n\n%a\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl 755\n/sbin/aureport 755\n\n/sbin/ausearch 755\n/sbin/autrace 755\n/sbin/auditd 755\n/sbin/audispd 755\n\n/sbin/augenrules 755\n\nIf any of the audit tools have a mode more permissive than 0755, this\nis a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n$ sudo chmod\n0755 [audit_tool]\n\nReplace \\\"[audit_tool]\\\" with the audit tool that does not have the\ncorrect permissions. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238300 '\n tag rid: 'SV-238300r654075_rule '\n tag stig_id: 'UBTU-20-010199 '\n tag fix_id: 'F-41469r654074_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238300.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238301","title":"The Ubuntu operating system must configure audit tools to be owned by root. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\"%n %U\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding."},{"label":"fix","data":"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not owned by root."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000256-GPOS-00097 ","satisfies":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"],"gid":"V-238301 ","rid":"SV-238301r654078_rule ","stig_id":"UBTU-20-010200 ","fix_id":"F-41470r654077_fix ","cci":["CCI-001493","CCI-001494"],"nist":["AU-9 a","AU-9"]},"code":"control 'SV-238301' do\n title 'The Ubuntu operating system must configure audit tools to be owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\\\"%n %U\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238301 '\n tag rid: 'SV-238301r654078_rule '\n tag stig_id: 'UBTU-20-010200 '\n tag fix_id: 'F-41470r654077_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238301.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238302","title":"The Ubuntu operating system must configure the audit tools to be group-owned by root. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \"%n %G\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding."},{"label":"fix","data":"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not group-owned by root."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000256-GPOS-00097 ","satisfies":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098"],"gid":"V-238302 ","rid":"SV-238302r654081_rule ","stig_id":"UBTU-20-010201 ","fix_id":"F-41471r654080_fix ","cci":["CCI-001493","CCI-001494"],"nist":["AU-9 a","AU-9"]},"code":"control 'SV-238302' do\n title 'The Ubuntu operating system must configure the audit tools to be group-owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \\\"%n %G\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not group-owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238302 '\n tag rid: 'SV-238302r654081_rule '\n tag stig_id: 'UBTU-20-010201 '\n tag fix_id: 'F-41471r654080_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238302.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238303","title":"The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. ","desc":"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles.","descriptions":[{"label":"default","data":"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\/sbin\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding."},{"label":"fix","data":"Add or update the following selection lines for \"/etc/aide/aide.conf\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000278-GPOS-00108 ","gid":"V-238303 ","rid":"SV-238303r654084_rule ","stig_id":"UBTU-20-010205 ","fix_id":"F-41472r654083_fix ","cci":["CCI-001496"],"nist":["AU-9 (3)"]},"code":"control 'SV-238303' do\n title \"The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. \"\n desc \"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\\\/sbin\\\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding. \"\n desc 'fix', \"Add or update the following selection lines for \\\"/etc/aide/aide.conf\\\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000278-GPOS-00108 '\n tag gid: 'V-238303 '\n tag rid: 'SV-238303r654084_rule '\n tag stig_id: 'UBTU-20-010205 '\n tag fix_id: 'F-41472r654083_fix '\n tag cci: ['CCI-001496']\n tag nist: ['AU-9 (3)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n aide_conf = aide_conf input('aide_conf_path')\n\n aide_conf_exists = aide_conf.exist?\n\n if aide_conf_exists\n describe aide_conf.where { selection_line == '/sbin/auditctl' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/auditd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/ausearch' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/aureport' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/autrace' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/audispd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/augenrules' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n else\n describe 'aide.conf file exists' do\n subject { aide_conf_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238303.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238304","title":"The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. ","desc":"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.","descriptions":[{"label":"default","data":"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review."},{"label":"check","data":"Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \"execve\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000326-GPOS-00126 ","satisfies":["SRG-OS-000326-GPOS-00126","SRG-OS-000327-GPOS-00127"],"gid":"V-238304 ","rid":"SV-238304r853422_rule ","stig_id":"UBTU-20-010211 ","fix_id":"F-41473r654086_fix ","cci":["CCI-002233","CCI-002234"],"nist":["AC-6 (8)","AC-6 (9)"]},"code":"control 'SV-238304' do\n title \"The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. \"\n desc \"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \\\"execve\\\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000326-GPOS-00126 '\n tag satisfies: %w(SRG-OS-000326-GPOS-00126 SRG-OS-000327-GPOS-00127)\n tag gid: 'V-238304 '\n tag rid: 'SV-238304r853422_rule '\n tag stig_id: 'UBTU-20-010211 '\n tag fix_id: 'F-41473r654086_fix '\n tag cci: %w(CCI-002233 CCI-002234)\n tag nist: ['AC-6 (8)', 'AC-6 (9)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('execve').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('execve').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238304.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238305","title":"The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. ","desc":"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system.","descriptions":[{"label":"default","data":"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system."},{"label":"check","data":"Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \"/var/log/audit/\") with the following command:\n\n$\nsudo df –h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\"/var/log/audit\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du –sh [audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding."},{"label":"fix","data":"Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \"parted\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\s*=\\s*).*@\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint."}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000341-GPOS-00132 ","gid":"V-238305 ","rid":"SV-238305r853423_rule ","stig_id":"UBTU-20-010215 ","fix_id":"F-41474r654089_fix ","cci":["CCI-001849"],"nist":["AU-4"]},"code":"control 'SV-238305' do\n title \"The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. \"\n desc \"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system. \"\n desc 'check', \"Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \\\"/var/log/audit/\\\") with the following command:\n\n$\nsudo df –h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\\\"/var/log/audit\\\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du –sh [audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding. \"\n desc 'fix', \"Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \\\"parted\\\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\\\s*=\\\\s*).*@\\\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000341-GPOS-00132 '\n tag gid: 'V-238305 '\n tag rid: 'SV-238305r853423_rule '\n tag stig_id: 'UBTU-20-010215 '\n tag fix_id: 'F-41474r654089_fix '\n tag cci: ['CCI-001849']\n tag nist: ['AU-4']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n log_file_dir = File.dirname(log_file)\n available_storage = filesystem(log_file_dir).free_kb\n log_file_size = file(log_file).size\n standard_audit_log_size = input('standard_audit_log_size')\n describe('Current audit log file size is less than the specified standard of ' + standard_audit_log_size.to_s) do\n subject { log_file_size.to_i }\n it { should be <= standard_audit_log_size }\n end\n describe('Available storage for audit log should be more than the defined standard of ' + standard_audit_log_size.to_s) do\n subject { available_storage.to_i }\n it { should be > standard_audit_log_size }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238305.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238306","title":"The Ubuntu operating system audit event multiplexor must be configured to off-load audit\nlogs onto a different system or storage media from the system being audited. ","desc":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity.","descriptions":[{"label":"default","data":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity."},{"label":"check","data":"Verify the audit event multiplexor is configured to offload audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that audisp-remote plugin is\ninstalled:\n\n$ sudo dpkg -s audispd-plugins\n\nIf status is \"not installed\", this is a\nfinding.\n\nCheck that the records are being offloaded to a remote server with the following\ncommand:\n\n$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf\n\"active\" is not set to \"yes\", or the line is commented out, this is a finding.\n\nCheck that\naudisp-remote plugin is configured to send audit logs to a different system:\n\n$ sudo grep -i\n^remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 192.168.122.126\n\nIf\nthe \"remote_server\" parameter is not set, is set with a local address, or is set with an invalid\naddress, this is a finding."},{"label":"fix","data":"Configure the audit event multiplexor to offload audit records to a different system or\nstorage media from the system being audited.\n\nInstall the audisp-remote plugin:\n\n$ sudo\napt-get install audispd-plugins -y\n\nSet the audisp-remote plugin as active by editing the\n\"/etc/audisp/plugins.d/au-remote.conf\" file:\n\n$ sudo sed -i -E\n's/active\\s*=\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf\n\nSet the\naddress of the remote machine by editing the \"/etc/audisp/audisp-remote.conf\" file:\n\n$\nsudo sed -i -E 's/(remote_server\\s*=).*/\\1 <remote addr>/'\n/etc/audisp/audisp-remote.conf\n\nwhere <remote addr> must be substituted by the\naddress of the remote server receiving the audit log.\n\nMake the audit service reload its\nconfiguration files:\n\n$ sudo systemctl restart auditd.service"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000342-GPOS-00133 ","satisfies":["SRG-OS-000342-GPOS-00133","SRG-OS-000479-GPOS-00224"],"gid":"V-238306 ","rid":"SV-238306r853424_rule ","stig_id":"UBTU-20-010216 ","fix_id":"F-41475r654092_fix ","cci":["CCI-001851"],"nist":["AU-4 (1)"]},"code":"control 'SV-238306' do\n title \"The Ubuntu operating system audit event multiplexor must be configured to off-load audit\nlogs onto a different system or storage media from the system being audited. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity.\n\n \"\n desc 'check', \"Verify the audit event multiplexor is configured to offload audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that audisp-remote plugin is\ninstalled:\n\n$ sudo dpkg -s audispd-plugins\n\nIf status is \\\"not installed\\\", this is a\nfinding.\n\nCheck that the records are being offloaded to a remote server with the following\ncommand:\n\n$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf\n\\\"active\\\" is not set to \\\"yes\\\", or the line is commented out, this is a finding.\n\nCheck that\naudisp-remote plugin is configured to send audit logs to a different system:\n\n$ sudo grep -i\n^remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 192.168.122.126\n\nIf\nthe \\\"remote_server\\\" parameter is not set, is set with a local address, or is set with an invalid\naddress, this is a finding. \"\n desc 'fix', \"Configure the audit event multiplexor to offload audit records to a different system or\nstorage media from the system being audited.\n\nInstall the audisp-remote plugin:\n\n$ sudo\napt-get install audispd-plugins -y\n\nSet the audisp-remote plugin as active by editing the\n\\\"/etc/audisp/plugins.d/au-remote.conf\\\" file:\n\n$ sudo sed -i -E\n's/active\\\\s*=\\\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf\n\nSet the\naddress of the remote machine by editing the \\\"/etc/audisp/audisp-remote.conf\\\" file:\n\n$\nsudo sed -i -E 's/(remote_server\\\\s*=).*/\\\\1 <remote addr>/'\n/etc/audisp/audisp-remote.conf\n\nwhere <remote addr> must be substituted by the\naddress of the remote server receiving the audit log.\n\nMake the audit service reload its\nconfiguration files:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000342-GPOS-00133 '\n tag satisfies: %w(SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224)\n tag gid: 'V-238306 '\n tag rid: 'SV-238306r853424_rule '\n tag stig_id: 'UBTU-20-010216 '\n tag fix_id: 'F-41475r654092_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = input('audispremote_config_file')\n config_file_exists = file(config_file).exist?\n audit_sp_remote_server = input('audit_sp_remote_server')\n\n describe package('audispd-plugins') do\n it { should be_installed }\n end\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('active') { should cmp 'yes' }\n its('remote_server') { should cmp audit_sp_remote_server }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238306.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238307","title":"The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. ","desc":"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion.","descriptions":[{"label":"default","data":"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion."},{"label":"check","data":"Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \"space_left\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \"space_left_action\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \"space_left_action\" is set to \"syslog\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\"space_left_action\" is set to \"exec\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \"space_left_action\" is set\nto \"email\", check the value of the \"action_mail_acct\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \"action_mail_acct\" parameter, if missing, defaults to \"root\". If the\n\"action_mail_acct parameter\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available."},{"label":"fix","data":"Edit \"/etc/audit/auditd.conf\" and set the \"space_left_action\" parameter to \"exec\" or\n\"email\".\n\nIf the \"space_left_action\" parameter is set to \"email\", set the\n\"action_mail_acct\" parameter to an email address for the SA and ISSO.\n\nIf the\n\"space_left_action\" parameter is set to \"exec\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \"/etc/audit/auditd.conf\" and set the \"space_left\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity."}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000343-GPOS-00134 ","gid":"V-238307 ","rid":"SV-238307r853425_rule ","stig_id":"UBTU-20-010217 ","fix_id":"F-41476r654095_fix ","cci":["CCI-001855"],"nist":["AU-5 (1)"]},"code":"control 'SV-238307' do\n title \"The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. \"\n desc \"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion. \"\n desc 'check', \"Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \\\"space_left\\\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \\\"space_left_action\\\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \\\"space_left_action\\\" is set to \\\"syslog\\\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\\\"space_left_action\\\" is set to \\\"exec\\\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \\\"space_left_action\\\" is set\nto \\\"email\\\", check the value of the \\\"action_mail_acct\\\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \\\"action_mail_acct\\\" parameter, if missing, defaults to \\\"root\\\". If the\n\\\"action_mail_acct parameter\\\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available. \"\n desc 'fix', \"Edit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left_action\\\" parameter to \\\"exec\\\" or\n\\\"email\\\".\n\nIf the \\\"space_left_action\\\" parameter is set to \\\"email\\\", set the\n\\\"action_mail_acct\\\" parameter to an email address for the SA and ISSO.\n\nIf the\n\\\"space_left_action\\\" parameter is set to \\\"exec\\\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left\\\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000343-GPOS-00134 '\n tag gid: 'V-238307 '\n tag rid: 'SV-238307r853425_rule '\n tag stig_id: 'UBTU-20-010217 '\n tag fix_id: 'F-41476r654095_fix '\n tag cci: ['CCI-001855']\n tag nist: ['AU-5 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n email_to_notify = input('action_mail_acct')\n\n partition_threshold_mb = (filesystem(log_file).size_kb / 1024 * 0.25).to_i\n system_alert_configuration_mb = auditd_conf.space_left.to_i\n\n describe 'The space_left configuration' do\n subject { system_alert_configuration_mb }\n it { should >= partition_threshold_mb }\n end\n describe 'The space_left_action configuration' do\n subject { auditd_conf.space_left_action }\n it { should eq 'email' }\n end\n\n describe 'The action_mail_acct configuration' do\n subject { auditd_conf.action_mail_acct }\n it { should eq email_to_notify }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238307.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238308","title":"The Ubuntu operating system must record time stamps for audit records that can be mapped to\nCoordinated Universal Time (UTC) or Greenwich Mean Time (GMT). ","desc":"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.","descriptions":[{"label":"default","data":"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC."},{"label":"check","data":"To verify the time zone is configured to use UTC or GMT, run the following command.\n\n$\ntimedatectl status | grep -i \"time zone\"\nTimezone: UTC (UTC, +0000)\n\nIf \"Timezone\" is not\nset to UTC or GMT, this is a finding."},{"label":"fix","data":"To configure the system time zone to use UTC or GMT, run the following command, replacing\n[ZONE] with UTC or GMT:\n\n$ sudo timedatectl set-timezone [ZONE]"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000359-GPOS-00146 ","gid":"V-238308 ","rid":"SV-238308r853426_rule ","stig_id":"UBTU-20-010230 ","fix_id":"F-41477r654098_fix ","cci":["CCI-001890"],"nist":["AU-8 b"]},"code":"control 'SV-238308' do\n title \"The Ubuntu operating system must record time stamps for audit records that can be mapped to\nCoordinated Universal Time (UTC) or Greenwich Mean Time (GMT). \"\n desc \"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. \"\n desc 'check', \"To verify the time zone is configured to use UTC or GMT, run the following command.\n\n$\ntimedatectl status | grep -i \\\"time zone\\\"\nTimezone: UTC (UTC, +0000)\n\nIf \\\"Timezone\\\" is not\nset to UTC or GMT, this is a finding. \"\n desc 'fix', \"To configure the system time zone to use UTC or GMT, run the following command, replacing\n[ZONE] with UTC or GMT:\n\n$ sudo timedatectl set-timezone [ZONE] \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000359-GPOS-00146 '\n tag gid: 'V-238308 '\n tag rid: 'SV-238308r853426_rule '\n tag stig_id: 'UBTU-20-010230 '\n tag fix_id: 'F-41477r654098_fix '\n tag cci: ['CCI-001890']\n tag nist: ['AU-8 b']\n\n time_zone = command('timedatectl status | grep -i \"time zone\"').stdout.strip\n\n describe time_zone do\n it { should match 'UTC' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238308.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"is expected to match \"UTC\"","run_time":0.00016,"start_time":"2022-12-08T20:52:24-05:00","message":"expected \"\" to match \"UTC\"","resource_class":"Object","resource_params":"[]","resource_id":""}]},{"id":"SV-238309","title":"The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, diagnostic sessions and other system-level access. ","desc":"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.","descriptions":[{"label":"default","data":"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of\nan Ethernet switch."},{"label":"check","data":"Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000392-GPOS-00172 ","satisfies":["SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"gid":"V-238309 ","rid":"SV-238309r853427_rule ","stig_id":"UBTU-20-010244 ","fix_id":"F-41478r654101_fix ","cci":["CCI-000172","CCI-002884"],"nist":["AU-12 c","MA-4 (1) (a)"]},"code":"control 'SV-238309' do\n title \"The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, diagnostic sessions and other system-level access. \"\n desc \"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\\\"ping,\\\" \\\"ls,\\\" \\\"ipconfig,\\\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000392-GPOS-00172 '\n tag satisfies: %w(SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215)\n tag gid: 'V-238309 '\n tag rid: 'SV-238309r853427_rule '\n tag stig_id: 'UBTU-20-010244 '\n tag fix_id: 'F-41478r654101_fix '\n tag cci: %w(CCI-000172 CCI-002884)\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/sudo.log'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238309.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238310","title":"The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\|rename\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \"unlink\",\n\"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \"key\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events for any successful/unsuccessful use of\n\"unlink\", \"unlinkat\", \"rename\", \"renameat\", and \"rmdir\" system calls.\n\nAdd or update the\nfollowing rules in the \"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000468-GPOS-00212 ","gid":"V-238310 ","rid":"SV-238310r832953_rule ","stig_id":"UBTU-20-010267 ","fix_id":"F-41479r832952_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238310' do\n title \"The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible. \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\\\|rename\\\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \\\"unlink\\\",\n\\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \\\"key\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events for any successful/unsuccessful use of\n\\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" system calls.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000468-GPOS-00212 '\n tag gid: 'V-238310 '\n tag rid: 'SV-238310r832953_rule '\n tag stig_id: 'UBTU-20-010267 '\n tag fix_id: 'F-41479r832952_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('unlink').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('unlink').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238310.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238315","title":"The Ubuntu operating system must generate audit records for the /var/log/wtmp file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/log/wtmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/log/wtmp\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000472-GPOS-00217 ","gid":"V-238315 ","rid":"SV-238315r654120_rule ","stig_id":"UBTU-20-010277 ","fix_id":"F-41484r654119_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238315' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238315 '\n tag rid: 'SV-238315r654120_rule '\n tag stig_id: 'UBTU-20-010277 '\n tag fix_id: 'F-41484r654119_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238315.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238316","title":"The Ubuntu operating system must generate audit records for the /var/run/wtmp file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/run/wtmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/run/wtmp\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000472-GPOS-00217 ","gid":"V-238316 ","rid":"SV-238316r654123_rule ","stig_id":"UBTU-20-010278 ","fix_id":"F-41485r654122_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238316' do\n title 'The Ubuntu operating system must generate audit records for the /var/run/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/run/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/run/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238316 '\n tag rid: 'SV-238316r654123_rule '\n tag stig_id: 'UBTU-20-010278 '\n tag fix_id: 'F-41485r654122_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/run/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238316.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238317","title":"The Ubuntu operating system must generate audit records for the /var/log/btmp file. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \"/var/log/btmp\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \"/var/log/btmp file\".\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000472-GPOS-00217 ","gid":"V-238317 ","rid":"SV-238317r654126_rule ","stig_id":"UBTU-20-010279 ","fix_id":"F-41486r654125_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238317' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/btmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/btmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/btmp file\\\".\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238317 '\n tag rid: 'SV-238317r654126_rule '\n tag stig_id: 'UBTU-20-010279 '\n tag fix_id: 'F-41486r654125_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/btmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238317.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238318","title":"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \"modprobe\" by running the following command:\n\n$ sudo auditctl -l | grep\n\"/sbin/modprobe\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \"modprobe\".\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000477-GPOS-00222 ","gid":"V-238318 ","rid":"SV-238318r654129_rule ","stig_id":"UBTU-20-010296 ","fix_id":"F-41487r654128_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238318' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"modprobe\\\" by running the following command:\n\n$ sudo auditctl -l | grep\n\\\"/sbin/modprobe\\\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"modprobe\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238318 '\n tag rid: 'SV-238318r654129_rule '\n tag stig_id: 'UBTU-20-010296 '\n tag fix_id: 'F-41487r654128_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/modprobe'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238318.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":3.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238319","title":"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \"kmod\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \"kmod\".\n\nAdd or update the following rule in the \"/etc/audit/rules.d/stig.rules\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000477-GPOS-00222 ","gid":"V-238319 ","rid":"SV-238319r654132_rule ","stig_id":"UBTU-20-010297 ","fix_id":"F-41488r654131_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238319' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"kmod\\\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"kmod\\\".\n\nAdd or update the following rule in the \\\"/etc/audit/rules.d/stig.rules\\\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238319 '\n tag rid: 'SV-238319r654132_rule '\n tag stig_id: 'UBTU-20-010297 '\n tag fix_id: 'F-41488r654131_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/kmod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238319.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":1.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238320","title":"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. ","desc":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).","descriptions":[{"label":"default","data":"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter)."},{"label":"check","data":"Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \"fdisk\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above."},{"label":"fix","data":"Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \"fdisk\".\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000477-GPOS-00222 ","gid":"V-238320 ","rid":"SV-238320r832956_rule ","stig_id":"UBTU-20-010298 ","fix_id":"F-41489r832955_fix ","cci":["CCI-000172"],"nist":["AU-12 c"]},"code":"control 'SV-238320' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \\\"fdisk\\\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \\\"fdisk\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238320 '\n tag rid: 'SV-238320r832956_rule '\n tag stig_id: 'UBTU-20-010298 '\n tag fix_id: 'F-41489r832955_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/fdisk'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238320.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238321","title":"The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. ","desc":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity.","descriptions":[{"label":"default","data":"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity."},{"label":"check","data":"Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\"/etc/cron.weekly\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding."},{"label":"fix","data":"Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \"/etc/cron.weekly\" directory."}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000479-GPOS-00224 ","gid":"V-238321 ","rid":"SV-238321r853428_rule ","stig_id":"UBTU-20-010300 ","fix_id":"F-41490r654137_fix ","cci":["CCI-001851"],"nist":["AU-4 (1)"]},"code":"control 'SV-238321' do\n title \"The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity. \"\n desc 'check', \"Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\\\"/etc/cron.weekly\\\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding. \"\n desc 'fix', \"Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \\\"/etc/cron.weekly\\\" directory. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000479-GPOS-00224 '\n tag gid: 'V-238321 '\n tag rid: 'SV-238321r853428_rule '\n tag stig_id: 'UBTU-20-010300 '\n tag fix_id: 'F-41490r654137_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n\n cron_file = input('auditoffload_config_file')\n cron_file_exists = file(cron_file).exist?\n\n if cron_file_exists\n describe file(cron_file) do\n its('content') { should_not be_empty }\n end\n else\n describe cron_file + ' exists' do\n subject { cron_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238321.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/cron.weekly/audit-offload exists is expected to equal true","run_time":7.3e-05,"start_time":"2022-12-08T20:52:24-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/cron.weekly/audit-offload exists"}]},{"id":"SV-238323","title":"The Ubuntu operating system must limit the number of concurrent sessions to ten for all\naccounts and/or account types. ","desc":"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system.","descriptions":[{"label":"default","data":"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system."},{"label":"check","data":"Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all\naccounts and/or account types by running the following command:\n\n$ grep maxlogins\n/etc/security/limits.conf | grep -v '^* hard maxlogins'\n\nThe result must contain the\nfollowing line:\n\n* hard maxlogins 10\n\nIf the \"maxlogins\" item is missing or the value is not\nset to 10 or less or is commented out, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all\naccounts and/or account types.\n\nAdd the following line to the top of the\n\"/etc/security/limits.conf\" file:\n\n* hard maxlogins 10"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000027-GPOS-00008 ","gid":"V-238323 ","rid":"SV-238323r654144_rule ","stig_id":"UBTU-20-010400 ","fix_id":"F-41492r654143_fix ","cci":["CCI-000054"],"nist":["AC-10"]},"code":"control 'SV-238323' do\n title \"The Ubuntu operating system must limit the number of concurrent sessions to ten for all\naccounts and/or account types. \"\n desc \"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system. \"\n desc 'check', \"Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all\naccounts and/or account types by running the following command:\n\n$ grep maxlogins\n/etc/security/limits.conf | grep -v '^* hard maxlogins'\n\nThe result must contain the\nfollowing line:\n\n* hard maxlogins 10\n\nIf the \\\"maxlogins\\\" item is missing or the value is not\nset to 10 or less or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all\naccounts and/or account types.\n\nAdd the following line to the top of the\n\\\"/etc/security/limits.conf\\\" file:\n\n* hard maxlogins 10 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000027-GPOS-00008 '\n tag gid: 'V-238323 '\n tag rid: 'SV-238323r654144_rule '\n tag stig_id: 'UBTU-20-010400 '\n tag fix_id: 'F-41492r654143_fix '\n tag cci: ['CCI-000054']\n tag nist: ['AC-10']\n\n describe limits_conf do\n its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238323.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"limits.conf * is expected to include [\"hard\", \"maxlogins\", \"10\"]","run_time":0.000338,"start_time":"2022-12-08T20:52:24-05:00","message":"expected nil to include [\"hard\", \"maxlogins\", \"10\"], but it does not respond to `include?`","resource_class":"limits_conf","resource_params":"[]","resource_id":"/etc/security/limits.conf"}]},{"id":"SV-238324","title":"The Ubuntu operating system must monitor remote access methods. ","desc":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets).","descriptions":[{"label":"default","data":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets)."},{"label":"check","data":"Verify that the Ubuntu operating system monitors all remote access methods.\n\nCheck that\nremote access methods are being logged by running the following command:\n\n$ grep -E -r\n'^(auth,authpriv\\.\\*|daemon\\.\\*)' /etc/rsyslog.*\n\n/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log\n\n/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages\n\nIf \"auth.*\",\n\"authpriv.*\", or \"daemon.*\" are not configured to be logged in at least one of the config\nfiles, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to monitor all remote access methods by adding the\nfollowing lines to the \"/etc/rsyslog.d/50-default.conf\" file:\n\nauth.*,authpriv.*\n/var/log/secure\ndaemon.* /var/log/messages\n\nFor the changes to take effect, restart the\n\"rsyslog\" service with the following command:\n\n$ sudo systemctl restart rsyslog.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000032-GPOS-00013 ","gid":"V-238324 ","rid":"SV-238324r832959_rule ","stig_id":"UBTU-20-010403 ","fix_id":"F-41493r832958_fix ","cci":["CCI-000067"],"nist":["AC-17 (1)"]},"code":"control 'SV-238324' do\n title 'The Ubuntu operating system must monitor remote access methods. '\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify that the Ubuntu operating system monitors all remote access methods.\n\nCheck that\nremote access methods are being logged by running the following command:\n\n$ grep -E -r\n'^(auth,authpriv\\\\.\\\\*|daemon\\\\.\\\\*)' /etc/rsyslog.*\n\n/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log\n\n/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages\n\nIf \\\"auth.*\\\",\n\\\"authpriv.*\\\", or \\\"daemon.*\\\" are not configured to be logged in at least one of the config\nfiles, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to monitor all remote access methods by adding the\nfollowing lines to the \\\"/etc/rsyslog.d/50-default.conf\\\" file:\n\nauth.*,authpriv.*\n/var/log/secure\ndaemon.* /var/log/messages\n\nFor the changes to take effect, restart the\n\\\"rsyslog\\\" service with the following command:\n\n$ sudo systemctl restart rsyslog.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000032-GPOS-00013 '\n tag gid: 'V-238324 '\n tag rid: 'SV-238324r832959_rule '\n tag stig_id: 'UBTU-20-010403 '\n tag fix_id: 'F-41493r832958_fix '\n tag cci: ['CCI-000067']\n tag nist: ['AC-17 (1)']\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*\\t\\s*(.*?)\\s*$/,\n }\n config_file = input('rsyslog_config_file')\n auth_setting = parse_config_file(config_file, options).params['auth,authpriv.*']\n daemon_setting = parse_config_file(config_file, options).params['daemon.notice']\n describe auth_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\n describe daemon_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238324.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"is expected not to be nil","run_time":6.1e-05,"start_time":"2022-12-08T20:52:24-05:00","message":"expected: not nil\n got: nil","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected not to be empty","run_time":0.002672,"start_time":"2022-12-08T20:52:24-05:00","message":"expected nil to respond to `empty?`","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected not to be nil","run_time":7.1e-05,"start_time":"2022-12-08T20:52:24-05:00","message":"expected: not nil\n got: nil","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected not to be empty","run_time":0.002234,"start_time":"2022-12-08T20:52:24-05:00","message":"expected nil to respond to `empty?`","resource_class":"Object","resource_params":"[]","resource_id":""}]},{"id":"SV-238325","title":"The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. ","desc":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.","descriptions":[{"label":"default","data":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised."},{"label":"check","data":"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \"ENCRYPT_METHOD\" does not equal SHA512 or\ngreater, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \"/etc/login.defs\" file and set \"ENCRYPT_METHOD\" to SHA512:\n\n\nENCRYPT_METHOD SHA512"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000120-GPOS-00061 ","gid":"V-238325 ","rid":"SV-238325r654150_rule ","stig_id":"UBTU-20-010404 ","fix_id":"F-41494r654149_fix ","cci":["CCI-000803"],"nist":["IA-7"]},"code":"control 'SV-238325' do\n title \"The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. \"\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \\\"ENCRYPT_METHOD\\\" does not equal SHA512 or\ngreater, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \\\"/etc/login.defs\\\" file and set \\\"ENCRYPT_METHOD\\\" to SHA512:\n\n\nENCRYPT_METHOD SHA512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000120-GPOS-00061 '\n tag gid: 'V-238325 '\n tag rid: 'SV-238325r654150_rule '\n tag stig_id: 'UBTU-20-010404 '\n tag fix_id: 'F-41494r654149_fix '\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n elsif virtualization.system.eql?('docker')\n describe 'Manual test' do\n skip 'This control must be reviewed manually'\n end\n else\n describe login_defs do\n its('ENCRYPT_METHOD') { should eq 'SHA512' }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238325.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"FIPS validation in a container must be reviewed manually","run_time":5.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"FIPS validation in a container must be reviewed manually","resource_class":"Object","resource_params":"[]","resource_id":"FIPS validation in a container must be reviewed manually"}]},{"id":"SV-238326","title":"The Ubuntu operating system must not have the telnet package installed. ","desc":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.","descriptions":[{"label":"default","data":"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised."},{"label":"check","data":"Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding."},{"label":"fix","data":"Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000074-GPOS-00042 ","gid":"V-238326 ","rid":"SV-238326r654153_rule ","stig_id":"UBTU-20-010405 ","fix_id":"F-41495r654152_fix ","cci":["CCI-000197"],"nist":["IA-5 (1) (c)"]},"code":"control 'SV-238326' do\n title 'The Ubuntu operating system must not have the telnet package installed. '\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding. \"\n desc 'fix', \"Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000074-GPOS-00042 '\n tag gid: 'V-238326 '\n tag rid: 'SV-238326r654153_rule '\n tag stig_id: 'UBTU-20-010405 '\n tag fix_id: 'F-41495r654152_fix '\n tag cci: ['CCI-000197']\n tag nist: ['IA-5 (1) (c)']\n\n describe package('telnetd') do\n it { should_not be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238326.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"System Package telnetd is expected not to be installed","run_time":0.042577,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"package","resource_params":"[\"telnetd\"]","resource_id":"telnetd"}]},{"id":"SV-238327","title":"The Ubuntu operating system must not have the rsh-server package installed. ","desc":"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled.","descriptions":[{"label":"default","data":"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled."},{"label":"check","data":"Verify the rsh-server package is installed with the following command:\n\n$ dpkg -l | grep\nrsh-server\n\nIf the rsh-server package is installed, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to disable non-essential capabilities by removing\nthe rsh-server package from the system with the following command:\n\n$ sudo apt-get remove\nrsh-server"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000095-GPOS-00049 ","gid":"V-238327 ","rid":"SV-238327r654156_rule ","stig_id":"UBTU-20-010406 ","fix_id":"F-41496r654155_fix ","cci":["CCI-000381"],"nist":["CM-7 a"]},"code":"control 'SV-238327' do\n title 'The Ubuntu operating system must not have the rsh-server package installed. '\n desc \"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled. \"\n desc 'check', \"Verify the rsh-server package is installed with the following command:\n\n$ dpkg -l | grep\nrsh-server\n\nIf the rsh-server package is installed, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable non-essential capabilities by removing\nthe rsh-server package from the system with the following command:\n\n$ sudo apt-get remove\nrsh-server \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000095-GPOS-00049 '\n tag gid: 'V-238327 '\n tag rid: 'SV-238327r654156_rule '\n tag stig_id: 'UBTU-20-010406 '\n tag fix_id: 'F-41496r654155_fix '\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n\n describe package('rsh-server') do\n it { should_not be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238327.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"System Package rsh-server is expected not to be installed","run_time":0.047464,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"package","resource_params":"[\"rsh-server\"]","resource_id":"rsh-server"}]},{"id":"SV-238328","title":"The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. ","desc":"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues.","descriptions":[{"label":"default","data":"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues."},{"label":"check","data":"Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding."},{"label":"fix","data":"Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \"in\" or \"out\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service>"}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000096-GPOS-00050 ","gid":"V-238328 ","rid":"SV-238328r654159_rule ","stig_id":"UBTU-20-010407 ","fix_id":"F-41497r654158_fix ","cci":["CCI-000382"],"nist":["CM-7 b"]},"code":"control 'SV-238328' do\n title \"The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. \"\n desc \"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding. \"\n desc 'fix', \"Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \\\"in\\\" or \\\"out\\\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000096-GPOS-00050 '\n tag gid: 'V-238328 '\n tag rid: 'SV-238328r654159_rule '\n tag stig_id: 'UBTU-20-010407 '\n tag fix_id: 'F-41497r654158_fix '\n tag cci: ['CCI-000382']\n tag nist: ['CM-7 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n ufw_status = command('ufw status').stdout.strip.lines.first\n value = ufw_status.split(':')[1].strip\n\n describe 'UFW status' do\n subject { value }\n it { should cmp 'active' }\n end\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238328.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":6.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238329","title":"The Ubuntu operating system must prevent direct login into the root account. ","desc":"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge.","descriptions":[{"label":"default","data":"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge."},{"label":"check","data":"Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \"L\" in the second field to indicate the account is locked, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000109-GPOS-00056 ","gid":"V-238329 ","rid":"SV-238329r654162_rule ","stig_id":"UBTU-20-010408 ","fix_id":"F-41498r654161_fix ","cci":["CCI-000770"],"nist":["IA-2 (5)"]},"code":"control 'SV-238329' do\n title 'The Ubuntu operating system must prevent direct login into the root account. '\n desc \"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\\\"root\\\" user account, the Windows \\\"Administrator\\\" account, the \\\"sa\\\" account, or a \\\"helpdesk\\\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge. \"\n desc 'check', \"Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \\\"L\\\" in the second field to indicate the account is locked, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000109-GPOS-00056 '\n tag gid: 'V-238329 '\n tag rid: 'SV-238329r654162_rule '\n tag stig_id: 'UBTU-20-010408 '\n tag fix_id: 'F-41498r654161_fix '\n tag cci: ['CCI-000770']\n tag nist: ['IA-2 (5)']\n\n describe.one do\n describe shadow.where(user: 'root') do\n its('passwords.uniq.first') { should eq '!*' }\n end\n end\n describe command('passwd -S root').stdout.strip do\n it { should match(/^root\\s+L\\s+.*$/) }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238329.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/shadow with user == \"root\" passwords.uniq.first is expected to eq \"!*\"","run_time":0.000277,"start_time":"2022-12-08T20:52:24-05:00","message":"\nexpected: \"!*\"\n got: \"*\"\n\n(compared using ==)\n","exception":"RSpec::Core::MultipleExceptionError","resource_class":"FilterTable::Table","resource_params":"[]","resource_id":""},{"status":"passed","code_desc":"root L 10/18/2022 0 99999 7 -1 is expected to match /^root\\s+L\\s+.*$/","run_time":0.000115,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"root L 10/18/2022 0 99999 7 -1"}]},{"id":"SV-238330","title":"The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. ","desc":"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity.","descriptions":[{"label":"default","data":"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity."},{"label":"check","data":"Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \"INACTIVE\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \"0\" will disable the account immediately after the\npassword expires."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000118-GPOS-00060 ","gid":"V-238330 ","rid":"SV-238330r654165_rule ","stig_id":"UBTU-20-010409 ","fix_id":"F-41499r654164_fix ","cci":["CCI-000795"],"nist":["IA-4 e"]},"code":"control 'SV-238330' do\n title \"The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. \"\n desc \"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity. \"\n desc 'check', \"Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \\\"INACTIVE\\\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \\\"0\\\" will disable the account immediately after the\npassword expires. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000118-GPOS-00060 '\n tag gid: 'V-238330 '\n tag rid: 'SV-238330r654165_rule '\n tag stig_id: 'UBTU-20-010409 '\n tag fix_id: 'F-41499r654164_fix '\n tag cci: ['CCI-000795']\n tag nist: ['IA-4 e']\n\n config_file = input('useradd_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('INACTIVE') { should cmp > '0' }\n its('INACTIVE') { should cmp <= 35 }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238330.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Parse Config File /etc/default/useradd INACTIVE is expected to cmp > \"0\"","run_time":0.000248,"start_time":"2022-12-08T20:52:24-05:00","message":"\nexpected it to be > \"0\"\n got: \n\n(compared using `cmp` matcher)\n","resource_class":"parse_config_file","resource_params":"[\"/etc/default/useradd\"]","resource_id":"/etc/default/useradd"},{"status":"failed","code_desc":"Parse Config File /etc/default/useradd INACTIVE is expected to cmp <= 35","run_time":0.000204,"start_time":"2022-12-08T20:52:24-05:00","message":"\nexpected it to be <= 35\n got: \n\n(compared using `cmp` matcher)\n","resource_class":"parse_config_file","resource_params":"[\"/etc/default/useradd\"]","resource_id":"/etc/default/useradd"}]},{"id":"SV-238331","title":"The Ubuntu operating system must automatically remove or disable emergency accounts after\n72 hours. ","desc":"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts.","descriptions":[{"label":"default","data":"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts."},{"label":"check","data":"Verify the Ubuntu operating system expires emergency accounts within 72 hours or less.\n\nFor\nevery emergency account, run the following command to obtain its account expiration\ninformation:\n\n$ sudo chage -l account_name | grep expires\n\nPassword expires : Aug 07, 2019\n\nAccount expires : Aug 07, 2019\n\nVerify each of these accounts has an expiration date set\nwithin 72 hours of account creation.\n\nIf any of these accounts do not expire within 72 hours of\nthat account's creation, this is a finding."},{"label":"fix","data":"If an emergency account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it. Substitute\n\"account_name\" with the account to be created.\n\n$ sudo chage -E $(date -d \"+3 days\" +%F)\naccount_name"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000123-GPOS-00064 ","gid":"V-238331 ","rid":"SV-238331r654168_rule ","stig_id":"UBTU-20-010410 ","fix_id":"F-41500r654167_fix ","cci":["CCI-001682"],"nist":["AC-2 (2)"]},"code":"control 'SV-238331' do\n title \"The Ubuntu operating system must automatically remove or disable emergency accounts after\n72 hours. \"\n desc \"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts. \"\n desc 'check', \"Verify the Ubuntu operating system expires emergency accounts within 72 hours or less.\n\nFor\nevery emergency account, run the following command to obtain its account expiration\ninformation:\n\n$ sudo chage -l account_name | grep expires\n\nPassword expires : Aug 07, 2019\n\nAccount expires : Aug 07, 2019\n\nVerify each of these accounts has an expiration date set\nwithin 72 hours of account creation.\n\nIf any of these accounts do not expire within 72 hours of\nthat account's creation, this is a finding. \"\n desc 'fix', \"If an emergency account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it. Substitute\n\\\"account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\" +%F)\naccount_name \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000123-GPOS-00064 '\n tag gid: 'V-238331 '\n tag rid: 'SV-238331r654168_rule '\n tag stig_id: 'UBTU-20-010410 '\n tag fix_id: 'F-41500r654167_fix '\n tag cci: ['CCI-001682']\n tag nist: ['AC-2 (2)']\n\n describe 'Manual verification required' do\n skip 'Manually verify if emergency account must be created\n the system must terminate the account after a 72 hour time period.'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238331.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Manual verification required","run_time":5.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Manually verify if emergency account must be created\n the system must terminate the account after a 72 hour time period.","resource_class":"Object","resource_params":"[]","resource_id":"Manual verification required"}]},{"id":"SV-238332","title":"The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. ","desc":"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components.","descriptions":[{"label":"default","data":"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components."},{"label":"check","data":"Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding."},{"label":"fix","data":"Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \"[Public Directory]\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000138-GPOS-00069 ","gid":"V-238332 ","rid":"SV-238332r654171_rule ","stig_id":"UBTU-20-010411 ","fix_id":"F-41501r654170_fix ","cci":["CCI-001090"],"nist":["SC-4"]},"code":"control 'SV-238332' do\n title \"The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. \"\n desc \"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components. \"\n desc 'check', \"Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding. \"\n desc 'fix', \"Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \\\"[Public Directory]\\\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000138-GPOS-00069 '\n tag gid: 'V-238332 '\n tag rid: 'SV-238332r654171_rule '\n tag stig_id: 'UBTU-20-010411 '\n tag fix_id: 'F-41501r654170_fix '\n tag cci: ['CCI-001090']\n tag nist: ['SC-4']\n\n lines = command('find / -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null').stdout.strip.split(\"\\n\").entries\n if lines.count > 0\n lines.each do |line|\n dir = line.strip\n describe directory(dir) do\n it { should be_sticky }\n end\n end\n else\n describe 'Sticky bit has been set on all world writable directories' do\n subject { lines }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238332.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Sticky bit has been set on all world writable directories count is expected to eq 0","run_time":0.000149,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238333","title":"The Ubuntu operating system must be configured to use TCP syncookies. ","desc":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning.","descriptions":[{"label":"default","data":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning."},{"label":"check","data":"Verify the Ubuntu operating system is configured to use TCP syncookies.\n\nCheck the value of\nTCP syncookies with the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \"1\", this is a finding.\n\nCheck the saved\nvalue of TCP syncookies with the following command:\n\n$ sudo grep -i\nnet.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#'\n\nIf no output is\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to use TCP syncookies by running the following\ncommand:\n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \"1\" is not the system's default\nvalue, add or update the following line in \"/etc/sysctl.conf\":\n\nnet.ipv4.tcp_syncookies\n= 1"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000142-GPOS-00071 ","gid":"V-238333 ","rid":"SV-238333r654174_rule ","stig_id":"UBTU-20-010412 ","fix_id":"F-41502r654173_fix ","cci":["CCI-001095"],"nist":["SC-5 (2)"]},"code":"control 'SV-238333' do\n title 'The Ubuntu operating system must be configured to use TCP syncookies. '\n desc \"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use TCP syncookies.\n\nCheck the value of\nTCP syncookies with the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \\\"1\\\", this is a finding.\n\nCheck the saved\nvalue of TCP syncookies with the following command:\n\n$ sudo grep -i\nnet.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#'\n\nIf no output is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use TCP syncookies by running the following\ncommand:\n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \\\"1\\\" is not the system's default\nvalue, add or update the following line in \\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.tcp_syncookies\n= 1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000142-GPOS-00071 '\n tag gid: 'V-238333 '\n tag rid: 'SV-238333r654174_rule '\n tag stig_id: 'UBTU-20-010412 '\n tag fix_id: 'F-41502r654173_fix '\n tag cci: ['CCI-001095']\n tag nist: ['SC-5 (2)']\n\n describe kernel_parameter('net.ipv4.tcp_syncookies') do\n its('value') { should cmp 1 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238333.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Kernel Parameter net.ipv4.tcp_syncookies value is expected to cmp == 1","run_time":0.044232,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"kernel_parameter","resource_params":"[\"net.ipv4.tcp_syncookies\"]","resource_id":"net.ipv4.tcp_syncookies"}]},{"id":"SV-238334","title":"The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state\nif system initialization fails, shutdown fails or aborts fail. ","desc":"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition.","descriptions":[{"label":"default","data":"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition."},{"label":"check","data":"Verify that kernel core dumps are disabled unless needed.\n\nCheck if \"kdump\" service is\nactive with the following command:\n\n$ systemctl is-active kdump.service\ninactive\n\nIf\nthe \"kdump\" service is active, ask the SA if the use of the service is required and documented\nwith the ISSO.\n\nIf the service is active and is not documented, this is a finding."},{"label":"fix","data":"If kernel core dumps are not required, disable the \"kdump\" service with the following\ncommand:\n\n$ sudo systemctl disable kdump.service\n\nIf kernel core dumps are required,\ndocument the need with the ISSO."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000184-GPOS-00078 ","gid":"V-238334 ","rid":"SV-238334r654177_rule ","stig_id":"UBTU-20-010413 ","fix_id":"F-41503r654176_fix ","cci":["CCI-001190"],"nist":["SC-24"]},"code":"control 'SV-238334' do\n title \"The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state\nif system initialization fails, shutdown fails or aborts fail. \"\n desc \"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition. \"\n desc 'check', \"Verify that kernel core dumps are disabled unless needed.\n\nCheck if \\\"kdump\\\" service is\nactive with the following command:\n\n$ systemctl is-active kdump.service\ninactive\n\nIf\nthe \\\"kdump\\\" service is active, ask the SA if the use of the service is required and documented\nwith the ISSO.\n\nIf the service is active and is not documented, this is a finding. \"\n desc 'fix', \"If kernel core dumps are not required, disable the \\\"kdump\\\" service with the following\ncommand:\n\n$ sudo systemctl disable kdump.service\n\nIf kernel core dumps are required,\ndocument the need with the ISSO. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000184-GPOS-00078 '\n tag gid: 'V-238334 '\n tag rid: 'SV-238334r654177_rule '\n tag stig_id: 'UBTU-20-010413 '\n tag fix_id: 'F-41503r654176_fix '\n tag cci: ['CCI-001190']\n tag nist: ['SC-24']\n\n is_kdump_required = input('is_kdump_required')\n if is_kdump_required\n describe service('kdump') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\n else\n describe service('kdump') do\n it { should_not be_enabled }\n it { should_not be_installed }\n it { should_not be_running }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238334.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Service kdump is expected not to be enabled","run_time":0.045535,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"service","resource_params":"[\"kdump\"]","resource_id":"kdump"},{"status":"passed","code_desc":"Service kdump is expected not to be installed","run_time":0.000175,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"service","resource_params":"[\"kdump\"]","resource_id":"kdump"},{"status":"passed","code_desc":"Service kdump is expected not to be running","run_time":6.0e-05,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"service","resource_params":"[\"kdump\"]","resource_id":"kdump"}]},{"id":"SV-238335","title":"Ubuntu operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. ","desc":"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation.","descriptions":[{"label":"default","data":"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation."},{"label":"check","data":"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding."},{"label":"fix","data":"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000185-GPOS-00079 ","gid":"V-238335 ","rid":"SV-238335r654180_rule ","stig_id":"UBTU-20-010414 ","fix_id":"F-41504r654179_fix ","cci":["CCI-001199"],"nist":["SC-28"]},"code":"control 'SV-238335' do\n title \"Ubuntu operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. \"\n desc \"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation. \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000185-GPOS-00079 '\n tag gid: 'V-238335 '\n tag rid: 'SV-238335r654180_rule '\n tag stig_id: 'UBTU-20-010414 '\n tag fix_id: 'F-41504r654179_fix '\n tag cci: ['CCI-001199']\n tag nist: ['SC-28']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238335.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Not Applicable","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Encryption of data at rest is handled by the IaaS","resource_class":"Object","resource_params":"[]","resource_id":"Not Applicable"}]},{"id":"SV-238336","title":"The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention\n(ENSLTP). ","desc":"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement.","descriptions":[{"label":"default","data":"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement."},{"label":"check","data":"The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.\nHowever, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and\nrunning.\n\nCheck that the \"mcafeetp\" package has been installed:\n\n# dpkg -l | grep mcafeetp\n\n\nIf the \"mcafeetp\" package is not installed, this finding will remain as a CAT II.\n\nCheck that\nthe daemon is running:\n\n# /opt/McAfee/ens/tp/init/mfetpd-control.sh status\n\nIf the\ndaemon is not running, this finding will remain as a CAT II."},{"label":"fix","data":"The Ubuntu operating system is not compliant with this requirement; however, the severity\nlevel can be mitigated to a CAT III if the ENSLTP module is installed and running.\n\nConfigure\nthe Ubuntu operating system to use ENSLTP.\n\nInstall the \"mcafeetp\" package via the ePO\nserver."}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000191-GPOS-00080 ","gid":"V-238336 ","rid":"SV-238336r858538_rule ","stig_id":"UBTU-20-010415 ","fix_id":"F-41505r858537_fix ","cci":["CCI-001233"],"nist":["SI-2 (2)"]},"code":"control 'SV-238336' do\n title \"The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention\n(ENSLTP). \"\n desc \"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement. \"\n desc 'check', \"The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.\nHowever, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and\nrunning.\n\nCheck that the \\\"mcafeetp\\\" package has been installed:\n\n# dpkg -l | grep mcafeetp\n\n\nIf the \\\"mcafeetp\\\" package is not installed, this finding will remain as a CAT II.\n\nCheck that\nthe daemon is running:\n\n# /opt/McAfee/ens/tp/init/mfetpd-control.sh status\n\nIf the\ndaemon is not running, this finding will remain as a CAT II. \"\n desc 'fix', \"The Ubuntu operating system is not compliant with this requirement; however, the severity\nlevel can be mitigated to a CAT III if the ENSLTP module is installed and running.\n\nConfigure\nthe Ubuntu operating system to use ENSLTP.\n\nInstall the \\\"mcafeetp\\\" package via the ePO\nserver. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000191-GPOS-00080 '\n tag gid: 'V-238336 '\n tag rid: 'SV-238336r858538_rule '\n tag stig_id: 'UBTU-20-010415 '\n tag fix_id: 'F-41505r858537_fix '\n tag cci: ['CCI-001233']\n tag nist: ['SI-2 (2)']\n\n describe package('mfetp') do\n it { should be_installed }\n end\n\n describe command('/opt/McAfee/ens/tp/init/mfetpd-control.sh status') do\n its('exit_status') { should cmp 0 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238336.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package mfetp is expected to be installed","run_time":0.039688,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `System Package mfetp` is installed","resource_class":"package","resource_params":"[\"mfetp\"]","resource_id":"mfetp"},{"status":"failed","code_desc":"Command: `/opt/McAfee/ens/tp/init/mfetpd-control.sh status` exit_status is expected to cmp == 0","run_time":0.040492,"start_time":"2022-12-08T20:52:24-05:00","message":"\nexpected: 0\n got: 127\n\n(compared using `cmp` matcher)\n","resource_class":"command","resource_params":"[\"/opt/McAfee/ens/tp/init/mfetpd-control.sh status\"]","resource_id":"Command: `/opt/McAfee/ens/tp/init/mfetpd-control.sh status`"}]},{"id":"SV-238337","title":"The Ubuntu operating system must generate error messages that provide information\nnecessary for corrective actions without revealing information that could be exploited by\nadversaries. ","desc":"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers.","descriptions":[{"label":"default","data":"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers."},{"label":"check","data":"Verify the Ubuntu operating system has all system log files under the \"/var/log\" directory\nwith a permission set to 640 or less permissive by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;\n\nIf the command displays any output,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to set permissions of all log files under the\n\"/var/log\" directory to 640 or more restricted by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec chmod 640 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000205-GPOS-00083 ","gid":"V-238337 ","rid":"SV-238337r654186_rule ","stig_id":"UBTU-20-010416 ","fix_id":"F-41506r654185_fix ","cci":["CCI-001312"],"nist":["SI-11 a"]},"code":"control 'SV-238337' do\n title \"The Ubuntu operating system must generate error messages that provide information\nnecessary for corrective actions without revealing information that could be exploited by\nadversaries. \"\n desc \"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers. \"\n desc 'check', \"Verify the Ubuntu operating system has all system log files under the \\\"/var/log\\\" directory\nwith a permission set to 640 or less permissive by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec stat -c \\\"%n %a\\\" {} \\\\;\n\nIf the command displays any output,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to set permissions of all log files under the\n\\\"/var/log\\\" directory to 640 or more restricted by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec chmod 640 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000205-GPOS-00083 '\n tag gid: 'V-238337 '\n tag rid: 'SV-238337r654186_rule '\n tag stig_id: 'UBTU-20-010416 '\n tag fix_id: 'F-41506r654185_fix '\n tag cci: ['CCI-001312']\n tag nist: ['SI-11 a']\n\n log_files = command('find /var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;').stdout.strip.split(\"\\n\").entries\n\n describe 'Number of log files found with a permission NOT set to 640' do\n subject { log_files }\n its('count') { should eq 0 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238337.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Number of log files found with a permission NOT set to 640 count is expected to eq 0","run_time":0.000212,"start_time":"2022-12-08T20:52:24-05:00","message":"\nexpected: 0\n got: 9\n\n(compared using ==)\n","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238338","title":"The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \"%n %G\" /var/log\n/var/log\nsyslog\n\nIf the \"/var/log\" directory is not group-owned by syslog, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have syslog group-own the \"/var/log\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238338 ","rid":"SV-238338r654189_rule ","stig_id":"UBTU-20-010417 ","fix_id":"F-41507r654188_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238338' do\n title \"The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log\n/var/log\nsyslog\n\nIf the \\\"/var/log\\\" directory is not group-owned by syslog, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog group-own the \\\"/var/log\\\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238338 '\n tag rid: 'SV-238338r654189_rule '\n tag stig_id: 'UBTU-20-010417 '\n tag fix_id: 'F-41507r654188_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n its('group') { should cmp 'syslog' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238338.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Directory /var/log group is expected to cmp == \"syslog\"","run_time":0.044615,"start_time":"2022-12-08T20:52:24-05:00","message":"\nexpected: syslog\n got: root\n\n(compared using `cmp` matcher)\n","resource_class":"directory","resource_params":"[\"/var/log\"]","resource_id":"/var/log"}]},{"id":"SV-238339","title":"The Ubuntu operating system must configure the /var/log directory to be owned by root. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify the Ubuntu operating system configures the \"/var/log\" directory to be owned by root\nwith the following command:\n\n$ sudo stat -c \"%n %U\" /var/log\n/var/log root\n\nIf the\n\"/var/log\" directory is not owned by root, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have root own the \"/var/log\" directory by running\nthe following command:\n\n$ sudo chown root /var/log"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238339 ","rid":"SV-238339r654192_rule ","stig_id":"UBTU-20-010418 ","fix_id":"F-41508r654191_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238339' do\n title 'The Ubuntu operating system must configure the /var/log directory to be owned by root. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify the Ubuntu operating system configures the \\\"/var/log\\\" directory to be owned by root\nwith the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log\n/var/log root\n\nIf the\n\\\"/var/log\\\" directory is not owned by root, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have root own the \\\"/var/log\\\" directory by running\nthe following command:\n\n$ sudo chown root /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238339 '\n tag rid: 'SV-238339r654192_rule '\n tag stig_id: 'UBTU-20-010418 '\n tag fix_id: 'F-41508r654191_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n its('owner') { should cmp 'root' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238339.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /var/log owner is expected to cmp == \"root\"","run_time":0.000214,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"directory","resource_params":"[\"/var/log\"]","resource_id":"/var/log"}]},{"id":"SV-238340","title":"The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less\npermissive. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log\" directory with a mode of\n750 or less permissive with the following command:\n\n$ stat -c \"%n %a\" /var/log\n\n/var/log 750\n\n\nIf a value of \"750\" or less permissive is not returned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have permissions of 0750 for the \"/var/log\"\ndirectory by running the following command:\n\n$ sudo chmod 0750 /var/log"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238340 ","rid":"SV-238340r654195_rule ","stig_id":"UBTU-20-010419 ","fix_id":"F-41509r654194_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238340' do\n title \"The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory with a mode of\n750 or less permissive with the following command:\n\n$ stat -c \\\"%n %a\\\" /var/log\n\n/var/log 750\n\n\nIf a value of \\\"750\\\" or less permissive is not returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0750 for the \\\"/var/log\\\"\ndirectory by running the following command:\n\n$ sudo chmod 0750 /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238340 '\n tag rid: 'SV-238340r654195_rule '\n tag stig_id: 'UBTU-20-010419 '\n tag fix_id: 'F-41509r654194_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n it { should_not be_more_permissive_than('0750') }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238340.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Directory /var/log is expected not to be more permissive than \"0750\"","run_time":0.054599,"start_time":"2022-12-08T20:52:24-05:00","message":"expected `Directory /var/log.more_permissive_than?(\"0750\")` to be falsey, got true","resource_class":"directory","resource_params":"[\"/var/log\"]","resource_id":"/var/log"}]},{"id":"SV-238341","title":"The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by\nadm. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be\ngroup-owned by adm with the following command:\n\n$ sudo stat -c \"%n %G\" /var/log/syslog\n\n/var/log/syslog adm\n\nIf the \"/var/log/syslog\" file is not group-owned by adm, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to have adm group-own the \"/var/log/syslog\" file by\nrunning the following command:\n\n$ sudo chgrp adm /var/log/syslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238341 ","rid":"SV-238341r654198_rule ","stig_id":"UBTU-20-010420 ","fix_id":"F-41510r654197_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238341' do\n title \"The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by\nadm. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be\ngroup-owned by adm with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log/syslog\n\n/var/log/syslog adm\n\nIf the \\\"/var/log/syslog\\\" file is not group-owned by adm, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have adm group-own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chgrp adm /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238341 '\n tag rid: 'SV-238341r654198_rule '\n tag stig_id: 'UBTU-20-010420 '\n tag fix_id: 'F-41510r654197_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n its('group') { should cmp 'adm' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238341.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /var/log/syslog group is expected to cmp == \"adm\"","run_time":0.038267,"start_time":"2022-12-08T20:52:24-05:00","message":"\nexpected: adm\n got: \n\n(compared using `cmp` matcher)\n","resource_class":"file","resource_params":"[\"/var/log/syslog\"]","resource_id":"/var/log/syslog"}]},{"id":"SV-238342","title":"The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \"%n %U\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \"/var/log/syslog\" file is not owned by syslog, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to have syslog own the \"/var/log/syslog\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238342 ","rid":"SV-238342r654201_rule ","stig_id":"UBTU-20-010421 ","fix_id":"F-41511r654200_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238342' do\n title 'The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \\\"/var/log/syslog\\\" file is not owned by syslog, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238342 '\n tag rid: 'SV-238342r654201_rule '\n tag stig_id: 'UBTU-20-010421 '\n tag fix_id: 'F-41511r654200_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n its('owner') { should cmp 'syslog' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238342.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /var/log/syslog owner is expected to cmp == \"syslog\"","run_time":0.00032,"start_time":"2022-12-08T20:52:24-05:00","message":"\nexpected: syslog\n got: \n\n(compared using `cmp` matcher)\n","resource_class":"file","resource_params":"[\"/var/log/syslog\"]","resource_id":"/var/log/syslog"}]},{"id":"SV-238343","title":"The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less\npermissive. ","desc":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.","descriptions":[{"label":"default","data":"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements."},{"label":"check","data":"Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file with mode\n0640 or less permissive by running the following command:\n\n$ sudo stat -c \"%n %a\"\n/var/log/syslog\n\n/var/log/syslog 640\n\nIf a value of \"640\" or less permissive is not\nreturned, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to have permissions of 0640 for the \"/var/log/syslog\"\nfile by running the following command:\n\n$ sudo chmod 0640 /var/log/syslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000206-GPOS-00084 ","gid":"V-238343 ","rid":"SV-238343r654204_rule ","stig_id":"UBTU-20-010422 ","fix_id":"F-41512r654203_fix ","cci":["CCI-001314"],"nist":["SI-11 b"]},"code":"control 'SV-238343' do\n title \"The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file with mode\n0640 or less permissive by running the following command:\n\n$ sudo stat -c \\\"%n %a\\\"\n/var/log/syslog\n\n/var/log/syslog 640\n\nIf a value of \\\"640\\\" or less permissive is not\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0640 for the \\\"/var/log/syslog\\\"\nfile by running the following command:\n\n$ sudo chmod 0640 /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238343 '\n tag rid: 'SV-238343r654204_rule '\n tag stig_id: 'UBTU-20-010422 '\n tag fix_id: 'F-41512r654203_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n it { should_not be_more_permissive_than('0640') }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238343.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"File /var/log/syslog is expected not to be more permissive than \"0640\"","run_time":0.043326,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"file","resource_params":"[\"/var/log/syslog\"]","resource_id":"/var/log/syslog"}]},{"id":"SV-238344","title":"The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \"%n %a\"\n'{}' \\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding."},{"label":"fix","data":"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000258-GPOS-00099 ","gid":"V-238344 ","rid":"SV-238344r654207_rule ","stig_id":"UBTU-20-010423 ","fix_id":"F-41513r654206_fix ","cci":["CCI-001495"],"nist":["AU-9"]},"code":"control 'SV-238344' do\n title \"The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \\\"%n %a\\\"\n'{}' \\\\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238344 '\n tag rid: 'SV-238344r654207_rule '\n tag stig_id: 'UBTU-20-010423 '\n tag fix_id: 'F-41513r654206_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or\n /usr/local/sbin, that are less permissive than 0755\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238344.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or\n /usr/local/sbin, that are less permissive than 0755 count is expected to eq 0","run_time":0.000152,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238345","title":"The Ubuntu operating system must have directories that contain system commands owned by\nroot. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system commands directories are returned, this is\na finding."},{"label":"fix","data":"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -user root -type d -exec chown root '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000258-GPOS-00099 ","gid":"V-238345 ","rid":"SV-238345r654210_rule ","stig_id":"UBTU-20-010424 ","fix_id":"F-41514r654209_fix ","cci":["CCI-001495"],"nist":["AU-9"]},"code":"control 'SV-238345' do\n title \"The Ubuntu operating system must have directories that contain system commands owned by\nroot. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system commands directories are returned, this is\na finding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -user root -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238345 '\n tag rid: 'SV-238345r654210_rule '\n tag stig_id: 'UBTU-20-010424 '\n tag fix_id: 'F-41514r654209_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238345.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT owned by root count is expected to eq 0","run_time":0.000104,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238346","title":"The Ubuntu operating system must have directories that contain system commands group-owned\nby root. ","desc":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.","descriptions":[{"label":"default","data":"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators."},{"label":"check","data":"Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \"%n %G\" '{}' \\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding."},{"label":"fix","data":"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000258-GPOS-00099 ","gid":"V-238346 ","rid":"SV-238346r654213_rule ","stig_id":"UBTU-20-010425 ","fix_id":"F-41515r654212_fix ","cci":["CCI-001495"],"nist":["AU-9"]},"code":"control 'SV-238346' do\n title \"The Ubuntu operating system must have directories that contain system commands group-owned\nby root. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238346 '\n tag rid: 'SV-238346r654213_rule '\n tag stig_id: 'UBTU-20-010425 '\n tag fix_id: 'F-41515r654212_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n # CHECK\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238346.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root count is expected to eq 0","run_time":0.000108,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238347","title":"The Ubuntu operating system library files must have mode 0755 or less permissive. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\",\nand \"/usr/lib\" have mode 0755 or less permissive with the following command:\n\n$ sudo find\n/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \"%n %a\" '{}' \\;\n\n/usr/lib64/pkcs11-spy.so\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding."},{"label":"fix","data":"Configure the library files to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238347 ","rid":"SV-238347r654216_rule ","stig_id":"UBTU-20-010426 ","fix_id":"F-41516r654215_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238347' do\n title 'The Ubuntu operating system library files must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" have mode 0755 or less permissive with the following command:\n\n$ sudo find\n/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\n/usr/lib64/pkcs11-spy.so\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. \"\n desc 'fix', \"Configure the library files to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238347 '\n tag rid: 'SV-238347r654216_rule '\n tag stig_id: 'UBTU-20-010426 '\n tag fix_id: 'F-41516r654215_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are less permissive than 0755' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238347.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library files found that are less permissive than 0755 count is expected to eq 0","run_time":0.000111,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238348","title":"The Ubuntu operating system library directories must have mode 0755 or less permissive. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib have\nmode 0755 or less permissive with the following command:\n\n$ sudo find /lib /lib64 /usr/lib\n-perm /022 -type d -exec stat -c \"%n %a\" '{}' \\;\n\nIf any of the aforementioned directories are\nfound to be group-writable or world-writable, this is a finding."},{"label":"fix","data":"Configure the shared library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}'\n\\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238348 ","rid":"SV-238348r654219_rule ","stig_id":"UBTU-20-010427 ","fix_id":"F-41517r654218_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238348' do\n title 'The Ubuntu operating system library directories must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib have\nmode 0755 or less permissive with the following command:\n\n$ sudo find /lib /lib64 /usr/lib\n-perm /022 -type d -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any of the aforementioned directories are\nfound to be group-writable or world-writable, this is a finding. \"\n desc 'fix', \"Configure the shared library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}'\n\\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238348 '\n tag rid: 'SV-238348r654219_rule '\n tag stig_id: 'UBTU-20-010427 '\n tag fix_id: 'F-41517r654218_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are less permissive than 0755' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238348.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library directories found that are less permissive than 0755 count is expected to eq 0","run_time":0.000105,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238349","title":"The Ubuntu operating system library files must be owned by root. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library files contained in the directories \"/lib\", \"/lib64\",\nand \"/usr/lib\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! -user root -type f -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide library file is\nreturned, this is a finding."},{"label":"fix","data":"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238349 ","rid":"SV-238349r654222_rule ","stig_id":"UBTU-20-010428 ","fix_id":"F-41518r654221_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238349' do\n title 'The Ubuntu operating system library files must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! -user root -type f -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library file is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238349 '\n tag rid: 'SV-238349r654222_rule '\n tag stig_id: 'UBTU-20-010428 '\n tag fix_id: 'F-41518r654221_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238349.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library files found that are NOT owned by root count is expected to eq 0","run_time":0.000102,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238350","title":"The Ubuntu operating system library directories must be owned by root. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide library directory is returned, this is a\nfinding."},{"label":"fix","data":"Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238350 ","rid":"SV-238350r654225_rule ","stig_id":"UBTU-20-010429 ","fix_id":"F-41519r654224_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238350' do\n title 'The Ubuntu operating system library directories must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library directory is returned, this is a\nfinding. \"\n desc 'fix', \"Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238350 '\n tag rid: 'SV-238350r654225_rule '\n tag stig_id: 'UBTU-20-010429 '\n tag fix_id: 'F-41519r654224_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT owned by root' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238350.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library directories found that are NOT owned by root count is expected to eq 0","run_time":0.000103,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238351","title":"The Ubuntu operating system library files must be group-owned by root or a system account. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide library files contained in the directories \"/lib\", \"/lib64\", and\n\"/usr/lib\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \"%n %G\" '{}' \\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding."},{"label":"fix","data":"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command, replacing \"[FILE]\" with any system command file not group-owned by\n\"root\" or a required system account:\n\n$ sudo chgrp root [FILE]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238351 ","rid":"SV-238351r832962_rule ","stig_id":"UBTU-20-010430 ","fix_id":"F-41520r832961_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238351' do\n title 'The Ubuntu operating system library files must be group-owned by root or a system account. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\", and\n\\\"/usr/lib\\\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command, replacing \\\"[FILE]\\\" with any system command file not group-owned by\n\\\"root\\\" or a required system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238351 '\n tag rid: 'SV-238351r832962_rule '\n tag stig_id: 'UBTU-20-010430 '\n tag fix_id: 'F-41520r832961_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT group-owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238351.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library files found that are NOT group-owned by root count is expected to eq 0","run_time":0.000101,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238352","title":"The Ubuntu operating system library directories must be group-owned by root. ","desc":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system-wide library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are\ngroup-owned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group\nroot -type d -exec stat -c \"%n %G\" '{}' \\;\n\nIf any system-wide shared library directory is\nreturned, this is a finding."},{"label":"fix","data":"Configure the system library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root\n'{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238352 ","rid":"SV-238352r654231_rule ","stig_id":"UBTU-20-010431 ","fix_id":"F-41521r654230_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238352' do\n title 'The Ubuntu operating system library directories must be group-owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\ngroup-owned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group\nroot -type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system-wide shared library directory is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238352 '\n tag rid: 'SV-238352r654231_rule '\n tag stig_id: 'UBTU-20-010431 '\n tag fix_id: 'F-41521r654230_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_directories = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_directories.count > 0\n library_directories.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT group-owned by root' do\n subject { library_directories }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238352.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system-wide shared library directories found that are NOT group-owned by root count is expected to eq 0","run_time":9.9e-05,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238353","title":"The Ubuntu operating system must be configured to preserve log records from failure events. ","desc":"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes.","descriptions":[{"label":"default","data":"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes."},{"label":"check","data":"Verify the log service is configured to collect system failure events.\n\nCheck that the log\nservice is installed properly with the following command:\n\n$ dpkg -l | grep rsyslog\n\nii\nrsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon\n\nIf the \"rsyslog\"\npackage is not installed, this is a finding.\n\nCheck that the log service is enabled with the\nfollowing command:\n\n$ systemctl is-enabled rsyslog\n\nenabled\n\nIf the command above\nreturns \"disabled\", this is a finding.\n\nCheck that the log service is properly running and\nactive on the system with the following command:\n\n$ systemctl is-active rsyslog\n\nactive\n\n\nIf the command above returns \"inactive\", this is a finding."},{"label":"fix","data":"Configure the log service to collect failure events.\n\nInstall the log service (if the log\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nrsyslog\n\nEnable the log service with the following command:\n\n$ sudo systemctl enable --now\nrsyslog"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000269-GPOS-00103 ","gid":"V-238353 ","rid":"SV-238353r654234_rule ","stig_id":"UBTU-20-010432 ","fix_id":"F-41522r654233_fix ","cci":["CCI-001665"],"nist":["SC-24"]},"code":"control 'SV-238353' do\n title 'The Ubuntu operating system must be configured to preserve log records from failure events. '\n desc \"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes. \"\n desc 'check', \"Verify the log service is configured to collect system failure events.\n\nCheck that the log\nservice is installed properly with the following command:\n\n$ dpkg -l | grep rsyslog\n\nii\nrsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon\n\nIf the \\\"rsyslog\\\"\npackage is not installed, this is a finding.\n\nCheck that the log service is enabled with the\nfollowing command:\n\n$ systemctl is-enabled rsyslog\n\nenabled\n\nIf the command above\nreturns \\\"disabled\\\", this is a finding.\n\nCheck that the log service is properly running and\nactive on the system with the following command:\n\n$ systemctl is-active rsyslog\n\nactive\n\n\nIf the command above returns \\\"inactive\\\", this is a finding. \"\n desc 'fix', \"Configure the log service to collect failure events.\n\nInstall the log service (if the log\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nrsyslog\n\nEnable the log service with the following command:\n\n$ sudo systemctl enable --now\nrsyslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000269-GPOS-00103 '\n tag gid: 'V-238353 '\n tag rid: 'SV-238353r654234_rule '\n tag stig_id: 'UBTU-20-010432 '\n tag fix_id: 'F-41522r654233_fix '\n tag cci: ['CCI-001665']\n tag nist: ['SC-24']\n\n describe service('rsyslog') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238353.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service rsyslog is expected to be installed","run_time":0.036959,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `Service rsyslog` is installed","resource_class":"service","resource_params":"[\"rsyslog\"]","resource_id":"rsyslog"},{"status":"failed","code_desc":"Service rsyslog is expected to be enabled","run_time":0.000298,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `Service rsyslog` is enabled","resource_class":"service","resource_params":"[\"rsyslog\"]","resource_id":"rsyslog"},{"status":"failed","code_desc":"Service rsyslog is expected to be running","run_time":0.000175,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `Service rsyslog` is running","resource_class":"service","resource_params":"[\"rsyslog\"]","resource_id":"rsyslog"}]},{"id":"SV-238354","title":"The Ubuntu operating system must have an application firewall installed in order to control\nremote access methods. ","desc":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).","descriptions":[{"label":"default","data":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets)."},{"label":"check","data":"Verify that the Uncomplicated Firewall is installed with the following command:\n\n$ dpkg -l |\ngrep ufw\n\nii ufw 0.36-6\n\nIf the \"ufw\" package is not installed, ask the System Administrator\nif another application firewall is installed.\n\nIf no application firewall is installed,\nthis is a finding."},{"label":"fix","data":"Install the Uncomplicated Firewall by using the following command:\n\n$ sudo apt-get install\nufw"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000297-GPOS-00115 ","gid":"V-238354 ","rid":"SV-238354r853429_rule ","stig_id":"UBTU-20-010433 ","fix_id":"F-41523r654236_fix ","cci":["CCI-002314"],"nist":["AC-17 (1)"]},"code":"control 'SV-238354' do\n title \"The Ubuntu operating system must have an application firewall installed in order to control\nremote access methods. \"\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify that the Uncomplicated Firewall is installed with the following command:\n\n$ dpkg -l |\ngrep ufw\n\nii ufw 0.36-6\n\nIf the \\\"ufw\\\" package is not installed, ask the System Administrator\nif another application firewall is installed.\n\nIf no application firewall is installed,\nthis is a finding. \"\n desc 'fix', \"Install the Uncomplicated Firewall by using the following command:\n\n$ sudo apt-get install\nufw \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238354 '\n tag rid: 'SV-238354r853429_rule '\n tag stig_id: 'UBTU-20-010433 '\n tag fix_id: 'F-41523r654236_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n\n describe package('ufw') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238354.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package ufw is expected to be installed","run_time":0.04034,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `System Package ufw` is installed","resource_class":"package","resource_params":"[\"ufw\"]","resource_id":"ufw"}]},{"id":"SV-238355","title":"The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). ","desc":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets).","descriptions":[{"label":"default","data":"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets)."},{"label":"check","data":"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl is-enabled ufw\n\nIf the above command returns the status as \"disabled\", this is\na finding.\n\nVerify the Uncomplicated Firewall is active on the system by running the\nfollowing command:\n\n$ systemctl is-active ufw\n\nIf the above command returns \"inactive\" or\nany kind of error, this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the\nSystem Administrator if another application firewall is installed.\n\nIf no application\nfirewall is installed, this is a finding."},{"label":"fix","data":"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\n--now ufw.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000297-GPOS-00115 ","gid":"V-238355 ","rid":"SV-238355r853430_rule ","stig_id":"UBTU-20-010434 ","fix_id":"F-41524r654239_fix ","cci":["CCI-002314"],"nist":["AC-17 (1)"]},"code":"control 'SV-238355' do\n title 'The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). '\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl is-enabled ufw\n\nIf the above command returns the status as \\\"disabled\\\", this is\na finding.\n\nVerify the Uncomplicated Firewall is active on the system by running the\nfollowing command:\n\n$ systemctl is-active ufw\n\nIf the above command returns \\\"inactive\\\" or\nany kind of error, this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the\nSystem Administrator if another application firewall is installed.\n\nIf no application\nfirewall is installed, this is a finding. \"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\n--now ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238355 '\n tag rid: 'SV-238355r853430_rule '\n tag stig_id: 'UBTU-20-010434 '\n tag fix_id: 'F-41524r654239_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238355.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service ufw is expected to be installed","run_time":0.040115,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `Service ufw` is installed","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be enabled","run_time":0.000245,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `Service ufw` is enabled","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be running","run_time":0.000168,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `Service ufw` is running","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"}]},{"id":"SV-238356","title":"The Ubuntu operating system must, for networked systems, compare internal information\nsystem clocks at least every 24 hours with a server which is synchronized to one of the\nredundant United States Naval Observatory (USNO) time servers, or a time server designated\nfor the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System\n(GPS). ","desc":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints).","descriptions":[{"label":"default","data":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints)."},{"label":"check","data":"If the system is not networked, this requirement is Not Applicable.\n\nThe system clock must be\nconfigured to compare the system clock at least every 24 hours to the authoritative time\nsource.\n\nCheck the value of \"maxpoll\" in the \"/etc/chrony/chrony.conf\" file with the\nfollowing command:\n\n$ sudo grep maxpoll /etc/chrony/chrony.conf\nserver\ntick.usno.navy.mil iburst maxpoll 16\n\nIf the \"maxpoll\" option is set to a number greater\nthan 16 or the line is commented out, this is a finding.\n\nVerify that the \"chrony.conf\" file is\nconfigured to an authoritative DoD time source by running the following command:\n\n$ grep -i\nserver /etc/chrony/chrony.conf\nserver tick.usno.navy.mil iburst maxpoll 16\nserver\ntock.usno.navy.mil iburst maxpoll 16\nserver ntp2.usno.navy.mil iburst maxpoll 16\n\nIf\nthe parameter \"server\" is not set, is not set to an authoritative DoD time source, or is\ncommented out, this is a finding."},{"label":"fix","data":"If the system is not networked, this requirement is Not Applicable.\n\nTo configure the system\nclock to compare the system clock at least every 24 hours to the authoritative time source,\nedit the \"/etc/chrony/chrony.conf\" file. Add or correct the following lines, by replacing\n\"[source]\" in the following line with an authoritative DoD time source:\n\nserver [source]\niburst maxpoll = 16\n\nIf the \"chrony\" service was running and the value of \"maxpoll\" or\n\"server\" was updated, the service must be restarted using the following command:\n\n$ sudo\nsystemctl restart chrony.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000355-GPOS-00143 ","gid":"V-238356 ","rid":"SV-238356r853431_rule ","stig_id":"UBTU-20-010435 ","fix_id":"F-41525r808491_fix ","cci":["CCI-001891"],"nist":["AU-8 (1) (a)"]},"code":"control 'SV-238356' do\n title \"The Ubuntu operating system must, for networked systems, compare internal information\nsystem clocks at least every 24 hours with a server which is synchronized to one of the\nredundant United States Naval Observatory (USNO) time servers, or a time server designated\nfor the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System\n(GPS). \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints). \"\n desc 'check', \"If the system is not networked, this requirement is Not Applicable.\n\nThe system clock must be\nconfigured to compare the system clock at least every 24 hours to the authoritative time\nsource.\n\nCheck the value of \\\"maxpoll\\\" in the \\\"/etc/chrony/chrony.conf\\\" file with the\nfollowing command:\n\n$ sudo grep maxpoll /etc/chrony/chrony.conf\nserver\ntick.usno.navy.mil iburst maxpoll 16\n\nIf the \\\"maxpoll\\\" option is set to a number greater\nthan 16 or the line is commented out, this is a finding.\n\nVerify that the \\\"chrony.conf\\\" file is\nconfigured to an authoritative DoD time source by running the following command:\n\n$ grep -i\nserver /etc/chrony/chrony.conf\nserver tick.usno.navy.mil iburst maxpoll 16\nserver\ntock.usno.navy.mil iburst maxpoll 16\nserver ntp2.usno.navy.mil iburst maxpoll 16\n\nIf\nthe parameter \\\"server\\\" is not set, is not set to an authoritative DoD time source, or is\ncommented out, this is a finding. \"\n desc 'fix', \"If the system is not networked, this requirement is Not Applicable.\n\nTo configure the system\nclock to compare the system clock at least every 24 hours to the authoritative time source,\nedit the \\\"/etc/chrony/chrony.conf\\\" file. Add or correct the following lines, by replacing\n\\\"[source]\\\" in the following line with an authoritative DoD time source:\n\nserver [source]\niburst maxpoll = 16\n\nIf the \\\"chrony\\\" service was running and the value of \\\"maxpoll\\\" or\n\\\"server\\\" was updated, the service must be restarted using the following command:\n\n$ sudo\nsystemctl restart chrony.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000355-GPOS-00143 '\n tag gid: 'V-238356 '\n tag rid: 'SV-238356r853431_rule '\n tag stig_id: 'UBTU-20-010435 '\n tag fix_id: 'F-41525r808491_fix '\n tag cci: ['CCI-001891']\n tag nist: ['AU-8 (1) (a)']\n\n is_system_networked = input('is_system_networked')\n\n if is_system_networked\n\n chrony_conf = input('chrony_config_file')\n chrony_conf_exists = file(chrony_conf).exist?\n\n if chrony_conf_exists\n describe 'time sources' do\n server_entries = command('grep \"^server\" /etc/chrony/chrony.conf').stdout.strip.split(\"\\n\").entries\n\n server_entries.each do |entry|\n describe entry do\n it { should match \"^server\\s+.*\\s+iburst\\s+maxpoll\\s+=\\s+17$\" }\n end\n end\n end\n else\n describe chrony_conf + ' exists' do\n subject { chrony_conf_exists }\n it { should be true }\n end\n end\n else\n describe 'System is not networked' do\n skip 'This control is Not Applicable as the system is not networked'\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238356.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/chrony/chrony.conf exists is expected to equal true","run_time":0.000182,"start_time":"2022-12-08T20:52:24-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/chrony/chrony.conf exists"}]},{"id":"SV-238357","title":"The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. ","desc":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference.","descriptions":[{"label":"default","data":"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference."},{"label":"check","data":"Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \"makestep\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \"1 -1\", this is a finding."},{"label":"fix","data":"Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\"/etc/chrony/chrony.conf\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service"}],"impact":0.3,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000356-GPOS-00144 ","gid":"V-238357 ","rid":"SV-238357r853432_rule ","stig_id":"UBTU-20-010436 ","fix_id":"F-41526r654245_fix ","cci":["CCI-002046"],"nist":["AU-8 (1) (b)"]},"code":"control 'SV-238357' do\n title \"The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference. \"\n desc 'check', \"Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \\\"makestep\\\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \\\"1 -1\\\", this is a finding. \"\n desc 'fix', \"Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\\\"/etc/chrony/chrony.conf\\\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000356-GPOS-00144 '\n tag gid: 'V-238357 '\n tag rid: 'SV-238357r853432_rule '\n tag stig_id: 'UBTU-20-010436 '\n tag fix_id: 'F-41526r654245_fix '\n tag cci: ['CCI-002046']\n tag nist: ['AU-8 (1) (b)']\n\n chrony_file_path = input('chrony_config_file')\n chrony_file = file(chrony_file_path)\n\n if chrony_file.exist?\n describe chrony_file do\n subject { chrony_file }\n its('content') { should match(/^makestep 1 -1/) }\n end\n else\n describe(chrony_file_path + ' exists') do\n subject { chrony_file.exist? }\n it { should be true }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238357.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"/etc/chrony/chrony.conf exists is expected to equal true","run_time":0.000139,"start_time":"2022-12-08T20:52:24-05:00","message":"\nexpected true\n got false\n","resource_class":"Object","resource_params":"[]","resource_id":"/etc/chrony/chrony.conf exists"}]},{"id":"SV-238358","title":"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the oper ","desc":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item.","descriptions":[{"label":"default","data":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ grep SILENTREPORTS /etc/default/aide\n\nSILENTREPORTS=no\n\n\nIf SILENTREPORTS is commented out, this is a finding.\n\nIf SILENTREPORTS is set to \"yes\",\nthis is a finding.\n\nIf SILENTREPORTS is not set to \"no\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \"SILENTREPORTS\"\nparameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000363-GPOS-00150 ","gid":"V-238358 ","rid":"SV-238358r853433_rule ","stig_id":"UBTU-20-010437 ","fix_id":"F-41527r654248_fix ","cci":["CCI-001744"],"nist":["CM-3 (5)"]},"code":"control 'SV-238358' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the oper \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ grep SILENTREPORTS /etc/default/aide\n\nSILENTREPORTS=no\n\n\nIf SILENTREPORTS is commented out, this is a finding.\n\nIf SILENTREPORTS is set to \\\"yes\\\",\nthis is a finding.\n\nIf SILENTREPORTS is not set to \\\"no\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000363-GPOS-00150 '\n tag gid: 'V-238358 '\n tag rid: 'SV-238358r853433_rule '\n tag stig_id: 'UBTU-20-010437 '\n tag fix_id: 'F-41527r654248_fix '\n tag cci: ['CCI-001744']\n tag nist: ['CM-3 (5)']\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238358.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /etc/default/aide is expected to exist","run_time":0.041037,"start_time":"2022-12-08T20:52:24-05:00","message":"expected File /etc/default/aide to exist","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"},{"status":"failed","code_desc":"File /etc/default/aide content is expected to match \"^SILENTREPORTS=no$\"","run_time":0.078939,"start_time":"2022-12-08T20:52:24-05:00","message":"expected nil to match \"^SILENTREPORTS=no$\"","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"}]},{"id":"SV-238359","title":"The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a certificate that is\nrecognized and approved by the organization. ","desc":"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA.","descriptions":[{"label":"default","data":"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA."},{"label":"check","data":"Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \"AllowUnauthenticated\" variable is not set at all or is set to \"false\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \"false\";\n\n\nIf any of the files returned from the command with \"AllowUnauthenticated\" are set to \"true\",\nthis is a finding."},{"label":"fix","data":"Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \"AllowUnauthenticated\" to \"false\",\nor remove \"AllowUnauthenticated\" entirely from each file. Below is an example of setting the\n\"AllowUnauthenticated\" variable to \"false\":\n\nAPT::Get::AllowUnauthenticated\n\"false\";"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000366-GPOS-00153 ","gid":"V-238359 ","rid":"SV-238359r853434_rule ","stig_id":"UBTU-20-010438 ","fix_id":"F-41528r654251_fix ","cci":["CCI-001749"],"nist":["CM-5 (3)"]},"code":"control 'SV-238359' do\n title \"The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a certificate that is\nrecognized and approved by the organization. \"\n desc \"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA. \"\n desc 'check', \"Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \\\"AllowUnauthenticated\\\" variable is not set at all or is set to \\\"false\\\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \\\"false\\\";\n\n\nIf any of the files returned from the command with \\\"AllowUnauthenticated\\\" are set to \\\"true\\\",\nthis is a finding. \"\n desc 'fix', \"Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \\\"AllowUnauthenticated\\\" to \\\"false\\\",\nor remove \\\"AllowUnauthenticated\\\" entirely from each file. Below is an example of setting the\n\\\"AllowUnauthenticated\\\" variable to \\\"false\\\":\n\nAPT::Get::AllowUnauthenticated\n\\\"false\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000366-GPOS-00153 '\n tag gid: 'V-238359 '\n tag rid: 'SV-238359r853434_rule '\n tag stig_id: 'UBTU-20-010438 '\n tag fix_id: 'F-41528r654251_fix '\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n apt_allowunauth = command('grep -i allowunauth /etc/apt/apt.conf.d/*').stdout.strip.split(\"\\n\")\n if apt_allowunauth.empty?\n describe 'apt conf files do not contain AllowUnauthenticated' do\n subject { apt_allowunauth.empty? }\n it { should be true }\n end\n else\n apt_allowunauth.each do |line|\n describe \"#{line} contains AllowUnauthenctication\" do\n subject { line }\n it { should_not match(/.*false.*/) }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238359.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /etc/apt/apt.conf.d is expected to exist","run_time":0.081026,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"directory","resource_params":"[\"/etc/apt/apt.conf.d\"]","resource_id":"/etc/apt/apt.conf.d"},{"status":"passed","code_desc":"apt conf files do not contain AllowUnauthenticated is expected to equal true","run_time":0.000188,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"apt conf files do not contain AllowUnauthenticated"}]},{"id":"SV-238360","title":"The Ubuntu operating system must be configured to use AppArmor. ","desc":"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).","descriptions":[{"label":"default","data":"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles)."},{"label":"check","data":"Verify the operating system prevents program execution in accordance with local policies.\n\n\nCheck that AppArmor is installed and active by running the following command,\n\n$ dpkg -l |\ngrep apparmor\n\nIf the \"apparmor\" package is not installed, this is a finding.\n\n$ systemctl\nis-active apparmor.service\n\nactive\n\nIf \"active\" is not returned, this is a finding.\n\n$\nsystemctl is-enabled apparmor.service\n\nenabled\n\nIf \"enabled\" is not returned, this is a\nfinding."},{"label":"fix","data":"Install \"AppArmor\" (if it is not installed) with the following command:\n\n$ sudo apt-get\ninstall apparmor\n\n$ sudo systemctl enable apparmor.service\n\nStart \"apparmor\" with the\nfollowing command:\n\n$ sudo systemctl start apparmor.service\n\nNote: AppArmor must have\nproperly configured profiles for applications and home directories. All configurations\nwill be based on the actual system setup and organization and normally are on a per role basis.\nSee the AppArmor documentation for more information on configuring profiles."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000368-GPOS-00154 ","satisfies":["SRG-OS-000368-GPOS-00154","SRG-OS-000312-GPOS-00122","SRG-OS-000312-GPOS-00123","SRG-OS-000312-GPOS-00124","SRG-OS-000324-GPOS-00125","SRG-OS-000370-GPOS-00155"],"gid":"V-238360 ","rid":"SV-238360r853435_rule ","stig_id":"UBTU-20-010439 ","fix_id":"F-41529r654254_fix ","cci":["CCI-001764","CCI-001774","CCI-002165","CCI-002235"],"nist":["CM-7 (2)","CM-7 (5) (b)","AC-3 (4)","AC-6 (10)"]},"code":"control 'SV-238360' do\n title 'The Ubuntu operating system must be configured to use AppArmor. '\n desc \"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).\n\n \"\n desc 'check', \"Verify the operating system prevents program execution in accordance with local policies.\n\n\nCheck that AppArmor is installed and active by running the following command,\n\n$ dpkg -l |\ngrep apparmor\n\nIf the \\\"apparmor\\\" package is not installed, this is a finding.\n\n$ systemctl\nis-active apparmor.service\n\nactive\n\nIf \\\"active\\\" is not returned, this is a finding.\n\n$\nsystemctl is-enabled apparmor.service\n\nenabled\n\nIf \\\"enabled\\\" is not returned, this is a\nfinding. \"\n desc 'fix', \"Install \\\"AppArmor\\\" (if it is not installed) with the following command:\n\n$ sudo apt-get\ninstall apparmor\n\n$ sudo systemctl enable apparmor.service\n\nStart \\\"apparmor\\\" with the\nfollowing command:\n\n$ sudo systemctl start apparmor.service\n\nNote: AppArmor must have\nproperly configured profiles for applications and home directories. All configurations\nwill be based on the actual system setup and organization and normally are on a per role basis.\nSee the AppArmor documentation for more information on configuring profiles. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000368-GPOS-00154 '\n tag satisfies: %w(SRG-OS-000368-GPOS-00154 SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123 SRG-OS-000312-GPOS-00124 SRG-OS-000324-GPOS-00125 SRG-OS-000370-GPOS-00155)\n tag gid: 'V-238360 '\n tag rid: 'SV-238360r853435_rule '\n tag stig_id: 'UBTU-20-010439 '\n tag fix_id: 'F-41529r654254_fix '\n tag cci: %w(CCI-001764 CCI-001774 CCI-002165 CCI-002235)\n tag nist: ['CM-7 (2)', 'CM-7 (5) (b)', 'AC-3 (4)', 'AC-6 (10)']\n\n describe service('apparmor') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238360.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service apparmor is expected to be installed","run_time":0.035605,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `Service apparmor` is installed","resource_class":"service","resource_params":"[\"apparmor\"]","resource_id":"apparmor"},{"status":"failed","code_desc":"Service apparmor is expected to be enabled","run_time":0.000259,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `Service apparmor` is enabled","resource_class":"service","resource_params":"[\"apparmor\"]","resource_id":"apparmor"},{"status":"failed","code_desc":"Service apparmor is expected to be running","run_time":0.000172,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `Service apparmor` is running","resource_class":"service","resource_params":"[\"apparmor\"]","resource_id":"apparmor"}]},{"id":"SV-238361","title":"The Ubuntu operating system must allow the use of a temporary password for system logons with\nan immediate change to a permanent password. ","desc":"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated.","descriptions":[{"label":"default","data":"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated."},{"label":"check","data":"Verify a policy exists that ensures when a user account is created, it is created using a method\nthat forces a user to change their password upon their next login.\n\nIf a policy does not exist,\nthis is a finding."},{"label":"fix","data":"Create a policy that ensures when a user is created, it is created using a method that forces a\nuser to change their password upon their next login.\n\nBelow are two examples of how to create a\nuser account that requires the user to change their password upon their next login.\n\n$ sudo\nchage -d 0 [UserName]\n\nor\n\n$ sudo passwd -e [UserName]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000380-GPOS-00165 ","gid":"V-238361 ","rid":"SV-238361r853436_rule ","stig_id":"UBTU-20-010440 ","fix_id":"F-41530r654257_fix ","cci":["CCI-002041"],"nist":["IA-5 (1) (f)"]},"code":"control 'SV-238361' do\n title \"The Ubuntu operating system must allow the use of a temporary password for system logons with\nan immediate change to a permanent password. \"\n desc \"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated. \"\n desc 'check', \"Verify a policy exists that ensures when a user account is created, it is created using a method\nthat forces a user to change their password upon their next login.\n\nIf a policy does not exist,\nthis is a finding. \"\n desc 'fix', \"Create a policy that ensures when a user is created, it is created using a method that forces a\nuser to change their password upon their next login.\n\nBelow are two examples of how to create a\nuser account that requires the user to change their password upon their next login.\n\n$ sudo\nchage -d 0 [UserName]\n\nor\n\n$ sudo passwd -e [UserName] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000380-GPOS-00165 '\n tag gid: 'V-238361 '\n tag rid: 'SV-238361r853436_rule '\n tag stig_id: 'UBTU-20-010440 '\n tag fix_id: 'F-41530r654257_fix '\n tag cci: ['CCI-002041']\n tag nist: ['IA-5 (1) (f)']\n\n describe 'Manual verification required' do\n skip 'Manually verify if a policy exists to ensure that a method exists to force temporary\n users to change their password upon next login'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238361.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Manual verification required","run_time":1.1e-05,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Manually verify if a policy exists to ensure that a method exists to force temporary\n users to change their password upon next login","resource_class":"Object","resource_params":"[]","resource_id":"Manual verification required"}]},{"id":"SV-238362","title":"The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. ","desc":"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable.","descriptions":[{"label":"default","data":"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable."},{"label":"check","data":"If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\"offline_credentials_expiration\" is not set to a value of \"1\" in \"/etc/sssd/sssd.conf\" or\nin a file with a name ending in .conf in the \"/etc/sssd/conf.d/\" directory, this is a finding."},{"label":"fix","data":"Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \"/etc/sssd/sssd.conf\" just below the line \"[pam]\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \".conf\" and does not begin with a \".\" in the \"/etc/sssd/conf.d/\"\ndirectory instead of the \"/etc/sssd/sssd.conf\" file."}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000383-GPOS-00166 ","gid":"V-238362 ","rid":"SV-238362r853437_rule ","stig_id":"UBTU-20-010441 ","fix_id":"F-41531r654260_fix ","cci":["CCI-002007"],"nist":["IA-5 (13)"]},"code":"control 'SV-238362' do\n title \"The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. \"\n desc \"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable. \"\n desc 'check', \"If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\\\"offline_credentials_expiration\\\" is not set to a value of \\\"1\\\" in \\\"/etc/sssd/sssd.conf\\\" or\nin a file with a name ending in .conf in the \\\"/etc/sssd/conf.d/\\\" directory, this is a finding. \"\n desc 'fix', \"Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \\\"/etc/sssd/sssd.conf\\\" just below the line \\\"[pam]\\\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \\\".conf\\\" and does not begin with a \\\".\\\" in the \\\"/etc/sssd/conf.d/\\\"\ndirectory instead of the \\\"/etc/sssd/sssd.conf\\\" file. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000383-GPOS-00166 '\n tag gid: 'V-238362 '\n tag rid: 'SV-238362r853437_rule '\n tag stig_id: 'UBTU-20-010441 '\n tag fix_id: 'F-41531r654260_fix '\n tag cci: ['CCI-002007']\n tag nist: ['IA-5 (13)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = input('sssd_conf_path')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('offline_credentials_expiration') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238362.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238363","title":"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. ","desc":"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.","descriptions":[{"label":"default","data":"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated."},{"label":"check","data":"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \"1\" is not returned, this is a finding."},{"label":"fix","data":"Configure the system to run in FIPS mode. Add \"fips=1\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \"Ubuntu\nAdvantage\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS."}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000396-GPOS-00176 ","satisfies":["SRG-OS-000396-GPOS-00176","SRG-OS-000478-GPOS-00223"],"gid":"V-238363 ","rid":"SV-238363r853438_rule ","stig_id":"UBTU-20-010442 ","fix_id":"F-41532r654263_fix ","cci":["CCI-002450"],"nist":["SC-13 b"]},"code":"control 'SV-238363' do\n title \"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. \"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.\n\n \"\n desc 'check', \"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \\\"1\\\" is not returned, this is a finding. \"\n desc 'fix', \"Configure the system to run in FIPS mode. Add \\\"fips=1\\\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \\\"Ubuntu\nAdvantage\\\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000396-GPOS-00176 '\n tag satisfies: %w(SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223)\n tag gid: 'V-238363 '\n tag rid: 'SV-238363r853438_rule '\n tag stig_id: 'UBTU-20-010442 '\n tag fix_id: 'F-41532r654263_fix '\n tag cci: ['CCI-002450']\n tag nist: ['SC-13 b']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n config_file = input('fips_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe file(config_file) do\n its('content') { should match(/\\A1\\Z/) }\n end\n else\n describe('FIPS is enabled') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238363.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"FIPS validation in a container must be reviewed manually","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"FIPS validation in a container must be reviewed manually","resource_class":"Object","resource_params":"[]","resource_id":"FIPS validation in a container must be reviewed manually"}]},{"id":"SV-238364","title":"The Ubuntu operating system must only allow the use of DoD PKI-established certificate\nauthorities for verification of the establishment of protected sessions. ","desc":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates.","descriptions":[{"label":"default","data":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates."},{"label":"check","data":"Verify the directory containing the root certificates for the Ubuntu operating system\n(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate\nauthorities.\n\nDetermine if \"/etc/ssl/certs\" only contains certificate files whose\nsha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities\nwith the following command:\n\n$ for f in $(realpath /etc/ssl/certs/*); do openssl x509\n-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)';\ndone\n\nIf any entry is found, this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to only allow the use of DoD PKI-established\ncertificate authorities for verification of the establishment of protected sessions.\n\n\nEdit the \"/etc/ca-certificates.conf\" file, adding the character \"!\" to the beginning of\nall uncommented lines that do not start with the \"!\" character with the following command:\n\n$\nsudo sed -i -E 's/^([^!#]+)/!\\1/' /etc/ca-certificates.conf\n\nAdd at least one DoD\ncertificate authority to the \"/usr/local/share/ca-certificates\" directory in the PEM\nformat.\n\nUpdate the \"/etc/ssl/certs\" directory with the following command:\n\n$ sudo\nupdate-ca-certificates"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000403-GPOS-00182 ","gid":"V-238364 ","rid":"SV-238364r860824_rule ","stig_id":"UBTU-20-010443 ","fix_id":"F-41533r860823_fix ","cci":["CCI-002470"],"nist":["SC-23 (5)"]},"code":"control 'SV-238364' do\n title \"The Ubuntu operating system must only allow the use of DoD PKI-established certificate\nauthorities for verification of the establishment of protected sessions. \"\n desc \"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates. \"\n desc 'check', \"Verify the directory containing the root certificates for the Ubuntu operating system\n(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate\nauthorities.\n\nDetermine if \\\"/etc/ssl/certs\\\" only contains certificate files whose\nsha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities\nwith the following command:\n\n$ for f in $(realpath /etc/ssl/certs/*); do openssl x509\n-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)';\ndone\n\nIf any entry is found, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to only allow the use of DoD PKI-established\ncertificate authorities for verification of the establishment of protected sessions.\n\n\nEdit the \\\"/etc/ca-certificates.conf\\\" file, adding the character \\\"!\\\" to the beginning of\nall uncommented lines that do not start with the \\\"!\\\" character with the following command:\n\n$\nsudo sed -i -E 's/^([^!#]+)/!\\\\1/' /etc/ca-certificates.conf\n\nAdd at least one DoD\ncertificate authority to the \\\"/usr/local/share/ca-certificates\\\" directory in the PEM\nformat.\n\nUpdate the \\\"/etc/ssl/certs\\\" directory with the following command:\n\n$ sudo\nupdate-ca-certificates \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000403-GPOS-00182 '\n tag gid: 'V-238364 '\n tag rid: 'SV-238364r860824_rule '\n tag stig_id: 'UBTU-20-010443 '\n tag fix_id: 'F-41533r860823_fix '\n tag cci: ['CCI-002470']\n tag nist: ['SC-23 (5)']\n\n allowed_ca_fingerprints_regex = input('allowed_ca_fingerprints_regex')\n find_command = ''\"\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '#{allowed_ca_fingerprints_regex}'\n done\n \"''\n describe command(find_command) do\n its('stdout') { should cmp '' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238364.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Command: `\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'\n done\n ` stdout is expected to cmp == \"\"","run_time":0.039879,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"command","resource_params":"[\"\\n for f in $(find -L /etc/ssl/certs -type f); do\\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'\\n done\\n \"]","resource_id":"Command: `\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'\n done\n `"}]},{"id":"SV-238365","title":"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\nmodification of all information at rest. ","desc":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).","descriptions":[{"label":"default","data":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields)."},{"label":"check","data":"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n$\nsudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding."},{"label":"fix","data":"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000404-GPOS-00183 ","gid":"V-238365 ","rid":"SV-238365r853442_rule ","stig_id":"UBTU-20-010444 ","fix_id":"F-41534r654269_fix ","cci":["CCI-002475"],"nist":["SC-28 (1)"]},"code":"control 'SV-238365' do\n title \"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\nmodification of all information at rest. \"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n$\nsudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000404-GPOS-00183 '\n tag gid: 'V-238365 '\n tag rid: 'SV-238365r853442_rule '\n tag stig_id: 'UBTU-20-010444 '\n tag fix_id: 'F-41534r654269_fix '\n tag cci: ['CCI-002475']\n tag nist: ['SC-28 (1)']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238365.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Not Applicable","run_time":6.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Encryption of data at rest is handled by the IaaS","resource_class":"Object","resource_params":"[]","resource_id":"Not Applicable"}]},{"id":"SV-238366","title":"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\ndisclosure of all information at rest. ","desc":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields).","descriptions":[{"label":"default","data":"Operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields)."},{"label":"check","data":"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n$sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding."},{"label":"fix","data":"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000405-GPOS-00184 ","gid":"V-238366 ","rid":"SV-238366r853443_rule ","stig_id":"UBTU-20-010445 ","fix_id":"F-41535r654272_fix ","cci":["CCI-002476"],"nist":["SC-28 (1)"]},"code":"control 'SV-238366' do\n title \"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\ndisclosure of all information at rest. \"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n$sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000405-GPOS-00184 '\n tag gid: 'V-238366 '\n tag rid: 'SV-238366r853443_rule '\n tag stig_id: 'UBTU-20-010445 '\n tag fix_id: 'F-41535r654272_fix '\n tag cci: ['CCI-002476']\n tag nist: ['SC-28 (1)']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238366.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Not Applicable","run_time":4.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Encryption of data at rest is handled by the IaaS","resource_class":"Object","resource_params":"[]","resource_id":"Not Applicable"}]},{"id":"SV-238367","title":"The Ubuntu operating system must configure the uncomplicated firewall to rate-limit\nimpacted network interfaces. ","desc":"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks.","descriptions":[{"label":"default","data":"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks."},{"label":"check","data":"Verify an application firewall is configured to rate limit any connection to the system.\n\n\nCheck all the services listening to the ports with the following command:\n\n$ sudo ss -l46ut\n\n\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128\n[::]:ssh [::]:*\n\nFor each entry, verify that the Uncomplicated Firewall is configured to\nrate limit the service ports with the following command:\n\n$ sudo ufw status\n\nStatus: active\n\n\nTo Action From\n-- ------ ----\n22/tcp LIMIT Anywhere\n22/tcp (v6) LIMIT Anywhere (v6)\n\nIf\nany port with a state of \"LISTEN\" is not marked with the \"LIMIT\" action, this is a finding."},{"label":"fix","data":"Configure the application firewall to protect against or limit the effects of DoS attacks by\nensuring the Ubuntu operating system is implementing rate-limiting measures on impacted\nnetwork interfaces.\n\nCheck all the services listening to the ports with the following\ncommand:\n\n$ sudo ss -l46ut\n\nNetid State Recv-Q Send-Q Local Address:Port Peer\nAddress:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*\n\nFor each service with a port\nlistening to connections, run the following command, replacing \"[service]\" with the\nservice that needs to be rate limited.\n\n$ sudo ufw limit [service]\n\nRate-limiting can also\nbe done on an interface. An example of adding a rate-limit on the eth0 interface follows:\n\n$\nsudo ufw limit in on eth0"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000420-GPOS-00186 ","gid":"V-238367 ","rid":"SV-238367r853444_rule ","stig_id":"UBTU-20-010446 ","fix_id":"F-41536r654275_fix ","cci":["CCI-002385"],"nist":["SC-5 a"]},"code":"control 'SV-238367' do\n title \"The Ubuntu operating system must configure the uncomplicated firewall to rate-limit\nimpacted network interfaces. \"\n desc \"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks. \"\n desc 'check', \"Verify an application firewall is configured to rate limit any connection to the system.\n\n\nCheck all the services listening to the ports with the following command:\n\n$ sudo ss -l46ut\n\n\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128\n[::]:ssh [::]:*\n\nFor each entry, verify that the Uncomplicated Firewall is configured to\nrate limit the service ports with the following command:\n\n$ sudo ufw status\n\nStatus: active\n\n\nTo Action From\n-- ------ ----\n22/tcp LIMIT Anywhere\n22/tcp (v6) LIMIT Anywhere (v6)\n\nIf\nany port with a state of \\\"LISTEN\\\" is not marked with the \\\"LIMIT\\\" action, this is a finding. \"\n desc 'fix', \"Configure the application firewall to protect against or limit the effects of DoS attacks by\nensuring the Ubuntu operating system is implementing rate-limiting measures on impacted\nnetwork interfaces.\n\nCheck all the services listening to the ports with the following\ncommand:\n\n$ sudo ss -l46ut\n\nNetid State Recv-Q Send-Q Local Address:Port Peer\nAddress:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*\n\nFor each service with a port\nlistening to connections, run the following command, replacing \\\"[service]\\\" with the\nservice that needs to be rate limited.\n\n$ sudo ufw limit [service]\n\nRate-limiting can also\nbe done on an interface. An example of adding a rate-limit on the eth0 interface follows:\n\n$\nsudo ufw limit in on eth0 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000420-GPOS-00186 '\n tag gid: 'V-238367 '\n tag rid: 'SV-238367r853444_rule '\n tag stig_id: 'UBTU-20-010446 '\n tag fix_id: 'F-41536r654275_fix '\n tag cci: ['CCI-002385']\n tag nist: ['SC-5 a']\n\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238367.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Status listings for any allowed services, ports, or applications must be documented with the organization","run_time":5.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Status listings checks must be preformed manually","resource_class":"Object","resource_params":"[]","resource_id":"Status listings for any allowed services, ports, or applications must be documented with the organization"}]},{"id":"SV-238368","title":"The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. ","desc":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks.","descriptions":[{"label":"default","data":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks."},{"label":"check","data":"Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \"execute disable\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\"dmesg\" does not show \"NX (Execute Disable) protection: active\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \"flags\" does not contain the \"nx\" flag, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to enable NX.\n\nIf \"nx\" is not showing up in\n\"/proc/cpuinfo\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \"enable\"."}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000433-GPOS-00192 ","gid":"V-238368 ","rid":"SV-238368r853445_rule ","stig_id":"UBTU-20-010447 ","fix_id":"F-41537r654278_fix ","cci":["CCI-002824"],"nist":["SI-16"]},"code":"control 'SV-238368' do\n title \"The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \\\"execute disable\\\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\\\"dmesg\\\" does not show \\\"NX (Execute Disable) protection: active\\\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \\\"flags\\\" does not contain the \\\"nx\\\" flag, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enable NX.\n\nIf \\\"nx\\\" is not showing up in\n\\\"/proc/cpuinfo\\\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \\\"enable\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00192 '\n tag gid: 'V-238368 '\n tag rid: 'SV-238368r853445_rule '\n tag stig_id: 'UBTU-20-010447 '\n tag fix_id: 'F-41537r654278_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/,\n }\n describe.one do\n describe command('dmesg | grep NX').stdout.strip do\n it { should match(/.+(NX \\(Execute Disable\\) protection: active)/) }\n end\n describe parse_config_file('/proc/cpuinfo', options).flags.split(' ') do\n it { should include 'nx' }\n end\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238368.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":5.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238369","title":"The Ubuntu operating system must implement address space layout randomization to protect\nits memory from unauthorized code execution. ","desc":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks.","descriptions":[{"label":"default","data":"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks."},{"label":"check","data":"Verify the Ubuntu operating system implements address space layout randomization (ASLR)\nwith the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\n\nkernel.randomize_va_space = 2\n\nIf nothing is returned, verify the kernel parameter\n\"randomize_va_space\" is set to \"2\" with the following command:\n\n$ cat\n/proc/sys/kernel/randomize_va_space\n\n2\n\nIf \"kernel.randomize_va_space\" is not set to\n\"2\", this is a finding.\n\nVerify that a saved value of the \"kernel.randomize_va_space\"\nvariable is not defined.\n\n$ sudo egrep -R \"^kernel.randomize_va_space=[^2]\"\n/etc/sysctl.conf /etc/sysctl.d\n\nIf this returns a result, this is a finding."},{"label":"fix","data":"Remove the \"kernel.randomize_va_space\" entry found in the \"/etc/sysctl.conf\" file or any\nfile located in the \"/etc/sysctl.d/\" directory.\n\nAfter the line has been removed, the\nkernel settings from all system configuration files must be reloaded before any of the\nchanges will take effect. Run the following command to reload all of the kernel system\nconfiguration files:\n\n$ sudo sysctl --system"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000433-GPOS-00193 ","gid":"V-238369 ","rid":"SV-238369r853446_rule ","stig_id":"UBTU-20-010448 ","fix_id":"F-41538r654281_fix ","cci":["CCI-002824"],"nist":["SI-16"]},"code":"control 'SV-238369' do\n title \"The Ubuntu operating system must implement address space layout randomization to protect\nits memory from unauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the Ubuntu operating system implements address space layout randomization (ASLR)\nwith the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\n\nkernel.randomize_va_space = 2\n\nIf nothing is returned, verify the kernel parameter\n\\\"randomize_va_space\\\" is set to \\\"2\\\" with the following command:\n\n$ cat\n/proc/sys/kernel/randomize_va_space\n\n2\n\nIf \\\"kernel.randomize_va_space\\\" is not set to\n\\\"2\\\", this is a finding.\n\nVerify that a saved value of the \\\"kernel.randomize_va_space\\\"\nvariable is not defined.\n\n$ sudo egrep -R \\\"^kernel.randomize_va_space=[^2]\\\"\n/etc/sysctl.conf /etc/sysctl.d\n\nIf this returns a result, this is a finding. \"\n desc 'fix', \"Remove the \\\"kernel.randomize_va_space\\\" entry found in the \\\"/etc/sysctl.conf\\\" file or any\nfile located in the \\\"/etc/sysctl.d/\\\" directory.\n\nAfter the line has been removed, the\nkernel settings from all system configuration files must be reloaded before any of the\nchanges will take effect. Run the following command to reload all of the kernel system\nconfiguration files:\n\n$ sudo sysctl --system \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00193 '\n tag gid: 'V-238369 '\n tag rid: 'SV-238369r853446_rule '\n tag stig_id: 'UBTU-20-010448 '\n tag fix_id: 'F-41538r654281_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n\n describe kernel_parameter('kernel.randomize_va_space') do\n its('value') { should cmp 2 }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238369.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Kernel Parameter kernel.randomize_va_space value is expected to cmp == 2","run_time":0.033237,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"kernel_parameter","resource_params":"[\"kernel.randomize_va_space\"]","resource_id":"kernel.randomize_va_space"}]},{"id":"SV-238370","title":"The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. ","desc":"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system.","descriptions":[{"label":"default","data":"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system."},{"label":"check","data":"Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";\n\nIf the\n\"::Remove-Unused-Dependencies\" and \"::Remove-Unused-Kernel-Packages\" parameters are\nnot set to \"true\" or are missing or commented out, this is a finding."},{"label":"fix","data":"Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\"/etc/apt/apt.conf.d/50unattended-upgrades\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000437-GPOS-00194 ","gid":"V-238370 ","rid":"SV-238370r853447_rule ","stig_id":"UBTU-20-010449 ","fix_id":"F-41539r654284_fix ","cci":["CCI-002617"],"nist":["SI-2 (6)"]},"code":"control 'SV-238370' do\n title \"The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. \"\n desc \"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system. \"\n desc 'check', \"Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\";\n\nIf the\n\\\"::Remove-Unused-Dependencies\\\" and \\\"::Remove-Unused-Kernel-Packages\\\" parameters are\nnot set to \\\"true\\\" or are missing or commented out, this is a finding. \"\n desc 'fix', \"Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\\\"/etc/apt/apt.conf.d/50unattended-upgrades\\\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000437-GPOS-00194 '\n tag gid: 'V-238370 '\n tag rid: 'SV-238370r853447_rule '\n tag stig_id: 'UBTU-20-010449 '\n tag fix_id: 'F-41539r654284_fix '\n tag cci: ['CCI-002617']\n tag nist: ['SI-2 (6)']\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n describe command('grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades').stdout.strip do\n it { should match(/^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/) }\n it { should match(/^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/) }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238370.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Directory /etc/apt/apt.conf.d is expected to exist","run_time":0.000146,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"directory","resource_params":"[\"/etc/apt/apt.conf.d\"]","resource_id":"/etc/apt/apt.conf.d"},{"status":"failed","code_desc":"is expected to match /^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/","run_time":0.000494,"start_time":"2022-12-08T20:52:24-05:00","message":"expected \"\" to match /^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/\nDiff:\n@@ -1 +1 @@\n-/^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/\n+\"\"\n","resource_class":"Object","resource_params":"[]","resource_id":""},{"status":"failed","code_desc":"is expected to match /^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/","run_time":0.000196,"start_time":"2022-12-08T20:52:24-05:00","message":"expected \"\" to match /^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/\nDiff:\n@@ -1 +1 @@\n-/^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/\n+\"\"\n","resource_class":"Object","resource_params":"[]","resource_id":""}]},{"id":"SV-238371","title":"The Ubuntu operating system must use a file integrity tool to verify correct operation of all\nsecurity functions. ","desc":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality.","descriptions":[{"label":"default","data":"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the\ncorrect operation of all security functions.\n\nCheck that the AIDE package is installed with\nthe following command:\n\n$ sudo dpkg -l | grep aide\nii aide 0.16.1-1build2 amd64 Advanced\nIntrusion Detection Environment - static binary\n\nIf AIDE is not installed, ask the System\nAdministrator how file integrity checks are performed on the system.\n\nIf no application is\ninstalled to perform integrity checks, this is a finding."},{"label":"fix","data":"Install the AIDE package by running the following command:\n\n$ sudo apt-get install aide"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000445-GPOS-00199 ","gid":"V-238371 ","rid":"SV-238371r853448_rule ","stig_id":"UBTU-20-010450 ","fix_id":"F-41540r654287_fix ","cci":["CCI-002696"],"nist":["SI-6 a"]},"code":"control 'SV-238371' do\n title \"The Ubuntu operating system must use a file integrity tool to verify correct operation of all\nsecurity functions. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the\ncorrect operation of all security functions.\n\nCheck that the AIDE package is installed with\nthe following command:\n\n$ sudo dpkg -l | grep aide\nii aide 0.16.1-1build2 amd64 Advanced\nIntrusion Detection Environment - static binary\n\nIf AIDE is not installed, ask the System\nAdministrator how file integrity checks are performed on the system.\n\nIf no application is\ninstalled to perform integrity checks, this is a finding. \"\n desc 'fix', \"Install the AIDE package by running the following command:\n\n$ sudo apt-get install aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000445-GPOS-00199 '\n tag gid: 'V-238371 '\n tag rid: 'SV-238371r853448_rule '\n tag stig_id: 'UBTU-20-010450 '\n tag fix_id: 'F-41540r654287_fix '\n tag cci: ['CCI-002696']\n tag nist: ['SI-6 a']\n\n describe package('aide') do\n it { should be_installed }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238371.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"System Package aide is expected to be installed","run_time":0.037607,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `System Package aide` is installed","resource_class":"package","resource_params":"[\"aide\"]","resource_id":"aide"}]},{"id":"SV-238372","title":"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. ","desc":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item.","descriptions":[{"label":"default","data":"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item."},{"label":"check","data":"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \"yes\", this is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \"SILENTREPORTS\"\nparameter in the \"/etc/default/aide\" file with a value of \"no\" if it does not already exist."}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000447-GPOS-00201 ","gid":"V-238372 ","rid":"SV-238372r853449_rule ","stig_id":"UBTU-20-010451 ","fix_id":"F-41541r654290_fix ","cci":["CCI-002702"],"nist":["SI-6 d"]},"code":"control 'SV-238372' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \\\"yes\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000447-GPOS-00201 '\n tag gid: 'V-238372 '\n tag rid: 'SV-238372r853449_rule '\n tag stig_id: 'UBTU-20-010451 '\n tag fix_id: 'F-41541r654290_fix '\n tag cci: ['CCI-002702']\n tag nist: ['SI-6 d']\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238372.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"File /etc/default/aide is expected to exist","run_time":0.000192,"start_time":"2022-12-08T20:52:24-05:00","message":"expected File /etc/default/aide to exist","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"},{"status":"failed","code_desc":"File /etc/default/aide content is expected to match \"^SILENTREPORTS=no$\"","run_time":0.000165,"start_time":"2022-12-08T20:52:24-05:00","message":"expected nil to match \"^SILENTREPORTS=no$\"","resource_class":"file","resource_params":"[\"/etc/default/aide\"]","resource_id":"/etc/default/aide"}]},{"id":"SV-238373","title":"The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. ","desc":"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections.","descriptions":[{"label":"default","data":"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections."},{"label":"check","data":"Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\"pam_lastlog\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \"pam_lastlog\" is\nmissing from \"/etc/pam.d/login\" file, is not \"required\", or the \"silent\" option is present,\nthis is a finding."},{"label":"fix","data":"Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\"/etc/pam.d/login\".\n\nAdd the following line to the top of \"/etc/pam.d/login\":\n\nsession\nrequired pam_lastlog.so showfailed"}],"impact":0.0,"refs":[],"tags":{"severity":"low ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238373 ","rid":"SV-238373r858539_rule ","stig_id":"UBTU-20-010453 ","fix_id":"F-41542r654293_fix ","cci":["CCI-000052"],"nist":["AC-9"]},"code":"control 'SV-238373' do\n title \"The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. \"\n desc \"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections. \"\n desc 'check', \"Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\\\"pam_lastlog\\\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \\\"pam_lastlog\\\" is\nmissing from \\\"/etc/pam.d/login\\\" file, is not \\\"required\\\", or the \\\"silent\\\" option is present,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\\\"/etc/pam.d/login\\\".\n\nAdd the following line to the top of \\\"/etc/pam.d/login\\\":\n\nsession\nrequired pam_lastlog.so showfailed \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238373 '\n tag rid: 'SV-238373r858539_rule '\n tag stig_id: 'UBTU-20-010453 '\n tag fix_id: 'F-41542r654293_fix '\n tag cci: ['CCI-000052']\n tag nist: ['AC-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep pam_lastlog /etc/pam.d/login') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*session\\s+required\\s+pam_lastlog.so/) }\n its('stdout.strip') { should_not match(/^\\s*session\\s+required\\s+pam_lastlog.so[\\s\\w\\d\\=]+.*silent/) }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238373.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":6.0e-06,"start_time":"2022-12-08T20:52:24-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-238374","title":"The Ubuntu operating system must have an application firewall enabled. ","desc":"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network.","descriptions":[{"label":"default","data":"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network."},{"label":"check","data":"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl status ufw.service | grep -i \"active:\"\n\nActive: active (exited) since Mon\n2016-10-17 12:30:29 CDT; 1s ago\n\nIf the above command returns the status as \"inactive\", this\nis a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator\nif another application firewall is installed. If no application firewall is installed, this\nis a finding."},{"label":"fix","data":"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\nufw.service\n\nIf the Uncomplicated Firewall is not currently running on the system, start it\nwith the following command:\n\n$ sudo systemctl start ufw.service"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000480-GPOS-00232 ","gid":"V-238374 ","rid":"SV-238374r654297_rule ","stig_id":"UBTU-20-010454 ","fix_id":"F-41543r654296_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238374' do\n title 'The Ubuntu operating system must have an application firewall enabled. '\n desc \"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network. \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl status ufw.service | grep -i \\\"active:\\\"\n\nActive: active (exited) since Mon\n2016-10-17 12:30:29 CDT; 1s ago\n\nIf the above command returns the status as \\\"inactive\\\", this\nis a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator\nif another application firewall is installed. If no application firewall is installed, this\nis a finding. \"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\nufw.service\n\nIf the Uncomplicated Firewall is not currently running on the system, start it\nwith the following command:\n\n$ sudo systemctl start ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00232 '\n tag gid: 'V-238374 '\n tag rid: 'SV-238374r654297_rule '\n tag stig_id: 'UBTU-20-010454 '\n tag fix_id: 'F-41543r654296_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238374.rb"},"waiver_data":{},"results":[{"status":"failed","code_desc":"Service ufw is expected to be installed","run_time":0.000382,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `Service ufw` is installed","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be enabled","run_time":0.000172,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `Service ufw` is enabled","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"},{"status":"failed","code_desc":"Service ufw is expected to be running","run_time":0.000162,"start_time":"2022-12-08T20:52:24-05:00","message":"expected that `Service ufw` is running","resource_class":"service","resource_params":"[\"ufw\"]","resource_id":"ufw"}]},{"id":"SV-238376","title":"The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. ","desc":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system commands contained in the following directories have mode 0755 or less\npermissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\n\nCheck that the system command files have mode 0755 or less permissive with the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec stat -c \"%n %a\" '{}' \\;\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding."},{"label":"fix","data":"Configure the system commands to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec chmod 755 '{}' \\;"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238376 ","rid":"SV-238376r654303_rule ","stig_id":"UBTU-20-010456 ","fix_id":"F-41545r654302_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238376' do\n title 'The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. '\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories have mode 0755 or less\npermissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\n\nCheck that the system command files have mode 0755 or less permissive with the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. \"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238376 '\n tag rid: 'SV-238376r654303_rule '\n tag stig_id: 'UBTU-20-010456 '\n tag fix_id: 'F-41545r654302_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238376.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755 count is expected to eq 0","run_time":0.000122,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238377","title":"The Ubuntu operating system must have system commands owned by root or a system account. ","desc":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system commands contained in the following directories are owned by root, or a\nrequired system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nUse the following command for the check:\n\n$ sudo find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \"%n %U\"\n'{}' \\;\n\nIf any system commands are returned and are not owned by a required system account,\nthis is a finding."},{"label":"fix","data":"Configure the system commands and their respective parent directories to be protected from\nunauthorized access. Run the following command, replacing \"[FILE]\" with any system command\nfile not owned by \"root\" or a required system account:\n\n$ sudo chown root [FILE]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238377 ","rid":"SV-238377r832968_rule ","stig_id":"UBTU-20-010457 ","fix_id":"F-41546r832967_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238377' do\n title 'The Ubuntu operating system must have system commands owned by root or a system account. '\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories are owned by root, or a\nrequired system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nUse the following command for the check:\n\n$ sudo find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \\\"%n %U\\\"\n'{}' \\\\;\n\nIf any system commands are returned and are not owned by a required system account,\nthis is a finding. \"\n desc 'fix', \"Configure the system commands and their respective parent directories to be protected from\nunauthorized access. Run the following command, replacing \\\"[FILE]\\\" with any system command\nfile not owned by \\\"root\\\" or a required system account:\n\n$ sudo chown root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238377 '\n tag rid: 'SV-238377r832968_rule '\n tag stig_id: 'UBTU-20-010457 '\n tag fix_id: 'F-41546r832967_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238377.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root count is expected to eq 0","run_time":0.000102,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"Object","resource_params":"[]","resource_id":"count"}]},{"id":"SV-238378","title":"The Ubuntu operating system must have system commands group-owned by root or a system\naccount. ","desc":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.","descriptions":[{"label":"default","data":"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications."},{"label":"check","data":"Verify the system commands contained in the following directories are group-owned by root or\na required system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nRun the check with the following command:\n\n$ sudo find -L /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec\nstat -c \"%n %G\" '{}' \\;\n\nIf any system commands are returned that are not Set Group ID upon\nexecution (SGID) files and group-owned by a required system account, this is a finding."},{"label":"fix","data":"Configure the system commands to be protected from unauthorized access. Run the following\ncommand, replacing \"[FILE]\" with any system command file not group-owned by \"root\" or a\nrequired system account:\n\n$ sudo chgrp root [FILE]"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000259-GPOS-00100 ","gid":"V-238378 ","rid":"SV-238378r832971_rule ","stig_id":"UBTU-20-010458 ","fix_id":"F-41547r832970_fix ","cci":["CCI-001499"],"nist":["CM-5 (6)"]},"code":"control 'SV-238378' do\n title \"The Ubuntu operating system must have system commands group-owned by root or a system\naccount. \"\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories are group-owned by root or\na required system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nRun the check with the following command:\n\n$ sudo find -L /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec\nstat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands are returned that are not Set Group ID upon\nexecution (SGID) files and group-owned by a required system account, this is a finding. \"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. Run the following\ncommand, replacing \\\"[FILE]\\\" with any system command file not group-owned by \\\"root\\\" or a\nrequired system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238378 '\n tag rid: 'SV-238378r832971_rule '\n tag stig_id: 'UBTU-20-010458 '\n tag fix_id: 'F-41547r832970_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -perm /2000 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are not Set Group ID up on execution (SGID) files and owned by a privileged account' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238378.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"File /bin/wall is expected not to be more permissive than \"0755\"","run_time":0.043245,"start_time":"2022-12-08T20:52:24-05:00","resource_class":"file","resource_params":"[\"/bin/wall\"]","resource_id":"/bin/wall"},{"status":"passed","code_desc":"File /bin/chage is expected not to be more permissive than \"0755\"","run_time":0.046247,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"file","resource_params":"[\"/bin/chage\"]","resource_id":"/bin/chage"},{"status":"passed","code_desc":"File /bin/expiry is expected not to be more permissive than \"0755\"","run_time":0.040524,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"file","resource_params":"[\"/bin/expiry\"]","resource_id":"/bin/expiry"},{"status":"passed","code_desc":"File /sbin/pam_extrausers_chkpwd is expected not to be more permissive than \"0755\"","run_time":0.044015,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"file","resource_params":"[\"/sbin/pam_extrausers_chkpwd\"]","resource_id":"/sbin/pam_extrausers_chkpwd"},{"status":"passed","code_desc":"File /sbin/unix_chkpwd is expected not to be more permissive than \"0755\"","run_time":0.046692,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"file","resource_params":"[\"/sbin/unix_chkpwd\"]","resource_id":"/sbin/unix_chkpwd"},{"status":"passed","code_desc":"File /usr/bin/wall is expected not to be more permissive than \"0755\"","run_time":0.041069,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"file","resource_params":"[\"/usr/bin/wall\"]","resource_id":"/usr/bin/wall"},{"status":"passed","code_desc":"File /usr/bin/chage is expected not to be more permissive than \"0755\"","run_time":0.043111,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"file","resource_params":"[\"/usr/bin/chage\"]","resource_id":"/usr/bin/chage"},{"status":"passed","code_desc":"File /usr/bin/expiry is expected not to be more permissive than \"0755\"","run_time":0.04385,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"file","resource_params":"[\"/usr/bin/expiry\"]","resource_id":"/usr/bin/expiry"},{"status":"passed","code_desc":"File /usr/sbin/pam_extrausers_chkpwd is expected not to be more permissive than \"0755\"","run_time":0.042694,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"file","resource_params":"[\"/usr/sbin/pam_extrausers_chkpwd\"]","resource_id":"/usr/sbin/pam_extrausers_chkpwd"},{"status":"passed","code_desc":"File /usr/sbin/unix_chkpwd is expected not to be more permissive than \"0755\"","run_time":0.0467,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"file","resource_params":"[\"/usr/sbin/unix_chkpwd\"]","resource_id":"/usr/sbin/unix_chkpwd"}]},{"id":"SV-238379","title":"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. ","desc":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken.","descriptions":[{"label":"default","data":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken."},{"label":"check","data":"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \"logout\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \"logout\" key is bound to an action, is\ncommented out, or is missing, this is a finding."},{"label":"fix","data":"Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update"}],"impact":0.0,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238379 ","rid":"SV-238379r654312_rule ","stig_id":"UBTU-20-010459 ","fix_id":"F-41548r654311_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238379' do\n title \"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. \"\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \\\"logout\\\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \\\"logout\\\" key is bound to an action, is\ncommented out, or is missing, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238379 '\n tag rid: 'SV-238379r654312_rule '\n tag stig_id: 'UBTU-20-010459 '\n tag fix_id: 'F-41548r654311_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe command(\"grep -R logout='' /etc/dconf/db/local.d/\").stdout.strip.split(\"\\n\").entries do\n its('count') { should_not eq 0 }\n end\n else\n impact 0.0\n describe command('which Xorg').exit_status do\n skip('This control is Not Applicable since a GUI not installed.')\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238379.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"1","run_time":1.1e-05,"start_time":"2022-12-08T20:52:25-05:00","resource":"1","skip_message":"This control is Not Applicable since a GUI not installed.","resource_class":"Numeric","resource_params":"[]","resource_id":""}]},{"id":"SV-238380","title":"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. ","desc":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot.","descriptions":[{"label":"default","data":"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot."},{"label":"check","data":"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\nCheck that the \"ctrl-alt-del.target\" (otherwise also known\nas reboot.target) is not active with the following command:\n\n$ sudo systemctl status\nctrl-alt-del.target\nctrl-alt-del.target\nLoaded: masked (Reason: Unit\nctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \"ctrl-alt-del.target\"\nis not masked, this is a finding."},{"label":"fix","data":"Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the\nfollowing commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl\nmask ctrl-alt-del.target\n\nReload the daemon to take effect:\n\n$ sudo systemctl\ndaemon-reload"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-238380 ","rid":"SV-238380r832974_rule ","stig_id":"UBTU-20-010460 ","fix_id":"F-41549r832973_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-238380' do\n title 'The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. '\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\nCheck that the \\\"ctrl-alt-del.target\\\" (otherwise also known\nas reboot.target) is not active with the following command:\n\n$ sudo systemctl status\nctrl-alt-del.target\nctrl-alt-del.target\nLoaded: masked (Reason: Unit\nctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \\\"ctrl-alt-del.target\\\"\nis not masked, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the\nfollowing commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl\nmask ctrl-alt-del.target\n\nReload the daemon to take effect:\n\n$ sudo systemctl\ndaemon-reload \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238380 '\n tag rid: 'SV-238380r832974_rule '\n tag stig_id: 'UBTU-20-010460 '\n tag fix_id: 'F-41549r832973_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe service('ctrl-alt-del.target') do\n it { should_not be_running }\n it { should_not be_enabled }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-238380.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Service ctrl-alt-del.target is expected not to be running","run_time":0.040228,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"service","resource_params":"[\"ctrl-alt-del.target\"]","resource_id":"ctrl-alt-del.target"},{"status":"passed","code_desc":"Service ctrl-alt-del.target is expected not to be enabled","run_time":0.000249,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"service","resource_params":"[\"ctrl-alt-del.target\"]","resource_id":"ctrl-alt-del.target"}]},{"id":"SV-251503","title":"The Ubuntu operating system must not have accounts configured with blank or null passwords. ","desc":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.","descriptions":[{"label":"default","data":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments."},{"label":"check","data":"Check the \"/etc/shadow\" file for blank passwords with the following command:\n\n$ sudo awk -F:\n'!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding."},{"label":"fix","data":"Configure all accounts on the system to have a password or lock the account with the following\ncommands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo\npasswd -l [username]"}],"impact":0.7,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-251503 ","rid":"SV-251503r808506_rule ","stig_id":"UBTU-20-010462 ","fix_id":"F-54892r808505_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-251503' do\n title 'The Ubuntu operating system must not have accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"Check the \\\"/etc/shadow\\\" file for blank passwords with the following command:\n\n$ sudo awk -F:\n'!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding. \"\n desc 'fix', \"Configure all accounts on the system to have a password or lock the account with the following\ncommands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo\npasswd -l [username] \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251503 '\n tag rid: 'SV-251503r808506_rule '\n tag stig_id: 'UBTU-20-010462 '\n tag fix_id: 'F-54892r808505_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe command(\"sudo awk -F: '!$2 {print $1}' /etc/shadow\") do\n its('stdout') { should be_empty }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-251503.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Command: `sudo awk -F: '!$2 {print $1}' /etc/shadow` stdout is expected to be empty","run_time":0.102585,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"command","resource_params":"[\"sudo awk -F: '!$2 {print $1}' /etc/shadow\"]","resource_id":"Command: `sudo awk -F: '!$2 {print $1}' /etc/shadow`"}]},{"id":"SV-251504","title":"The Ubuntu operating system must not allow accounts configured with blank or null passwords. ","desc":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments.","descriptions":[{"label":"default","data":"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments."},{"label":"check","data":"To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding."},{"label":"fix","data":"If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \"nullok\" option in \"/etc/pam.d/common-password\" to prevent logons with\nempty passwords."}],"impact":0.0,"refs":[],"tags":{"severity":"high ","gtitle":"SRG-OS-000480-GPOS-00227 ","gid":"V-251504 ","rid":"SV-251504r832977_rule ","stig_id":"UBTU-20-010463 ","fix_id":"F-54893r832976_fix ","cci":["CCI-000366"],"nist":["CM-6 b"]},"code":"control 'SV-251504' do\n title 'The Ubuntu operating system must not allow accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding. \"\n desc 'fix', \"If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \\\"nullok\\\" option in \\\"/etc/pam.d/common-password\\\" to prevent logons with\nempty passwords. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251504 '\n tag rid: 'SV-251504r832977_rule '\n tag stig_id: 'UBTU-20-010463 '\n tag fix_id: 'F-54893r832976_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep nullok /etc/pam.d/common-password') do\n its('stdout') { should be_empty }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-251504.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":4.0e-06,"start_time":"2022-12-08T20:52:25-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-251505","title":"The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB)\nmass storage driver. ","desc":"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers.","descriptions":[{"label":"default","data":"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers."},{"label":"check","data":"Verify that Ubuntu operating system disables ability to load the USB storage kernel\nmodule.\n\n# grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\"\n\ninstall usb-storage\n/bin/true\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding.\n\nVerify the operating system disables the ability to use USB mass storage\ndevice.\n\n# grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"\n\nblacklist\nusb-storage\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding."},{"label":"fix","data":"Configure the Ubuntu operating system to disable using the USB storage kernel module.\n\n\nCreate a file under \"/etc/modprobe.d\" to contain the following:\n\n# sudo su -c \"echo\ninstall usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\"\n\nConfigure the\noperating system to disable the ability to use USB mass storage devices.\n\n# sudo su -c \"echo\nblacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\""}],"impact":0.0,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000378-GPOS-00163 ","gid":"V-251505 ","rid":"SV-251505r853450_rule ","stig_id":"UBTU-20-010461 ","fix_id":"F-54894r808511_fix ","cci":["CCI-001958"],"nist":["IA-3"]},"code":"control 'SV-251505' do\n title \"The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB)\nmass storage driver. \"\n desc \"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers. \"\n desc 'check', \"Verify that Ubuntu operating system disables ability to load the USB storage kernel\nmodule.\n\n# grep usb-storage /etc/modprobe.d/* | grep \\\"/bin/true\\\"\n\ninstall usb-storage\n/bin/true\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding.\n\nVerify the operating system disables the ability to use USB mass storage\ndevice.\n\n# grep usb-storage /etc/modprobe.d/* | grep -i \\\"blacklist\\\"\n\nblacklist\nusb-storage\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable using the USB storage kernel module.\n\n\nCreate a file under \\\"/etc/modprobe.d\\\" to contain the following:\n\n# sudo su -c \\\"echo\ninstall usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\\\"\n\nConfigure the\noperating system to disable the ability to use USB mass storage devices.\n\n# sudo su -c \\\"echo\nblacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\\\" \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000378-GPOS-00163 '\n tag gid: 'V-251505 '\n tag rid: 'SV-251505r853450_rule '\n tag stig_id: 'UBTU-20-010461 '\n tag fix_id: 'F-54894r808511_fix '\n tag cci: ['CCI-001958']\n tag nist: ['IA-3']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\"') do\n its('stdout') { should_not be_empty }\n end\n\n describe command('grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"') do\n its('stdout') { should_not be_empty }\n end\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-251505.rb"},"waiver_data":{},"results":[{"status":"skipped","code_desc":"Control not applicable to a container","run_time":2.0e-06,"start_time":"2022-12-08T20:52:25-05:00","resource":"","skip_message":"Control not applicable to a container","resource_class":"Object","resource_params":"[]","resource_id":"Control not applicable to a container"}]},{"id":"SV-252704","title":"The Ubuntu operating system must disable all wireless network adapters. ","desc":"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required.","descriptions":[{"label":"default","data":"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required."},{"label":"check","data":"Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding."},{"label":"fix","data":"List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \"/etc/modprobe.d\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name>"}],"impact":0.5,"refs":[],"tags":{"severity":"medium ","gtitle":"SRG-OS-000481-GPOS-00481 ","gid":"V-252704 ","rid":"SV-252704r854182_rule ","stig_id":"UBTU-20-010455 ","fix_id":"F-56110r819056_fix ","cci":["CCI-002418"],"nist":["SC-8"]},"code":"control 'SV-252704' do\n title 'The Ubuntu operating system must disable all wireless network adapters. '\n desc \"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required. \"\n desc 'check', \"Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding. \"\n desc 'fix', \"List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \\\"/etc/modprobe.d\\\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000481-GPOS-00481 '\n tag gid: 'V-252704 '\n tag rid: 'SV-252704r854182_rule '\n tag stig_id: 'UBTU-20-010455 '\n tag fix_id: 'F-56110r819056_fix '\n tag cci: ['CCI-002418']\n tag nist: ['SC-8']\n\n describe command('ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename') do\n its('stdout.lines') { should be_in input('approved_wireless_interfaces') }\n end\nend\n","source_location":{"line":1,"ref":"./controls/SV-252704.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"Command: `ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename` stdout.lines is expected to be in","run_time":0.039375,"start_time":"2022-12-08T20:52:25-05:00","resource_class":"command","resource_params":"[\"ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename\"]","resource_id":"Command: `ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename`"}]}],"status":"loaded","status_message":""}],"statistics":{"duration":1.976172},"version":"5.18.14"} \ No newline at end of file From 1cd0822892b9e7d5d21f6d9628003a117ca04e51 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Fri, 9 Dec 2022 09:54:41 -0500 Subject: [PATCH 094/100] debugging markdown report workflows Signed-off-by: Aaron Lippold --- .github/workflows/verify-container.yml | 2 ++ .github/workflows/verify-ec2.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index 51a054a..f064502 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -70,6 +70,8 @@ jobs: command_string: generate:threshold -i hardened.json -c -o hardened-report.md - name: Amend Markdown Reports for readability run: | + pwd + ls -alh sed -i '' '1s/^/```yaml\'$'\n/' vanilla-report.md echo '```' | tee -a vanilla-report.md sed -i '' '1s/^/```yaml\'$'\n/' hardened-report.md diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index fdf2b43..b0cd7ca 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -57,7 +57,7 @@ jobs: - name: Ensure the scan meets our ${{ matrix.suite }} results threshold uses: mitre/saf_action@v1 with: - command_string: "Validate the threshold -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml" + command_string: "validate threshold -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml" - name: Generate ${{ matrix.suite }} Markdown Report uses: mitre/saf_action@v1 with: From 7f763a5c47826c79abe1f73a9876c0cd3751fa66 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Fri, 9 Dec 2022 11:54:46 -0500 Subject: [PATCH 095/100] updated scripts to be less complicated Signed-off-by: Aaron Lippold --- .github/workflows/verify-container.yml | 14 ++++++-------- .github/workflows/verify-ec2.yml | 8 ++++---- 2 files changed, 10 insertions(+), 12 deletions(-) diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index f064502..ce52799 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -63,19 +63,17 @@ jobs: - name: Generate Vanilla Markdown Report uses: mitre/saf_action@v1 with: - command_string: generate:threshold -i vanilla.json -c -o vanilla-report.md + command_string: generate:threshold -i vanilla.json -c -o vanilla.md - name: Generate Hardened Markdown Report uses: mitre/saf_action@v1 with: - command_string: generate:threshold -i hardened.json -c -o hardened-report.md + command_string: generate:threshold -i hardened.json -c -o hardened.md - name: Amend Markdown Reports for readability run: | - pwd - ls -alh - sed -i '' '1s/^/```yaml\'$'\n/' vanilla-report.md - echo '```' | tee -a vanilla-report.md - sed -i '' '1s/^/```yaml\'$'\n/' hardened-report.md - echo '```' | tee -a hardened-report.md + (echo '```yaml' && cat vanilla.md && echo '```') > vanilla-report.md + rm vanilla.md + (echo '```yaml' && cat hardened.md && echo '```') > hardened-report.md + rm hardened.md - name: Save Test Result JSONs if: ${{ always() }} uses: actions/upload-artifact@v3 diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index b0cd7ca..c8f3e5f 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -65,11 +65,11 @@ jobs: - name: Generate the ${{ matrix.suite }} Markdown Report uses: mitre/saf_action@v1 with: - command_string: generate:threshold -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json -c -o spec/results/ec2_ubuntu-2004_${{ matrix.suite }}-report.md - - name: Amend the ${{ matrix.suite }} Markdown Report for readability + command_string: generate:threshold -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json -c -o spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.md + - name: Amend Markdown Reports for readability run: | - sed -i '' '1s/^/```yaml\'$'\n/' spec/results/ec2_ubuntu-2004_${{ matrix.suite }}-report.md - echo '```' | tee -a spec/results/ec2_ubuntu-2004_${{ matrix.suite }}-report.md + (echo '```yaml' && cat spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.md && echo '```') > spec/results/ec2_ubuntu-2004_${{ matrix.suite }}-report.md + rm spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.md - name: Save Test Result JSONs if: ${{ always() }} uses: actions/upload-artifact@v2 From 7ce7ece7821dfd1734acb7b8696ba52014e347c4 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Fri, 9 Dec 2022 12:20:27 -0500 Subject: [PATCH 096/100] started adding host,container tags Signed-off-by: Aaron Lippold --- controls/SV-238196.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/controls/SV-238196.rb b/controls/SV-238196.rb index b53f2fd..d58b107 100644 --- a/controls/SV-238196.rb +++ b/controls/SV-238196.rb @@ -50,6 +50,7 @@ tag fix_id: 'F-41365r653762_fix ' tag cci: ['CCI-000016'] tag nist: ['AC-2 (2)'] + tag 'host', 'container' if input('temporary_accounts').empty? describe 'Temporary accounts' do From f9bf8a948085d304371de59b1630ec42d0190e7a Mon Sep 17 00:00:00 2001 From: aaronlippold Date: Fri, 9 Dec 2022 17:21:23 +0000 Subject: [PATCH 097/100] Updating profile.json in the repository --- profile.json | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/profile.json b/profile.json index ffc38d8..2aeec68 100644 --- a/profile.json +++ b/profile.json @@ -850,9 +850,11 @@ ], "nist": [ "AC-2 (2)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238196' do\n title \"The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. \"\n desc \"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding. \"\n desc 'fix', \"If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\\\"system_account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\"\n+%F) system_account_name \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000002-GPOS-00002 '\n tag gid: 'V-238196 '\n tag rid: 'SV-238196r653763_rule '\n tag stig_id: 'UBTU-20-010000 '\n tag fix_id: 'F-41365r653762_fix '\n tag cci: ['CCI-000016']\n tag nist: ['AC-2 (2)']\n\n if input('temporary_accounts').empty?\n describe 'Temporary accounts' do\n subject { input('temporary_accounts') }\n it { should be_empty }\n end\n else\n temporary_accounts.each do |acct|\n describe command(\"chage -l #{acct} | grep 'Account expires'\") do\n its('stdout.strip') { should_not match(/:\\s*never/) }\n end\n end\n end\nend\n", + "code": "control 'SV-238196' do\n title \"The Ubuntu operating system must provision temporary user accounts with an expiration time\nof 72 hours or less. \"\n desc \"If temporary user accounts remain active when no longer needed or for an excessive period,\nthese accounts may be used to gain unauthorized access. To mitigate this risk, automated\ntermination of all temporary accounts must be set upon account creation.\n\nTemporary\naccounts are established as part of normal account activation procedures when there is a need\nfor short-term accounts without the demand for immediacy in account activation.\n\nIf\ntemporary accounts are used, the operating system must be configured to automatically\nterminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address\naccess requirements, many operating systems may be integrated with enterprise-level\nauthentication/access mechanisms that meet or exceed access control policy requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or\nless.\n\nFor every existing temporary account, run the following command to obtain its\naccount expiration information:\n\n$ sudo chage -l system_account_name | grep expires\n\n\nPassword expires : Aug 07, 2019\nAccount expires : Aug 07, 2019\n\nVerify that each of these\naccounts has an expiration date set within 72 hours of account creation.\n\nIf any temporary\naccount does not expire within 72 hours of that account's creation, this is a finding. \"\n desc 'fix', \"If a temporary account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it.\n\nSubstitute\n\\\"system_account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\"\n+%F) system_account_name \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000002-GPOS-00002 '\n tag gid: 'V-238196 '\n tag rid: 'SV-238196r653763_rule '\n tag stig_id: 'UBTU-20-010000 '\n tag fix_id: 'F-41365r653762_fix '\n tag cci: ['CCI-000016']\n tag nist: ['AC-2 (2)']\n tag 'host', 'container'\n\n if input('temporary_accounts').empty?\n describe 'Temporary accounts' do\n subject { input('temporary_accounts') }\n it { should be_empty }\n end\n else\n temporary_accounts.each do |acct|\n describe command(\"chage -l #{acct} | grep 'Account expires'\") do\n its('stdout.strip') { should_not match(/:\\s*never/) }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238196.rb", "line": 1 @@ -6869,7 +6871,7 @@ "id": "controls/SV-238293.rb" } ], - "sha256": "4c6fcd4075dfd8c5d6674624d6b3b02e38d310555aa685100b5e6d116318f4b6", + "sha256": "acac3e16219107e8b967ca6bff5c8058fea9f946555f96c508e75ae17ea020db", "status_message": "", "status": "loaded", "generator": { From 2ffc7f8b84a1dcdb582b9a0c033f2896e8650ddd Mon Sep 17 00:00:00 2001 From: HackerShark Date: Fri, 9 Dec 2022 12:35:31 -0500 Subject: [PATCH 098/100] adding file that lists which controls are applicable and not applicable for containers Signed-off-by: HackerShark --- Ubuntu 20-04 STIG Applicability Review.xlsx | Bin 0 -> 49354 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 Ubuntu 20-04 STIG Applicability Review.xlsx diff --git a/Ubuntu 20-04 STIG Applicability Review.xlsx b/Ubuntu 20-04 STIG Applicability Review.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..028b5d97c4d8b73a0229cd6b0c4ed2550b857f2b GIT binary patch literal 49354 zcmeFXWm_FV*Cl*#3+`}mcMTqby9akWxVyW%OOW911ef3tT!Op1yT2s&Gjl!j&isR! z{?O+-y?0mlT6?Xk>h4mIhJeHXKm%X_000S~hT|#44-5dHh5-Q30kGg&!nQU}AR8w= zWp_J}qYk5+wH0w5Bsg^r0Q@8W|84&lGccO0W7)%u5poXmj7-s#AKl6_P~%Y>J0hF* z3|7nC(9HqIJ$3kN-TXyAYMc~nPgXc1^WGb8e9*4FYS;`4DS3+KnCc6b|9F(LM|R!B zq2)^#>5Y)IA|4{mGNA7A;K_n(RlO@L?{iVb#Tvguj0RY8SD*Ui&qRDRIQeRu@ya1A zLnN=sU?2jgLBq`&mnLGW{WL5*~Qr6Azr0Sn9yJ+V? zw1`ipH40d^uz{Cip&t9TfjTR^I?>oJEaF$ANh4(AsFTDmk28XVnl-~7F_~VW2NPtb)J@)tV!0aOwH@EB` zc!EU~sFSu*T~#9_VU66_J^n8jF+8gKfUgZ&T4*=e1a-MXh3>8XfkcjB#~hdAE!mHOT-+Gz&BXVH007?KApi>hi*eWE za-iQn)X4VXON0;O>N$X{9GMvZ?*E@*|1Wmwe}i5SKOxu4{3-NYqFs3B`N&2BHn*^i zxL_597Fi$dK6Yt9F+uSD&KMR_)C`7eK#t${4b+xVtk_`}*1?5%oCn!I9(JlzzFFF- zx9S%Wo>`~}wB&LK(s6dL_1=kB^1*0Z6HlgLv^Y?@Y6_cj;!~vWs~^b{>k*+L5{}Fs z6=2vdqOWH0G8JghFYA~^xx0f`_P%kyf>|c&Q4hl%KQl>>x{;`% zJ3DW*Edhn4mY5UNO0baUz;$=n$(41>DH#%cS1+wNHxA3KZb>{Mx7>06Zqxie;%C@r z9IE8^HHl7ta7}cVsFBw*OTBQ`ub$(orLs(QbFIuVlrpOJW#$R}a~MfLK{X3(b5R&_ zvI-ha*E{D0`#j+Dw9zA>S0>G>Ow{x@=qo77IC&JQ{K@1oik1v$`u2v45>${WE91J625pdLnsiFJ*Q8<*Eh|jh$Es{6M!Clpzqfz* z!&m#P#cjpz&CCyslFFn?8FSf1CDO3V-XBK$#A@7NE+v_mI+2?M-h(1<)XKGgEA{!o zMVdvDt4g{ji9y02qbrHK(%3Y&j|v@azd*#Hi>_y5fdQLBX%Y%ZffnlwGSF4kHxx!F z%eJ1d7n-5A_i8ZG&XEPXL9)>YLcRoFobyb&tx7WA?v*4Mc2lgEfu%KSwO1c_#2hbF zd5S$>^t3^|@=Nn`ZH6DIXDNhV1eWw9GF%9u_o;t-v$kZEC}G?8p47DKfj%3|{9J2{ z15Tctqn}LLkyEisK5abj8mrGwqHOuBuL2X$YtUc3Qex znEaC_5wqK+qcpwDIts@WBfrN2hJFHXMR;VUbI!6_Yn z<}8}UFFjr)xA5j~@0DoKUV0SsC?~u(kh!7Mpg}47LL**nHu^2IS8oiiH&z0QIoLH- zoCgF;4i_QI_M4fyfY3%nI88>r=&d7Q<@=8@ za{Qa-GU(Tzq^AufH*1|7L;BDB&5zjqEY_ecua2r1bA$MMRdOPm@2YL_NasSs%139N zo<^`UX}S@Nx&@UK%H-RKGvwRa=i91&$JA6bc`RtH?i@~xs~`5PE<^U8I0dc4mXksL zhHo8nB82GBJ(qCsrdH=xFIFzL3c#3Fnumf+*sR({Omp}S646W9yZJWwQ}FVzI&v`> zU#|e$hO6_ZCzW5pggi_lPFb|iXNzdV}zv!o1RF zTL~L@142>r4e|U*heQqi$6VgVy{fNuFQRof`-;q&h=ZD&PkAxORqwTVCn7F?)(l(w z9_;TSHdGHzpp?BOuJ!p`L*h*zOEWY(@ww-`2%l8r3VQW-C?i2}odVN8n~2(J2NY`c zIR(o?@JdGXW@4Q)2*u?C2SI~=KW0lFEb}@%S6<75T`!hl$?rS+4_|q)89P@hY}Q)t zJX$or7DPAu4mU=J*x(l~=#&(_{~x=RwBMQ*l{f$ZSPKB~@$)~r6-P4=$jOoE-w*rW z;VLsxBQ}E>BY2(e_N%&&sh*U=5Ordh%UW64NWGCvjiHf627TGnx+jT$l%}(0G=?Dr z|2lW4HWSgfQV!WnNO@zI|FKb@W*P0;8N$o1}(ylURpPDd6R7lRUvYb z!6+&5&!VpA2Awl^o$BE7lANk(Pk9=*<8(PTrRefaIkdH{a@u*OBV`@O;l_x&goe2p z859I=*Gq zcH;jeP(N+nxZ4Wu{9#CL{`S*0nUWXGnG1#`_n=}Ey9ZO2WBdAR=AJTRT*q;vPdR)V zeS5I@flTYX3H*y*8gYma!Q+MCdC7%ye1Ne@u&erwlsZpuh{Iv~zKXxE@v-$)+CX7q zpZT5@mi-?6G?$amS1&cO*vnS>z#nc66jCUe@sw$aNmuHN4xaZM5C>{ zf$+I_?VM;;6LlBlk8b=gy^S_$oW>W>-JKU%g>z#`BJhzol;QMyz9s;Xh?Lb6uDP+K;! z`|Hi?y59Q>|Lbw;%(A@i%fpRJ>&LUVmPpCQ*RkJyAku#`v$B#N$@xqWjh@`+P%7K zBFU$Ad#m$48qb3XoCqm|Wwn!@>=1=HU)imG+xqoncj^Cjb%h}gvN7j2)M4ywx$avzU#^O^ax z_1G(arOmS|@_w)W(Y>I_(H^HaSlCph9;RV&6)f*9jA0hf>rVzNw%bGGm%6?6L79m# zNjbGCdDSCWqXr~q6N_`BAw=RwW1n%`8%Me2emtq7(DaIsUh-Uds0;oQ9mGX=Vu1<( zZC@3%=)&xUKt;J=Xu(Y5r;Jj0c_!Z55htQAS&!aP=`AW>{nT&2g=Mvno{WCr+~Xlv zq03KqPqT65y>%meogJZOb1(M|ss)F|;q~@gc&v^~2H+&gEn6?J0`8ay#eHAf;1|CB zN*3%rX6EoCe)O8iM`KL-DkKFo~44YaZt zu9_1DMP`Ca&oDdDV@Ve1$xg9l4LLQuCZ4ei!!UJufj7p!}6Ed~#FdxQvgy`_2g@qvr z4%X=DFi?^~R|J(og$uYC4$kt>=ivds!qA9Ieq*_QYIIb+Y#Z<0ZRJwufRA8Y0SZlm zEGhT^igSMC?$K#(L8T9wa;wt|2+}t_CSTkV_cM)$Y_#mzM{2Sp_@X$SLD2U_MUG#v zC1A>}HxA?ae6cfSo=<0}v-2tgE^=Sc1|q2RcN%e@$3G9dEc>0eJ9(Kxt{)DymK#)f zt@Z%^!XBu9>Dou0#H?chm=8%0x`{Do_adgTmb|JYi)z452I=3T{Fs?Q5l`vj!fX*+ zg!MDtDKui*X7tn$!-Y292XT1ap2^$-v~UzY1cGv$JEvFAk`p*xxJ^n%K@?j31Ef46 zaBHVI=f~40Rfr8ez=+03@hL1aNYER4NHhjl;a&~y^zWU(4l=UFpvTi0YeB?CoK*Tl zGCH&qD2kuLLF?&D-8rqO12xde0Z1=k^>H!Fgjx0dqW1v8jDPJ-Mo=sU}v*hfYDB}$(%8vpnONA)s9L8kYVOHlcX z@Dj90w|?jQs@)vfKc+ z<{;B$wfDV^5-9Qwm7)xuy2W-NZTU-vF*0$NH$=&wU1;t7w2Z|+xHclzs1yze)SD(z zEfie8GbhO-F$0U$4UCXBaXKX=LCop4cdV!#{P;(to zZ0JJE!6DO{T48K8=*3&qiUZc+2*zAvZ~E}zCy~@i0FFA5pVaJ3O^2&lwYS?D;{$Mr~p`1<2g8O)mglj}uVBm?z>)z>!)-MF+D5;11$( zxODx&<6a1-{1hkb(kzVxQXFi;vCu(W%rnz zzdQ^Iq*3B`S|f^e5^_p&rp`af=Nra-bPw$CE)u01!WiMN{L7!yE^!&_#n{YIc6wqx zQE!DeF2#58VU_jqx$JESRmi{?fSP(4k(m@oiN3JDO^C-{*N0Kcl}Kg%C`c|m2fYs8ixyl zN>>ny=_UCFB!(ey*uTB1>Zr!HNK(8Dkt7}3iA#j7>m`}F-Dz~-HjYRt=iI()Bn{=0 zSz3wRI2LeD)hgC;LajRf1CbBPBNHGRV2|O)%ddslY57Sd&j#TmNic#jsWTLKmr3D8ZzC> zDK>MaO2i%)WSeFMmHrnE=!YuOXf(4FQeNv$oG@WkCi=r@TqQA^l$7k?*?ku2;&KGD z0222OBlk|+N411gmderdDu~ggRR04t6zGr&bQt<5773B{@Kz8t-B1vk0}v_wgTkG- zwjDp=nEUHxdF0{DkA#nQhv8XsgMc4Mx&F2~DVdmkkkj`UrTBkJ4Rm-+4)j7Y@B>~= z={Ove{EI2=I}806NL1rg;SZ3~NLkGP)$@;{nR9g&=`)^sw&(lYX(`ZuuQ3#yOR0CdpNqu`7 zrpXTi(hWt`1;|iK$3QreMI{85tmVJ7kC3D)3dK18Cqgn9{};$O9n#|)O#}g5XnVDC za`J*uu2&`K#Alr*VHVf};I8J{x&C{>MRRE#-2DH>-9BchR}t{);x;!5&7tCh8=ij> z4gD)or=cv(vFj?J!-smqh!cgYXpi@cG5gUR1{j~j{>8sIP=|Vbb$q^AJ(5{dlbXh% z2sp7D!jNPi+>N7ALdrVbVB7s$vir*6-}_R9Xj*fr|3fE#6Mp=sYR^(6%eac9Lr9@A z@j<}9+
aPP3W>y_FYeQ-|p@Ay0oLc||$@8%PSAy86>K^g1vW20e`^H5M-z)9B% zY<@sgNw#q3zi6Bh0qZ}IL-rpkdjCzS#z`+ z8ADoid_i=b8Yxbgzm-RKtw8de2stI0jolxV6h{^y!>?I(Mx7GJ<}$_kajS8$NLg(D z*mgtN@}kN1A=%WoZc%8GE^Z&T<4hSL`&OWx)oDAAl4tybJU(D03J?A zH>8Tx-5-=Hp48v~3%xtZz2;JQJ?h_d{mhTQbH3K-|Tpkp%K%};-zH4S)cbdWD zt_o5z8EywI<0uheM*>4OzhS*Cf&YAzQZlDFHf^Qu-yja?UyvOsR7cmHkTP*ThG(a= zkOw)RMm(k-^Iw~;z%vGly93npJ>$JwPzIb*UDw2DZ6abOzyHtT9v?yzN*a)Rl#&ji7AT@X zIZUI-pry>2(ZV<(iTMQKa8!^7-oQ_Ht}%fR5OS=gzIAZ4YjaVSF-3U%W8=n? zQ<)Y4kC;`CtcNp8?#Oc%*yMy>?(6f1(JV}9F*9q+krpGre9OPIWYVC;!7Ci3f=ocQ z7Ly$c{?v-H;@kBCh<~i^n=tDc;BivEO~ib=W*dZnY)$DeMuGir#UG~TWD+Fe< zXF9ARS7>+!hoTIwHVNK2S}ORvENoW!yhS}Nwd+w1xK#l=55icR~12%8NuMzX6j%QFuV-W zLmx5f!X5*T1~9x}pE_C>g71iv5DZcpxcSN)1SaTJ#pOa{l%G6>pweXr%K-H>qQ*0! z?6V0{U)hBY%O)kHf=&1~Vfb>vS+lp#bzsa?unLW%6t_4?Qj|9BGM4b8eFVlkTyMNr zr;2O?d)Bo$Qcx&tW~NA^tEkF_G76?@sFWv*-Y*=-z@9St%dl6sI8Z6h4`Ou9oxT)q zZCW=`!3OyVLA8w4stV-SQxnX9=ZSC-$j(qFDCOFq3+>bDtZUL+WbWBzO!6>Dm8uCO zHOmTwtNx|439dI=p?1QWacl^0n?d%^-!s7qmAO{-@QPani5nL6FrQcUrt>Nag+ScG^lo63&N_NZl^@K-tF7LMjNcTVDF{mRM$7WKbq z?^3Ltx^X0$3)zDgi`QL}1n{f_;D!v~g_rY`?*@EM@+BCM}ROM46KWKPdKuSDYsly1O#+ z`pu|*BS*-!BoRX$>WER*d&tW@jmINHkz5D!h=atb>h5_AQ3ytCaKQ6WYOVsFrWig9 zZ4ol53SQjCG5T92{DQFetn=Ob zvul#FG?Yl`IL`@<$n@u%uy2R-3p3kdR?<+n$tnkf1tZQDCNT%Id5lK#=9!vFP|{5;oe8NgGMfQ5|{mO_|7 zx#V10v*G8@dkZ-959*aRYlQk(|NmQb9)R-qGJs!O|y<&UX>D0=P>i zM~$bY@(bTprPC~mjMfQAOHC{&F+z5a07a+~-suWQ`N=>3gc+25kL<|I_O#ULbW@N= zukm~BC=k_zne!~CTdmh+q}A}S`Ft!u7l%@)c~p~wBB>Ussqi6Y;j&YU?jpTy$jNEm z@ZcBDhCpCp~5C#OHx=%{D0l+P= z(%%IQ;(u;vRgm0k4`LX#&bwzK5Ckv60agPlv%)wkU~NYwdfMMLKR1QXk&{S4&DGi? z$KRMtM|*y7loy*GfxQ0yaCbWRJWr(e^_}Q{zVu}uA43XYMuFT=Gr!Y)q$@-r29ver z7ePc|&!dnIryOv_{=Bl6(Q7PK?@@fZ6OUt{Cy0*8lK{Vv7%}UD*{turXxZk%&Phj1M9=r%o9O@l>XkDw1wZDGC1=*ef0v#8`^4d72C@b*{oAwr z{kn0YF=mM`j`0io=_@_LmtjrGwkPKJK>ls=H&Rt42Vk|>Qmv_L-{?>btbanL2Mxyb zv~+G0p_F-!e~9kWAP(BnP3*z)VzSF1UcdcT(oe3C8s4XlSoiZWPuq3vwm0H}IhMVE zniBKWIpA_n{6q*j9_MLWpii!imQbEq7vZh!2HQpAkzTan&{sart#+%mv+5h{wU8*5})D`<33VnniQdD=zmi0 z**7N5xMSF`*e7PvYv=NQdAYf?Etb#DXf`t6UBv^Au{IzE_ zC>&;!L_`;nil4wm*x@k%wh+hJpV&9XKPjSDMLVOfZO4IRy6|U&W#?c0@rxEOjgYNmTN0AgJEXOtgyz5-B$>LVr1)hsi%P}8FIuOXy_wyexE!D zSsN2%;qqftWELM~33trb?wS2q&F0|rkemL-X?Q_Iq8U?w{^MXzCPHLo@QztpqfWMKy3>CO@cYW@{ib z1&3#7wc24mnKMTDeT=Qp7Aj7Kqn4(|hUAOt_B||uS>jfw3Ad;XYHsieKVd!QlhwpH zc{Xl@P@kIp8d$YuE`rKuI=02XB`9QY^ub#*ON9n>EfZJ|e@|p(*=mM&YEVKx!hKv;-g0Dd z^6srxe?+f$%c|Bfs={RS^z=mBAv4!0V45iF{%4d*oBIkERqB2>YKtMah#$PuEW}$~ zd7JukqIML33XHD^f)bH)Phv_v^Y=vfr#lFC|0xAYMCL(K&=;(^AhX)!ObL_nnAEDCFe%C*3t5KlHSDNaYNrb53dhB@;2@^HgC08R9?Rd; z+&$9cAPHM~$?8;9TLNWGE&23MT~oM11rAYl|X?Hny*)@c*P-XRM}#W z*Yae?1?FmWge$QRX45~#nPEZ(?Z6F4w`^%d2JQT}q_Z=(Tz_MuGa6%u6SLGyQT!%B z4)0sZBez<*9erR|G8Z&grJdIodbcl|v*YI|_iuB)-KlYP*B!KMRot3J63=!!P6`-lzjq4hlBh>=MyB1AyNmB1sr%WH$ zsAJ_N0t!V*M`qyElf!~pkE{*+SF~DQ$&a4C zv0Zs=Q?<+C#s6-9_oFF*wsm&Q<&E?^0Z_>2peK1fNh)^*dRsjv=Te#xF>w^Izu_;l z%;Q#9l*xV?8Z+;}3#$HRccfdrp{iZ1aIcvxG;&Q_n62i}dU{31RmKV{t?N*}7ODlq zBYi$M`?TewldMfX*Ynsv{C%Q_^qcFUXd#z&eQK7H`>jr!C~-AkMapxuRK5-aJ8h*; z_i5vCuvqaDqf>d7X4Cqq+pXApyfpz`&2pL3ibb__4_Q%Noe^{Et9R?#6|FJB|P5NWa+kXaFM<;hHkmKK>byR!V zW}6GmTTlN@5QRB5=ByF354TT_eOW;M9FWz2R!%<>L)nUhwz@rP`0ia+f*?7F&BKs^ zNETigr_x{6D_kdWc$R9NVzIteCl%q9r^Q)R)$guMpWyX*>ire?X`od#o>?!*Jbn=U zm7(fJ@67jUP)Bra`r%j_h>j?-Gb`dtV(e{+b1a*_hM|bJim^LP4gXNBSUJL_t*nk$ zRmc4Mwsp=L%Neu$fMUGos7QT~TUiqegoV}&Nu#0OX)_mCGBigbxhMHOjVo3zOXb={bPFSay?m(tkCpha5B{x{;#=ZIa_@GSyq!C>15F&q|2 z;zy$d`Uz(1+|%W&zy$65s9zK~tgml28aoBkd4`FJ;Wk?OG*26MpPAl9Azp}r8faX6 z)m{s|5xzAW9S^+fC>My9qT2B`kN5Dpr}aCBYot+Lvvy~UFiTH2J#kculg%cLpxN=K zuujG;0iiqw&X=}NtYh!EH9F#ED&gN3X3DtP>#uXDN-qNmF`T9vVW*bXTlt+7f!cEO z{E#W-k0Qw62NNmgx_BYctiC3szS=m~S**5B4Jq9I=usZl>3*Uy+~4PNg{Tf@lBqDD zk@E-3Tk3s5p_=n3mkk~Omu8=iw2PMqLaKbg*ZHpB$)P_H#44)69z|k>$TI_j5kB2T zOFR_^xQiqdt^ORiw1Y|U$_CS^G_K8r7!yqSyHR;=?pwsO;r?@njXLFZ`4J@9~BuW#9nWh%6z<*);a zPhutjfY40y>J%_C%xev_ zbo~ZH!i@T?{O^%}q5N!Iw*tO@8UOyXi~cdv3mz@m>inN)E-mlW8|dq~D{~`Yh$hzy z;6k{1OHT)^nT(xdxty-lj3_lq?-I5^HtJX~;-+z?MAkdG?tCYkuMgdVY#2e!qFxWR zmJKurH~QW~|45pB@bk-)Fi&M`$vVDu>|3G=)8~m9F-PdQ!Zhq%aE^(kQ)~oR%_Gm6 zZvs6D0z#zY*cTZXmJeT;VExC6p4&vxsv`JgSPZ6AxpYt)xAf<&^Ac0ZJ)l&CzIUF1 zHH0A09PsQSi5z;B5{+rJOK>bcHxleaT#)dn<}GF-*xy&&=?6lmqgrp}U(&YOiza^tKe$vMcJ2 zM-wscny-zsbcxv-E`>dtwTm}shXg|C7~ycM211GJn|k4XH_eP=Mfm>sp|MtJa)GY9 z#^Cd3uq{~L-L2`RHs$j+R#bpuW|5w~@zZ%7K0Ha2n{Shj#UmvG>lNH|1oL1w8ThH1 z#0IC{v3+%?-{pk@1^&@_bwTj4^V1zDacrA4XHcw!!vmWWeqlB#X8z=fL{`-uYv!ax zH}bKAUIK{fK^S6l0<0V4)<*_*$2IPI-n7Bo1pcVXBdW9Y+y?VeEF-cjf<%sMvUmj} z*%0&|&E`ji<4&0ahYf&7ASRmB1Y9T^fK}*dApmkl!I}4AX*-LFG$pJMKc4f_q$Yi7 zlDk+uRdj2TLl3aOdnKRQ*n1%enA(IyO1C_s^q1w~FrG}#q#dj?$G7gUcYw>~*V9$j#MPFg5-V8q;om5Gfk zFgiMpvbU7sWjLMXVniB06KFQVlhymCM>H%FWMv8lWf+WuB!;?^#I-rH% zM^=}EO5a8krSVljz}|4NP}i6JC)@y>@M-KGw*g9Lo_$iBe?Utmy**hunH3_@kpI5b z*pCMPI~36x=b+dXr6bXxaZX8iD)+c>d-`Y&OrUhy94G!bA0+~Gwq{E7&#vF#GFfy8 z^oew0QlZ>Pr+M=g&bS9Sk5hg7xpH|yILsFo{&Z&T_D@}q6V9XPcF zDz}ed-uV~F^>fy;FgGo<%LWWAUesf*?SxBLhG0=ykruM>D^2*w)G%8$wDpf5O}vV> zq-tp)^EgJwv6P1^9;41!j=z1#JG4Kb##0j+HKa49Lld3s&fS8w<@4$$Id%Wy2y!G_F%qvPEq@LlQ&&8MbSvfA?#l z4#MisIiwz)NNl6?F__&sscuL{5})gP=E2Fc?G1pNU|FEi^GwoQHhF|^uD4oCnpZebsOZ4kn@K{j3H=KYJT_}lh3edK{X zCqBEZ1^kD#8~crx`onFbjf_U_=dYeq@y`TIGI_Rc0ex}1YpOKus-;%i3(Y%pZJbjr zkxMi;B{XSc%V*2N*WLA_f*WabT?8T9-EIeNfnD_{gSoukSKzVrtIr#e$uhllM{4Z3 zmun1?bzHJnSYXy4^H3CzX1;0I{AkF`W*fb9=XcKkVS0 z_{YFmOAm|A-8X!Gc(lV(%~=hCS|IcaC`TPaKB?2d)Z(}g+8wTb zdolPfIxneM^muYyxpuaunlvi*$d#qz({X#$O zTs`c7y4hBLbzE8AZ}`?9iG2-`k8^9%5(+%<*hg#NluumCRx|@tH_>bIYR8w zq4B}v*lb}vBBlQ3d}K$&mz594%KKU+-RF9CE8|Cs23l6<(^3CcMz!vRcz5i2VI;lz z+n$PMObSKu)XSJgyms+pozo0`z86~Zqp>|YHk=q+mXS%lC@w?QmT2FPu`5w!@|hPN zT=7KGA6uM~N#m66EYa9*!pdtYk;ZuaiK0p(Bad9VZnNzD)TUPWBY#pP8nQ*`*n48P%%MGiR~u08>Hwb zXt#mFLDHs*{POS`uUvs)y2YaW84k;;CfAlq98?dKdg-i9yy0?Ji+MwAZ`^V%4RtPq z*X|*p_MwEYoWImwX*GAQoQK#OuP3HBQV@mv#B_>(kJayCKNjuu8r}|aeLChJQEW*q z)M#zic~wZk9wX|M+ro{pxgPwAfikj(yl(JDmf@=@Hu&}J_F?{-`p$75^3gME<2z`) z?qx3~G`rpV`sil$aGCQX=`WrM_fmeBg-4m zv+A0MNBX=u{69VCU)}L}{J^Luk8B*F$cE(Jirk_gpJpFp<2FAg0?X}by6h52Y}tSD zdb4JqKqx`U{zK%$?<_5*SbQgGnlG|uLgoidQd98HE8&7?0$c@Q$oKGJO^_kUBGblD ze;p#??Vuifg|8m9dpZ3LV%5Y#*~aAd=nJUUv67+Dis3G4gi6gF`a^lRtCSqEY-0tD zA%`lP)1H|!I6amC^>f2hH#q-(!Ww@>^t&Low*-r$gm}&N;V*rt_3W>U+Sj;2Ql@R0 zm*6-QP!kkQ;@j`U#+7t`%q{9fPlJ^=J<3P5s(p2{u70zU-+SRacd{FOW zSBo*&fDH6bx7wSGiHzw(Gp}4FY=;aCJ_Ei_*l;Okx_x9Ta=)*K!uKB^_3XNvH}x+t z3LL`ojj@MqoM?-Ys7x_ZB_Fl-)b>ZeT(?@>BaqUc0+T zx@|w+cRTZ}WgDlmx-1r0wkBnbSAY9%h+08@Kvbs9tzu%hFeXp7-OJYi(JWyAC&)r{ zlPjG9brM3_gR9-KzKVnF6vfmQ&60lUgPq<&zs2puH75lPw+v18E6lWco~C{KXQpXQ z7q#xbAw2f>!Drbm(U|a#VLee>2l&Pk30Q^S<$GGMZ=&GkEa4Xsivgh|Baeg?5GDhm zk$vT#-LnQJNsgiGNtV) z==oMWd3y3xzS_(LSbtw1$`o-LFprPIYQ~wyl~HRZj>}$>A#q3T6t3j!rP}3N8|VB~ ztp-GT5)X_i_Q9JNv%4G-8qt|U%npKUtKf!q(bySjx##BkQ~&PL>IlZLuDvifdop4{ zc-Kk`XvYX`{HpAIorfK5KRovI-B7W3r1ai5k3NfBS+Q*@y+s7nr#OMuM3MK@2N#ur zZ0(JAR_>r!P{&<)4LslrjmxTibgHHp5A)UQxz(?Mw4Vrmz- zaUhEAE?2Cn+9~nY*%xk>JxtN=`3OXI;t9mKGBf=hqbtER5G6%#M=*(zy|<0HZ=}bu zWmdf`W>yinuc88n%qZiECkhL+<2sEHKHtudp<+udD`;B{j_v zPu!K+QDo?I*QO`e7pj**vM$dg#0Y&3+|(84t_)?WVdi2l`(s?3Y4S1o_UQ)&enq`h z*pud=jQSNO7$2oI=vHEMQsSQ#bx10dg0fo1=r4j15bL$^)TL8B4}}p7djhLFML~gj z_6jYSczkYmzB#|n_0e%#p|&zHs}+~7_`;G;@dS3n#FAK$7+^N^=i{^3;k@?*qmG+f zp|J%t45(-0aC1=}LfWuH!4LBXSKG7Aq&8N1*&@^VHm~y@xVTLp@=4>IhfBF#AT&cT z_vn{)H>RrmFq}Jt6zb-!_F?)aow11N=8(Mcj5yOWbqMEc++8;3zB#?q&aCW-`6#oQZFH)4G+YW(quYZD*Z1Wba`mW?d1Ee{%!d za6hc6Qn&b<90q?l-2EMCNi{`p&wU0yqo9Q1uY6q(C22x`U0$X%q~7rwdSP@{Cr!5MU8pW=4LK^XS!0)7M`16(&HI>I4=a@E z9_eFN<%Ej_E^#F4(7uf`0#(gfJRPOmdn!;s!BcgdkG_O6b$7g-c!isPqTw@g{rY;i z=>7-)?DPirkcRw`nbu}Maz$GRdhalA<8Y`<`y2MOr}lWs`IXQX8%mI3%CYqXn@S;l z4vnt<*TL|Lq7~t%iVNWjU2?IPRx$_zA+^A9`5E?;zY93nA1#q8_l|d1udRC!tw%xUAMkrhT zC2)0uBe+IvN&UZBg=^S_0bW0Mpk(vWnx;R;P+uF?RL?&7(V{|ldrymz;k|Zh!UcvN zcW*pse3FU{8w=hvSBIC`CdoB&g&X4DA)?86*&k#Od!9r(-^Kck;?XwSak#xC z3Te8)Vv};wsSivXi0p&)c;@|hR@xm)SlrzzQ@QEW2sU}){7Svc=ieRfH{T&2-WP{_ z&-hZ2#KK z=lZ@7Ph;HFn6T6N<*269t7hd3_I@S9)x9=>s%x^uoV0MwsL-lXVy`Q>NPq|WAt!l% z8SE(^G=_oJjAjbD2)P?7lOH6URkmqD1?G(~>%Ma^jL@10 z0s}^QmO4illq67<*G-s6!7omykXsJ9_<4(xysDC)8_Qqb-azu8a1QrC#cP2(>sTh$ zzQ>rMuNPlMn3@}$!p;;hAn2D}#R4gt;+DWxTjV-KJ^)Exr*18D9QQeG<(SJjQ9JZT zkaYt86I#$`F2X7y;UhTkXS+;EKwO7eA?Pr@kZJ5UPPg0nKC#6?(y_uOgj<{ zy4w&uiE()`ji-ZYlLJwGlU0W?jLU;*$dhW@FGaFjAuh`v4aWCu-0#bX(on6=2LPh_;!hEce|KyJV4-IC|yU_c` zI83%NBH^J{+>>C!!yO6*ha9s-MMRGNn7l=mAgtrdQlo&PSM(;AFhmo$SQMyIWAvB@T7@jjmD^C?=W+jW#liNc{-> zNBXDSp>(jLEIZPt<8CPNekxsRZ1D>)>XT}RD;lrSEe%z40nJg^P8b0xEa7q?)|1W( zTc3!W$4VNOS!eU8ok9*6!br(#V^=KgePf>pR%2wh4ub?v?^|>DZ6=?=#dwasJ6J4w z#$E&tDe+D|%{c3^C34iRq$(UM{@U*7(4Z&!%p6`u=p6lM+gwQtvmrW$-}TrC4^L|J zg|QJzy1v?VA}7E2dgwB`in0@+N$OaQk==fLWOMsE z&aDfsOH?htD#}PX0XfI!&RRp#)*k}IA8W#`^X}cu>r_o35BDbZp5$d-AR*stw*g1i z6hdTU((f$@uV--oiKA+bTQ!Dj2cpu~NPbX*URAPua~YZG0tMd->~=OZxKf# z`~keBjh@mG;?a93K>j#ujm$C7(QfcI*0$U7NRz)^EjZpU`3*g4X`3v#j0g% z6^OApi%3<22)k^*kq4S}Nz6nJWte2F4z7TZf|m`IT20)k^O3gC57x4h%(fFwdI z_0X0$mhx7s0s~%Tmc%Rt06<4dAX|K_BfVt0R_*#SR$uDHlonD&-pj@zC>A@*dCQ&* zq`r2zchJ!}sW9mpv0mhP=1SG2GLYsJp1$u&(={oBblY`Xnhj=w7*z)yuZs0U5=I5d zuLzc_Kow-`lIT6qwMe!O(+`(L#~`Vm9cFs&9*HXZ!;Z?HF|>L)#1u?PV7n=&RuNFu ziLkEH*MtOvZe1i+-wcLb^EVC#O4Nqul@d5z@&T+TicVZaSLr2LIjZ_VFjXWFFtDY} ztjMnVykKt}N0mFmAtj8j<*TO&ZMHb?_AD}aOsbb6bmhuBTUSHjQvHs80E-$JN3yh! z!dd{l1PuhumKekwQnragT>K0l3!&~n=e#dJCv+CzO(wP_t8LI2(R41;?cg$wuPZF? z5&{MYC?TQXcOv0J@EkuDxRnBYYh4HhRdw)t^>vz_7lY2yU&okT?Ab`uFcceVo{`uX> zGu|jd(se^FDYAIkFMoLbt_>A2*i*RH?-25+)xS!eHOT6ouPs3(3~i2=lT87&xYo_H zf~u+bR85bxWp4+4v6*{a>*BJMkTF5*FQ*q|gqyHt21I;nQYbBw@=yU4?f8N`hR14# z9Wf|<%l4rv=)Y?T6UwG}!Ml2Mt9Y4$$SxnZzf(2re#d}1h;CV5EtD5xi;jbeD4}PJ z?^%^CCRcWeBJ9Q0wCynWRS$Q)-Uw3@$>V;4f&oPs70I0=oNax#>fWxWv-WNP4R;XV zBR#7p*}L=os&k*Fz)cF^twuydMk$oE8eX9m-pN5F8~HEs2Y3YX5gdAnh_Do%b3g?Y ze?ay`&xpeHJv%#p9i1HisHMzHEOz0*tDv>Ox!F|33^honzxVKRICT)5KdC51s{J@}{DU4Ap^HIfZ({Mk1Y!#+tOQ4Ach7 zgfZB+N|Ad|d<+H>E$O}NsF>>%LXI&Rqz78I4zh)$z@0b(g4Pw!=^!2FVC#BH6s332 zF`AAPCb`+b(DEL|-cZTHos4L~dK7~V5=4#=q1w?`&37-nt}7~?@|OR-aYA#A$*ck86|Qfk2}wepz>5{LJQ)aX@o09*2J1WCvgx8>+iNZ+fcVQ<8!8sT0X z9(bUwGNHHNQAg+Ho=}h%ybq5aofrr`@A~S9X-4`$W(f8kkRd=#myGSv8G>3= zK(|KAG1rFbQHS+A7ZI&S^rW*FU7E@I+w00ykk}@2MD(`owe{!P;MeC7c5gp#|kQrOEBDg^A zB_2|lglycywRP(P-22r^f!x7!TR-15!Y3qOzJrYQL}|Iz_f->js5jcQ5)U{LQcyJP zcP%Jd@eSbGO6Wiu$oPtPvU0hCQ4N!|T}}IzsqJXyXygtlL~U{+oEQ^0UpGwMR=p6| zZKhzG1*l!ZFxZQwPQ`LZU}|4es9lks#!WA15OmiOkRp63PzAF1A6}jt^Y(Ib(`x_j zYx=Tdv6?dT7}Ez{sg4qyB922_M_AvHHI0$LK{$FZ$PJ~nVlSUtPl~N{pd>4oAd*q^ zfSd;o;}z*w*gb<~dKHTeTw650U|$Dh&$t30;wQQ08`KqN(c23?O6mBwe?EWn7NkB* zt?3IeX7cKVKSH>NRYAIz_$60ZNEea#qGL!-e@AJ${pR%Sr#H#s#kv0Z%m<25QB+}&0Y2OE|rOZ&vhOu(=N_2%JG~l>M z?1wJt40a%t$6nI!;#nX}fm@18VDbkMS25=Eq)7eX>G z(yPKX7CxO(eyQp~0BVjV6@~fS478mC9!NttZQ}V-DM30AOs>an5SD~?EXORTXnm)q zo4Uf+l_gXz0S#_LmHDCUnx4e zmh3jF+u7kt_VX-TUS3L=xxtV7TEU~+XUDIfG2SI)P|71@g_J^V)oc?1B_PzxR8in2 zYMqU;aCMDTRXkg7PS4*-dT6JjIt>77w~-R{Dk^P+LV^<9J&nk%0A%g{@hn7N*cYvZ zj-3!WA0V%T0R?;~sQ8ulstJlyj$lK5R_w{Ze61fr6=)P+*$CDgxpEzFXH?9Ly-~-) zbS-ctL-%N|tZE!L0Z|)KS6O_6!G5P8I9xezX;e|2NW2@m1b?6BFlq!{QY4p4rOUTW zg62svoayTVv6 z_&bpU+EJEtZJm>vjxCiM8`~~bvbh;3xh5LiEE-aKIAD+79R7W&re;ey`tLR9I@$F@ zhpZM@*VKAFI*H@8#yaOQCAH#?=HanDr0%Vn$w~VUfDqdgBrnyN>RJs`2?U!OC?Hfc zuH+OnjVg5Dgjr8PUC!7wow1tngl@0_nzU7J)rRR>>L2hIj>ph(@CLA2Ak~X+C1egw znNMAM=4nTMpe8|A5}ftyEgQ@-%}e6C3gNEo5j^2h*K>DzfJzoO8A$zNLqRpaPK9qWBIhI2HC(pE2w=7vnW z4E8#r+~w7d{Nbr0^#@AF)fN7*c1*R1>qBCXU`!yOuPf$Z?O+}m4pn-DL05VNhZmsa zemHy?oh*uM=QvyJypqB%bgJc1LqBrbvT$#;zeQ*UE9DD0G_10I&H4v>40#WG zhaJ=Ceu&tg8~9z)w!_6X<8chm^EG|v&=J0^bt}vlb{@92bpp_x<%s7avcPVLaQ%cm zQNW~Z@Jdhwa*P`0t$$u~b+w;EO`9kPY9hJKiiu zG)4Nl3d5Kzj$Yxy$SGYxeUufCAp@p1;FGuwsOA?t9DlVgE_g;|HO7*YbO`6nf;oV& znF~&;>FRYh_}cc>#?N)u`q1^Qdsi|xZEg85E^MPfg2nW!1M1>hd8ve&t5#ngZD%Wu zLMOBN4fY#$iUI2}O`zsz;jgIRXsut>WsDtY3WV`XxLvHTYjlHq;gQ8v@gSp%(**K> z^`*Q*mh4k5`6EFJ*Q7<-(5=QKURj%9ik?BdQS!r7MlDuJ<62Bt7Z7cB2)0*S%)ZTc z)|QUs^iQv20vaJ7-b}1L9|qzDDs=3KLGUoC5-j8l{rwJs8y~dM7}VtwU4U?(nqXRP zq`3$hz_)E@4|4$MMS&9FESS!SFq-V**%u7Kbw(vJoY7^4Ly zJ}Uj&-JzF|zBGPz;a-h_XhX40F)xOVR7`fGpLsHvYVgG3eiJyWRausRD1nMRt5abX zV{U;15%$L(N}GeuFkk4w+4?nK3Tv&3j1rjtynDVI{Xn;1Cc!7%H$OZ>8}%xd&)AN-c8$7O-FhJc4i}^&ei_XS7pGWZM zMF^#XnWm!pt&DrnNqy;L zhb7M=p(6h^zC?H3)!m8$64p2zy>fZ+&(f?9fiK;y+KTyo!xU6Klpq!uUFqLVp<7f> ztq3s-)Reew%BAh6o54F9Sk>#rMIxqX!oawBw4Ll;?uy9}_U%@#18K-^`X1o*AjHHa zm62op%bgvH3r7SghD^D}B^MBy3Hh0|z#A&rjq6RmpqdrEsK*A@&jk)BY7J}W2o!Nj zMob00NEhfH86K0f*UzILzvBx|PD5#cX{DBfTj*?jsuFL`wea_TS;|Oza!cmF3Gm#V74zm_`1e$3;`4-VJvew!zmRp6U zhXio%ZmHhvrk>TIC6WPg4;EHwR|eHGxOJ)uE7yI>u)UXEhPd~>- zN`u}145pVaYYGyEp`?+a$Z#OAYBIae7rR@{gz~Y=FKDlOF*8FWSe07*9@So2lC2NK z`37oU7Frc5bWIeqC$R4dRAmw8SD;h{jSFfGM#Rl)=S|4j8UOWbf-8r*UlF04T$Are1(#?n)Hw=+4zX%?nM;8q_!gpCdx3A*|ic z{`A?O&LPkxQk3Nv(fLn5?7ThS*~9<(hdV!<+24(2daEku#F@Ou5R zTbOGYk1I?;L{+mWnBJ%Y6MKx}-V}Cp6XhV(Q?t4o%#GFab|w&G!w+uN5vIdqK6i>| z!mCkFA9}^LosL#i&j!IA>{a5~s|oI)SN*2n6x_dBkp{UN+;ttMe_f!W*7x0O$S=s_IlDaI4|Tp_w+&Ur@=b zF6npD&r$sX*U_j@0~fO1lWZkscMM~^8Y1FiQ^wYK5F(SWqsQ>W>FMCof-a8!WoS+eS_-gkkNf6M90jG3q+Lks&zsA=kdYdV${><~fmJMtEj5GgFW7+0%uZ zBk)G6@Cd8|f-Ye;g@y;rP&Nq^c!qelVz*te>lgYEFClKhX_hXMBtr8Yw}Jd1`b7EB z9O%_K4mZh#*t=9}VwvLKEH6eWY=ySN^sqY=J$5T+dvI}o;g;m^Kc&@TBf4Z@VqHj! zO2GI=G6Ge#_(Qxk1W(om#iUODR=@ zWODVSLe?5QGc18Oi*MsYOc(G|$EbDNmG0*3KE4v}bmti8X{%L)0Eea;?=5t`V^ozr z+Ogd%`myQq;1~u$7K2L*_5ZqHBGE&fMi>RC6Pi_s2#t1E-LuVFJ=Wk@ zEk>z$Q-(LN)YeOLhagp`j0$K4v0C||c)@5)kiukd{uaxs?`j#Xx!ldDX{L@}Q`%#^ zM9c1}=&KI*kR=%R2%Wi+YH+7wd2=B-EqTS14EGtL`Kh@Kv2X8nJ^xg*ZHt4R^Js7f zv~?^_)J1X?XA>a;q6S3uItG_ZG{eUYtg;=*ctD7uB|I&e$(O*{iu|&Or-onyW(D~S zJk2n`s~*zI4FV;I)5b$#aeL1@fB`w|t|mx$QnemHr%E5bLcqd7GxN(b9=?j-BGN#E zS5FA8|2d#)(q@&N+j+6;L3VoEcd`(Sw8`SzbuV^e(HNC&AN$%MpHZ<1tYCO?SQ91p z6CKV203ER;>yr18f3=Bk(Bx~n4yjQ#SvrF8to+F9IM%F0VO(l`c-#EA&}J@yhGmZr1bWN-WA!eIVrt<<)pk^aZ-+H z%;XA|joel2`a4sth0#pe8N=?X*;eDnq+}vuHNJsK4&c9WPHK=2bw*SETul>`mvs;? zvpH6%T(^Q_XD9Vl z5vE6hxK4g6HY3t9o;JBDaa_l&{1Vp_o6^(rmnOZV6sjFjMm9xSgji7^RlEW`)c&^vVPB zV!&U;+wwJ9J4)Ub^Ce)GMQt%l(vrZQV=7Ly4)%4;B09m~R-4*i@q&Cto`b-u`)%XQ zw2-jU$>jQ!P}Dkp8B~x4QnAL+2RVP!vD}x9X4_ghjAbuh=f}lw`dMyV9~{J zTl`ZMb{!ahjs4I`BJzVIMY!?KmIH$eJrq@)B0=oT%habigBr4unn`c3>GHZOLGuC9 z9aZv-7VE+;N&OOK(g#R`^>9gw6Q3Zb635xQB=E}E1*>wN3XK^FnGH#0d}(iovNxdA3WMivlMMU5p9k@&F;~B^uA>88Py> zlTUU~sU^%tR3So=BgI8DOZ7zB9fG%dhz21n?(jbw7*<`bP$}=8uf)Y1I~?jW z5$Oo>JX-cCTLaANK&+XU;<7E^9!W0(PU0dmuZo~=u6 zXf@EW#3ib!dB(ko0*HmeR}=$n4S_8PqSn}7alY4JO(44x*OyDTT1N(B*qlLN-ku~J z)2h}Q)`yf~g71=!C*XCe%%wFz;0d+cyMu#)vv+&@FTPpO&_-a=744NnFY74aF!XH_lpDw2}116O#oQh;T8%NA^xnS8;kAO2~HmJx_QLEG9b@qU)y_=t!L@V+=Zee>)~d;`AU z$~PFjbIy4c?ZMsL@F_LC!s14xr|~pe0iXS8u;z)-0QSI(l;eZ)z_lpTI1Z`q%{$|w z`c4xzJbAj zP4P~3MOUC07cmBSF%f2J2Eh%}dG#MzWJ2IA_?%ls8hiw_ogAO2nbM4r3xJjAUb!_G z5^9(KP44f0<^J|Vb;S^Z{E|II=5n_>MoRjPV_zo|mr08~f=2^kq7Q51t;yuXUR z+%7eV&5F~@yFU1#fw(jf6NVD**c3#9VC&J+;*#MWCS8N)m(UHPD)HOE(<>rV|Lkt` zK_=Q@xD^ylB$b!o6ohdh5JYm3 zFxW0`+$K>4uSoOFe1kSL+MP@wIQc7YCvbBZ8)ljTYeda<6DmyspmV47Y-~6h8 zH!5a^*J!J`#ZOMnC#U92N+3%ns0>0tNST(I*7aWA^9VVpk2f43!{m5!Bq$Mr__{e^x_r%rVnQcUWs+!Lh%fA`w1}8)@`TsUW;DProbA~KqTlg&fEZS zYC{i~%fXq1W*2$4X^wsn$IaB5nW=V;lajklkETUJK$Z{cdNPZiKO|;zHlE4iyYH!Pb^30&*~ytY}8? z)K{a>iSQ|j3M=A&kL?smS@zN{3<{Q79F(|jS*lL!2;7nb5L0; zmuS2!1m8ZZ<-p)!BSBw%n~O}T5jwKCJ)#e)aG&5iJP6PKuB6#RpbX4Gl@ z5qDh2oC`JzFw-v`K;ODLH8V|w5|*2^oQLi9>Q+vFzp6Sss^u*QN0nwg7_`|xpR}B_ zk3Nc))6?@w*M&LnKW@VKldiMEh9}T4?(IC;YrI~wRf|-K9Nsy&s*Fv_oG|mu3Lm8}3iks^UW7aC0Unfpj(2$ao=QC|Q zyvGz{%yt{+e+gg&owWAepz=+7HB8CisM7QY!=~2$9_~FWwJ=r(NDCVKxbn$bjgXq1 zGZ0O%a+N4AVTCSR@zoAXy;>+HI8jvAFj*#rxY!a+i~OzEWBLr08&b0@Rgjk97@;M_ zYyo^LKVy_6R@3Sj)dJs3!4p+`5Ls(^f`Bndh!eaBw)3&;eo}9pL2ul;W|QrO^qN7r z1t6Hl4B~7A9i<^V_+=dvrD2K&AY>=On%n5avWFp0R}TwHln9xUAR6^`cy1O09Rn;4 z>>ze!{rvM;{`u!v0{On7x*7|Jy76TOmk%D%jQrUSyA8>O6(xLMRW#?)E6(D#??|V~zxDz%`^?4y+-e*kLU13e+7E z1EX#_sc4uIb+o*yaNxso*q%hlu}XRVHn%9MFt98F-Xh1OOLU7uf!^|aWQ>=>Lg|hr z134JL90F!7ehj;>&;7su^MC*A|N7Ve1NtS9|E=;U2$FX7P}x*mO}vGi0z|M#ttkkF zbxXq|+R!TD?gV05%5_tgS5lhz0gzPV6I8~&ppu;0n8;qO*@FrlkFeq{Rf|IiEpC`t zAgTDk3nbVz;}~cKslt&KR~%ZF=kp7Y5L8r*tTah*zWG}U=qyG@CC7KkAHF(0Kl}0c zSM2C@3ec2f-mha2otgxRRPvjabG71C5O=C?&0kqK%Vo3~t5HHYY*e)dE4uGz+zgWR zmw-(2p`vB*WEQm&A3+{y`qd@ky@V00?nwz`who)Mi>5kd33#W(34xCPAb@vXJ_}H9 zTrNOdCJaj!>35Z}$z-CPUlAO0;8FJ==siWLN!koi&8e{1Euu>(EujOG;+KL&*w`#+ zN&~Q&W?C~Mj)6^23>qvIU?}Sld^WVc=N&=C5l|K+YGtmP018FwlY0V+u$nc|pMo8B zt1BTq4_M>Bs-{pO^A#BiByWr_LgtJhOLEzcRYuA_L@xwfHSX1%$p(Um=)*MoLdulB z-V%f&PSe&mjDv|;(trRcy@<-M#9U;frP9u>UZpLe!-3L5GSsqCkTiabqd9I2W4v?X zq|ale645Kc2SXteV5NY!UG%XX;$rrW;41DZ1Kgh)-598MA)*!S7$`(oR$xb|`B5G~ zz*vY+lw>yRHjK27>$u3lXAwLfn<}l%d?PEE9FYE?Zx9hONmlRG`BdL8@z0}eGSxUT5HAPpM?Ru3#$q4@2guzP`%EfU`4X&JzfwR$q zO1bVfE~0w_YW1Y!`f?7{itEjRo=NW2d<_QM+g}-`t4ijijaG%q3#^lXf-IuL;0x=m zJkr((ClnR1Y9w8z3~Q#f<<(T4`Vi{6{-HFXA568o8x)|w5-J8Jr@tk6a8IphcaAE? zN)QF#=H1b6id!j6hM$E_!cCfrdx0e-ZtU=s!gN zHTsXye~SJo`tQ+ySy4EqK-=J@!r4{7RN;{E`tYh;>*Z;mjdeVYnI*lD@Hik3IIUv*fBjBORyy;m<^^&iGw{# zC3|7?Kcvc%+IMjAgLMnZYGuot#wd4^+CM92aRv_=lSA?>JvPklOQ6Bgu*lmyH|Vjw z9flvSV>2ksKevvm#+>Cja`8Sgm%~h0Uf`k9UxdpRfIV4bicGGQRl-OeGcF=#0x5ex zC}nT;Wu#6}C*sHjaGd_OyT5nj^BiFniYDt{y*USKwV6iZ#p2-zSc$@h2Ep5CUvXJk zi>iEdY6Q+51DB?PZ7~R02w&0VJF8Bb_-` zy~tUr@G)Bw1{U*?wDA@u8FE|v0`-UU zXMB2c>Q=v4%T@}gg(n7d?sH|LS>a||yMkJ6qis`vWiw@i)N;)#08#CMHY~qF<9p= z4mi06lmw5*3Pf-88uZQKT_dx9Uj69!51t4y8*Rmqn{>xPus$>o2>=NTv03TBe^}* zer1PBe1czLEAxWD;5F6lE|5R`}Xawt~zz^JP?EuW z4ZktGS8Oolk_tI9r6&h{U?FkH#Zr?Ry>^(rT@5laSPcNU49BKE;)e*1E0zIpa#$#h z4>?SozBTniyuB7C!2M$Msk&eTpJ8`OcGYep2l^NG*Q7v}u9Z8Dsju?}hfv8&h8PO0XZr+3AY zY&3Vs4wV`_$co`+C|-pgCmR6)eqgks^BUBi5HsXy&x0IZN}(P-niLI9bKcYWb%uC2 zfn^BMDtu|9Fc1wv9~4)3&xn+qF{A^zQ7;v)>k_X<76THStWEfJz`_uC3HB~|KMmg> zrn*h0B~mhfH@)QfdJWY$Kvj#!8!?5x!m4ahp!+zx$@#jQj*ujW?dfWut*g_6=JDg8=DHqG6d8H>ithl z{#b%{h>9$af`A8Mnwnp0{(8@ZmsG=_8E&b8hQ2a9Tw=1uE}Wm@ZkP;~Soc{BU7=dI zj}Ffa^vNRn{V%Lx>ERlWk}PRvMVcP<8N9p88(U&%6@5OsjQ;d9mXV33{`_V1+WIRv ztzOd~yXh3Y)DT&1L1)stZF_SjI#IOum1g!%bp(ec(M+@(8*FU}8NuLdv;g+Tl{7f) z9$>Sm?UK0}4~m*GnUK2oQ$f2*i#(xL>i}Pj>KzP@T8yUJ7CLImPSpz-Y14MY*&^;~ zABhmiN?SCh0|OS~>D~^a-3>5~Nx{3{*0zw1jUxRUe`r*DN6NMU>$#!IdB4CCQDK3C( z*KMhJ)^G|TY}gKO9>(58J;gfu9#w@wIbwa-tM9MA}8 z_ix^V9zp;H4YxTkm*Fi2Eg22HdG3?k>qJRag3EKSSp^IrfcwvxM6lyc6$XxQ*`vyu z@?|@Ep!b6OdnSIl&IqJ-WHll?sT;PXyGp{cs^hXbGP21w&zx+L6>D9P8G$8#0&=d= zSBLa)@(h^W2_hHIVtuN&6GMFdmhPXA3*J3#qS3t)!J@ZqFI#^%=fC)zH`#~B1-F=f z)_ogkw(5lk#8wJNlp z8EI0DB!Z0NhhQ28eAP4#V-!Pqs7>R8 zEZ#I(9W<u^4J+$ZSNoXb{&GeF^&b%|jUXdx>u9Zc_{Pyi2?g)ta!x(ditm2ElREkt@T`jnoneyX%ytE*fYWcn8gyMnKug*x7w((D+ybbS#g(WW!4IW?t=FK zVErLk&F=PPqc3piZ*9I%H3GrFKG^qY4(jN9f8;N6)Rj(RdzWdG*;P6^A!ef5&EVeD z!KLD~cTvLoTP|hqQPK0>fUNi=zzLH63JWQD040UQ$goZi9x!|Ec0mbiYZAxK4?rh2 zr1bj4jDTP6CjVEMe1eChQTc%i#tw3Ycu&S#xP<1CsNV|4pl?oHwR0ph+1JfdU#Un3 zIthCv<3hTK?GRiIE`$2cwlsS&d6AjLy`!zTweXQ6M7{*Fm=*;%yBo|DZzPmQUCqKvyCq2Yv~=G*=p?hIkpP>Hixu8&ox80= zf9P)OOpacEwe#|5XK!!s@JVi}>3%PwyE}DADEGkZmp<~xQ&!`K?@6)+rmYgrVc`i* z_j|a>-Fy9&-|L+>F^8;)T3>$n-o%q6+D!LHrH?-u&HIqMM~Ovkl+F*8u5B|BBbM z%*HO$V#t_OL|S%Br@RtlnYSy*n>l~j$?~r5%XfJO#Sc9;FiMXg`4!Y*`1^g0`rN8! z8!Hd2ge#WC`wHYmf;X7}xznc;*e1cF*`KG@Y?dP-VRgP_Kvt)H{Psts3_lwF2Bs&? z3%jh*8B|}ztTHIHmuMu6r)6<@M#(kEp|WXoO?(fgDr=-ogOKsEideXsoBq7`O(Ki@ zuHlMGFqImZY)Q;3s{1A|PRiqD{&Y-QDBA})Daw#l7bqv`)e@>wqkFqR=UEM~D^NsE zjEbd=#oD}$u0UYnqj--dAq0jZOE+GLMU$}xmf$bj;i6G7heFLscGnC9R;rm}6pqwf=x#(?qRiB)jOgS`SNx;ezzE>F?Kz5;yxlE5G!$u?hOsw$AX zoAJA)h3GUR^}SD<7=G`dqyYEZl9z+hD0IK+LcCYeX!qN+VMU|eZ)-#<8tr}~Y`%9` z#@5nko8L6l+r7tylsj!GzI%@gS}|>(=hJeZgOkR$5Fs`4qc{!pDZss*0U+_)|hGY*}DQosirg5zZRG)z)DHu7sJjf(AZ(m+lK3? zQ1&lQk4T&8quv>IFDv6QV*Ei?Of3DuQCzpvVSkZMznvmae?y9Xy z)|Cd*Wm22Gt50)O1F;q=G&EJXCsM^jq@vMcalPYK-nyD#+Ob3}0dBKy7aQSX3@wHJ zTI(jv?eN9qKvvTVKY*BVh534%oIra74NX7=0$<0Pp^%%1;(K>U!K55F|I^2%PxNPv zv6@y4kk5K}MYUfz&qasc$)nXSkVXb)pGzSsOfovfTCNp@*~lC-tz{ zLx2m*^h}{0YE^4Ckx2uqO7v}W#>#0k+ZSxzPUbKBME6)J${04u{jA0-rBD_Ffu|kh zD;r7395$T?Bw9y~hba=Jw_Urt?Eur;PL^#wE7E>ecU9}u!vF`oJU>zJ4?LRBC<2+M zrLjDjxlrt|o(&WSxQGNVVCSG%V6Te3H;mvccNQY0 z^B-90?S}~XHE*Rx0O4RS{^SDiR27EpTAEQ@h^hZuNLjk7Z}rVa*x2qPQ6F%cfDFtg z7dSYmxUNbwWcQ48TU`L+QTAS#c<2jASO}@wXDiR7j)hlj=7TDuhIM4s{5&rhj(Xv7 zo)KE3A@o{5JV%woa1pMC%pJiX{iB>*Ni$eYfag7H$-^jst|uYy8HION5^b5xO7Iy4 z_SA#%%y~B!+=-I=eEE{IpPjMN748Vav)f9;OK+lS>n2Y#yx5;U=`q);5Y-uB-IxaH z%^5^zQAn{Rw?=Vik0xJa(xIl0)222!7C!bbTS@JP6tnmEZHcly-g8#);x03*=ctjc|>! z@U=V|=n%?pSzjeY-0!5IpJW&|o%T8pAk;|?Oev5F&yNxTXA9cyE0;e*crC*m3k)a| zBqFi=SyQr^JbC(CRGP15`Pu?zSNE9ARh>u#LI6OJz`;eM&>&gNfsF&0K** z;0s>Ns!nDhp|jndaBa( zOY~YON0n%^{=rt6n!>*x*RpICrHI9Ok-arPS5i8?G?S@`1q4&X&Xi?@zfmrn4iP*? zyNmNxnQBFVA|;@>5Ub+}?V8hq!2OHWQKzp) zuOn_5`+=Zm8UW66-BU=%nv$hQ+O;mdl0O1wgT0J7PYBQM1>%al(}-XBxW%i|KU46I4n zhP7^Jm9*j>rptD@P&nZobLxAk(1N)ON`yzE0DBFIFKbYaKi&cX!6$m-Y*$POs`-lk zV!rwQW_3MbvO?n3_t}6NU@6%OED)KaxL$esu0C8{Hqz|^k4_BVGcn0dM{Kg%?*T9E zt;9xPjxOw6tl*6%#;7f^>^(5eLHlKLX9zW;Tb;aF_D*C74)whbspge zQYTS~zK6#mVJc142B>x}au!hW1MDPq`$w>(+&0a_b9a0}4P`2> z8xfaugX3Q^ga=;I>2%WuWiE8qkG1nWgXd@!aOX>9c(nVzLVo#KzO__@I7_3(K{(Agn0pAnNs4Aq?bbGEv^iHr98e6l9X zRH`-`Y22*EmRKVznenJ9#&p?`*Susn$m_`S)f4XFHXcS^SixvLWiBqK4o-{eoQU4X z%gBlc`PwB;ge&<$79r0^)<0DcHMwksAO}H!7><$y`;655#%zqPl}L!W+S*B9MYV0F zx5^El>aSN29friBhskUXREMq=x7*q|_F|V0Kung?;u5o1W zBh=#@t*d%QaU}g;k5ApbL2|L3zqMTZeLp#ei%YbMV>F%WB;t8&TIb4XS36Hn{dHAk zgG+h~yj&v%+x*Z>wk#3?s;wx8mH;9B39&a(% zXvQ&`==IF3(=b?B@&585P7&S&EheJ#O@w|gku8Rp@eFZtN4*pwBFru$p>KoGkU`R; zeusKplZoScAqY~89D7EPu(IubwKI9K|jcpPUzGq&A5`S>VA+&=eQXP?Hh zl_(kOsCMswfRB)>U)fDrHg|CJ0ccMb8m`e^=}4{U51t63QoxW+-|OY!WxeIWd~=#E zi=wqgkD)i70CIK67nEFbG<~hq(Zw^*#w0~w&A!R=mNhb#H^R%-+hTfIj<~XL=-SNl za_A|o`@{3n=q|@IP5l;C>cf+N-4|4r!}DtlK1*Gf8VPuRN8F}kPjxlv*^QU}Y+?B8 zc!}+a;cl(1JCPcsvgDm3FCKc}t3~7SD|vI*;j<)0zB|XIr#H$dzjE!DAwaW%Q^rN( zy0>$izDDz1(s7!z21>U8l*C=Loj2pb*#WQ8mY1^TPx<7y=*%THLg zK3Li(g)8i4F%?ROo~zG%O50M-&UD@RyL~AY(aPH0g}7cq^fN-7Xf)x*zs#<#@Zw%% zjG7S3Au_SIL89T$5PhZqJ5L-;CC>;xQcVswW50zVY1xfwnc|i4R zDelL(xw&e+D!X_GqU#iq(8wp^Z9ef@AQFr7OUk3J+s`0djXe^A2s98)j2y;NneUMj zHH#TWnxsFy#74;ltU*}$6G0`h@I?qSnWkWSXpyzS84j;_wX8M}vpH$hdiNWWP+3 zr@F&rw7jLcrG8FpcKhj!x6aXJdJ8|LHDtBJ;3u0{&yG5-?@(YwLB<8B*pAV-oPi2( z5}nYGHJ6&)rUk5PXxTQHOgZuSLr`d#6&L`xeFfCRd;siNTk?)gsUa)Hh%B%#0mmK= zZ&5z6wnksDH(Pn3O~U<5eTEzwpSlTRe5_J|pLGuS8Su^ZY1S1W%M7mPi7hc(+}nU6tGs}Mf3g5NxlLGG6UG`+Kt+;^$i_&< zK!PWHlc>_TliSLK(W>Rni8F~iaRGaW8z1)cxq(ytY@yzuyg1_#gwOFKfJ$YM$gd`+ z-qF}6%a{bITR)P<`2cP$H!=@GIME6$RA#EXTRT-iaIp!evP5_!rL?sOjRPL zu^_!UOpY`fqNV|xH2UTvL0bg2#p@Rq{j#PFU5kwqjIZb;6o|H>0 z#1*uA-prS+Vj(-CgF6|Fl>-LjJg5oyw*3L$4*7n<)k^hp8vLp2$KFY7$Jy5yW=ER) z#1HeNL}4$*dINP7OOOsY5ylH_Oc@mRM%HN`SPiX#4s>FVT%YIL09+o0rhMRI>m||5 zHyrbyc*&C@hMn!;vRpl*1PA>UuaLOMM+hjc(bG_oPh^mVYBrperRF+bWi&DtD%gT@GCfYq8+YlwY)kimn~0t9Da=_B%U>vw7da-QH@df7c{Ka!+82p>>}* zaL-0Hsb8Os{pm0mNf{ryCYPP1U^Y2qfKStIoqvL%FWy$Z#N#h8Rqixg9w$jhkybX} z_c`foB)QJ83g$k}!*!4mp{JZ~)dr4#0G8c>Hv=HWHa5B~<4&M~-7t@B$1~|-?COZZ zp^kzaGguFCC&ORHfAlA zTo`Pz!jd<+EvL9n7&Pli$aukC#04`}qp!)lcA~ zi;5seq=ijb^E1U*eE#s#6!}FpK-ca)V(P6a^=2$owH($DL)2{JEX$#sNUegOg-l>A z#Mc<<<^gpMGssI13?73QWOb;@6HWB*hrn0`gb1vkUodHEeOfvJ=VMgB_%Gb;~K&NWcN1J>z#hrYS;n0q@p z>ZI2Eu)+XE6=h%dcXn7py(ePz{EbbK3sg)sEjRv&kHb`gh3#wr;=W_Ik3fSurBja} zW^|-D5tVBWyap`zKnc%BpG-vxuQ%wi7kJ79u~vkU!yAycLbLviDb$5<8n%9&zzA^y zOkuAdnhv32`Bw&qV?k3nJ$mxjN&8K+P&F{-s-3pSc_l(?R52o8gM#XuFXZkBMt;&c z7TPcG^Ys`?clz)9!{B?+)Eb%HeMI0@%ereXXJ_5qNQxY8E=K++;!QX2m1m~L*}5ot z&lADWanIBvX)9t4*+wWxVkT(#Q;J6_?xNlESq!k`*e8NMMj#z*Gcgtc42#KfcOHVXL||HY(k--1kbIP0WY3@^p4SQ-R{>JvZU?;q7+-~`D> zTsONeR>%-$C>uZ(Yy`F*;uvw+)+#g639Y4V=!Dl z+>;7MIdj$4O#9pl0_+JMxd-lOP8=m7?CSR2JaNgl`y_IbW-{t0`kYs=L*FQYbHf?l z=KPJ%&j34DLIgu_Dmvy_d1i-Nc=ka~MSD%;aCI2i&Zm(zIS-OAZPY?@@^$v8r9V#Q z)bD`)Ml#duWh_#fJr{Xe_eg{f%T{-syOF3vVgZvjtrtLyQ%Y>M?vOq?ijp2<@RObE z%LDS|8B&%Tr(WXlyxu~xhwA35T%whGvn%klmb$o={TwGEyRCO$z$V?q;%KRYu#!&3 zvItQugNXp?d!PZt?UWnBqLkCX5wn)wsR!d+-|^U@m+mMcK9WEzH>$fBigZkbqZ@P` zcY>I6EXu3QBdV$6&heRFX7+GSt+(}L!yqpZ!S-*k!Q@E;YVnh+LjXcX z8i|*d?vw~@Kn(c&CH#JmePav+QY}ho*fIeZFcWHOstbB?xXHA;2x`7FvNDXjtcF1w zU7Z-y>U=q(FPPlb7cP-Ond0yBCrVyHPnL&N^Zj@ZEKX>l1)voP8;YZ%E2`eNmSPx=x8n;RZ4Ax^yu-lSDaA1M{|t>FCMuoGx{f zY*jqS!vMky%L-GL5oBM^C$3yzzYRx+JDAU}=Yg^HAEKfR=tj7_x4DQM&PFKI;l}o~ zutiFXJ>%NSzm6yvLS+`0&6oBpFVZJqD-2}>kyp^jm$Y7p7mw-U^%D;H2e@axC@6$~ z(3hYfZaK1LTlsM5W+bljuExu5-oeDd*7#ea;&BmbnB=o40JGC7w7%4tgfWp=!#`&d zpjOR#gUr;+dDlU>1+bbOCx9dqedd2mcU%b5s>6!2$mW@uM4>EKl+~i)mc~Y7e6%T6 zmzG`vNtUU*6epUTtt=nqRhOSl(Lp9d%S+Mc-xwcyMBI~@?4LyPK&#)ruu)sVtV z76BRKqZ?H0LQy*%1f))UyntV-H#9z7s42ltJ66xw5g=C&cjHs&6TjRLdC z3u)8l8b~jXx&Jkz!Nv<~Qwz+j^e$;Fz!J@)HwAlU*grn}R*A<69m~wKzNV6m$?0yo zu<4>;Wv&QL5RyI|3DfNU?mP$CHskRkG#WZG(?W&a6MtwJvLo1}A?)?s;B<%wh^paYyYEU*REAVcb z7os_bp`AMNs%2#Rz?3MLu+&Z=(R!Kz0#0?{QeE*Dokvo>DL$xl z?mZ~CL;Dj*S)DfoEje-s!CJ1#jrokC@7iG_!B32gJo7xqx#xpyn~1gN!j2Ud<*j>7 z^oPLNR`a*ZVhe=<(j0Bt;DAf>+Cgt-a8Euaav?@G9I*Ogj5i49iQ%^oitLSoC9lFh zAn2{^K=cc){;aVRn2nS)C!9-@0#~oEP~@n+JIiRuPu&Y2WFa$s*RY0iU`(YI6xKq; zYH#=~MNxBUg4g8XKLd4j8i#HI)RPWprqPu9^O(6eLlKs?fFM%^@LRoK7AZmHTcBmr z3q_>zncA?o{La3+Wnd~>T-_abu3~aR8pNWy=UzO)yqFY!C|u6PYEj?~+|PPAN~f6M z_1RG>meF;7{!mWAGy|c8I31SK8Uvh_zEv9I6lm4=tgGW%-JY=&qIG9U1a%r)^bX3A z0sqG4ci)}uA$o)(soRk@rKHpQUGmI;jF_C1(ooFwXR^}qfqdx#TJT`u zD;POin*X+>eBC*BEY}mWCzKt+F*?tD6+?Gyok^LRaZ$BF?+Y!(HgPABwLhZM+6c2# zTL=MP3Fg|2O#EaxF-6i{&Fs7q+%@lL)LmG15w_0Wk+p=SaQ~e+iGk+>X~lw*$8-U8 zyLxcoYq>*$pO`L3kE_Gm@^?rPd;JERT~DkIofC!_As>-U-?BmCpA6xuyyL6mKd2?d zAXc^J?kPX@soLE&CC@-ZY-THbk8+#NaqRw;>F#qk=f!aLUZS8jRAjOs*lu_fT|HJW zVKu82LKF1Pr*agR)>Cl_ z^0;5E`kK19Zfbn1r4)O{F=arMdOhsB!K{*dnRd?F0JY*Rvvg|J5xj?u;Izw3^4&F{ z-i)Q0yAD=)`Pm)FPk9RzueC8Q897wC>B1?H`JR2$cVBgH9POMYwt zPQds;9;cJSFaj&Jcg->)=J&yZxPc1RnDUxNnEjkwN2eIMbVO2!jxSHuj~KiPuigoq ze#OHQ&wFmzY=Hp_h^>Q0Lgg%E+i2|&C%bH%)?ASC_C-GtqnX^OwZfF)L$_Hxe$Avs zGlVH6$8_&-H`?VEBKZ|{C#&}_6GjC-8F0jrO7GgS@@71#P}NOS(}1zB!X;LUDYcWI zRd?6SLXL*hOAwZH1bC5JXz5)TY?mzr(PEb4rU)v3#okG)R^vv@>>RluSq5m->2sRb zx1W((vR4!Ow(EpIn-1fyXD6~YGCiqr<4}!>6=RzP@s$6}llneYvUilZDS9lcB>z6s zz8rM`xy~@K&%Rbz-}jM(319s;gM2k(PIl%75w!?eHPm_Y1kFbdp9Dy`JQu znM^cF4!C)+{fB8V=JS-WQKD-}L=1wF_di}wTX(fmBDKJ3L|eGho1T}z0w|8rP;?6q z0+r|rd?Bj%nZACFuq(yk)9cO&Ycu4uA7mqZ=IB=Sq0CEvYH_Y+4Jn5tA@C|=x-{Q- zSt?1)Q%FQuy};CgNB_E2UJRc7W>XLBAB7Qw=<&Ny0HAm%hq~$Mzobd(01a{%oDLPdsI38HlbSiiv6o!NxwPo@l-AliU zE1*4qv&#!(`+`To;545ceaQ;xN12u02<5NPcz9n70OO z{1bS`nrC?%u))~TMy3OhMXvAO$kCJpjh_ZlwjPoBq7-DR+&={K{(rO5Vb<0?ZkGf! zI{q9)2OqBwm84#3d|l>r7q&nXN(?>iOWABX2Zup7Cd_P<7gACujFiXKjX0wwVhyG& zg)zxFq)0ruX!ad~lvR`CUpc!W@ijQ#@wFDSt=zN4+IBG2aFMOV)G>^x86xjAYDNDN3BT*m)s*v7erDJoC?HH8|-q2*8ZV}Xl5E%P+4;#7t z$Z6y9mmoc6FGY1L)lnJ;0&+z))A2YIC9LHXLK-?~rQBTVI@jDi-0QBv)8s%H*&ASO z2cl2m={Pz3t1nL;8I2zHKp<-}E3E5E(9aAp3a)amTC=gW^$-nCTqHil$Z7$zz^%JR zvxqgS_7Jg=s3>PT1R@}xhi{{f-h`AtE3(O5&dGp08ANcq4(;)JKa>Z}8{^Sp{J1>* zAY1{44{{`@_u1S=J~s6{^)ff(Pzqa$Cb5F@M3~oG_1XT2QIv9#93(gpWqWbH!RYW{ zZ&D(4h}4&qFG^wAC%&{zb=em$Pu?VBlc+Mn#6w|Y$b<3_Ve;GQtQ^rBf6m9vW{db) zQMJ2sN#s!eBrGzB0vY~O4x^-mJ%06{JJ?tlvj@IPg6i${&5SOv3E+gkhZKQVB2y%^);PQdPw!_D09D_qKsv53*A5oF;dX#BtcO)HyO(3ZRWvT57tb?1vH zP#r*JNmVrqEs6y*iu^4!4jKJcK!8$grm(totsQ9T*k_!w)nH&g<%v(`|=03u!cm4lT@{)$e?$<13NmQOdqu$fP@rAd|u zC8TeJYpsGT8*$$b2ApxPDgm*SEuqE5-$G!wScU6|_CU-+??#XWZtOCC(e9dUguGpD zg)4$cp}1{*rZDouBqU8#bWd8G1p=OCF=6(&9FCYh^ynF}d_W&9yMA`;?JigGRVkVu zMdT+76uXHWEbMd~b}-?!(YT7oP}M`q6wg^X)yn1P7sid_B!417ApA^aoW?^ya zNGk8ZMD)@F5>;zdlUf)hT5>4_-9lz^5|p6Ql0tQ2-i>*X26p{Hg0;vx z$?dv7)^wI2fYLidO3Gt8se~W!?C0(ccC2CBbbXe-O=9BwNiStj(%t?Bv1nSL-!q|v8?{FBMhSj^tA54pF zX%iD!Z}00AzrBG1{$s`B^mz5JX+X4~O`6+JYCe#4q@>v~@*i_1HI=24Rfkga1_tNY)Rk_#?gdbo zED9R2p{slDT%#F=B8uwb4u_-ATSx2~^V+&eXwS`X%DOoM#rU<-qY5>J6j9!8)nbffe6cIq0rwpxjc28fTv?xc zqZa4`b?Q;By=hFK(b3LwC@6A%UOb6^V_QFERWtorFUFB2A=mqGjPB^QbK#?0k7lGC zkYc+es^1U-mVsx;$hL#M|4Hs`@<)ol33OB<(t>*{-$h0z4UvX53JQ(?o_j4P|5N1` zvj%CgajKC5 z%z^||-$GYi(I8&he%Ljyf6hG5=R1Q|$*dT9auS|C6kH}BTGT-zXN<3q({m^%;363( zR>{WZ$}``OokQW-Yxz+H@kVQgqy5#x5&od{X&*}`R}yBNtsUg=BJC+xsb}!rgIMq1 zlKe-c={gu&{cF6@|M6aFs>1@55f1XAW7-wCVyVrPpfH(S09G5k2cnd97WhPK$Vue> zE2U7-7G;*;<;%*tHT1!#x@i~!TO&x{jO3@GnV!db-(P^dAOqRY#N5qwy_KHc=3jA( z=icwj&o88w$CE0^mle82Wyn`S8A^qV!=P@MAR)i{#KL5gc7S*73)-4!j?fY4b;zzK zbFakkwtN&9h)(d#K%wBBpr69)8`edOJC-^iu<1`D;J&xhz4AjS%h-|zu+-4(QSA9A zU4BnEv#=81{*TjaKl)2|47f#!{Zf%2<(7=fRKxwVUYLR^PIPRwnDO# zPF!lKkTWnjZUcFKsy$9a9M_UbLZ@VoO*UmX%iLg%b%N&L4dMppJ1zv|Bd}gCy6HDJ z*lY3lhIWM+x%NL=))EjBEM5K?SIa@jQ_~HtI=sd zq~LR!TfCU_9*{URx#7}fqxp_9k9L=Fr1GVd6>>;r@B3(RB4rxoc?rEpEZ?{B_cbN# zA$?sGEzP(|7qFC^ zjgap9)ke+bcLkDtg5|q2nAOXh>Bph%lOlc%d^7bzXaNC#=9y zttFDzEysa{V@!pp;4~&Lg-G(4@-$<%qqKjQH&J_&G#{lFVCqP`6;+iZE#frxB3}1o zCV$pVaf^=Pf_@V`FWxhz8i)u>T+=^-)gOaCSTzpUQ6hWnl-wOy^-2zE({6>kw#wW_ zI`2I-d9S;S(|I~Zd}D4)QOrK*D(hv_kC0QbVdb36>yPEj^2A=d-T?D7*_I!x%5{L3 z*!f(VZPMXHaPx>4D!6Nh?#;rHUtFnKjjJ71A{15?Xc;Dj3rcoDY0!n<1~+vL|7}P< zmAsBc=HsiBP6vDq(}rfzJmrbF6aNd?e`l@qIBA3cAW~4(>&X5(^O55(hLl=^W3QMHtYi9a?b1_=H(mr#UsH|UCL52cG2W1{;9jngiZ2g!*+4nHJ%HR6JRUp7 zU-<}*;s5&(YN^DeWN)QuC8ow{REEW+X=;?2rkPb0C`YBH{AwhxV7qe*C1AuK$;cjC zfI1=;1`-y?p{C{eF-cjvA9fE{mk*PFU>IYV<`*U{y+_gClrQHO4cu(+VT1+wKb9|l z=8^Px$v?}N`@|;#+H-e`Z(u=@T;g)3s!>mBIF8UNR#MjSA*HYPI$}h5Dy5~d030jd z9}f=gKJAp^GJ56H(jp|E^1-kxC1-G%p7tHj=%{L9+khKI-uT4}L%~Sm*S)RAich5h#ASNu zK)%?s_e+6q804w?IWoC#Ij&02Y?3ox1_Q2YS0YOW0k`{1<`komuWJ1xUfdBXI`xqP zwvFin8%$Y48!m4|x@Y%@W!g74@iq$u-AFfW#1N&Cd;{kAywiGh_zt(q-OHWF@qAf9 z3qw9zSk3}MYBAlvz>tF{pc@H|MXvdFHX$ipkTIqD7hhsC5$zw1#CmA08lK4|RCj0I zCpi`v;5yQ|c_axHJiVZSFbx&b&~eq{9K@`6uxIFN5F+ObLvg#S?he-uzVi~KKk$j` z*GCy}lz^$G$KZ`a*-(EEARaY*y{P^VcPhfP;6(B z#qgVlCk^vfsK`C!sU$%G`kB$`+>tm9V`kMdWscvt_RZGCoWrn9g86s+^9<)fg!nIB zs(vU3VP~-ep?$x~DbbBo0#a13swEDH#HUe>_93upKdUH(mEYK!jZR@Veh##ntA4*f zkX%G{LJ5aXvtJJ%aK> zmG?0(ZBDeZnAY?=qyO(JU}REJH45Lu(C|IpkN{91Mz)4>4z_lV4ElCO+_5bNdLVSUOH#12@nxS<(f*0^m!KFc?4lI4Jw^?vB^C~NOQyoRDML^vtrWXH0TP%id z|D+*kCfpZNjpmrz@Zx2MjrxsBIn53M->uM^(Hh#QVD33<_-GDXXf2R|kw9tk)o8w5 z#cX`qUdIjgSjq6!!Wt2p@QGp3JYEP|DtDz7j$S#kPtn-rTaw>Gl{}{_*yqL?w#M?7 zERBgGREHIo0RdSkJNR?Jf(#};v6-1hQ0c>Xz1MzD?Ycc-aLjIn1uENwJSdLg!amGZ z@|fhVnXX_Mzkn@yAlZ;ziT0og340zP#E;${y$@kQj{R#fK^J9fRI+bG8?<4f!C|hw z%T3M|UR_}6^2|CSAdY_OT@0p`G_b~A9g?c!kR?a3#^4G2XET(nLzuh z?UIp88RYiU6CSFEXe^r>Izs5^X>qpLlnWeME;mxYf_!1lTyM_I9|n<^(&Cl7WX zIeTOoG+)90t{*}C(1I!d&RowA008p8a@)|>!TA4^`>%NRiqn?t17Zf9gTD!mc&GUc z7Z#lI8>=FKv!k60T)Duq5s=QMb{K?BlU}H z5Ot{0kc3`~)(xaiyVioI4_?B-+I>M5wS$Da6%!IA%_C9pO(}!~hUb8Q%&MmgLBHN{ z0efG$rfE=%w$8G>iwxJO(q=y6u6vG&8m>0Vr`u7w@6TKfW<#aRfJ;uDCJKPZIcFHW3!K;>!{Zh(iJ=z^;*!mbb(vlEjkfmK(SBO z)~3rKpEziaGPtP!vFba=RPD3H-NOC@=r2Qyz|ieJ;$QGd)>{7!Aal1%GmKAFaNA%v~5=j(Spw@-ldo|)ZMSs z9N~(OGztYa7?$^-#es$_TWWr*Li4Y`?BWWJJR0o5hkOV&?g3?O9dSLd>?(ef@+>5j zTdhGA(`~pfZYx{hFy)3GW29!8d7w>)Hs069`%86u{;HN~c^fVISiyZ}dvF@dlifcB z0B@}If!kJ=o|756ROBpNB}t_nP}ZxC13%#)Dm#in^HQ!QW#z}8aUs_Nuv1W{1YlgD z3>~sZ8(sl4GuYMBE#E?drk!*5eU~G|6M}=gLQC-8OZ!ji zH@#P#{cNI+Q!Hclshx@H%hL%7ZaT*B_zk)tYBp}|i7~dRM zR0kS`*b;;XyK+*;8}EDWbTgWF^_>_ZR=o;AYg8>A>XGE{k~hEJ5@dWi`Tk9nP_)2$ zy0=(6+MuiFl0N--C}jqXnezv!59tiuz<$6&vy?&rY@B>MrJ1~me7#xeP26|E?(DCc zc(IqPaqri8%gqDpa%C8)6hB3z!YvxtFHdt6qF2xlSEZZ#rcs!=8P8=}e`*cfyKfCV zks*jcG+5*&7!=yL4}T=!yOPjQ=Mmo;zuv z4&ONu@%Nng$1qV*(q}9_2+9`ycXg6 zv?|?&=uQcIx5h@!74F5V-fDu#bdY!}2osDC4@Ehr@I@8tj%Ux}@;Nj88dNSs8jU}~ zSFmohJQW~Cv{PE4aP!^h zYqMn$NMpsrWf9=A30PHqn-OpR##P0SAhGJ#ldT<%@@eaaPU?ZmglAA{iZfYUTV&ZK zdWHpt?Z)|wu8Ou5Gj7o; zxD2d-T?;9zj**Yia!g9X{sh#yX9Aq9)v9BtscXXXXIHznd(;O?7tbGo>RpQ>m?wqp zyTP(cBrjl5bQ~leXK(L!+Y)O}A08WC!m!lKkGeLHS-SqW+bo z|GA|pXlvtSY~!S>kele_1EIXM^`6a5U3*Fg8+jaxk|s{ab|J75u*td<*|X_**^y_e1zyo%{>s zsN{E)ztt*#2mD><`wQ@*^nU~Rm+JRB;O~mrUx4>zzXSex%K!FM{Vo{%g~C_$w|C76ABtVD!87zZaYTY8~A0FV_E6dj4+ydyViH07CPhhwvX2!|w>c h_b7iM5V!sZ!av;z{vOqT)W*mFxA$n}Y5(Kh{{o~^?QQ@7 literal 0 HcmV?d00001 From fe4d577826c1b870f08644d00040fc376fe7e290 Mon Sep 17 00:00:00 2001 From: HackerShark Date: Fri, 9 Dec 2022 14:18:36 -0500 Subject: [PATCH 099/100] Fixed issue #11 adding tags for host and container Signed-off-by: HackerShark --- controls/SV-238197.rb | 1 + controls/SV-238198.rb | 1 + controls/SV-238199.rb | 1 + controls/SV-238200.rb | 1 + controls/SV-238201.rb | 1 + controls/SV-238202.rb | 1 + controls/SV-238203.rb | 1 + controls/SV-238204.rb | 1 + controls/SV-238205.rb | 1 + controls/SV-238206.rb | 1 + controls/SV-238207.rb | 1 + controls/SV-238208.rb | 1 + controls/SV-238209.rb | 1 + controls/SV-238210.rb | 1 + controls/SV-238211.rb | 1 + controls/SV-238212.rb | 1 + controls/SV-238213.rb | 1 + controls/SV-238214.rb | 1 + controls/SV-238215.rb | 1 + controls/SV-238216.rb | 1 + controls/SV-238217.rb | 1 + controls/SV-238218.rb | 1 + controls/SV-238219.rb | 1 + controls/SV-238220.rb | 1 + controls/SV-238221.rb | 1 + controls/SV-238222.rb | 1 + controls/SV-238223.rb | 1 + controls/SV-238224.rb | 1 + controls/SV-238225.rb | 1 + controls/SV-238226.rb | 1 + controls/SV-238227.rb | 1 + controls/SV-238228.rb | 1 + controls/SV-238229.rb | 1 + controls/SV-238230.rb | 1 + controls/SV-238231.rb | 1 + controls/SV-238232.rb | 1 + controls/SV-238233.rb | 1 + controls/SV-238234.rb | 1 + controls/SV-238235.rb | 1 + controls/SV-238236.rb | 1 + controls/SV-238237.rb | 1 + controls/SV-238238.rb | 1 + controls/SV-238239.rb | 1 + controls/SV-238240.rb | 1 + controls/SV-238241.rb | 1 + controls/SV-238242.rb | 1 + controls/SV-238243.rb | 1 + controls/SV-238244.rb | 1 + controls/SV-238245.rb | 1 + controls/SV-238246.rb | 1 + controls/SV-238247.rb | 1 + controls/SV-238248.rb | 1 + controls/SV-238249.rb | 1 + controls/SV-238250.rb | 1 + controls/SV-238251.rb | 1 + controls/SV-238252.rb | 1 + controls/SV-238253.rb | 1 + controls/SV-238254.rb | 1 + controls/SV-238255.rb | 1 + controls/SV-238256.rb | 1 + controls/SV-238257.rb | 1 + controls/SV-238258.rb | 1 + controls/SV-238264.rb | 1 + controls/SV-238268.rb | 1 + controls/SV-238271.rb | 1 + controls/SV-238277.rb | 1 + controls/SV-238278.rb | 1 + controls/SV-238279.rb | 1 + controls/SV-238280.rb | 1 + controls/SV-238281.rb | 1 + controls/SV-238282.rb | 1 + controls/SV-238283.rb | 1 + controls/SV-238284.rb | 1 + controls/SV-238285.rb | 1 + controls/SV-238286.rb | 1 + controls/SV-238287.rb | 1 + controls/SV-238288.rb | 1 + controls/SV-238289.rb | 1 + controls/SV-238290.rb | 1 + controls/SV-238291.rb | 1 + controls/SV-238292.rb | 1 + controls/SV-238293.rb | 1 + controls/SV-238294.rb | 1 + controls/SV-238295.rb | 1 + controls/SV-238297.rb | 1 + controls/SV-238298.rb | 1 + controls/SV-238299.rb | 1 + controls/SV-238300.rb | 1 + controls/SV-238301.rb | 1 + controls/SV-238302.rb | 1 + controls/SV-238303.rb | 1 + controls/SV-238304.rb | 1 + controls/SV-238305.rb | 1 + controls/SV-238306.rb | 1 + controls/SV-238307.rb | 1 + controls/SV-238308.rb | 1 + controls/SV-238309.rb | 1 + controls/SV-238310.rb | 1 + controls/SV-238315.rb | 1 + controls/SV-238316.rb | 1 + controls/SV-238317.rb | 1 + controls/SV-238318.rb | 1 + controls/SV-238319.rb | 1 + controls/SV-238320.rb | 1 + controls/SV-238321.rb | 1 + controls/SV-238323.rb | 1 + controls/SV-238324.rb | 1 + controls/SV-238325.rb | 1 + controls/SV-238326.rb | 1 + controls/SV-238327.rb | 1 + controls/SV-238328.rb | 1 + controls/SV-238329.rb | 1 + controls/SV-238330.rb | 1 + controls/SV-238331.rb | 1 + controls/SV-238332.rb | 1 + controls/SV-238333.rb | 1 + controls/SV-238334.rb | 1 + controls/SV-238335.rb | 1 + controls/SV-238336.rb | 1 + controls/SV-238337.rb | 1 + controls/SV-238338.rb | 1 + controls/SV-238339.rb | 1 + controls/SV-238340.rb | 1 + controls/SV-238341.rb | 1 + controls/SV-238342.rb | 1 + controls/SV-238343.rb | 1 + controls/SV-238344.rb | 1 + controls/SV-238345.rb | 1 + controls/SV-238346.rb | 3 ++- controls/SV-238347.rb | 1 + controls/SV-238348.rb | 1 + controls/SV-238349.rb | 1 + controls/SV-238350.rb | 1 + controls/SV-238351.rb | 1 + controls/SV-238352.rb | 1 + controls/SV-238353.rb | 1 + controls/SV-238354.rb | 1 + controls/SV-238355.rb | 1 + controls/SV-238356.rb | 1 + controls/SV-238357.rb | 1 + controls/SV-238358.rb | 1 + controls/SV-238359.rb | 1 + controls/SV-238360.rb | 1 + controls/SV-238361.rb | 1 + controls/SV-238362.rb | 1 + controls/SV-238363.rb | 1 + controls/SV-238364.rb | 1 + controls/SV-238365.rb | 1 + controls/SV-238366.rb | 1 + controls/SV-238367.rb | 1 + controls/SV-238368.rb | 1 + controls/SV-238369.rb | 1 + controls/SV-238370.rb | 1 + controls/SV-238371.rb | 1 + controls/SV-238372.rb | 1 + controls/SV-238373.rb | 1 + controls/SV-238374.rb | 1 + controls/SV-238376.rb | 1 + controls/SV-238377.rb | 1 + controls/SV-238378.rb | 1 + controls/SV-238379.rb | 1 + controls/SV-238380.rb | 1 + controls/SV-251503.rb | 1 + controls/SV-251504.rb | 1 + controls/SV-251505.rb | 1 + controls/SV-252704.rb | 1 + 166 files changed, 167 insertions(+), 1 deletion(-) diff --git a/controls/SV-238197.rb b/controls/SV-238197.rb index d9c54f3..cc380ba 100644 --- a/controls/SV-238197.rb +++ b/controls/SV-238197.rb @@ -94,6 +94,7 @@ tag fix_id: 'F-41366r653765_fix ' tag cci: ['CCI-000048'] tag nist: ['AC-8 a'] + tag 'host', 'container' xorg_status = command('which Xorg').exit_status diff --git a/controls/SV-238198.rb b/controls/SV-238198.rb index 8e982a8..ff625ff 100644 --- a/controls/SV-238198.rb +++ b/controls/SV-238198.rb @@ -118,6 +118,7 @@ tag fix_id: 'F-41367r653768_fix ' tag cci: ['CCI-000048'] tag nist: ['AC-8 a'] + tag 'host', 'container' banner_text = input('banner_text') clean_banner = banner_text.gsub(/[\r\n\s]/, '') diff --git a/controls/SV-238199.rb b/controls/SV-238199.rb index 6e39025..aaeb8c8 100644 --- a/controls/SV-238199.rb +++ b/controls/SV-238199.rb @@ -51,6 +51,7 @@ tag fix_id: 'F-41368r653771_fix ' tag cci: %w(CCI-000056 CCI-000057) tag nist: ['AC-11 b', 'AC-11 a'] + tag 'host', 'container' xorg_status = command('which Xorg').exit_status diff --git a/controls/SV-238200.rb b/controls/SV-238200.rb index 4957365..73795a0 100644 --- a/controls/SV-238200.rb +++ b/controls/SV-238200.rb @@ -32,6 +32,7 @@ tag fix_id: 'F-41369r653774_fix ' tag cci: %w(CCI-000058 CCI-000060) tag nist: ['AC-11 a', 'AC-11 (1)'] + tag 'host', 'container' describe package('vlock') do it { should be_installed } diff --git a/controls/SV-238201.rb b/controls/SV-238201.rb index 21219b2..d66f997 100644 --- a/controls/SV-238201.rb +++ b/controls/SV-238201.rb @@ -29,6 +29,7 @@ tag fix_id: 'F-41370r653777_fix ' tag cci: ['CCI-000187'] tag nist: ['IA-5 (2) (a) (2)'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238202.rb b/controls/SV-238202.rb index 502d9c9..16dad3f 100644 --- a/controls/SV-238202.rb +++ b/controls/SV-238202.rb @@ -30,6 +30,7 @@ tag fix_id: 'F-41371r653780_fix ' tag cci: ['CCI-000198'] tag nist: ['IA-5 (1) (d)'] + tag 'host', 'container' describe login_defs do its('PASS_MIN_DAYS') { should >= '1' } diff --git a/controls/SV-238203.rb b/controls/SV-238203.rb index f19f5cc..fc51c8b 100644 --- a/controls/SV-238203.rb +++ b/controls/SV-238203.rb @@ -29,6 +29,7 @@ tag fix_id: 'F-41372r653783_fix ' tag cci: ['CCI-000199'] tag nist: ['IA-5 (1) (d)'] + tag 'host', 'container' describe login_defs do its('PASS_MAX_DAYS') { should cmp <= 60 } diff --git a/controls/SV-238204.rb b/controls/SV-238204.rb index bd570f4..5e89488 100644 --- a/controls/SV-238204.rb +++ b/controls/SV-238204.rb @@ -66,6 +66,7 @@ tag fix_id: 'F-41373r832935_fix ' tag cci: ['CCI-000213'] tag nist: ['AC-3'] + tag 'host', 'container' describe grub_conf('/boot/grub/grub.cfg') do its('password') { should match '^password_pbkdf2' } diff --git a/controls/SV-238205.rb b/controls/SV-238205.rb index 5d835c7..bc54d92 100644 --- a/controls/SV-238205.rb +++ b/controls/SV-238205.rb @@ -38,6 +38,7 @@ tag fix_id: 'F-41374r653789_fix ' tag cci: %w(CCI-000764 CCI-000804) tag nist: %w(IA-2 IA-8) + tag 'host', 'container' user_list = command("awk -F \":\" 'list[$3]++{print $1}' /etc/passwd").stdout.split("\n") findings = Set[] diff --git a/controls/SV-238206.rb b/controls/SV-238206.rb index 366cf01..378be99 100644 --- a/controls/SV-238206.rb +++ b/controls/SV-238206.rb @@ -46,6 +46,7 @@ tag fix_id: 'F-41375r653792_fix ' tag cci: ['CCI-001084'] tag nist: ['SC-3'] + tag 'host', 'container' sudo_accounts = input('sudo_accounts') diff --git a/controls/SV-238207.rb b/controls/SV-238207.rb index abd64d7..e1101bd 100644 --- a/controls/SV-238207.rb +++ b/controls/SV-238207.rb @@ -63,6 +63,7 @@ tag fix_id: 'F-41376r653795_fix ' tag cci: ['CCI-002361'] tag nist: ['AC-12'] + tag 'host', 'container' profile_files = command('find /etc/profile.d/ /etc/bash.bashrc -type f').stdout.strip.split("\n").entries timeout = input('tmout').to_s diff --git a/controls/SV-238208.rb b/controls/SV-238208.rb index 117b511..0c82699 100644 --- a/controls/SV-238208.rb +++ b/controls/SV-238208.rb @@ -28,6 +28,7 @@ tag fix_id: 'F-41377r653798_fix ' tag cci: ['CCI-002038'] tag nist: ['IA-11'] + tag 'host', 'container' describe command("egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers") do its('stdout.strip') { should be_empty } diff --git a/controls/SV-238209.rb b/controls/SV-238209.rb index 38365fc..613a29b 100644 --- a/controls/SV-238209.rb +++ b/controls/SV-238209.rb @@ -35,6 +35,7 @@ tag fix_id: 'F-41378r653801_fix ' tag cci: ['CCI-000366'] tag nist: ['CM-6 b'] + tag 'host', 'container' describe login_defs do its('UMASK') { should eq '077' } diff --git a/controls/SV-238210.rb b/controls/SV-238210.rb index 24591b4..140eed7 100644 --- a/controls/SV-238210.rb +++ b/controls/SV-238210.rb @@ -68,6 +68,7 @@ tag fix_id: 'F-41379r653804_fix ' tag cci: %w(CCI-000765 CCI-000766 CCI-000767 CCI-000768) tag nist: ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238211.rb b/controls/SV-238211.rb index 5d17588..8b76bba 100644 --- a/controls/SV-238211.rb +++ b/controls/SV-238211.rb @@ -40,6 +40,7 @@ tag fix_id: 'F-41380r653807_fix ' tag cci: ['CCI-000877'] tag nist: ['MA-4 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238212.rb b/controls/SV-238212.rb index 62d35dc..9b257fe 100644 --- a/controls/SV-238212.rb +++ b/controls/SV-238212.rb @@ -58,6 +58,7 @@ tag fix_id: 'F-41381r653810_fix ' tag cci: ['CCI-000879'] tag nist: ['MA-4 e'] + tag 'host', 'container' describe sshd_config do its('ClientAliveCountMax') { should cmp 1 } diff --git a/controls/SV-238213.rb b/controls/SV-238213.rb index 4186b72..44f0980 100644 --- a/controls/SV-238213.rb +++ b/controls/SV-238213.rb @@ -51,6 +51,7 @@ tag fix_id: 'F-41382r653813_fix ' tag cci: ['CCI-001133'] tag nist: ['SC-10'] + tag 'host', 'container' describe sshd_config do its('ClientAliveInterval') { should cmp 600 } diff --git a/controls/SV-238214.rb b/controls/SV-238214.rb index 0db2b5b..dddb688 100644 --- a/controls/SV-238214.rb +++ b/controls/SV-238214.rb @@ -156,6 +156,7 @@ tag fix_id: 'F-41383r653816_fix ' tag cci: %w(CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388) tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3'] + tag 'host', 'container' if !service('sshd').enabled? or !package('sshd-server').installed? or virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238215.rb b/controls/SV-238215.rb index 0ce0297..54b0303 100644 --- a/controls/SV-238215.rb +++ b/controls/SV-238215.rb @@ -67,6 +67,7 @@ tag fix_id: 'F-41384r653819_fix ' tag cci: %w(CCI-002418 CCI-002420 CCI-002422) tag nist: ['SC-8', 'SC-8 (2)'] + tag 'host', 'container' describe package('openssh-client') do it { should be_installed } diff --git a/controls/SV-238216.rb b/controls/SV-238216.rb index 71528ba..e0c7671 100644 --- a/controls/SV-238216.rb +++ b/controls/SV-238216.rb @@ -61,6 +61,7 @@ tag fix_id: 'F-41385r653822_fix ' tag cci: %w(CCI-001453 CCI-002421 CCI-002890) tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)'] + tag 'host' if input('disable_fips') impact 0.0 diff --git a/controls/SV-238217.rb b/controls/SV-238217.rb index 6f15df9..678b328 100644 --- a/controls/SV-238217.rb +++ b/controls/SV-238217.rb @@ -67,6 +67,7 @@ tag fix_id: 'F-41386r653825_fix ' tag cci: %w(CCI-000068 CCI-002421 CCI-003123) tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)'] + tag 'host' if input('disable_fips') impact 0.0 diff --git a/controls/SV-238218.rb b/controls/SV-238218.rb index daead49..18590b4 100644 --- a/controls/SV-238218.rb +++ b/controls/SV-238218.rb @@ -39,6 +39,7 @@ tag fix_id: 'F-41387r653828_fix ' tag cci: ['CCI-000366'] tag nist: ['CM-6 b'] + tag 'host', 'container' describe sshd_config do its('PermitEmptyPasswords') { should cmp 'no' } diff --git a/controls/SV-238219.rb b/controls/SV-238219.rb index e3ac804..684219f 100644 --- a/controls/SV-238219.rb +++ b/controls/SV-238219.rb @@ -47,6 +47,7 @@ tag fix_id: 'F-41388r653831_fix ' tag cci: ['CCI-000366'] tag nist: ['CM-6 b'] + tag 'host', 'container' describe sshd_config do its('X11Forwarding') { should cmp 'no' } diff --git a/controls/SV-238220.rb b/controls/SV-238220.rb index da865dd..1ac03c1 100644 --- a/controls/SV-238220.rb +++ b/controls/SV-238220.rb @@ -42,6 +42,7 @@ tag fix_id: 'F-41389r653834_fix ' tag cci: ['CCI-000366'] tag nist: ['CM-6 b'] + tag 'host', 'container' describe sshd_config do its('X11UseLocalhost') { should cmp 'yes' } diff --git a/controls/SV-238221.rb b/controls/SV-238221.rb index 3731da0..b8f6296 100644 --- a/controls/SV-238221.rb +++ b/controls/SV-238221.rb @@ -34,6 +34,7 @@ tag fix_id: 'F-41390r653837_fix ' tag cci: ['CCI-000192'] tag nist: ['IA-5 (1) (a)'] + tag 'host', 'container' config_file = '/etc/security/pwquality.conf' config_file_exists = file(config_file).exist? diff --git a/controls/SV-238222.rb b/controls/SV-238222.rb index 7d5229e..8b46e81 100644 --- a/controls/SV-238222.rb +++ b/controls/SV-238222.rb @@ -34,6 +34,7 @@ tag fix_id: 'F-41391r653840_fix ' tag cci: ['CCI-000193'] tag nist: ['IA-5 (1) (a)'] + tag 'host', 'container' config_file = '/etc/security/pwquality.conf' config_file_exists = file(config_file).exist? diff --git a/controls/SV-238223.rb b/controls/SV-238223.rb index 17acbb4..4c7cfbc 100644 --- a/controls/SV-238223.rb +++ b/controls/SV-238223.rb @@ -37,6 +37,7 @@ tag fix_id: 'F-41392r653843_fix ' tag cci: ['CCI-000194'] tag nist: ['IA-5 (1) (a)'] + tag 'host', 'container' config_file = '/etc/security/pwquality.conf' config_file_exists = file(config_file).exist? diff --git a/controls/SV-238224.rb b/controls/SV-238224.rb index 7e07347..e7da700 100644 --- a/controls/SV-238224.rb +++ b/controls/SV-238224.rb @@ -41,6 +41,7 @@ tag fix_id: 'F-41393r653846_fix ' tag cci: ['CCI-000195'] tag nist: ['IA-5 (1) (b)'] + tag 'host', 'container' config_file = '/etc/security/pwquality.conf' config_file_exists = file(config_file).exist? diff --git a/controls/SV-238225.rb b/controls/SV-238225.rb index cfbe386..747d89a 100644 --- a/controls/SV-238225.rb +++ b/controls/SV-238225.rb @@ -33,6 +33,7 @@ tag fix_id: 'F-41394r653849_fix ' tag cci: ['CCI-000205'] tag nist: ['IA-5 (1) (a)'] + tag 'host', 'container' config_file = '/etc/security/pwquality.conf' config_file_exists = file(config_file).exist? diff --git a/controls/SV-238226.rb b/controls/SV-238226.rb index e608a9b..c4a8bef 100644 --- a/controls/SV-238226.rb +++ b/controls/SV-238226.rb @@ -37,6 +37,7 @@ tag fix_id: 'F-41395r653852_fix ' tag cci: ['CCI-001619'] tag nist: ['IA-5 (1) (a)'] + tag 'host', 'container' config_file = '/etc/security/pwquality.conf' config_file_exists = file(config_file).exist? diff --git a/controls/SV-238227.rb b/controls/SV-238227.rb index f664e1a..31155f8 100644 --- a/controls/SV-238227.rb +++ b/controls/SV-238227.rb @@ -29,6 +29,7 @@ tag fix_id: 'F-41396r653855_fix ' tag cci: ['CCI-000366'] tag nist: ['CM-6 b'] + tag 'host', 'container' config_file = '/etc/security/pwquality.conf' config_file_exists = file(config_file).exist? diff --git a/controls/SV-238228.rb b/controls/SV-238228.rb index 796ec6a..0a9a8e5 100644 --- a/controls/SV-238228.rb +++ b/controls/SV-238228.rb @@ -74,6 +74,7 @@ tag fix_id: 'F-41397r653858_fix ' tag cci: ['CCI-000366'] tag nist: ['CM-6 b'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238229.rb b/controls/SV-238229.rb index c13768a..490f39b 100644 --- a/controls/SV-238229.rb +++ b/controls/SV-238229.rb @@ -64,6 +64,7 @@ module is being used via the \"use_pkcs11_module\" in \"/etc/pam_pkcs11/pam_pkcs tag fix_id: 'F-41398r653861_fix ' tag cci: ['CCI-000185'] tag nist: ['IA-5 (2) (b) (1)'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238230.rb b/controls/SV-238230.rb index 45ba034..39da2bf 100644 --- a/controls/SV-238230.rb +++ b/controls/SV-238230.rb @@ -50,6 +50,7 @@ tag fix_id: 'F-41399r653864_fix ' tag cci: ['CCI-001948'] tag nist: ['IA-2 (11)'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238231.rb b/controls/SV-238231.rb index 907f5ef..013d91a 100644 --- a/controls/SV-238231.rb +++ b/controls/SV-238231.rb @@ -36,6 +36,7 @@ tag fix_id: 'F-41400r653867_fix ' tag cci: ['CCI-001953'] tag nist: ['IA-2 (12)'] + tag 'host', 'container' describe package('opensc-pkcs11') do it { should be_installed } diff --git a/controls/SV-238232.rb b/controls/SV-238232.rb index c8bbe1b..af3e5d7 100644 --- a/controls/SV-238232.rb +++ b/controls/SV-238232.rb @@ -36,6 +36,7 @@ tag fix_id: 'F-41401r653870_fix ' tag cci: ['CCI-001954'] tag nist: ['IA-2 (12)'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238233.rb b/controls/SV-238233.rb index 8d945a4..63f2626 100644 --- a/controls/SV-238233.rb +++ b/controls/SV-238233.rb @@ -39,6 +39,7 @@ tag fix_id: 'F-41402r653873_fix ' tag cci: ['CCI-001991'] tag nist: ['IA-5 (2) (d)'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238234.rb b/controls/SV-238234.rb index d2376bc..0f34da8 100644 --- a/controls/SV-238234.rb +++ b/controls/SV-238234.rb @@ -36,6 +36,7 @@ tag fix_id: 'F-41403r832944_fix ' tag cci: %w(CCI-000196 CCI-000200) tag nist: ['IA-5 (1) (c)', 'IA-5 (1) (e)'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238235.rb b/controls/SV-238235.rb index 86cd624..5bb73ef 100644 --- a/controls/SV-238235.rb +++ b/controls/SV-238235.rb @@ -70,6 +70,7 @@ tag fix_id: 'F-41404r802382_fix ' tag cci: %w(CCI-000044 CCI-002238) tag nist: ['AC-7 a', 'AC-7 b'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238236.rb b/controls/SV-238236.rb index 3e95ddb..ea5ea76 100644 --- a/controls/SV-238236.rb +++ b/controls/SV-238236.rb @@ -71,6 +71,7 @@ tag fix_id: 'F-41405r653882_fix ' tag cci: ['CCI-002699'] tag nist: ['SI-6 b'] + tag 'host', 'container' describe('Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.') do skip('manual test') diff --git a/controls/SV-238237.rb b/controls/SV-238237.rb index 43937c9..5b20802 100644 --- a/controls/SV-238237.rb +++ b/controls/SV-238237.rb @@ -30,6 +30,7 @@ tag fix_id: 'F-41406r653885_fix ' tag cci: ['CCI-000366'] tag nist: ['CM-6 b'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238238.rb b/controls/SV-238238.rb index 451ff09..6f32362 100644 --- a/controls/SV-238238.rb +++ b/controls/SV-238238.rb @@ -51,6 +51,7 @@ tag fix_id: 'F-41407r653888_fix ' tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130) tag nist: ['AC-2 (4)', 'AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238239.rb b/controls/SV-238239.rb index 612346b..315a2c4 100644 --- a/controls/SV-238239.rb +++ b/controls/SV-238239.rb @@ -51,6 +51,7 @@ tag fix_id: 'F-41408r653891_fix ' tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130) tag nist: ['AC-2 (4)', 'AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238240.rb b/controls/SV-238240.rb index f6ac3f6..670a6ca 100644 --- a/controls/SV-238240.rb +++ b/controls/SV-238240.rb @@ -51,6 +51,7 @@ tag fix_id: 'F-41409r653894_fix ' tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130) tag nist: ['AC-2 (4)', 'AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238241.rb b/controls/SV-238241.rb index 4bae091..eae1502 100644 --- a/controls/SV-238241.rb +++ b/controls/SV-238241.rb @@ -51,6 +51,7 @@ tag fix_id: 'F-41410r653897_fix ' tag cci: %w(CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130) tag nist: ['AU-12 c', 'AC-2 (4)'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238242.rb b/controls/SV-238242.rb index 38ac48d..3aeaaa5 100644 --- a/controls/SV-238242.rb +++ b/controls/SV-238242.rb @@ -51,6 +51,7 @@ tag fix_id: 'F-41411r653900_fix ' tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130) tag nist: ['AC-2 (4)', 'AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238243.rb b/controls/SV-238243.rb index b98bf33..1f9e989 100644 --- a/controls/SV-238243.rb +++ b/controls/SV-238243.rb @@ -51,6 +51,7 @@ tag fix_id: 'F-41412r653903_fix ' tag cci: ['CCI-000139'] tag nist: ['AU-5 a'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238244.rb b/controls/SV-238244.rb index 8b3e694..d6f04c5 100644 --- a/controls/SV-238244.rb +++ b/controls/SV-238244.rb @@ -54,6 +54,7 @@ tag fix_id: 'F-41413r653906_fix ' tag cci: ['CCI-000140'] tag nist: ['AU-5 b'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238245.rb b/controls/SV-238245.rb index 64af0cb..c0c8318 100644 --- a/controls/SV-238245.rb +++ b/controls/SV-238245.rb @@ -52,6 +52,7 @@ tag fix_id: 'F-41414r653909_fix ' tag cci: %w(CCI-000162 CCI-000163) tag nist: ['AU-9 a'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238246.rb b/controls/SV-238246.rb index 9ff46d6..87a00d4 100644 --- a/controls/SV-238246.rb +++ b/controls/SV-238246.rb @@ -51,6 +51,7 @@ tag fix_id: 'F-41415r653912_fix ' tag cci: ['CCI-000162'] tag nist: ['AU-9 a'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238247.rb b/controls/SV-238247.rb index 00c64c7..a200d8b 100644 --- a/controls/SV-238247.rb +++ b/controls/SV-238247.rb @@ -55,6 +55,7 @@ tag fix_id: 'F-41416r832946_fix ' tag cci: ['CCI-000162'] tag nist: ['AU-9 a'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238248.rb b/controls/SV-238248.rb index dc1e233..e6741fb 100644 --- a/controls/SV-238248.rb +++ b/controls/SV-238248.rb @@ -57,6 +57,7 @@ tag fix_id: 'F-41417r653918_fix ' tag cci: ['CCI-000164'] tag nist: ['AU-9 a'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238249.rb b/controls/SV-238249.rb index a746223..ecf8162 100644 --- a/controls/SV-238249.rb +++ b/controls/SV-238249.rb @@ -51,6 +51,7 @@ tag fix_id: 'F-41418r653921_fix ' tag cci: ['CCI-000171'] tag nist: ['AU-12 b'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238250.rb b/controls/SV-238250.rb index 9883148..90a8b48 100644 --- a/controls/SV-238250.rb +++ b/controls/SV-238250.rb @@ -61,6 +61,7 @@ tag fix_id: 'F-41419r653924_fix ' tag cci: ['CCI-000171'] tag nist: ['AU-12 b'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238251.rb b/controls/SV-238251.rb index 969232d..370c64f 100644 --- a/controls/SV-238251.rb +++ b/controls/SV-238251.rb @@ -51,6 +51,7 @@ tag fix_id: 'F-41420r653927_fix ' tag cci: ['CCI-000171'] tag nist: ['AU-12 b'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238252.rb b/controls/SV-238252.rb index 493d240..e0cfa8d 100644 --- a/controls/SV-238252.rb +++ b/controls/SV-238252.rb @@ -47,6 +47,7 @@ tag fix_id: 'F-41421r653930_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238253.rb b/controls/SV-238253.rb index 33e7552..ab0239f 100644 --- a/controls/SV-238253.rb +++ b/controls/SV-238253.rb @@ -47,6 +47,7 @@ tag fix_id: 'F-41422r653933_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238254.rb b/controls/SV-238254.rb index 72b67f3..70a0453 100644 --- a/controls/SV-238254.rb +++ b/controls/SV-238254.rb @@ -47,6 +47,7 @@ tag fix_id: 'F-41423r653936_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238255.rb b/controls/SV-238255.rb index 0b0055a..0038275 100644 --- a/controls/SV-238255.rb +++ b/controls/SV-238255.rb @@ -47,6 +47,7 @@ tag fix_id: 'F-41424r653939_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238256.rb b/controls/SV-238256.rb index a64333e..7f453d2 100644 --- a/controls/SV-238256.rb +++ b/controls/SV-238256.rb @@ -47,6 +47,7 @@ tag fix_id: 'F-41425r653942_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238257.rb b/controls/SV-238257.rb index dbbacbf..7f6ced3 100644 --- a/controls/SV-238257.rb +++ b/controls/SV-238257.rb @@ -48,6 +48,7 @@ tag fix_id: 'F-41426r653945_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238258.rb b/controls/SV-238258.rb index b3e6cee..fa4daad 100644 --- a/controls/SV-238258.rb +++ b/controls/SV-238258.rb @@ -83,6 +83,7 @@ tag fix_id: 'F-41427r808473_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238264.rb b/controls/SV-238264.rb index cfd4e98..d98150a 100644 --- a/controls/SV-238264.rb +++ b/controls/SV-238264.rb @@ -68,6 +68,7 @@ tag fix_id: 'F-41433r808476_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238268.rb b/controls/SV-238268.rb index 23368a2..634c1cf 100644 --- a/controls/SV-238268.rb +++ b/controls/SV-238268.rb @@ -67,6 +67,7 @@ tag fix_id: 'F-41437r808479_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238271.rb b/controls/SV-238271.rb index c0331c0..8c78435 100644 --- a/controls/SV-238271.rb +++ b/controls/SV-238271.rb @@ -84,6 +84,7 @@ tag fix_id: 'F-41440r808482_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238277.rb b/controls/SV-238277.rb index 6599043..9cc8786 100644 --- a/controls/SV-238277.rb +++ b/controls/SV-238277.rb @@ -46,6 +46,7 @@ tag fix_id: 'F-41446r654005_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238278.rb b/controls/SV-238278.rb index 01ac7d7..50fdc7c 100644 --- a/controls/SV-238278.rb +++ b/controls/SV-238278.rb @@ -47,6 +47,7 @@ tag fix_id: 'F-41447r654008_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238279.rb b/controls/SV-238279.rb index d68940f..c29fc8b 100644 --- a/controls/SV-238279.rb +++ b/controls/SV-238279.rb @@ -47,6 +47,7 @@ tag fix_id: 'F-41448r654011_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238280.rb b/controls/SV-238280.rb index 5ba159b..39396d8 100644 --- a/controls/SV-238280.rb +++ b/controls/SV-238280.rb @@ -47,6 +47,7 @@ tag fix_id: 'F-41449r654014_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238281.rb b/controls/SV-238281.rb index bfe8d62..3a64f45 100644 --- a/controls/SV-238281.rb +++ b/controls/SV-238281.rb @@ -47,6 +47,7 @@ tag fix_id: 'F-41450r654017_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238282.rb b/controls/SV-238282.rb index 1d8e3ac..96a1fc4 100644 --- a/controls/SV-238282.rb +++ b/controls/SV-238282.rb @@ -47,6 +47,7 @@ tag fix_id: 'F-41451r654020_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238283.rb b/controls/SV-238283.rb index dcd5d7e..96ca00d 100644 --- a/controls/SV-238283.rb +++ b/controls/SV-238283.rb @@ -47,6 +47,7 @@ tag fix_id: 'F-41452r654023_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238284.rb b/controls/SV-238284.rb index 1836a81..6e346ab 100644 --- a/controls/SV-238284.rb +++ b/controls/SV-238284.rb @@ -47,6 +47,7 @@ tag fix_id: 'F-41453r654026_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238285.rb b/controls/SV-238285.rb index 0014c24..967994d 100644 --- a/controls/SV-238285.rb +++ b/controls/SV-238285.rb @@ -48,6 +48,7 @@ tag fix_id: 'F-41454r654029_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238286.rb b/controls/SV-238286.rb index 5866336..efb3f3d 100644 --- a/controls/SV-238286.rb +++ b/controls/SV-238286.rb @@ -48,6 +48,7 @@ tag fix_id: 'F-41455r654032_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238287.rb b/controls/SV-238287.rb index 56b4a91..2410e76 100644 --- a/controls/SV-238287.rb +++ b/controls/SV-238287.rb @@ -48,6 +48,7 @@ tag fix_id: 'F-41456r654035_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238288.rb b/controls/SV-238288.rb index 0e28457..08ff38f 100644 --- a/controls/SV-238288.rb +++ b/controls/SV-238288.rb @@ -47,6 +47,7 @@ tag fix_id: 'F-41457r832949_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238289.rb b/controls/SV-238289.rb index 84f46e6..9ff61c9 100644 --- a/controls/SV-238289.rb +++ b/controls/SV-238289.rb @@ -47,6 +47,7 @@ tag fix_id: 'F-41458r654041_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238290.rb b/controls/SV-238290.rb index 4c63696..5528a76 100644 --- a/controls/SV-238290.rb +++ b/controls/SV-238290.rb @@ -47,6 +47,7 @@ tag fix_id: 'F-41459r654044_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238291.rb b/controls/SV-238291.rb index 4534922..0aec859 100644 --- a/controls/SV-238291.rb +++ b/controls/SV-238291.rb @@ -47,6 +47,7 @@ tag fix_id: 'F-41460r654047_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238292.rb b/controls/SV-238292.rb index 2f0e3ae..81d86f9 100644 --- a/controls/SV-238292.rb +++ b/controls/SV-238292.rb @@ -47,6 +47,7 @@ tag fix_id: 'F-41461r654050_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238293.rb b/controls/SV-238293.rb index e513179..2b23708 100644 --- a/controls/SV-238293.rb +++ b/controls/SV-238293.rb @@ -47,6 +47,7 @@ tag fix_id: 'F-41462r654053_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238294.rb b/controls/SV-238294.rb index 999a3f5..0d5e737 100644 --- a/controls/SV-238294.rb +++ b/controls/SV-238294.rb @@ -49,6 +49,7 @@ tag fix_id: 'F-41463r654056_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238295.rb b/controls/SV-238295.rb index df01799..2d73471 100644 --- a/controls/SV-238295.rb +++ b/controls/SV-238295.rb @@ -68,6 +68,7 @@ tag fix_id: 'F-41464r808485_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238297.rb b/controls/SV-238297.rb index 9e7f432..5c6cc6b 100644 --- a/controls/SV-238297.rb +++ b/controls/SV-238297.rb @@ -60,6 +60,7 @@ tag fix_id: 'F-41466r654065_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238298.rb b/controls/SV-238298.rb index 46a76c3..d69d100 100644 --- a/controls/SV-238298.rb +++ b/controls/SV-238298.rb @@ -82,6 +82,7 @@ tag fix_id: 'F-41467r654068_fix ' tag cci: %w(CCI-000130 CCI-000131 CCI-000132 CCI-000133 CCI-000134 CCI-000135 CCI-000154 CCI-000158 CCI-000169 CCI-000172 CCI-001875 CCI-001876 CCI-001877 CCI-001878 CCI-001879 CCI-001880 CCI-001881 CCI-001882 CCI-001914) tag nist: ['AU-3 a', 'AU-3 b', 'AU-3 c', 'AU-3 d', 'AU-3 e', 'AU-3 (1)', 'AU-6 (4)', 'AU-7 (1)', 'AU-12 a', 'AU-12 c', 'AU-7 a', 'AU-7 b', 'AU-12 (3)'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238299.rb b/controls/SV-238299.rb index 56a88b5..9fe8332 100644 --- a/controls/SV-238299.rb +++ b/controls/SV-238299.rb @@ -36,6 +36,7 @@ tag fix_id: 'F-41468r654071_fix ' tag cci: ['CCI-001464'] tag nist: ['AU-14 (1)'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238300.rb b/controls/SV-238300.rb index 96d8386..97944af 100644 --- a/controls/SV-238300.rb +++ b/controls/SV-238300.rb @@ -52,6 +52,7 @@ tag fix_id: 'F-41469r654074_fix ' tag cci: %w(CCI-001493 CCI-001494) tag nist: ['AU-9 a', 'AU-9'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238301.rb b/controls/SV-238301.rb index dc1d65f..d04822d 100644 --- a/controls/SV-238301.rb +++ b/controls/SV-238301.rb @@ -52,6 +52,7 @@ tag fix_id: 'F-41470r654077_fix ' tag cci: %w(CCI-001493 CCI-001494) tag nist: ['AU-9 a', 'AU-9'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238302.rb b/controls/SV-238302.rb index cc1c576..35d675c 100644 --- a/controls/SV-238302.rb +++ b/controls/SV-238302.rb @@ -53,6 +53,7 @@ tag fix_id: 'F-41471r654080_fix ' tag cci: %w(CCI-001493 CCI-001494) tag nist: ['AU-9 a', 'AU-9'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238303.rb b/controls/SV-238303.rb index a725db7..800b451 100644 --- a/controls/SV-238303.rb +++ b/controls/SV-238303.rb @@ -68,6 +68,7 @@ tag fix_id: 'F-41472r654083_fix ' tag cci: ['CCI-001496'] tag nist: ['AU-9 (3)'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238304.rb b/controls/SV-238304.rb index 08a577e..018142d 100644 --- a/controls/SV-238304.rb +++ b/controls/SV-238304.rb @@ -69,6 +69,7 @@ tag fix_id: 'F-41473r654086_fix ' tag cci: %w(CCI-002233 CCI-002234) tag nist: ['AC-6 (8)', 'AC-6 (9)'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238305.rb b/controls/SV-238305.rb index 5dbc9a2..49e491f 100644 --- a/controls/SV-238305.rb +++ b/controls/SV-238305.rb @@ -71,6 +71,7 @@ tag fix_id: 'F-41474r654089_fix ' tag cci: ['CCI-001849'] tag nist: ['AU-4'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238306.rb b/controls/SV-238306.rb index a050971..5185f11 100644 --- a/controls/SV-238306.rb +++ b/controls/SV-238306.rb @@ -78,6 +78,7 @@ tag fix_id: 'F-41475r654092_fix ' tag cci: ['CCI-001851'] tag nist: ['AU-4 (1)'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238307.rb b/controls/SV-238307.rb index 3338bd6..ac472af 100644 --- a/controls/SV-238307.rb +++ b/controls/SV-238307.rb @@ -69,6 +69,7 @@ tag fix_id: 'F-41476r654095_fix ' tag cci: ['CCI-001855'] tag nist: ['AU-5 (1)'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238308.rb b/controls/SV-238308.rb index 7a3aaf4..71e11ff 100644 --- a/controls/SV-238308.rb +++ b/controls/SV-238308.rb @@ -28,6 +28,7 @@ tag fix_id: 'F-41477r654098_fix ' tag cci: ['CCI-001890'] tag nist: ['AU-8 b'] + tag 'host', 'container' time_zone = command('timedatectl status | grep -i "time zone"').stdout.strip diff --git a/controls/SV-238309.rb b/controls/SV-238309.rb index 6aab4ef..1830326 100644 --- a/controls/SV-238309.rb +++ b/controls/SV-238309.rb @@ -61,6 +61,7 @@ tag fix_id: 'F-41478r654101_fix ' tag cci: %w(CCI-000172 CCI-002884) tag nist: ['AU-12 c', 'MA-4 (1) (a)'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238310.rb b/controls/SV-238310.rb index 5511378..1bdb4ab 100644 --- a/controls/SV-238310.rb +++ b/controls/SV-238310.rb @@ -66,6 +66,7 @@ tag fix_id: 'F-41479r832952_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238315.rb b/controls/SV-238315.rb index a0f055a..4d71225 100644 --- a/controls/SV-238315.rb +++ b/controls/SV-238315.rb @@ -44,6 +44,7 @@ tag fix_id: 'F-41484r654119_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238316.rb b/controls/SV-238316.rb index fac5c0d..69e821e 100644 --- a/controls/SV-238316.rb +++ b/controls/SV-238316.rb @@ -44,6 +44,7 @@ tag fix_id: 'F-41485r654122_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238317.rb b/controls/SV-238317.rb index eb4daa4..b4de442 100644 --- a/controls/SV-238317.rb +++ b/controls/SV-238317.rb @@ -44,6 +44,7 @@ tag fix_id: 'F-41486r654125_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238318.rb b/controls/SV-238318.rb index d5d05e3..31c90c8 100644 --- a/controls/SV-238318.rb +++ b/controls/SV-238318.rb @@ -42,6 +42,7 @@ tag fix_id: 'F-41487r654128_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238319.rb b/controls/SV-238319.rb index db22086..40bd537 100644 --- a/controls/SV-238319.rb +++ b/controls/SV-238319.rb @@ -45,6 +45,7 @@ tag fix_id: 'F-41488r654131_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238320.rb b/controls/SV-238320.rb index 9bd58d5..d2f6f3f 100644 --- a/controls/SV-238320.rb +++ b/controls/SV-238320.rb @@ -45,6 +45,7 @@ tag fix_id: 'F-41489r832955_fix ' tag cci: ['CCI-000172'] tag nist: ['AU-12 c'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238321.rb b/controls/SV-238321.rb index 4c1d193..c1cc561 100644 --- a/controls/SV-238321.rb +++ b/controls/SV-238321.rb @@ -37,6 +37,7 @@ tag fix_id: 'F-41490r654137_fix ' tag cci: ['CCI-001851'] tag nist: ['AU-4 (1)'] + tag 'host', 'container' cron_file = input('auditoffload_config_file') cron_file_exists = file(cron_file).exist? diff --git a/controls/SV-238323.rb b/controls/SV-238323.rb index be74576..1742bb1 100644 --- a/controls/SV-238323.rb +++ b/controls/SV-238323.rb @@ -39,6 +39,7 @@ tag fix_id: 'F-41492r654143_fix ' tag cci: ['CCI-000054'] tag nist: ['AC-10'] + tag 'host', 'container' describe limits_conf do its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] } diff --git a/controls/SV-238324.rb b/controls/SV-238324.rb index 96d72e8..e7acac7 100644 --- a/controls/SV-238324.rb +++ b/controls/SV-238324.rb @@ -49,6 +49,7 @@ tag fix_id: 'F-41493r832958_fix ' tag cci: ['CCI-000067'] tag nist: ['AC-17 (1)'] + tag 'host', 'container' options = { assignment_regex: /^\s*([^:]*?)\s*\t\s*(.*?)\s*$/, diff --git a/controls/SV-238325.rb b/controls/SV-238325.rb index 474f815..91e83af 100644 --- a/controls/SV-238325.rb +++ b/controls/SV-238325.rb @@ -33,6 +33,7 @@ tag fix_id: 'F-41494r654149_fix ' tag cci: ['CCI-000803'] tag nist: ['IA-7'] + tag 'host' if input('disable_fips') impact 0.0 diff --git a/controls/SV-238326.rb b/controls/SV-238326.rb index cf82c33..f99a6a2 100644 --- a/controls/SV-238326.rb +++ b/controls/SV-238326.rb @@ -22,6 +22,7 @@ tag fix_id: 'F-41495r654152_fix ' tag cci: ['CCI-000197'] tag nist: ['IA-5 (1) (c)'] + tag 'host', 'container' describe package('telnetd') do it { should_not be_installed } diff --git a/controls/SV-238327.rb b/controls/SV-238327.rb index 8d603ce..e04ac7c 100644 --- a/controls/SV-238327.rb +++ b/controls/SV-238327.rb @@ -34,6 +34,7 @@ tag fix_id: 'F-41496r654155_fix ' tag cci: ['CCI-000381'] tag nist: ['CM-7 a'] + tag 'host', 'container' describe package('rsh-server') do it { should_not be_installed } diff --git a/controls/SV-238328.rb b/controls/SV-238328.rb index d2ad226..a06ea2a 100644 --- a/controls/SV-238328.rb +++ b/controls/SV-238328.rb @@ -77,6 +77,7 @@ tag fix_id: 'F-41497r654158_fix ' tag cci: ['CCI-000382'] tag nist: ['CM-7 b'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238329.rb b/controls/SV-238329.rb index 701dd43..83c2bb5 100644 --- a/controls/SV-238329.rb +++ b/controls/SV-238329.rb @@ -46,6 +46,7 @@ tag fix_id: 'F-41498r654161_fix ' tag cci: ['CCI-000770'] tag nist: ['IA-2 (5)'] + tag 'host', 'container' describe.one do describe shadow.where(user: 'root') do diff --git a/controls/SV-238330.rb b/controls/SV-238330.rb index e7673b5..224ffab 100644 --- a/controls/SV-238330.rb +++ b/controls/SV-238330.rb @@ -41,6 +41,7 @@ tag fix_id: 'F-41499r654164_fix ' tag cci: ['CCI-000795'] tag nist: ['IA-4 e'] + tag 'host', 'container' config_file = input('useradd_config_file') config_file_exists = file(config_file).exist? diff --git a/controls/SV-238331.rb b/controls/SV-238331.rb index c8da489..45f27b6 100644 --- a/controls/SV-238331.rb +++ b/controls/SV-238331.rb @@ -42,6 +42,7 @@ tag fix_id: 'F-41500r654167_fix ' tag cci: ['CCI-001682'] tag nist: ['AC-2 (2)'] + tag 'host', 'container' describe 'Manual verification required' do skip 'Manually verify if emergency account must be created diff --git a/controls/SV-238332.rb b/controls/SV-238332.rb index 2949698..7327c74 100644 --- a/controls/SV-238332.rb +++ b/controls/SV-238332.rb @@ -44,6 +44,7 @@ tag fix_id: 'F-41501r654170_fix ' tag cci: ['CCI-001090'] tag nist: ['SC-4'] + tag 'host', 'container' lines = command('find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null').stdout.strip.split("\n").entries if lines.count > 0 diff --git a/controls/SV-238333.rb b/controls/SV-238333.rb index 2c3f0e0..f8da09a 100644 --- a/controls/SV-238333.rb +++ b/controls/SV-238333.rb @@ -46,6 +46,7 @@ tag fix_id: 'F-41502r654173_fix ' tag cci: ['CCI-001095'] tag nist: ['SC-5 (2)'] + tag 'host', 'container' describe kernel_parameter('net.ipv4.tcp_syncookies') do its('value') { should cmp 1 } diff --git a/controls/SV-238334.rb b/controls/SV-238334.rb index b8609d4..47342a3 100644 --- a/controls/SV-238334.rb +++ b/controls/SV-238334.rb @@ -33,6 +33,7 @@ tag fix_id: 'F-41503r654176_fix ' tag cci: ['CCI-001190'] tag nist: ['SC-24'] + tag 'host', 'container' is_kdump_required = input('is_kdump_required') if is_kdump_required diff --git a/controls/SV-238335.rb b/controls/SV-238335.rb index f4dd4b9..2e65e74 100644 --- a/controls/SV-238335.rb +++ b/controls/SV-238335.rb @@ -65,6 +65,7 @@ tag fix_id: 'F-41504r654179_fix ' tag cci: ['CCI-001199'] tag nist: ['SC-28'] + tag 'host', 'container' describe 'Not Applicable' do skip 'Encryption of data at rest is handled by the IaaS' diff --git a/controls/SV-238336.rb b/controls/SV-238336.rb index 975a2b7..f959296 100644 --- a/controls/SV-238336.rb +++ b/controls/SV-238336.rb @@ -43,6 +43,7 @@ tag fix_id: 'F-41505r858537_fix ' tag cci: ['CCI-001233'] tag nist: ['SI-2 (2)'] + tag 'host', 'container' describe package('mfetp') do it { should be_installed } diff --git a/controls/SV-238337.rb b/controls/SV-238337.rb index 48f4e2a..1c05237 100644 --- a/controls/SV-238337.rb +++ b/controls/SV-238337.rb @@ -36,6 +36,7 @@ tag fix_id: 'F-41506r654185_fix ' tag cci: ['CCI-001312'] tag nist: ['SI-11 a'] + tag 'host', 'container' log_files = command('find /var/log -perm /137 -type f -exec stat -c "%n %a" {} \;').stdout.strip.split("\n").entries diff --git a/controls/SV-238338.rb b/controls/SV-238338.rb index b8085c3..6d0839e 100644 --- a/controls/SV-238338.rb +++ b/controls/SV-238338.rb @@ -32,6 +32,7 @@ tag fix_id: 'F-41507r654188_fix ' tag cci: ['CCI-001314'] tag nist: ['SI-11 b'] + tag 'host', 'container' describe directory('/var/log') do its('group') { should cmp 'syslog' } diff --git a/controls/SV-238339.rb b/controls/SV-238339.rb index 29e3f73..7c1eee7 100644 --- a/controls/SV-238339.rb +++ b/controls/SV-238339.rb @@ -31,6 +31,7 @@ tag fix_id: 'F-41508r654191_fix ' tag cci: ['CCI-001314'] tag nist: ['SI-11 b'] + tag 'host', 'container' describe directory('/var/log') do its('owner') { should cmp 'root' } diff --git a/controls/SV-238340.rb b/controls/SV-238340.rb index 0521fe7..861cc14 100644 --- a/controls/SV-238340.rb +++ b/controls/SV-238340.rb @@ -33,6 +33,7 @@ tag fix_id: 'F-41509r654194_fix ' tag cci: ['CCI-001314'] tag nist: ['SI-11 b'] + tag 'host', 'container' describe directory('/var/log') do it { should_not be_more_permissive_than('0750') } diff --git a/controls/SV-238341.rb b/controls/SV-238341.rb index 09b2b1f..8f50c1c 100644 --- a/controls/SV-238341.rb +++ b/controls/SV-238341.rb @@ -33,6 +33,7 @@ tag fix_id: 'F-41510r654197_fix ' tag cci: ['CCI-001314'] tag nist: ['SI-11 b'] + tag 'host', 'container' describe file('/var/log/syslog') do its('group') { should cmp 'adm' } diff --git a/controls/SV-238342.rb b/controls/SV-238342.rb index fbbe75b..57adbe9 100644 --- a/controls/SV-238342.rb +++ b/controls/SV-238342.rb @@ -32,6 +32,7 @@ tag fix_id: 'F-41511r654200_fix ' tag cci: ['CCI-001314'] tag nist: ['SI-11 b'] + tag 'host', 'container' describe file('/var/log/syslog') do its('owner') { should cmp 'syslog' } diff --git a/controls/SV-238343.rb b/controls/SV-238343.rb index 4ed135d..de0ac60 100644 --- a/controls/SV-238343.rb +++ b/controls/SV-238343.rb @@ -34,6 +34,7 @@ tag fix_id: 'F-41512r654203_fix ' tag cci: ['CCI-001314'] tag nist: ['SI-11 b'] + tag 'host', 'container' describe file('/var/log/syslog') do it { should_not be_more_permissive_than('0640') } diff --git a/controls/SV-238344.rb b/controls/SV-238344.rb index 4b083ea..26a1d93 100644 --- a/controls/SV-238344.rb +++ b/controls/SV-238344.rb @@ -47,6 +47,7 @@ tag fix_id: 'F-41513r654206_fix ' tag cci: ['CCI-001495'] tag nist: ['AU-9'] + tag 'host', 'container' system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d').stdout.strip.split("\n").entries valid_system_commands = Set[] diff --git a/controls/SV-238345.rb b/controls/SV-238345.rb index b6bedbf..1174487 100644 --- a/controls/SV-238345.rb +++ b/controls/SV-238345.rb @@ -46,6 +46,7 @@ tag fix_id: 'F-41514r654209_fix ' tag cci: ['CCI-001495'] tag nist: ['AU-9'] + tag 'host', 'container' system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d').stdout.strip.split("\n").entries valid_system_commands = Set[] diff --git a/controls/SV-238346.rb b/controls/SV-238346.rb index 8ad1ade..2adf454 100644 --- a/controls/SV-238346.rb +++ b/controls/SV-238346.rb @@ -47,7 +47,8 @@ tag fix_id: 'F-41515r654212_fix ' tag cci: ['CCI-001495'] tag nist: ['AU-9'] - # CHECK + tag 'host', 'container' + system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d').stdout.strip.split("\n").entries valid_system_commands = Set[] diff --git a/controls/SV-238347.rb b/controls/SV-238347.rb index b160b87..83be55c 100644 --- a/controls/SV-238347.rb +++ b/controls/SV-238347.rb @@ -33,6 +33,7 @@ tag fix_id: 'F-41516r654215_fix ' tag cci: ['CCI-001499'] tag nist: ['CM-5 (6)'] + tag 'host', 'container' library_files = if os.arch == 'x86_64' command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type f').stdout.strip.split("\n").entries diff --git a/controls/SV-238348.rb b/controls/SV-238348.rb index 00cb272..efd52f3 100644 --- a/controls/SV-238348.rb +++ b/controls/SV-238348.rb @@ -32,6 +32,7 @@ tag fix_id: 'F-41517r654218_fix ' tag cci: ['CCI-001499'] tag nist: ['CM-5 (6)'] + tag 'host', 'container' library_dirs = if os.arch == 'x86_64' command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type d').stdout.strip.split("\n").entries diff --git a/controls/SV-238349.rb b/controls/SV-238349.rb index 82b8e7a..2032c8a 100644 --- a/controls/SV-238349.rb +++ b/controls/SV-238349.rb @@ -32,6 +32,7 @@ tag fix_id: 'F-41518r654221_fix ' tag cci: ['CCI-001499'] tag nist: ['CM-5 (6)'] + tag 'host', 'container' library_files = if os.arch == 'x86_64' command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-user root \-type f').stdout.strip.split("\n").entries diff --git a/controls/SV-238350.rb b/controls/SV-238350.rb index e2e4958..2fdb596 100644 --- a/controls/SV-238350.rb +++ b/controls/SV-238350.rb @@ -32,6 +32,7 @@ tag fix_id: 'F-41519r654224_fix ' tag cci: ['CCI-001499'] tag nist: ['CM-5 (6)'] + tag 'host', 'container' library_dirs = if os.arch == 'x86_64' command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-user root \-type d').stdout.strip.split("\n").entries diff --git a/controls/SV-238351.rb b/controls/SV-238351.rb index 59483bc..7d0afe2 100644 --- a/controls/SV-238351.rb +++ b/controls/SV-238351.rb @@ -33,6 +33,7 @@ tag fix_id: 'F-41520r832961_fix ' tag cci: ['CCI-001499'] tag nist: ['CM-5 (6)'] + tag 'host', 'container' library_files = if os.arch == 'x86_64' command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-group root \-type f').stdout.strip.split("\n").entries diff --git a/controls/SV-238352.rb b/controls/SV-238352.rb index b89c6f7..9c2d442 100644 --- a/controls/SV-238352.rb +++ b/controls/SV-238352.rb @@ -32,6 +32,7 @@ tag fix_id: 'F-41521r654230_fix ' tag cci: ['CCI-001499'] tag nist: ['CM-5 (6)'] + tag 'host', 'container' library_directories = if os.arch == 'x86_64' command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \-group root \-type d').stdout.strip.split("\n").entries diff --git a/controls/SV-238353.rb b/controls/SV-238353.rb index dfac375..1086183 100644 --- a/controls/SV-238353.rb +++ b/controls/SV-238353.rb @@ -61,6 +61,7 @@ tag fix_id: 'F-41522r654233_fix ' tag cci: ['CCI-001665'] tag nist: ['SC-24'] + tag 'host', 'container' describe service('rsyslog') do it { should be_installed } diff --git a/controls/SV-238354.rb b/controls/SV-238354.rb index 5d12836..f242144 100644 --- a/controls/SV-238354.rb +++ b/controls/SV-238354.rb @@ -41,6 +41,7 @@ tag fix_id: 'F-41523r654236_fix ' tag cci: ['CCI-002314'] tag nist: ['AC-17 (1)'] + tag 'host', 'container' describe package('ufw') do it { should be_installed } diff --git a/controls/SV-238355.rb b/controls/SV-238355.rb index 87a98a8..0717a03 100644 --- a/controls/SV-238355.rb +++ b/controls/SV-238355.rb @@ -49,6 +49,7 @@ tag fix_id: 'F-41524r654239_fix ' tag cci: ['CCI-002314'] tag nist: ['AC-17 (1)'] + tag 'host', 'container' describe service('ufw') do it { should be_installed } diff --git a/controls/SV-238356.rb b/controls/SV-238356.rb index f37dbc7..fdbd3ed 100644 --- a/controls/SV-238356.rb +++ b/controls/SV-238356.rb @@ -69,6 +69,7 @@ tag fix_id: 'F-41525r808491_fix ' tag cci: ['CCI-001891'] tag nist: ['AU-8 (1) (a)'] + tag 'host', 'container' is_system_networked = input('is_system_networked') diff --git a/controls/SV-238357.rb b/controls/SV-238357.rb index d75e7d6..e5020d1 100644 --- a/controls/SV-238357.rb +++ b/controls/SV-238357.rb @@ -49,6 +49,7 @@ tag fix_id: 'F-41526r654245_fix ' tag cci: ['CCI-002046'] tag nist: ['AU-8 (1) (b)'] + tag 'host', 'container' chrony_file_path = input('chrony_config_file') chrony_file = file(chrony_file_path) diff --git a/controls/SV-238358.rb b/controls/SV-238358.rb index fc28b81..295356a 100644 --- a/controls/SV-238358.rb +++ b/controls/SV-238358.rb @@ -41,6 +41,7 @@ tag fix_id: 'F-41527r654248_fix ' tag cci: ['CCI-001744'] tag nist: ['CM-3 (5)'] + tag 'host', 'container' describe file('/etc/default/aide') do it { should exist } diff --git a/controls/SV-238359.rb b/controls/SV-238359.rb index 040819e..005cb8f 100644 --- a/controls/SV-238359.rb +++ b/controls/SV-238359.rb @@ -53,6 +53,7 @@ tag fix_id: 'F-41528r654251_fix ' tag cci: ['CCI-001749'] tag nist: ['CM-5 (3)'] + tag 'host', 'container' describe directory('/etc/apt/apt.conf.d') do it { should exist } diff --git a/controls/SV-238360.rb b/controls/SV-238360.rb index 17c5daa..88d018c 100644 --- a/controls/SV-238360.rb +++ b/controls/SV-238360.rb @@ -68,6 +68,7 @@ tag fix_id: 'F-41529r654254_fix ' tag cci: %w(CCI-001764 CCI-001774 CCI-002165 CCI-002235) tag nist: ['CM-7 (2)', 'CM-7 (5) (b)', 'AC-3 (4)', 'AC-6 (10)'] + tag 'host', 'container' describe service('apparmor') do it { should be_installed } diff --git a/controls/SV-238361.rb b/controls/SV-238361.rb index a66b814..3db20e8 100644 --- a/controls/SV-238361.rb +++ b/controls/SV-238361.rb @@ -35,6 +35,7 @@ tag fix_id: 'F-41530r654257_fix ' tag cci: ['CCI-002041'] tag nist: ['IA-5 (1) (f)'] + tag 'host', 'container' describe 'Manual verification required' do skip 'Manually verify if a policy exists to ensure that a method exists to force temporary diff --git a/controls/SV-238362.rb b/controls/SV-238362.rb index 697f169..c70399b 100644 --- a/controls/SV-238362.rb +++ b/controls/SV-238362.rb @@ -35,6 +35,7 @@ tag fix_id: 'F-41531r654260_fix ' tag cci: ['CCI-002007'] tag nist: ['IA-5 (13)'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238363.rb b/controls/SV-238363.rb index bba9dc7..f78acb3 100644 --- a/controls/SV-238363.rb +++ b/controls/SV-238363.rb @@ -37,6 +37,7 @@ tag fix_id: 'F-41532r654263_fix ' tag cci: ['CCI-002450'] tag nist: ['SC-13 b'] + tag 'host' if input('disable_fips') impact 0.0 diff --git a/controls/SV-238364.rb b/controls/SV-238364.rb index 88b59e9..3f008c3 100644 --- a/controls/SV-238364.rb +++ b/controls/SV-238364.rb @@ -50,6 +50,7 @@ tag fix_id: 'F-41533r860823_fix ' tag cci: ['CCI-002470'] tag nist: ['SC-23 (5)'] + tag 'host', 'container' allowed_ca_fingerprints_regex = input('allowed_ca_fingerprints_regex') find_command = ''" diff --git a/controls/SV-238365.rb b/controls/SV-238365.rb index 6f71a32..144c557 100644 --- a/controls/SV-238365.rb +++ b/controls/SV-238365.rb @@ -64,6 +64,7 @@ tag fix_id: 'F-41534r654269_fix ' tag cci: ['CCI-002475'] tag nist: ['SC-28 (1)'] + tag 'host', 'container' describe 'Not Applicable' do skip 'Encryption of data at rest is handled by the IaaS' diff --git a/controls/SV-238366.rb b/controls/SV-238366.rb index 28e309c..01a2f49 100644 --- a/controls/SV-238366.rb +++ b/controls/SV-238366.rb @@ -64,6 +64,7 @@ tag fix_id: 'F-41535r654272_fix ' tag cci: ['CCI-002476'] tag nist: ['SC-28 (1)'] + tag 'host', 'container' describe 'Not Applicable' do skip 'Encryption of data at rest is handled by the IaaS' diff --git a/controls/SV-238367.rb b/controls/SV-238367.rb index 43a6a10..fc5e06f 100644 --- a/controls/SV-238367.rb +++ b/controls/SV-238367.rb @@ -72,6 +72,7 @@ tag fix_id: 'F-41536r654275_fix ' tag cci: ['CCI-002385'] tag nist: ['SC-5 a'] + tag 'host', 'container' describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do skip 'Status listings checks must be preformed manually' diff --git a/controls/SV-238368.rb b/controls/SV-238368.rb index 6da4d16..2ba2158 100644 --- a/controls/SV-238368.rb +++ b/controls/SV-238368.rb @@ -39,6 +39,7 @@ tag fix_id: 'F-41537r654278_fix ' tag cci: ['CCI-002824'] tag nist: ['SI-16'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238369.rb b/controls/SV-238369.rb index 5f6dcd4..9e2a6c5 100644 --- a/controls/SV-238369.rb +++ b/controls/SV-238369.rb @@ -53,6 +53,7 @@ tag fix_id: 'F-41538r654281_fix ' tag cci: ['CCI-002824'] tag nist: ['SI-16'] + tag 'host', 'container' describe kernel_parameter('kernel.randomize_va_space') do its('value') { should cmp 2 } diff --git a/controls/SV-238370.rb b/controls/SV-238370.rb index 58734b2..2afd8eb 100644 --- a/controls/SV-238370.rb +++ b/controls/SV-238370.rb @@ -37,6 +37,7 @@ tag fix_id: 'F-41539r654284_fix ' tag cci: ['CCI-002617'] tag nist: ['SI-2 (6)'] + tag 'host', 'container' describe directory('/etc/apt/apt.conf.d') do it { should exist } diff --git a/controls/SV-238371.rb b/controls/SV-238371.rb index 11a8b3b..c1a3bbd 100644 --- a/controls/SV-238371.rb +++ b/controls/SV-238371.rb @@ -39,6 +39,7 @@ tag fix_id: 'F-41540r654287_fix ' tag cci: ['CCI-002696'] tag nist: ['SI-6 a'] + tag 'host', 'container' describe package('aide') do it { should be_installed } diff --git a/controls/SV-238372.rb b/controls/SV-238372.rb index ba57f0c..cab90fc 100644 --- a/controls/SV-238372.rb +++ b/controls/SV-238372.rb @@ -38,6 +38,7 @@ tag fix_id: 'F-41541r654290_fix ' tag cci: ['CCI-002702'] tag nist: ['SI-6 d'] + tag 'host', 'container' describe file('/etc/default/aide') do it { should exist } diff --git a/controls/SV-238373.rb b/controls/SV-238373.rb index 3a64eda..d53259d 100644 --- a/controls/SV-238373.rb +++ b/controls/SV-238373.rb @@ -38,6 +38,7 @@ tag fix_id: 'F-41542r654293_fix ' tag cci: ['CCI-000052'] tag nist: ['AC-9'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-238374.rb b/controls/SV-238374.rb index 086ecf6..06ff7ed 100644 --- a/controls/SV-238374.rb +++ b/controls/SV-238374.rb @@ -35,6 +35,7 @@ tag fix_id: 'F-41543r654296_fix ' tag cci: ['CCI-000366'] tag nist: ['CM-6 b'] + tag 'host', 'container' describe service('ufw') do it { should be_installed } diff --git a/controls/SV-238376.rb b/controls/SV-238376.rb index 5736f99..88d37ff 100644 --- a/controls/SV-238376.rb +++ b/controls/SV-238376.rb @@ -43,6 +43,7 @@ tag fix_id: 'F-41545r654302_fix ' tag cci: ['CCI-001499'] tag nist: ['CM-5 (6)'] + tag 'host', 'container' system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f').stdout.strip.split("\n").entries valid_system_commands = Set[] diff --git a/controls/SV-238377.rb b/controls/SV-238377.rb index 486d94e..74e4333 100644 --- a/controls/SV-238377.rb +++ b/controls/SV-238377.rb @@ -43,6 +43,7 @@ tag fix_id: 'F-41546r832967_fix ' tag cci: ['CCI-001499'] tag nist: ['CM-5 (6)'] + tag 'host', 'container' system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f').stdout.strip.split("\n").entries valid_system_commands = Set[] diff --git a/controls/SV-238378.rb b/controls/SV-238378.rb index 53f4177..370590c 100644 --- a/controls/SV-238378.rb +++ b/controls/SV-238378.rb @@ -44,6 +44,7 @@ tag fix_id: 'F-41547r832970_fix ' tag cci: ['CCI-001499'] tag nist: ['CM-5 (6)'] + tag 'host', 'container' system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -perm /2000 -type f').stdout.strip.split("\n").entries valid_system_commands = Set[] diff --git a/controls/SV-238379.rb b/controls/SV-238379.rb index b5d5117..2964bf1 100644 --- a/controls/SV-238379.rb +++ b/controls/SV-238379.rb @@ -43,6 +43,7 @@ tag fix_id: 'F-41548r654311_fix ' tag cci: ['CCI-000366'] tag nist: ['CM-6 b'] + tag 'host', 'container' xorg_status = command('which Xorg').exit_status if xorg_status == 0 diff --git a/controls/SV-238380.rb b/controls/SV-238380.rb index 3770b91..8521af9 100644 --- a/controls/SV-238380.rb +++ b/controls/SV-238380.rb @@ -40,6 +40,7 @@ tag fix_id: 'F-41549r832973_fix ' tag cci: ['CCI-000366'] tag nist: ['CM-6 b'] + tag 'host', 'container' describe service('ctrl-alt-del.target') do it { should_not be_running } diff --git a/controls/SV-251503.rb b/controls/SV-251503.rb index 565c101..eea435d 100644 --- a/controls/SV-251503.rb +++ b/controls/SV-251503.rb @@ -26,6 +26,7 @@ tag fix_id: 'F-54892r808505_fix ' tag cci: ['CCI-000366'] tag nist: ['CM-6 b'] + tag 'host', 'container' describe command("sudo awk -F: '!$2 {print $1}' /etc/shadow") do its('stdout') { should be_empty } diff --git a/controls/SV-251504.rb b/controls/SV-251504.rb index 55b243a..d159e01 100644 --- a/controls/SV-251504.rb +++ b/controls/SV-251504.rb @@ -27,6 +27,7 @@ tag fix_id: 'F-54893r832976_fix ' tag cci: ['CCI-000366'] tag nist: ['CM-6 b'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-251505.rb b/controls/SV-251505.rb index 95c9539..924a9dd 100644 --- a/controls/SV-251505.rb +++ b/controls/SV-251505.rb @@ -49,6 +49,7 @@ tag fix_id: 'F-54894r808511_fix ' tag cci: ['CCI-001958'] tag nist: ['IA-3'] + tag 'host' if virtualization.system.eql?('docker') impact 0.0 diff --git a/controls/SV-252704.rb b/controls/SV-252704.rb index aad1d9b..c5e5b1c 100644 --- a/controls/SV-252704.rb +++ b/controls/SV-252704.rb @@ -72,6 +72,7 @@ module with the following command: tag fix_id: 'F-56110r819056_fix ' tag cci: ['CCI-002418'] tag nist: ['SC-8'] + tag 'host', 'container' describe command('ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename') do its('stdout.lines') { should be_in input('approved_wireless_interfaces') } From b434e90d3ab1ba1bb6b9d41e31ba60963f8e45e0 Mon Sep 17 00:00:00 2001 From: HackerShark Date: Fri, 9 Dec 2022 19:27:13 +0000 Subject: [PATCH 100/100] Updating profile.json in the repository --- profile.json | 915 ++++++++++++++++++++++++++++++++------------------- 1 file changed, 582 insertions(+), 333 deletions(-) diff --git a/profile.json b/profile.json index 2aeec68..c28e2bd 100644 --- a/profile.json +++ b/profile.json @@ -226,9 +226,11 @@ ], "nist": [ "AC-17 (1)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238355' do\n title 'The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). '\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl is-enabled ufw\n\nIf the above command returns the status as \\\"disabled\\\", this is\na finding.\n\nVerify the Uncomplicated Firewall is active on the system by running the\nfollowing command:\n\n$ systemctl is-active ufw\n\nIf the above command returns \\\"inactive\\\" or\nany kind of error, this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the\nSystem Administrator if another application firewall is installed.\n\nIf no application\nfirewall is installed, this is a finding. \"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\n--now ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238355 '\n tag rid: 'SV-238355r853430_rule '\n tag stig_id: 'UBTU-20-010434 '\n tag fix_id: 'F-41524r654239_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "code": "control 'SV-238355' do\n title 'The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). '\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl is-enabled ufw\n\nIf the above command returns the status as \\\"disabled\\\", this is\na finding.\n\nVerify the Uncomplicated Firewall is active on the system by running the\nfollowing command:\n\n$ systemctl is-active ufw\n\nIf the above command returns \\\"inactive\\\" or\nany kind of error, this is a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the\nSystem Administrator if another application firewall is installed.\n\nIf no application\nfirewall is installed, this is a finding. \"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\n--now ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238355 '\n tag rid: 'SV-238355r853430_rule '\n tag stig_id: 'UBTU-20-010434 '\n tag fix_id: 'F-41524r654239_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n tag 'host', 'container'\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", "source_location": { "ref": "./controls/SV-238355.rb", "line": 1 @@ -257,9 +259,11 @@ ], "nist": [ "IA-2 (12)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238231' do\n title 'The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. '\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \\\"opensc-pcks11\\\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \\\"opensc-pcks11\\\" package is not installed,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to accept PIV credentials.\n\nInstall the\n\\\"opensc-pkcs11\\\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000376-GPOS-00161 '\n tag gid: 'V-238231 '\n tag rid: 'SV-238231r853411_rule '\n tag stig_id: 'UBTU-20-010064 '\n tag fix_id: 'F-41400r653867_fix '\n tag cci: ['CCI-001953']\n tag nist: ['IA-2 (12)']\n\n describe package('opensc-pkcs11') do\n it { should be_installed }\n end\nend\n", + "code": "control 'SV-238231' do\n title 'The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. '\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system accepts PIV credentials.\n\nVerify the \\\"opensc-pcks11\\\"\npackage is installed on the system with the following command:\n\n$ dpkg -l | grep\nopensc-pkcs11\n\nii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with\nsupport for PKCS#15 compatible cards\n\nIf the \\\"opensc-pcks11\\\" package is not installed,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to accept PIV credentials.\n\nInstall the\n\\\"opensc-pkcs11\\\" package using the following command:\n\n$ sudo apt-get install\nopensc-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000376-GPOS-00161 '\n tag gid: 'V-238231 '\n tag rid: 'SV-238231r853411_rule '\n tag stig_id: 'UBTU-20-010064 '\n tag fix_id: 'F-41400r653867_fix '\n tag cci: ['CCI-001953']\n tag nist: ['IA-2 (12)']\n tag 'host', 'container'\n\n describe package('opensc-pkcs11') do\n it { should be_installed }\n end\nend\n", "source_location": { "ref": "./controls/SV-238231.rb", "line": 1 @@ -288,9 +292,11 @@ ], "nist": [ "CM-7 a" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238327' do\n title 'The Ubuntu operating system must not have the rsh-server package installed. '\n desc \"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled. \"\n desc 'check', \"Verify the rsh-server package is installed with the following command:\n\n$ dpkg -l | grep\nrsh-server\n\nIf the rsh-server package is installed, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable non-essential capabilities by removing\nthe rsh-server package from the system with the following command:\n\n$ sudo apt-get remove\nrsh-server \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000095-GPOS-00049 '\n tag gid: 'V-238327 '\n tag rid: 'SV-238327r654156_rule '\n tag stig_id: 'UBTU-20-010406 '\n tag fix_id: 'F-41496r654155_fix '\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n\n describe package('rsh-server') do\n it { should_not be_installed }\n end\nend\n", + "code": "control 'SV-238327' do\n title 'The Ubuntu operating system must not have the rsh-server package installed. '\n desc \"It is detrimental for operating systems to provide, or install by default, functionality\nexceeding requirements or mission objectives. These unnecessary capabilities or services\nare often overlooked and therefore may remain unsecured. They increase the risk to the\nplatform by providing additional attack vectors.\n\nOperating systems are capable of\nproviding a wide variety of functions and services. Some of the functions and services,\nprovided by default, may not be necessary to support essential organizational operations\n(e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but\nare not limited to, games, software packages, tools, and demonstration software, not\nrelated to requirements or providing a wide array of functionality not required for every\nmission, but which cannot be disabled. \"\n desc 'check', \"Verify the rsh-server package is installed with the following command:\n\n$ dpkg -l | grep\nrsh-server\n\nIf the rsh-server package is installed, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable non-essential capabilities by removing\nthe rsh-server package from the system with the following command:\n\n$ sudo apt-get remove\nrsh-server \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000095-GPOS-00049 '\n tag gid: 'V-238327 '\n tag rid: 'SV-238327r654156_rule '\n tag stig_id: 'UBTU-20-010406 '\n tag fix_id: 'F-41496r654155_fix '\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n tag 'host', 'container'\n\n describe package('rsh-server') do\n it { should_not be_installed }\n end\nend\n", "source_location": { "ref": "./controls/SV-238327.rb", "line": 1 @@ -319,9 +325,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238281' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chcon\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chcon\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238281 '\n tag rid: 'SV-238281r654018_rule '\n tag stig_id: 'UBTU-20-010165 '\n tag fix_id: 'F-41450r654017_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chcon'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238281' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chcon command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chcon\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep chcon\n\n-a always,exit -F\npath=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chcon\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chcon -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238281 '\n tag rid: 'SV-238281r654018_rule '\n tag stig_id: 'UBTU-20-010165 '\n tag fix_id: 'F-41450r654017_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chcon'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238281.rb", "line": 1 @@ -350,9 +357,11 @@ ], "nist": [ "CM-5 (6)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238347' do\n title 'The Ubuntu operating system library files must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" have mode 0755 or less permissive with the following command:\n\n$ sudo find\n/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\n/usr/lib64/pkcs11-spy.so\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. \"\n desc 'fix', \"Configure the library files to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238347 '\n tag rid: 'SV-238347r654216_rule '\n tag stig_id: 'UBTU-20-010426 '\n tag fix_id: 'F-41516r654215_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are less permissive than 0755' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238347' do\n title 'The Ubuntu operating system library files must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" have mode 0755 or less permissive with the following command:\n\n$ sudo find\n/lib /lib64 /usr/lib -perm /022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\n/usr/lib64/pkcs11-spy.so\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. \"\n desc 'fix', \"Configure the library files to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238347 '\n tag rid: 'SV-238347r654216_rule '\n tag stig_id: 'UBTU-20-010426 '\n tag fix_id: 'F-41516r654215_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are less permissive than 0755' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238347.rb", "line": 1 @@ -390,9 +399,10 @@ "AC-17 (2)", "SC-8 (1)", "MA-4 (6)" - ] + ], + "host": null }, - "code": "control 'SV-238217' do\n title \"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \\\"strongest to\nweakest\\\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \\\"aes256-ctr\\\",\n\\\"aes192-ctr\\\", or \\\"aes128-ctr\\\" are listed, the order differs from the example above, the\n\\\"Ciphers\\\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000033-GPOS-00014 SRG-OS-000394-GPOS-00174)\n tag gid: 'V-238217 '\n tag rid: 'SV-238217r860821_rule '\n tag stig_id: 'UBTU-20-010044 '\n tag fix_id: 'F-41386r653825_fix '\n tag cci: %w(CCI-000068 CCI-002421 CCI-003123)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n @ciphers_array = inspec.sshd_config.params['ciphers']\n\n @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil?\n\n describe @ciphers_array do\n it { should be_in %w(aes256-ctr aes192-ctr aes128-ctr) }\n end\n end\nend\n", + "code": "control 'SV-238217' do\n title \"The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers\nto prevent the unauthorized disclosure of information and/or detect changes to information\nduring transmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nNonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\nBy specifying a cipher list with the order of ciphers being in a \\\"strongest to\nweakest\\\" orientation, the system will automatically attempt to use the strongest cipher for\nsecuring SSH connections.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running\nthe following command:\n\n$ grep -r 'Ciphers' /etc/ssh/sshd_config*\n\nCiphers\naes256-ctr,aes192-ctr,aes128-ctr\n\nIf any ciphers other than \\\"aes256-ctr\\\",\n\\\"aes192-ctr\\\", or \\\"aes128-ctr\\\" are listed, the order differs from the example above, the\n\\\"Ciphers\\\" keyword is missing, or the returned line is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only implement\nFIPS-approved algorithms.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\n\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n\nRestart the SSH daemon for the changes to\ntake effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000033-GPOS-00014 SRG-OS-000394-GPOS-00174)\n tag gid: 'V-238217 '\n tag rid: 'SV-238217r860821_rule '\n tag stig_id: 'UBTU-20-010044 '\n tag fix_id: 'F-41386r653825_fix '\n tag cci: %w(CCI-000068 CCI-002421 CCI-003123)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n tag 'host'\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n @ciphers_array = inspec.sshd_config.params['ciphers']\n\n @ciphers_array = @ciphers_array.first.split(',') unless @ciphers_array.nil?\n\n describe @ciphers_array do\n it { should be_in %w(aes256-ctr aes192-ctr aes128-ctr) }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238217.rb", "line": 1 @@ -430,9 +440,10 @@ "AC-17 (2)", "SC-8 (1)", "MA-4 (6)" - ] + ], + "host": null }, - "code": "control 'SV-238216' do\n title \"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \\\"hmac-sha2-512\\\" or\n\\\"hmac-sha2-256\\\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173)\n tag gid: 'V-238216 '\n tag rid: 'SV-238216r860820_rule '\n tag stig_id: 'UBTU-20-010043 '\n tag fix_id: 'F-41385r653822_fix '\n tag cci: %w(CCI-001453 CCI-002421 CCI-002890)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n @macs_array = inspec.sshd_config.params['macs']\n\n @macs_array = @macs_array.first.split(',') unless @macs_array.nil?\n\n describe @macs_array do\n it { should be_in %w(hmac-sha2-256 hmac-sha2-512) }\n end\n end\nend\n", + "code": "control 'SV-238216' do\n title \"The Ubuntu operating system must configure the SSH daemon to use Message Authentication\nCodes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the\nunauthorized disclosure of information and/or detect changes to information during\ntransmission. \"\n desc \"Without cryptographic integrity protections, information can be altered by unauthorized\nusers without detection.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are\nthose activities conducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network.\n\nLocal maintenance and\ndiagnostic activities are those activities carried out by individuals physically present\nat the information system or information system component and not communicating across a\nnetwork connection.\n\nEncrypting information for transmission protects information from\nunauthorized disclosure and modification. Cryptographic mechanisms implemented to\nprotect information integrity include, for example, cryptographic hash functions which\nhave common application in digital signatures, checksums, and message authentication\ncodes.\n\n \"\n desc 'check', \"Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers\nwith the following command:\n\n$ grep -ir macs /etc/ssh/sshd_config*\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nIf any ciphers other than \\\"hmac-sha2-512\\\" or\n\\\"hmac-sha2-256\\\" are listed, the order differs from the example above, or the returned line is\ncommented out, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS\n140-2 approved ciphers.\n\nAdd the following line (or modify the line to have the required\nvalue) to the \\\"/etc/ssh/sshd_config\\\" file (this file may be named differently or be in a\ndifferent location if using a version of SSH that is provided by a third-party vendor):\n\nMACs\nhmac-sha2-512,hmac-sha2-256\n\nRestart the SSH daemon for the changes to take effect:\n\n$\nsudo systemctl reload sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000424-GPOS-00188 '\n tag satisfies: %w(SRG-OS-000424-GPOS-00188 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173)\n tag gid: 'V-238216 '\n tag rid: 'SV-238216r860820_rule '\n tag stig_id: 'UBTU-20-010043 '\n tag fix_id: 'F-41385r653822_fix '\n tag cci: %w(CCI-001453 CCI-002421 CCI-002890)\n tag nist: ['AC-17 (2)', 'SC-8 (1)', 'MA-4 (6)']\n tag 'host'\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n @macs_array = inspec.sshd_config.params['macs']\n\n @macs_array = @macs_array.first.split(',') unless @macs_array.nil?\n\n describe @macs_array do\n it { should be_in %w(hmac-sha2-256 hmac-sha2-512) }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238216.rb", "line": 1 @@ -461,9 +472,11 @@ ], "nist": [ "IA-2 (5)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238329' do\n title 'The Ubuntu operating system must prevent direct login into the root account. '\n desc \"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\\\"root\\\" user account, the Windows \\\"Administrator\\\" account, the \\\"sa\\\" account, or a \\\"helpdesk\\\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge. \"\n desc 'check', \"Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \\\"L\\\" in the second field to indicate the account is locked, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000109-GPOS-00056 '\n tag gid: 'V-238329 '\n tag rid: 'SV-238329r654162_rule '\n tag stig_id: 'UBTU-20-010408 '\n tag fix_id: 'F-41498r654161_fix '\n tag cci: ['CCI-000770']\n tag nist: ['IA-2 (5)']\n\n describe.one do\n describe shadow.where(user: 'root') do\n its('passwords.uniq.first') { should eq '!*' }\n end\n end\n describe command('passwd -S root').stdout.strip do\n it { should match(/^root\\s+L\\s+.*$/) }\n end\nend\n", + "code": "control 'SV-238329' do\n title 'The Ubuntu operating system must prevent direct login into the root account. '\n desc \"To assure individual accountability and prevent unauthorized access, organizational\nusers must be individually identified and authenticated.\n\nA group authenticator is a\ngeneric account used by multiple individuals. Use of a group authenticator alone does not\nuniquely identify individual users. Examples of the group authenticator is the UNIX OS\n\\\"root\\\" user account, the Windows \\\"Administrator\\\" account, the \\\"sa\\\" account, or a \\\"helpdesk\\\"\naccount.\n\nFor example, the UNIX and Windows operating systems offer a 'switch user'\ncapability allowing users to authenticate with their individual credentials and, when\nneeded, 'switch' to the administrator role. This method provides for unique individual\nauthentication prior to using a group authenticator.\n\nUsers (and any processes acting on\nbehalf of users) need to be uniquely identified and authenticated for all accesses other than\nthose accesses explicitly identified and documented by the organization, which outlines\nspecific user actions that can be performed on the operating system without identification\nor authentication.\n\nRequiring individuals to be authenticated with an individual\nauthenticator prior to using a group authenticator allows for traceability of actions, as\nwell as adding an additional level of protection of the actions that can be taken with group\naccount knowledge. \"\n desc 'check', \"Verify the Ubuntu operating system prevents direct logins to the root account with the\nfollowing command:\n\n$ sudo passwd -S root\n\nroot L 04/23/2020 0 99999 7 -1\n\nIf the output does\nnot contain \\\"L\\\" in the second field to indicate the account is locked, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent direct logins to the root account by\nperforming the following operations:\n\n$ sudo passwd -l root \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000109-GPOS-00056 '\n tag gid: 'V-238329 '\n tag rid: 'SV-238329r654162_rule '\n tag stig_id: 'UBTU-20-010408 '\n tag fix_id: 'F-41498r654161_fix '\n tag cci: ['CCI-000770']\n tag nist: ['IA-2 (5)']\n tag 'host', 'container'\n\n describe.one do\n describe shadow.where(user: 'root') do\n its('passwords.uniq.first') { should eq '!*' }\n end\n end\n describe command('passwd -S root').stdout.strip do\n it { should match(/^root\\s+L\\s+.*$/) }\n end\nend\n", "source_location": { "ref": "./controls/SV-238329.rb", "line": 1 @@ -492,9 +505,11 @@ ], "nist": [ "CM-6 b" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238379' do\n title \"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. \"\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \\\"logout\\\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \\\"logout\\\" key is bound to an action, is\ncommented out, or is missing, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238379 '\n tag rid: 'SV-238379r654312_rule '\n tag stig_id: 'UBTU-20-010459 '\n tag fix_id: 'F-41548r654311_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe command(\"grep -R logout='' /etc/dconf/db/local.d/\").stdout.strip.split(\"\\n\").entries do\n its('count') { should_not eq 0 }\n end\n else\n impact 0.0\n describe command('which Xorg').exit_status do\n skip('This control is Not Applicable since a GUI not installed.')\n end\n end\nend\n", + "code": "control 'SV-238379' do\n title \"The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical\nuser interface is installed. \"\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. In the graphical environment, risk of unintentional reboot from the\nCtrl-Alt-Delete sequence is reduced because the user will be prompted before any action is\ntaken. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed when using a graphical user interface.\n\nCheck that the \\\"logout\\\"\ntarget is not bound to an action with the following command:\n\n# grep logout\n/etc/dconf/db/local.d/*\n\nlogout=''\n\nIf the \\\"logout\\\" key is bound to an action, is\ncommented out, or is missing, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user\ninterface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file.\n\nAdd\nthe setting to disable the Ctrl-Alt-Delete sequence for the graphical user\ninterface:\n\n[org/gnome/settings-daemon/plugins/media-keys]\nlogout=''\n\nUpdate the\ndconf settings:\n\n# dconf update \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238379 '\n tag rid: 'SV-238379r654312_rule '\n tag stig_id: 'UBTU-20-010459 '\n tag fix_id: 'F-41548r654311_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n xorg_status = command('which Xorg').exit_status\n if xorg_status == 0\n describe command(\"grep -R logout='' /etc/dconf/db/local.d/\").stdout.strip.split(\"\\n\").entries do\n its('count') { should_not eq 0 }\n end\n else\n impact 0.0\n describe command('which Xorg').exit_status do\n skip('This control is Not Applicable since a GUI not installed.')\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238379.rb", "line": 1 @@ -523,9 +538,11 @@ ], "nist": [ "IA-5 (1) (a)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238223' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \\\"dcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"dcredit\\\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \\\"dcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\"\nfile to contain the \\\"dcredit\\\" parameter:\n\ndcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000071-GPOS-00039 '\n tag gid: 'V-238223 '\n tag rid: 'SV-238223r653844_rule '\n tag stig_id: 'UBTU-20-010052 '\n tag fix_id: 'F-41392r653843_fix '\n tag cci: ['CCI-000194']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238223' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nnumeric character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none numeric character be used.\n\nDetermine if the field \\\"dcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"dcredit\\\"\n/etc/security/pwquality.conf\ndcredit=-1\n\nIf the \\\"dcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one numeric character be used.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\"\nfile to contain the \\\"dcredit\\\" parameter:\n\ndcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000071-GPOS-00039 '\n tag gid: 'V-238223 '\n tag rid: 'SV-238223r653844_rule '\n tag stig_id: 'UBTU-20-010052 '\n tag fix_id: 'F-41392r653843_fix '\n tag cci: ['CCI-000194']\n tag nist: ['IA-5 (1) (a)']\n tag 'host', 'container'\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238223.rb", "line": 1 @@ -560,9 +577,10 @@ "nist": [ "IA-5 (1) (c)", "IA-5 (1) (e)" - ] + ], + "host": null }, - "code": "control 'SV-238234' do\n title 'The Ubuntu operating system must prohibit password reuse for a minimum of five generations. '\n desc \"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \\\"remember\\\" parameter value is not greater\nthan or equal to \\\"5\\\", is commented out, or is not set at all, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \\\"remember\\\" parameter value to the following line in\n\\\"/etc/pam.d/common-password\\\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000077-GPOS-00045 '\n tag satisfies: %w(SRG-OS-000077-GPOS-00045 SRG-OS-000073-GPOS-00041)\n tag gid: 'V-238234 '\n tag rid: 'SV-238234r832945_rule '\n tag stig_id: 'UBTU-20-010070 '\n tag fix_id: 'F-41403r832944_fix '\n tag cci: %w(CCI-000196 CCI-000200)\n tag nist: ['IA-5 (1) (c)', 'IA-5 (1) (e)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-password') do\n it { should exist }\n end\n\n describe command(\"grep -i remember /etc/pam.d/common-password | sed 's/.*remember=\\\\([^ ]*\\\\).*/\\\\1/'\") do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should cmp >= 5 }\n end\n end\nend\n", + "code": "control 'SV-238234' do\n title 'The Ubuntu operating system must prohibit password reuse for a minimum of five generations. '\n desc \"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \\\"remember\\\" parameter value is not greater\nthan or equal to \\\"5\\\", is commented out, or is not set at all, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \\\"remember\\\" parameter value to the following line in\n\\\"/etc/pam.d/common-password\\\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000077-GPOS-00045 '\n tag satisfies: %w(SRG-OS-000077-GPOS-00045 SRG-OS-000073-GPOS-00041)\n tag gid: 'V-238234 '\n tag rid: 'SV-238234r832945_rule '\n tag stig_id: 'UBTU-20-010070 '\n tag fix_id: 'F-41403r832944_fix '\n tag cci: %w(CCI-000196 CCI-000200)\n tag nist: ['IA-5 (1) (c)', 'IA-5 (1) (e)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-password') do\n it { should exist }\n end\n\n describe command(\"grep -i remember /etc/pam.d/common-password | sed 's/.*remember=\\\\([^ ]*\\\\).*/\\\\1/'\") do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should cmp >= 5 }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238234.rb", "line": 1 @@ -591,9 +609,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238253' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"chfn\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chfn\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238253 '\n tag rid: 'SV-238253r653934_rule '\n tag stig_id: 'UBTU-20-010137 '\n tag fix_id: 'F-41422r653933_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chfn'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238253' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chfn command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"chfn\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/chfn'\n\n-a always,exit -F\npath=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chfn\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chfn -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k privileged-chfn\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238253 '\n tag rid: 'SV-238253r653934_rule '\n tag stig_id: 'UBTU-20-010137 '\n tag fix_id: 'F-41422r653933_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chfn'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238253.rb", "line": 1 @@ -622,9 +641,10 @@ ], "nist": [ "IA-5 (2) (d)" - ] + ], + "host": null }, - "code": "control 'SV-238233' do\n title \"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. \"\n desc \"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates). \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \\\"crl_offline\\\" or \\\"crl_auto\\\" is\npart of the \\\"cert_policy\\\" definition in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\\\"cert_policy\\\" is not set to include \\\"crl_auto\\\" or \\\"crl_offline\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\\\"cert_policy\\\" option in \\\"/etc/pam/_pkcs11/pam_pkcs11.conf\\\" to include \\\"crl_auto\\\" or\n\\\"crl_offline\\\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \\\"/etc/pam_pkcs11/\\\" directory and an \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find\nan example to copy into place and modify accordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000384-GPOS-00167 '\n tag gid: 'V-238233 '\n tag rid: 'SV-238233r853413_rule '\n tag stig_id: 'UBTU-20-010066 '\n tag fix_id: 'F-41402r653873_fix '\n tag cci: ['CCI-001991']\n tag nist: ['IA-5 (2) (d)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe.one do\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_auto' }\n end\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_offline' }\n end\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238233' do\n title \"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. \"\n desc \"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates). \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \\\"crl_offline\\\" or \\\"crl_auto\\\" is\npart of the \\\"cert_policy\\\" definition in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\\\"cert_policy\\\" is not set to include \\\"crl_auto\\\" or \\\"crl_offline\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\\\"cert_policy\\\" option in \\\"/etc/pam/_pkcs11/pam_pkcs11.conf\\\" to include \\\"crl_auto\\\" or\n\\\"crl_offline\\\".\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the system is\nmissing an \\\"/etc/pam_pkcs11/\\\" directory and an \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find\nan example to copy into place and modify accordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000384-GPOS-00167 '\n tag gid: 'V-238233 '\n tag rid: 'SV-238233r853413_rule '\n tag stig_id: 'UBTU-20-010066 '\n tag fix_id: 'F-41402r653873_fix '\n tag cci: ['CCI-001991']\n tag nist: ['IA-5 (2) (d)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe.one do\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_auto' }\n end\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_offline' }\n end\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238233.rb", "line": 1 @@ -659,9 +679,11 @@ "nist": [ "AC-11 b", "AC-11 a" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238199' do\n title \"The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.\n\n \"\n desc 'check', \"Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \\\"lock-enabled\\\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \\\"lock-enabled\\\" is\nnot set to \\\"true\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \\\"lock-enabled\\\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000028-GPOS-00009 '\n tag satisfies: %w(SRG-OS-000028-GPOS-00009 SRG-OS-000029-GPOS-00010)\n tag gid: 'V-238199 '\n tag rid: 'SV-238199r653772_rule '\n tag stig_id: 'UBTU-20-010004 '\n tag fix_id: 'F-41368r653771_fix '\n tag cci: %w(CCI-000056 CCI-000057)\n tag nist: ['AC-11 b', 'AC-11 a']\n\n xorg_status = command('which Xorg').exit_status\n\n if xorg_status == 0\n describe command('gsettings get org.gnome.desktop.screensaver lock-enabled') do\n its('stdout') { should cmp 'true' }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n", + "code": "control 'SV-238199' do\n title \"The Ubuntu operating system must retain a user's session lock until that user reestablishes\naccess using established identification and authentication procedures. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined.\n\nRegardless of where the session lock is determined and\nimplemented, once invoked, a session lock of the Ubuntu operating system must remain in place\nuntil the user reauthenticates. No other activity aside from reauthentication must unlock\nthe system.\n\n \"\n desc 'check', \"Verify the Ubuntu operation system has a graphical user interface session lock enabled.\n\n\nNote: If the Ubuntu operating system does not have a graphical user interface installed,\nthis requirement is Not Applicable.\n\nGet the \\\"lock-enabled\\\" setting to verify the\ngraphical user interface session has the lock enabled with the following command:\n\n$ sudo\ngsettings get org.gnome.desktop.screensaver lock-enabled\n\n true\n\nIf \\\"lock-enabled\\\" is\nnot set to \\\"true\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow a user to lock the current graphical user\ninterface session.\n\nNote: If the Ubuntu operating system does not have a graphical user\ninterface installed, this requirement is Not Applicable.\n\nSet the \\\"lock-enabled\\\" setting\nto allow graphical user interface session locks with the following command:\n\n$ sudo\ngsettings set org.gnome.desktop.screensaver lock-enabled true \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000028-GPOS-00009 '\n tag satisfies: %w(SRG-OS-000028-GPOS-00009 SRG-OS-000029-GPOS-00010)\n tag gid: 'V-238199 '\n tag rid: 'SV-238199r653772_rule '\n tag stig_id: 'UBTU-20-010004 '\n tag fix_id: 'F-41368r653771_fix '\n tag cci: %w(CCI-000056 CCI-000057)\n tag nist: ['AC-11 b', 'AC-11 a']\n tag 'host', 'container'\n\n xorg_status = command('which Xorg').exit_status\n\n if xorg_status == 0\n describe command('gsettings get org.gnome.desktop.screensaver lock-enabled') do\n its('stdout') { should cmp 'true' }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238199.rb", "line": 1 @@ -695,9 +717,10 @@ ], "nist": [ "AU-9 a" - ] + ], + "host": null }, - "code": "control 'SV-238247' do\n title \"The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \\\"log_group\\\" parameter is other than \\\"root\\\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \\\"root\\\" group by using the following command:\n$ sudo stat -c \\\"%n %G\\\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" group.\n\nSet\nthe \\\"log_group\\\" parameter of the audit configuration file to the \\\"root\\\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238247 '\n tag rid: 'SV-238247r832947_rule '\n tag stig_id: 'UBTU-20-010124 '\n tag fix_id: 'F-41416r832946_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('group') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238247' do\n title \"The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \\\"log_group\\\" parameter is other than \\\"root\\\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \\\"root\\\" group by using the following command:\n$ sudo stat -c \\\"%n %G\\\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" group.\n\nSet\nthe \\\"log_group\\\" parameter of the audit configuration file to the \\\"root\\\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238247 '\n tag rid: 'SV-238247r832947_rule '\n tag stig_id: 'UBTU-20-010124 '\n tag fix_id: 'F-41416r832946_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('group') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238247.rb", "line": 1 @@ -726,9 +749,11 @@ ], "nist": [ "CM-5 (6)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238350' do\n title 'The Ubuntu operating system library directories must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library directory is returned, this is a\nfinding. \"\n desc 'fix', \"Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238350 '\n tag rid: 'SV-238350r654225_rule '\n tag stig_id: 'UBTU-20-010429 '\n tag fix_id: 'F-41519r654224_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT owned by root' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238350' do\n title 'The Ubuntu operating system library directories must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library directory is returned, this is a\nfinding. \"\n desc 'fix', \"Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238350 '\n tag rid: 'SV-238350r654225_rule '\n tag stig_id: 'UBTU-20-010429 '\n tag fix_id: 'F-41519r654224_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT owned by root' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238350.rb", "line": 1 @@ -757,9 +782,11 @@ ], "nist": [ "SC-3" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238206' do\n title \"The Ubuntu operating system must ensure only users who need access to security functions are\npart of sudo group. \"\n desc \"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities. \"\n desc 'check', \"Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding. \"\n desc 'fix', \"Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000134-GPOS-00068 '\n tag gid: 'V-238206 '\n tag rid: 'SV-238206r653793_rule '\n tag stig_id: 'UBTU-20-010012 '\n tag fix_id: 'F-41375r653792_fix '\n tag cci: ['CCI-001084']\n tag nist: ['SC-3']\n\n sudo_accounts = input('sudo_accounts')\n\n if sudo_accounts.count > 0\n sudo_accounts.each do |account|\n describe group('sudo') do\n its('members') { should include account }\n end\n end\n else\n describe.one do\n describe group('sudo') do\n its('members') { should be_nil }\n end\n describe group('sudo') do\n its('members') { should be_empty }\n end\n end\n end\nend\n", + "code": "control 'SV-238206' do\n title \"The Ubuntu operating system must ensure only users who need access to security functions are\npart of sudo group. \"\n desc \"An isolation boundary provides access control and protects the integrity of the hardware,\nsoftware, and firmware that perform security functions.\n\nSecurity functions are the\nhardware, software, and/or firmware of the information system responsible for enforcing\nthe system security policy and supporting the isolation of code and data on which the\nprotection is based. Operating systems implement code separation (i.e., separation of\nsecurity functions from nonsecurity functions) in a number of ways, including through the\nprovision of security kernels via processor rings or processor modes. For non-kernel code,\nsecurity function isolation is often achieved through file system protections that serve to\nprotect the code on disk and address space protections that protect executing code.\n\n\nDevelopers and implementers can increase the assurance in security functions by employing\nwell-defined security policy models; structured, disciplined, and rigorous hardware and\nsoftware development techniques; and sound system/security engineering principles.\nImplementation may include isolation of memory space and libraries.\n\nThe Ubuntu operating\nsystem restricts access to security functions through the use of access control mechanisms\nand by implementing least privilege capabilities. \"\n desc 'check', \"Verify the sudo group has only members who should have access to security functions.\n\n$ grep\nsudo /etc/group\n\nsudo:x:27:foo\n\nIf the sudo group contains users not needing access to\nsecurity functions, this is a finding. \"\n desc 'fix', \"Configure the sudo group with only members requiring access to security functions.\n\nTo\nremove a user from the sudo group, run:\n\n$ sudo gpasswd -d <username> sudo \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000134-GPOS-00068 '\n tag gid: 'V-238206 '\n tag rid: 'SV-238206r653793_rule '\n tag stig_id: 'UBTU-20-010012 '\n tag fix_id: 'F-41375r653792_fix '\n tag cci: ['CCI-001084']\n tag nist: ['SC-3']\n tag 'host', 'container'\n\n sudo_accounts = input('sudo_accounts')\n\n if sudo_accounts.count > 0\n sudo_accounts.each do |account|\n describe group('sudo') do\n its('members') { should include account }\n end\n end\n else\n describe.one do\n describe group('sudo') do\n its('members') { should be_nil }\n end\n describe group('sudo') do\n its('members') { should be_empty }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238206.rb", "line": 1 @@ -788,9 +815,10 @@ ], "nist": [ "AU-4" - ] + ], + "host": null }, - "code": "control 'SV-238305' do\n title \"The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. \"\n desc \"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system. \"\n desc 'check', \"Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \\\"/var/log/audit/\\\") with the following command:\n\n$\nsudo df –h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\\\"/var/log/audit\\\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du –sh [audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding. \"\n desc 'fix', \"Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \\\"parted\\\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\\\s*=\\\\s*).*@\\\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000341-GPOS-00132 '\n tag gid: 'V-238305 '\n tag rid: 'SV-238305r853423_rule '\n tag stig_id: 'UBTU-20-010215 '\n tag fix_id: 'F-41474r654089_fix '\n tag cci: ['CCI-001849']\n tag nist: ['AU-4']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n log_file_dir = File.dirname(log_file)\n available_storage = filesystem(log_file_dir).free_kb\n log_file_size = file(log_file).size\n standard_audit_log_size = input('standard_audit_log_size')\n describe('Current audit log file size is less than the specified standard of ' + standard_audit_log_size.to_s) do\n subject { log_file_size.to_i }\n it { should be <= standard_audit_log_size }\n end\n describe('Available storage for audit log should be more than the defined standard of ' + standard_audit_log_size.to_s) do\n subject { available_storage.to_i }\n it { should be > standard_audit_log_size }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238305' do\n title \"The Ubuntu operating system must allocate audit record storage capacity to store at least one\nweeks' worth of audit records, when audit records are not immediately sent to a central audit\nrecord storage facility. \"\n desc \"In order to ensure operating systems have a sufficient storage capacity in which to write the\naudit logs, operating systems need to be able to allocate audit record storage capacity.\n\n\nThe task of allocating audit record storage capacity is usually performed during initial\ninstallation of the operating system. \"\n desc 'check', \"Verify the Ubuntu operating system allocates audit record storage capacity to store at least\none week's worth of audit records when audit records are not immediately sent to a central\naudit record storage facility.\n\nDetermine which partition the audit records are being\nwritten to with the following command:\n\n$ sudo grep ^log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records\nare written to (with the example being \\\"/var/log/audit/\\\") with the following command:\n\n$\nsudo df –h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit\nrecords are not written to a partition made specifically for audit records\n(\\\"/var/log/audit\\\" is a separate partition), determine the amount of space being used by\nother files in the partition with the following command:\n\n$ sudo du –sh [audit_partition]\n\n1.8G /var/log/audit\n\nNote: The partition size needed to capture a week's worth of audit\nrecords is based on the activity level of the system and the total storage capacity available.\nIn normal circumstances, 10.0 GB of storage space for audit records will be sufficient.\n\nIf\nthe audit record partition is not allocated for sufficient storage capacity, this is a\nfinding. \"\n desc 'fix', \"Allocate enough storage capacity for at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage facility.\n\nIf audit\nrecords are stored on a partition made specifically for audit records, use the \\\"parted\\\"\nprogram to resize the partition with sufficient space to contain one week's worth of audit\nrecords.\n\nIf audit records are not stored on a partition made specifically for audit\nrecords, a new partition with sufficient amount of space will need be to be created.\n\nSet the\nauditd server to point to the mount point where the audit records must be located:\n\n$ sudo sed\n-i -E 's@^(log_file\\\\s*=\\\\s*).*@\\\\1 <log mountpoint>/audit.log@'\n/etc/audit/auditd.conf\n\nwhere <log mountpoint> is the aforementioned mount\npoint. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000341-GPOS-00132 '\n tag gid: 'V-238305 '\n tag rid: 'SV-238305r853423_rule '\n tag stig_id: 'UBTU-20-010215 '\n tag fix_id: 'F-41474r654089_fix '\n tag cci: ['CCI-001849']\n tag nist: ['AU-4']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n log_file_dir = File.dirname(log_file)\n available_storage = filesystem(log_file_dir).free_kb\n log_file_size = file(log_file).size\n standard_audit_log_size = input('standard_audit_log_size')\n describe('Current audit log file size is less than the specified standard of ' + standard_audit_log_size.to_s) do\n subject { log_file_size.to_i }\n it { should be <= standard_audit_log_size }\n end\n describe('Available storage for audit log should be more than the defined standard of ' + standard_audit_log_size.to_s) do\n subject { available_storage.to_i }\n it { should be > standard_audit_log_size }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238305.rb", "line": 1 @@ -819,9 +847,11 @@ ], "nist": [ "SC-8" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-252704' do\n title 'The Ubuntu operating system must disable all wireless network adapters. '\n desc \"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required. \"\n desc 'check', \"Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding. \"\n desc 'fix', \"List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \\\"/etc/modprobe.d\\\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000481-GPOS-00481 '\n tag gid: 'V-252704 '\n tag rid: 'SV-252704r854182_rule '\n tag stig_id: 'UBTU-20-010455 '\n tag fix_id: 'F-56110r819056_fix '\n tag cci: ['CCI-002418']\n tag nist: ['SC-8']\n\n describe command('ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename') do\n its('stdout.lines') { should be_in input('approved_wireless_interfaces') }\n end\nend\n", + "code": "control 'SV-252704' do\n title 'The Ubuntu operating system must disable all wireless network adapters. '\n desc \"Without protection of communications with wireless peripherals, confidentiality and\nintegrity may be compromised because unprotected communications can be intercepted and\neither read, altered, or used to compromise the operating system.\n\nThis requirement\napplies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays,\netc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR\nKeyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique\nchallenge by creating an open, unsecured port on a computer. Wireless peripherals must meet\nDoD requirements for wireless data transmission and be approved for use by the AO. Even though\nsome wireless peripherals, such as mice and pointing devices, do not ordinarily carry\ninformation that need to be protected, modification of communications with these wireless\nperipherals may be used to compromise the operating system. Communication paths outside the\nphysical protection of a controlled boundary are exposed to the possibility of interception\nand modification.\n\nProtecting the confidentiality and integrity of communications with\nwireless peripherals can be accomplished by physical means (e.g., employing physical\nbarriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic\ntechniques). If physical means of protection are employed, then logical means\n(cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only\npassing telemetry data, encryption of the data may not be required. \"\n desc 'check', \"Note: This requirement is Not Applicable for systems that do not have physical wireless\nnetwork radios.\n\nVerify that there are no wireless interfaces configured on the system with\nthe following command:\n\n$ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs\nbasename\n\nIf a wireless interface is configured and has not been documented and approved by\nthe ISSO, this is a finding. \"\n desc 'fix', \"List all the wireless interfaces with the following command:\n\n$ ls -L -d\n/sys/class/net/*/wireless | xargs dirname | xargs basename\n\nFor each interface,\nconfigure the system to disable wireless network interfaces with the following command:\n\n$\nsudo ifdown <interface name>\n\nFor each interface listed, find their respective\nmodule with the following command:\n\n$ basename $(readlink -f\n/sys/class/net/<interface name>/device/driver)\n\nwhere <interface name>\nmust be substituted by the actual interface name.\n\nCreate a file in the \\\"/etc/modprobe.d\\\"\ndirectory and for each module, add the following line:\n\ninstall <module name>\n/bin/true\n\nFor each module from the system, execute the following command to remove it:\n\n$\nsudo modprobe -r <module name> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000481-GPOS-00481 '\n tag gid: 'V-252704 '\n tag rid: 'SV-252704r854182_rule '\n tag stig_id: 'UBTU-20-010455 '\n tag fix_id: 'F-56110r819056_fix '\n tag cci: ['CCI-002418']\n tag nist: ['SC-8']\n tag 'host', 'container'\n\n describe command('ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename') do\n its('stdout.lines') { should be_in input('approved_wireless_interfaces') }\n end\nend\n", "source_location": { "ref": "./controls/SV-252704.rb", "line": 1 @@ -883,9 +913,11 @@ ], "nist": [ "AU-9" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238344' do\n title \"The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \\\"%n %a\\\"\n'{}' \\\\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238344 '\n tag rid: 'SV-238344r654207_rule '\n tag stig_id: 'UBTU-20-010423 '\n tag fix_id: 'F-41513r654206_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or\n /usr/local/sbin, that are less permissive than 0755\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238344' do\n title \"The Ubuntu operating system must have directories that contain system commands set to a mode\nof 0755 or less permissive. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories have mode 0755 or less permissive:\n\n/bin\n/sbin\n\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nCheck that the system command\ndirectories have mode 0755 or less permissive with the following command:\n\n$ find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c \\\"%n %a\\\"\n'{}' \\\\;\n\nIf any directories are found to be group-writable or world-writable, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238344 '\n tag rid: 'SV-238344r654207_rule '\n tag stig_id: 'UBTU-20-010423 '\n tag fix_id: 'F-41513r654206_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n tag 'host', 'container'\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or\n /usr/local/sbin, that are less permissive than 0755\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238344.rb", "line": 1 @@ -914,9 +946,11 @@ ], "nist": [ "CM-5 (6)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238348' do\n title 'The Ubuntu operating system library directories must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib have\nmode 0755 or less permissive with the following command:\n\n$ sudo find /lib /lib64 /usr/lib\n-perm /022 -type d -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any of the aforementioned directories are\nfound to be group-writable or world-writable, this is a finding. \"\n desc 'fix', \"Configure the shared library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}'\n\\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238348 '\n tag rid: 'SV-238348r654219_rule '\n tag stig_id: 'UBTU-20-010427 '\n tag fix_id: 'F-41517r654218_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are less permissive than 0755' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238348' do\n title 'The Ubuntu operating system library directories must have mode 0755 or less permissive. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib have\nmode 0755 or less permissive with the following command:\n\n$ sudo find /lib /lib64 /usr/lib\n-perm /022 -type d -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any of the aforementioned directories are\nfound to be group-writable or world-writable, this is a finding. \"\n desc 'fix', \"Configure the shared library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}'\n\\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238348 '\n tag rid: 'SV-238348r654219_rule '\n tag stig_id: 'UBTU-20-010427 '\n tag fix_id: 'F-41517r654218_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /lib32 lib64 /usr/lib /usr/lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 -perm /022 -type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are less permissive than 0755' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238348.rb", "line": 1 @@ -945,9 +979,11 @@ ], "nist": [ "SI-11 b" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238338' do\n title \"The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log\n/var/log\nsyslog\n\nIf the \\\"/var/log\\\" directory is not group-owned by syslog, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog group-own the \\\"/var/log\\\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238338 '\n tag rid: 'SV-238338r654189_rule '\n tag stig_id: 'UBTU-20-010417 '\n tag fix_id: 'F-41507r654188_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n its('group') { should cmp 'syslog' }\n end\nend\n", + "code": "control 'SV-238338' do\n title \"The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log\n/var/log\nsyslog\n\nIf the \\\"/var/log\\\" directory is not group-owned by syslog, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog group-own the \\\"/var/log\\\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238338 '\n tag rid: 'SV-238338r654189_rule '\n tag stig_id: 'UBTU-20-010417 '\n tag fix_id: 'F-41507r654188_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host', 'container'\n\n describe directory('/var/log') do\n its('group') { should cmp 'syslog' }\n end\nend\n", "source_location": { "ref": "./controls/SV-238338.rb", "line": 1 @@ -981,9 +1017,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238285' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238285 '\n tag rid: 'SV-238285r654030_rule '\n tag stig_id: 'UBTU-20-010169 '\n tag fix_id: 'F-41454r654029_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/tallylog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238285' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\ntallylog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep tallylog\n\n-w /var/log/tallylog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"tallylog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/tallylog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238285 '\n tag rid: 'SV-238285r654030_rule '\n tag stig_id: 'UBTU-20-010169 '\n tag fix_id: 'F-41454r654029_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/tallylog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238285.rb", "line": 1 @@ -1012,9 +1049,11 @@ ], "nist": [ "SI-6 d" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238372' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \\\"yes\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000447-GPOS-00201 '\n tag gid: 'V-238372 '\n tag rid: 'SV-238372r853449_rule '\n tag stig_id: 'UBTU-20-010451 '\n tag fix_id: 'F-41541r654290_fix '\n tag cci: ['CCI-002702']\n tag nist: ['SI-6 d']\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n", + "code": "control 'SV-238372' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the operation of\nany security functions are discovered. \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the Ubuntu operating system. Changes to\nUbuntu operating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n\nDetecting such changes and providing an automated response can\nhelp avoid unintended, negative consequences that could ultimately affect the security\nstate of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be\nnotified via email and/or monitoring system trap when there is an unauthorized modification\nof a configuration item. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ sudo grep SILENTREPORTS /etc/default/aide\n\n\nSILENTREPORTS=no\n\nIf SILENTREPORTS is uncommented and set to \\\"yes\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000447-GPOS-00201 '\n tag gid: 'V-238372 '\n tag rid: 'SV-238372r853449_rule '\n tag stig_id: 'UBTU-20-010451 '\n tag fix_id: 'F-41541r654290_fix '\n tag cci: ['CCI-002702']\n tag nist: ['SI-6 d']\n tag 'host', 'container'\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n", "source_location": { "ref": "./controls/SV-238372.rb", "line": 1 @@ -1043,9 +1082,11 @@ ], "nist": [ "SI-6 a" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238371' do\n title \"The Ubuntu operating system must use a file integrity tool to verify correct operation of all\nsecurity functions. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the\ncorrect operation of all security functions.\n\nCheck that the AIDE package is installed with\nthe following command:\n\n$ sudo dpkg -l | grep aide\nii aide 0.16.1-1build2 amd64 Advanced\nIntrusion Detection Environment - static binary\n\nIf AIDE is not installed, ask the System\nAdministrator how file integrity checks are performed on the system.\n\nIf no application is\ninstalled to perform integrity checks, this is a finding. \"\n desc 'fix', \"Install the AIDE package by running the following command:\n\n$ sudo apt-get install aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000445-GPOS-00199 '\n tag gid: 'V-238371 '\n tag rid: 'SV-238371r853448_rule '\n tag stig_id: 'UBTU-20-010450 '\n tag fix_id: 'F-41540r654287_fix '\n tag cci: ['CCI-002696']\n tag nist: ['SI-6 a']\n\n describe package('aide') do\n it { should be_installed }\n end\nend\n", + "code": "control 'SV-238371' do\n title \"The Ubuntu operating system must use a file integrity tool to verify correct operation of all\nsecurity functions. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nThis requirement\napplies to the Ubuntu operating system performing security function verification/testing\nand/or systems and environments that require this functionality. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the\ncorrect operation of all security functions.\n\nCheck that the AIDE package is installed with\nthe following command:\n\n$ sudo dpkg -l | grep aide\nii aide 0.16.1-1build2 amd64 Advanced\nIntrusion Detection Environment - static binary\n\nIf AIDE is not installed, ask the System\nAdministrator how file integrity checks are performed on the system.\n\nIf no application is\ninstalled to perform integrity checks, this is a finding. \"\n desc 'fix', \"Install the AIDE package by running the following command:\n\n$ sudo apt-get install aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000445-GPOS-00199 '\n tag gid: 'V-238371 '\n tag rid: 'SV-238371r853448_rule '\n tag stig_id: 'UBTU-20-010450 '\n tag fix_id: 'F-41540r654287_fix '\n tag cci: ['CCI-002696']\n tag nist: ['SI-6 a']\n tag 'host', 'container'\n\n describe package('aide') do\n it { should be_installed }\n end\nend\n", "source_location": { "ref": "./controls/SV-238371.rb", "line": 1 @@ -1074,9 +1115,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238282' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"apparmor_parser\\\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"apparmor_parser\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238282 '\n tag rid: 'SV-238282r654021_rule '\n tag stig_id: 'UBTU-20-010166 '\n tag fix_id: 'F-41451r654020_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/apparmor_parser'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238282' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the apparmor_parser command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"apparmor_parser\\\" command.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep apparmor_parser\n\n-a\nalways,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"apparmor_parser\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/apparmor_parser\n-F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238282 '\n tag rid: 'SV-238282r654021_rule '\n tag stig_id: 'UBTU-20-010166 '\n tag fix_id: 'F-41451r654020_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/apparmor_parser'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238282.rb", "line": 1 @@ -1105,9 +1147,11 @@ ], "nist": [ "CM-5 (6)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238377' do\n title 'The Ubuntu operating system must have system commands owned by root or a system account. '\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories are owned by root, or a\nrequired system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nUse the following command for the check:\n\n$ sudo find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \\\"%n %U\\\"\n'{}' \\\\;\n\nIf any system commands are returned and are not owned by a required system account,\nthis is a finding. \"\n desc 'fix', \"Configure the system commands and their respective parent directories to be protected from\nunauthorized access. Run the following command, replacing \\\"[FILE]\\\" with any system command\nfile not owned by \\\"root\\\" or a required system account:\n\n$ sudo chown root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238377 '\n tag rid: 'SV-238377r832968_rule '\n tag stig_id: 'UBTU-20-010457 '\n tag fix_id: 'F-41546r832967_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238377' do\n title 'The Ubuntu operating system must have system commands owned by root or a system account. '\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories are owned by root, or a\nrequired system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nUse the following command for the check:\n\n$ sudo find /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c \\\"%n %U\\\"\n'{}' \\\\;\n\nIf any system commands are returned and are not owned by a required system account,\nthis is a finding. \"\n desc 'fix', \"Configure the system commands and their respective parent directories to be protected from\nunauthorized access. Run the following command, replacing \\\"[FILE]\\\" with any system command\nfile not owned by \\\"root\\\" or a required system account:\n\n$ sudo chown root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238377 '\n tag rid: 'SV-238377r832968_rule '\n tag stig_id: 'UBTU-20-010457 '\n tag fix_id: 'F-41546r832967_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are NOT owned by root' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238377.rb", "line": 1 @@ -1136,9 +1180,11 @@ ], "nist": [ "AC-17 (1)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238354' do\n title \"The Ubuntu operating system must have an application firewall installed in order to control\nremote access methods. \"\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify that the Uncomplicated Firewall is installed with the following command:\n\n$ dpkg -l |\ngrep ufw\n\nii ufw 0.36-6\n\nIf the \\\"ufw\\\" package is not installed, ask the System Administrator\nif another application firewall is installed.\n\nIf no application firewall is installed,\nthis is a finding. \"\n desc 'fix', \"Install the Uncomplicated Firewall by using the following command:\n\n$ sudo apt-get install\nufw \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238354 '\n tag rid: 'SV-238354r853429_rule '\n tag stig_id: 'UBTU-20-010433 '\n tag fix_id: 'F-41523r654236_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n\n describe package('ufw') do\n it { should be_installed }\n end\nend\n", + "code": "control 'SV-238354' do\n title \"The Ubuntu operating system must have an application firewall installed in order to control\nremote access methods. \"\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated control capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nUbuntu operating system functionality\n(e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized\nactivity. Automated control of remote access sessions allows organizations to ensure\nongoing compliance with remote access policies by enforcing connection rules of remote\naccess applications on a variety of information system components (e.g., servers,\nworkstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify that the Uncomplicated Firewall is installed with the following command:\n\n$ dpkg -l |\ngrep ufw\n\nii ufw 0.36-6\n\nIf the \\\"ufw\\\" package is not installed, ask the System Administrator\nif another application firewall is installed.\n\nIf no application firewall is installed,\nthis is a finding. \"\n desc 'fix', \"Install the Uncomplicated Firewall by using the following command:\n\n$ sudo apt-get install\nufw \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000297-GPOS-00115 '\n tag gid: 'V-238354 '\n tag rid: 'SV-238354r853429_rule '\n tag stig_id: 'UBTU-20-010433 '\n tag fix_id: 'F-41523r654236_fix '\n tag cci: ['CCI-002314']\n tag nist: ['AC-17 (1)']\n tag 'host', 'container'\n\n describe package('ufw') do\n it { should be_installed }\n end\nend\n", "source_location": { "ref": "./controls/SV-238354.rb", "line": 1 @@ -1167,9 +1213,10 @@ ], "nist": [ "CM-6 b" - ] + ], + "host": null }, - "code": "control 'SV-238237' do\n title \"The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. \"\n desc \"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \\\"/etc/pam.d/common-auth\\\" and set\nthe parameter \\\"pam_faildelay\\\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00226 '\n tag gid: 'V-238237 '\n tag rid: 'SV-238237r653886_rule '\n tag stig_id: 'UBTU-20-010075 '\n tag fix_id: 'F-41406r653885_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_faildelay /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=([4-9][\\d]{6,}|[1-9][\\d]{7,}).*$/) }\n end\n\n file('/etc/pam.d/common-auth').content.to_s.scan(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=(\\d+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 4_000_000 }\n end\n end\n end\nend\n", + "code": "control 'SV-238237' do\n title \"The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts\nfollowing a failed logon attempt. \"\n desc \"Limiting the number of logon attempts over a certain time interval reduces the chances that an\nunauthorized user may gain access to an account. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon\nprompts following a failed logon attempt with the following command:\n\n$ grep pam_faildelay\n/etc/pam.d/common-auth\n\nauth required pam_faildelay.so delay=4000000\n\nIf the line is\nnot present or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon\nprompts following a failed logon attempt.\n\nEdit the file \\\"/etc/pam.d/common-auth\\\" and set\nthe parameter \\\"pam_faildelay\\\" to a value of 4000000 or greater:\n\nauth required\npam_faildelay.so delay=4000000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00226 '\n tag gid: 'V-238237 '\n tag rid: 'SV-238237r653886_rule '\n tag stig_id: 'UBTU-20-010075 '\n tag fix_id: 'F-41406r653885_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_faildelay /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=([4-9][\\d]{6,}|[1-9][\\d]{7,}).*$/) }\n end\n\n file('/etc/pam.d/common-auth').content.to_s.scan(/^\\s*auth\\s+required\\s+pam_faildelay.so\\s+.*delay=(\\d+).*$/).flatten.each do |entry|\n describe entry do\n it { should cmp >= 4_000_000 }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238237.rb", "line": 1 @@ -1198,9 +1245,11 @@ ], "nist": [ "SC-10" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238213' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic at the end of the session or after 10 minutes of inactivity. \"\n desc \"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session. \"\n desc 'check', \"Verify that all network connections associated with SSH traffic are automatically\nterminated at the end of the session or after 10 minutes of inactivity.\n\nVerify the\n\\\"ClientAliveInterval\\\" variable is set to a value of \\\"600\\\" or less by performing the following\ncommand:\n\n$ sudo grep -ir clientalive /etc/ssh/sshd_config*\n\nClientAliveInterval\n600\n\nIf \\\"ClientAliveInterval\\\" does not exist, is not set to a value of \\\"600\\\" or less in\n\\\"/etc/ssh/sshd_config\\\", or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate all network connections\nassociated with SSH traffic at the end of a session or after a 10-minute period of inactivity.\n\n\nModify or append the following line in the \\\"/etc/ssh/sshd_config\\\" file replacing\n\\\"[Interval]\\\" with a value of \\\"600\\\" or less:\n\nClientAliveInterval 600\n\nRestart the SSH\ndaemon for the changes to take effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000163-GPOS-00072 '\n tag gid: 'V-238213 '\n tag rid: 'SV-238213r858523_rule '\n tag stig_id: 'UBTU-20-010037 '\n tag fix_id: 'F-41382r653813_fix '\n tag cci: ['CCI-001133']\n tag nist: ['SC-10']\n\n describe sshd_config do\n its('ClientAliveInterval') { should cmp 600 }\n end\nend\n", + "code": "control 'SV-238213' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic at the end of the session or after 10 minutes of inactivity. \"\n desc \"Terminating an idle session within a short time period reduces the window of opportunity for\nunauthorized personnel to take control of a management session enabled on the console or\nconsole port that has been left unattended. In addition, quickly terminating an idle session\nwill also free up resources committed by the managed network element.\n\nTerminating network\nconnections associated with communications sessions includes, for example,\nde-allocating associated TCP/IP address/port pairs at the operating system level, and\nde-allocating networking assignments at the application level if multiple application\nsessions are using a single operating system-level network connection. This does not mean\nthat the operating system terminates all sessions or network access; it only ends the\ninactive session and releases the resources associated with that session. \"\n desc 'check', \"Verify that all network connections associated with SSH traffic are automatically\nterminated at the end of the session or after 10 minutes of inactivity.\n\nVerify the\n\\\"ClientAliveInterval\\\" variable is set to a value of \\\"600\\\" or less by performing the following\ncommand:\n\n$ sudo grep -ir clientalive /etc/ssh/sshd_config*\n\nClientAliveInterval\n600\n\nIf \\\"ClientAliveInterval\\\" does not exist, is not set to a value of \\\"600\\\" or less in\n\\\"/etc/ssh/sshd_config\\\", or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate all network connections\nassociated with SSH traffic at the end of a session or after a 10-minute period of inactivity.\n\n\nModify or append the following line in the \\\"/etc/ssh/sshd_config\\\" file replacing\n\\\"[Interval]\\\" with a value of \\\"600\\\" or less:\n\nClientAliveInterval 600\n\nRestart the SSH\ndaemon for the changes to take effect:\n\n$ sudo systemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000163-GPOS-00072 '\n tag gid: 'V-238213 '\n tag rid: 'SV-238213r858523_rule '\n tag stig_id: 'UBTU-20-010037 '\n tag fix_id: 'F-41382r653813_fix '\n tag cci: ['CCI-001133']\n tag nist: ['SC-10']\n tag 'host', 'container'\n\n describe sshd_config do\n its('ClientAliveInterval') { should cmp 600 }\n end\nend\n", "source_location": { "ref": "./controls/SV-238213.rb", "line": 1 @@ -1281,9 +1330,10 @@ "AU-7 a", "AU-7 b", "AU-12 (3)" - ] + ], + "host": null }, - "code": "control 'SV-238298' do\n title \"The Ubuntu operating system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. \"\n desc \"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.\n\n \"\n desc 'check', \"Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \\\"auditd\\\" package is not installed, this is a finding.\n\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \\\"disabled\\\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \\\"inactive\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000122-GPOS-00063 '\n tag satisfies: %w(SRG-OS-000122-GPOS-00063 SRG-OS-000037-GPOS-00015 SRG-OS-000038-GPOS-00016 SRG-OS-000039-GPOS-00017 SRG-OS-000040-GPOS-00018 SRG-OS-000041-GPOS-00019 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000051-GPOS-00024 SRG-OS-000054-GPOS-00025 SRG-OS-000062-GPOS-00031 SRG-OS-000337-GPOS-00129 SRG-OS-000348-GPOS-00136 SRG-OS-000349-GPOS-00137 SRG-OS-000350-GPOS-00138 SRG-OS-000351-GPOS-00139 SRG-OS-000352-GPOS-00140 SRG-OS-000353-GPOS-00141 SRG-OS-000354-GPOS-00142 SRG-OS-000475-GPOS-00220)\n tag gid: 'V-238298 '\n tag rid: 'SV-238298r853421_rule '\n tag stig_id: 'UBTU-20-010182 '\n tag fix_id: 'F-41467r654068_fix '\n tag cci: %w(CCI-000130 CCI-000131 CCI-000132 CCI-000133 CCI-000134 CCI-000135 CCI-000154 CCI-000158 CCI-000169 CCI-000172 CCI-001875 CCI-001876 CCI-001877 CCI-001878 CCI-001879 CCI-001880 CCI-001881 CCI-001882 CCI-001914)\n tag nist: ['AU-3 a', 'AU-3 b', 'AU-3 c', 'AU-3 d', 'AU-3 e', 'AU-3 (1)', 'AU-6 (4)', 'AU-7 (1)', 'AU-12 a', 'AU-12 c', 'AU-7 a', 'AU-7 b', 'AU-12 (3)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('auditd') do\n it { should be_installed }\n end\n describe service('auditd') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\n end\nend\n", + "code": "control 'SV-238298' do\n title \"The Ubuntu operating system must produce audit records and reports containing information\nto establish when, where, what type, the source, and the outcome for all DoD-defined\nauditable events and actions in near real time. \"\n desc \"Without establishing the when, where, type, source, and outcome of events that occurred, it\nwould be difficult to establish, correlate, and investigate the events leading up to an\noutage or attack.\n\nWithout the capability to generate audit records, it would be difficult\nto establish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy this\nrequirement includes, for example, time stamps, source and destination addresses,\nuser/process identifiers, event descriptions, success/fail indications, filenames\ninvolved, and access control or flow control rules invoked.\n\nReconstruction of harmful\nevents or forensic analysis is not possible if audit records do not contain enough\ninformation.\n\nSuccessful incident response and auditing relies on timely, accurate\nsystem information and analysis in order to allow the organization to identify and respond to\npotential incidents in a proficient manner. If the operating system does not provide the\nability to centrally review the operating system logs, forensic analysis is negatively\nimpacted.\n\nAssociating event types with detected events in the Ubuntu operating system\naudit logs provides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured operating system.\n\n \"\n desc 'check', \"Verify the audit service is configured to produce audit records with the following command:\n\n\n$ dpkg -l | grep auditd\n\nIf the \\\"auditd\\\" package is not installed, this is a finding.\n\n\nVerify the audit service is enabled with the following command:\n\n$ systemctl is-enabled\nauditd.service\n\nIf the command above returns \\\"disabled\\\", this is a finding.\n\nVerify the\naudit service is properly running and active on the system with the following command:\n\n$\nsystemctl is-active auditd.service\nactive\n\nIf the command above returns \\\"inactive\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the audit service to produce audit records containing the information needed to\nestablish when (date and time) an event occurred.\n\nInstall the audit service (if the audit\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nauditd\n\nEnable the audit service with the following command:\n\n$ sudo systemctl enable\nauditd.service\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000122-GPOS-00063 '\n tag satisfies: %w(SRG-OS-000122-GPOS-00063 SRG-OS-000037-GPOS-00015 SRG-OS-000038-GPOS-00016 SRG-OS-000039-GPOS-00017 SRG-OS-000040-GPOS-00018 SRG-OS-000041-GPOS-00019 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000051-GPOS-00024 SRG-OS-000054-GPOS-00025 SRG-OS-000062-GPOS-00031 SRG-OS-000337-GPOS-00129 SRG-OS-000348-GPOS-00136 SRG-OS-000349-GPOS-00137 SRG-OS-000350-GPOS-00138 SRG-OS-000351-GPOS-00139 SRG-OS-000352-GPOS-00140 SRG-OS-000353-GPOS-00141 SRG-OS-000354-GPOS-00142 SRG-OS-000475-GPOS-00220)\n tag gid: 'V-238298 '\n tag rid: 'SV-238298r853421_rule '\n tag stig_id: 'UBTU-20-010182 '\n tag fix_id: 'F-41467r654068_fix '\n tag cci: %w(CCI-000130 CCI-000131 CCI-000132 CCI-000133 CCI-000134 CCI-000135 CCI-000154 CCI-000158 CCI-000169 CCI-000172 CCI-001875 CCI-001876 CCI-001877 CCI-001878 CCI-001879 CCI-001880 CCI-001881 CCI-001882 CCI-001914)\n tag nist: ['AU-3 a', 'AU-3 b', 'AU-3 c', 'AU-3 d', 'AU-3 e', 'AU-3 (1)', 'AU-6 (4)', 'AU-7 (1)', 'AU-12 a', 'AU-12 c', 'AU-7 a', 'AU-7 b', 'AU-12 (3)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('auditd') do\n it { should be_installed }\n end\n describe service('auditd') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238298.rb", "line": 1 @@ -1318,9 +1368,11 @@ "nist": [ "IA-2", "IA-8" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238205' do\n title 'The Ubuntu operating system must uniquely identify interactive users. '\n desc \"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive\nusers with the following command:\n\n$ awk -F \\\":\\\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf\noutput is produced and the accounts listed are interactive user accounts, this is a finding. \"\n desc 'fix', \"Edit the file \\\"/etc/passwd\\\" and provide each interactive user account that has a duplicate\nUID with a unique UID. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000104-GPOS-00051 '\n tag satisfies: %w(SRG-OS-000104-GPOS-00051 SRG-OS-000121-GPOS-00062)\n tag gid: 'V-238205 '\n tag rid: 'SV-238205r653790_rule '\n tag stig_id: 'UBTU-20-010010 '\n tag fix_id: 'F-41374r653789_fix '\n tag cci: %w(CCI-000764 CCI-000804)\n tag nist: %w(IA-2 IA-8)\n\n user_list = command(\"awk -F \\\":\\\" 'list[$3]++{print $1}' /etc/passwd\").stdout.split(\"\\n\")\n findings = Set[]\n\n user_list.each do |user_name|\n findings = findings << user_name\n end\n describe 'Duplicate User IDs (UIDs) must not exist for interactive users' do\n subject { findings.to_a }\n it { should be_empty }\n end\nend\n", + "code": "control 'SV-238205' do\n title 'The Ubuntu operating system must uniquely identify interactive users. '\n desc \"To assure accountability and prevent unauthenticated access, organizational users must be\nidentified and authenticated to prevent potential misuse and compromise of the system.\n\n\nOrganizational users include organizational employees or individuals the organization\ndeems to have equivalent status of employees (e.g., contractors). Organizational users\n(and processes acting on behalf of users) must be uniquely identified and authenticated to\nall accesses, except for the following:\n\n1) Accesses explicitly identified and documented\nby the organization. Organizations document specific user actions that can be performed on\nthe information system without identification or authentication; and\n\n2) Accesses that\noccur through authorized use of group authenticators without individual authentication.\nOrganizations may require unique identification of individuals in group accounts (e.g.,\nshared privilege accounts) or for detailed accountability of individual activity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive\nusers with the following command:\n\n$ awk -F \\\":\\\" 'list[$3]++{print $1, $3}' /etc/passwd\n\nIf\noutput is produced and the accounts listed are interactive user accounts, this is a finding. \"\n desc 'fix', \"Edit the file \\\"/etc/passwd\\\" and provide each interactive user account that has a duplicate\nUID with a unique UID. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000104-GPOS-00051 '\n tag satisfies: %w(SRG-OS-000104-GPOS-00051 SRG-OS-000121-GPOS-00062)\n tag gid: 'V-238205 '\n tag rid: 'SV-238205r653790_rule '\n tag stig_id: 'UBTU-20-010010 '\n tag fix_id: 'F-41374r653789_fix '\n tag cci: %w(CCI-000764 CCI-000804)\n tag nist: %w(IA-2 IA-8)\n tag 'host', 'container'\n\n user_list = command(\"awk -F \\\":\\\" 'list[$3]++{print $1}' /etc/passwd\").stdout.split(\"\\n\")\n findings = Set[]\n\n user_list.each do |user_name|\n findings = findings << user_name\n end\n describe 'Duplicate User IDs (UIDs) must not exist for interactive users' do\n subject { findings.to_a }\n it { should be_empty }\n end\nend\n", "source_location": { "ref": "./controls/SV-238205.rb", "line": 1 @@ -1349,9 +1401,10 @@ ], "nist": [ "AU-9 (3)" - ] + ], + "host": null }, - "code": "control 'SV-238303' do\n title \"The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. \"\n desc \"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\\\/sbin\\\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding. \"\n desc 'fix', \"Add or update the following selection lines for \\\"/etc/aide/aide.conf\\\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000278-GPOS-00108 '\n tag gid: 'V-238303 '\n tag rid: 'SV-238303r654084_rule '\n tag stig_id: 'UBTU-20-010205 '\n tag fix_id: 'F-41472r654083_fix '\n tag cci: ['CCI-001496']\n tag nist: ['AU-9 (3)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n aide_conf = aide_conf input('aide_conf_path')\n\n aide_conf_exists = aide_conf.exist?\n\n if aide_conf_exists\n describe aide_conf.where { selection_line == '/sbin/auditctl' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/auditd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/ausearch' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/aureport' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/autrace' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/audispd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/augenrules' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n else\n describe 'aide.conf file exists' do\n subject { aide_conf_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238303' do\n title \"The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of\naudit tools. \"\n desc \"Protecting the integrity of the tools used for auditing purposes is a critical step toward\nensuring the integrity of audit information. Audit information includes all information\n(e.g., audit records, audit settings, and audit reports) needed to successfully audit\ninformation system activity.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject\ncode into the existing tools with the purpose of providing the capability to hide or erase\nsystem activity from the audit logs.\n\nTo address this risk, audit tools must be\ncryptographically signed in order to provide the capability to identify when the audit tools\nhave been modified, manipulated, or replaced. An example is a checksum hash of the file or\nfiles. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use\ncryptographic mechanisms to protect the integrity of audit tools.\n\nCheck the selection\nlines that AIDE is configured to add/check with the following command:\n\n$ egrep\n'(\\\\/sbin\\\\/(audit|au))' /etc/aide/aide.conf\n\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf any of the seven audit tools do not have appropriate\nselection lines, this is a finding. \"\n desc 'fix', \"Add or update the following selection lines for \\\"/etc/aide/aide.conf\\\" to protect the\nintegrity of the audit tools:\n\n# Audit Tools\n/sbin/auditctl\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/aureport\np+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n/sbin/augenrules\np+i+n+u+g+s+b+acl+xattrs+sha512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000278-GPOS-00108 '\n tag gid: 'V-238303 '\n tag rid: 'SV-238303r654084_rule '\n tag stig_id: 'UBTU-20-010205 '\n tag fix_id: 'F-41472r654083_fix '\n tag cci: ['CCI-001496']\n tag nist: ['AU-9 (3)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n aide_conf = aide_conf input('aide_conf_path')\n\n aide_conf_exists = aide_conf.exist?\n\n if aide_conf_exists\n describe aide_conf.where { selection_line == '/sbin/auditctl' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/auditd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/ausearch' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/aureport' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/autrace' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/audispd' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n\n describe aide_conf.where { selection_line == '/sbin/augenrules' } do\n its('rules') { should include %w(p i n u g s b acl xattrs sha512) }\n end\n else\n describe 'aide.conf file exists' do\n subject { aide_conf_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238303.rb", "line": 1 @@ -1380,9 +1433,10 @@ ], "nist": [ "AU-5 b" - ] + ], + "host": null }, - "code": "control 'SV-238244' do\n title \"The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). \"\n desc \"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server. \"\n desc 'check', \"Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\\\"disk_full_action\\\" option is not \\\"SYSLOG\\\", \\\"SINGLE\\\", or \\\"HALT\\\", or the line is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \\\"disk_full_action\\\" can be set to \\\"SYSLOG\\\", \\\"HALT\\\" or \\\"SINGLE\\\") in\n\\\"/etc/audit/auditd.conf\\\" file:\n\ndisk_full_action = HALT\n\nRestart the \\\"auditd\\\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000047-GPOS-00023 '\n tag gid: 'V-238244 '\n tag rid: 'SV-238244r653907_rule '\n tag stig_id: 'UBTU-20-010118 '\n tag fix_id: 'F-41413r653906_fix '\n tag cci: ['CCI-000140']\n tag nist: ['AU-5 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe auditd_conf do\n its('disk_full_action') { should_not be_empty }\n its('disk_full_action') { should cmp(/(?:SYSLOG|SINGLE|HALT)/i) }\n end\n end\nend\n", + "code": "control 'SV-238244' do\n title \"The Ubuntu operating system must shut down by default upon audit failure (unless\navailability is an overriding concern). \"\n desc \"It is critical that when the operating system is at risk of failing to process audit logs as\nrequired, it takes action to mitigate the failure. Audit processing failures include:\nsoftware/hardware errors; failures in the audit capturing mechanisms; and audit storage\ncapacity being reached or exceeded. Responses to audit failure depend upon the nature of the\nfailure mode.\n\nWhen availability is an overriding concern, other approved actions in\nresponse to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit\nrecord storage capacity, the operating system must continue generating audit records if\npossible (automatically restarting the audit service if necessary), overwriting the\noldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a\ncentralized collection server and communication with this server is lost or the server\nfails, the operating system must queue audit records locally until communication is\nrestored or until the audit records are retrieved manually. Upon restoration of the\nconnection to the centralized collection server, action should be taken to synchronize the\nlocal audit data with the collection server. \"\n desc 'check', \"Verify the Ubuntu operating system takes the appropriate action when the audit storage\nvolume is full with the following command:\n\n$ sudo grep '^disk_full_action'\n/etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the\n\\\"disk_full_action\\\" option is not \\\"SYSLOG\\\", \\\"SINGLE\\\", or \\\"HALT\\\", or the line is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to shut down by default upon audit failure (unless\navailability is an overriding concern).\n\nAdd or update the following line (depending on\nconfiguration, \\\"disk_full_action\\\" can be set to \\\"SYSLOG\\\", \\\"HALT\\\" or \\\"SINGLE\\\") in\n\\\"/etc/audit/auditd.conf\\\" file:\n\ndisk_full_action = HALT\n\nRestart the \\\"auditd\\\" service\nso the changes take effect:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000047-GPOS-00023 '\n tag gid: 'V-238244 '\n tag rid: 'SV-238244r653907_rule '\n tag stig_id: 'UBTU-20-010118 '\n tag fix_id: 'F-41413r653906_fix '\n tag cci: ['CCI-000140']\n tag nist: ['AU-5 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe auditd_conf do\n its('disk_full_action') { should_not be_empty }\n its('disk_full_action') { should cmp(/(?:SYSLOG|SINGLE|HALT)/i) }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238244.rb", "line": 1 @@ -1411,9 +1465,10 @@ ], "nist": [ "AU-12 b" - ] + ], + "host": null }, - "code": "control 'SV-238250' do\n title \"The Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238250 '\n tag rid: 'SV-238250r653925_rule '\n tag stig_id: 'UBTU-20-010134 '\n tag fix_id: 'F-41419r653924_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n", + "code": "control 'SV-238250' do\n title \"The Ubuntu operating system must permit only authorized accounts to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root account by using the following command:\n\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 .\n\ndrwxr-xr-x 130 root root 12288 Dec 19 13:42 ..\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 .\n\ndrwxr-x--- 3 root root\n4096 Nov 25 11:02 ..\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\" and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root user by using the following command:\n\n$\nsudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238250 '\n tag rid: 'SV-238250r653925_rule '\n tag stig_id: 'UBTU-20-010134 '\n tag fix_id: 'F-41419r653924_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238250.rb", "line": 1 @@ -1442,9 +1497,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238289' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the unix_update command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"unix_update\\\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"unix_update\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238289 '\n tag rid: 'SV-238289r654042_rule '\n tag stig_id: 'UBTU-20-010173 '\n tag fix_id: 'F-41458r654041_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/unix_update'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238289' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the unix_update command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"unix_update\\\" command.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep -w unix_update\n\n-a always,exit -F\npath=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"unix_update\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/sbin/unix_update -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238289 '\n tag rid: 'SV-238289r654042_rule '\n tag stig_id: 'UBTU-20-010173 '\n tag fix_id: 'F-41458r654041_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/unix_update'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238289.rb", "line": 1 @@ -1473,9 +1529,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238292' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"usermod\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"usermod\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238292 '\n tag rid: 'SV-238292r654051_rule '\n tag stig_id: 'UBTU-20-010176 '\n tag fix_id: 'F-41461r654050_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/usermod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238292' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"usermod\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"usermod\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238292 '\n tag rid: 'SV-238292r654051_rule '\n tag stig_id: 'UBTU-20-010176 '\n tag fix_id: 'F-41461r654050_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/usermod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238292.rb", "line": 1 @@ -1504,9 +1561,11 @@ ], "nist": [ "SI-2 (2)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238336' do\n title \"The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention\n(ENSLTP). \"\n desc \"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement. \"\n desc 'check', \"The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.\nHowever, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and\nrunning.\n\nCheck that the \\\"mcafeetp\\\" package has been installed:\n\n# dpkg -l | grep mcafeetp\n\n\nIf the \\\"mcafeetp\\\" package is not installed, this finding will remain as a CAT II.\n\nCheck that\nthe daemon is running:\n\n# /opt/McAfee/ens/tp/init/mfetpd-control.sh status\n\nIf the\ndaemon is not running, this finding will remain as a CAT II. \"\n desc 'fix', \"The Ubuntu operating system is not compliant with this requirement; however, the severity\nlevel can be mitigated to a CAT III if the ENSLTP module is installed and running.\n\nConfigure\nthe Ubuntu operating system to use ENSLTP.\n\nInstall the \\\"mcafeetp\\\" package via the ePO\nserver. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000191-GPOS-00080 '\n tag gid: 'V-238336 '\n tag rid: 'SV-238336r858538_rule '\n tag stig_id: 'UBTU-20-010415 '\n tag fix_id: 'F-41505r858537_fix '\n tag cci: ['CCI-001233']\n tag nist: ['SI-2 (2)']\n\n describe package('mfetp') do\n it { should be_installed }\n end\n\n describe command('/opt/McAfee/ens/tp/init/mfetpd-control.sh status') do\n its('exit_status') { should cmp 0 }\n end\nend\n", + "code": "control 'SV-238336' do\n title \"The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention\n(ENSLTP). \"\n desc \"Without the use of automated mechanisms to scan for security flaws on a continuous and/or\nperiodic basis, the operating system or other system components may remain vulnerable to the\nexploits presented by undetected software flaws.\n\nTo support this requirement, the\noperating system may have an integrated solution incorporating continuous scanning using\nHBSS and periodic scanning using other tools, as specified in the requirement. \"\n desc 'check', \"The Ubuntu operating system is not compliant with this requirement; hence, it is a finding.\nHowever, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and\nrunning.\n\nCheck that the \\\"mcafeetp\\\" package has been installed:\n\n# dpkg -l | grep mcafeetp\n\n\nIf the \\\"mcafeetp\\\" package is not installed, this finding will remain as a CAT II.\n\nCheck that\nthe daemon is running:\n\n# /opt/McAfee/ens/tp/init/mfetpd-control.sh status\n\nIf the\ndaemon is not running, this finding will remain as a CAT II. \"\n desc 'fix', \"The Ubuntu operating system is not compliant with this requirement; however, the severity\nlevel can be mitigated to a CAT III if the ENSLTP module is installed and running.\n\nConfigure\nthe Ubuntu operating system to use ENSLTP.\n\nInstall the \\\"mcafeetp\\\" package via the ePO\nserver. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000191-GPOS-00080 '\n tag gid: 'V-238336 '\n tag rid: 'SV-238336r858538_rule '\n tag stig_id: 'UBTU-20-010415 '\n tag fix_id: 'F-41505r858537_fix '\n tag cci: ['CCI-001233']\n tag nist: ['SI-2 (2)']\n tag 'host', 'container'\n\n describe package('mfetp') do\n it { should be_installed }\n end\n\n describe command('/opt/McAfee/ens/tp/init/mfetpd-control.sh status') do\n its('exit_status') { should cmp 0 }\n end\nend\n", "source_location": { "ref": "./controls/SV-238336.rb", "line": 1 @@ -1535,9 +1594,11 @@ ], "nist": [ "SC-5 (2)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238333' do\n title 'The Ubuntu operating system must be configured to use TCP syncookies. '\n desc \"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use TCP syncookies.\n\nCheck the value of\nTCP syncookies with the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \\\"1\\\", this is a finding.\n\nCheck the saved\nvalue of TCP syncookies with the following command:\n\n$ sudo grep -i\nnet.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#'\n\nIf no output is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use TCP syncookies by running the following\ncommand:\n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \\\"1\\\" is not the system's default\nvalue, add or update the following line in \\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.tcp_syncookies\n= 1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000142-GPOS-00071 '\n tag gid: 'V-238333 '\n tag rid: 'SV-238333r654174_rule '\n tag stig_id: 'UBTU-20-010412 '\n tag fix_id: 'F-41502r654173_fix '\n tag cci: ['CCI-001095']\n tag nist: ['SC-5 (2)']\n\n describe kernel_parameter('net.ipv4.tcp_syncookies') do\n its('value') { should cmp 1 }\n end\nend\n", + "code": "control 'SV-238333' do\n title 'The Ubuntu operating system must be configured to use TCP syncookies. '\n desc \"DoS is a condition when a resource is not available for legitimate users. When this occurs, the\norganization either cannot accomplish its mission or must operate at degraded capacity.\n\n\nManaging excess capacity ensures that sufficient capacity is available to counter\nflooding attacks. Employing increased capacity and service redundancy may reduce the\nsusceptibility to some DoS attacks. Managing excess capacity may include, for example,\nestablishing selected usage priorities, quotas, or partitioning. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use TCP syncookies.\n\nCheck the value of\nTCP syncookies with the following command:\n\n$ sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the value is not \\\"1\\\", this is a finding.\n\nCheck the saved\nvalue of TCP syncookies with the following command:\n\n$ sudo grep -i\nnet.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#'\n\nIf no output is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use TCP syncookies by running the following\ncommand:\n\n$ sudo sysctl -w net.ipv4.tcp_syncookies=1\n\nIf \\\"1\\\" is not the system's default\nvalue, add or update the following line in \\\"/etc/sysctl.conf\\\":\n\nnet.ipv4.tcp_syncookies\n= 1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000142-GPOS-00071 '\n tag gid: 'V-238333 '\n tag rid: 'SV-238333r654174_rule '\n tag stig_id: 'UBTU-20-010412 '\n tag fix_id: 'F-41502r654173_fix '\n tag cci: ['CCI-001095']\n tag nist: ['SC-5 (2)']\n tag 'host', 'container'\n\n describe kernel_parameter('net.ipv4.tcp_syncookies') do\n its('value') { should cmp 1 }\n end\nend\n", "source_location": { "ref": "./controls/SV-238333.rb", "line": 1 @@ -1566,9 +1627,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238320' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \\\"fdisk\\\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \\\"fdisk\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238320 '\n tag rid: 'SV-238320r832956_rule '\n tag stig_id: 'UBTU-20-010298 '\n tag fix_id: 'F-41489r832955_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/fdisk'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238320' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \\\"fdisk\\\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \\\"fdisk\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238320 '\n tag rid: 'SV-238320r832956_rule '\n tag stig_id: 'UBTU-20-010298 '\n tag fix_id: 'F-41489r832955_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/fdisk'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238320.rb", "line": 1 @@ -1597,9 +1659,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238279' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chsh\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chsh\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238279 '\n tag rid: 'SV-238279r654012_rule '\n tag stig_id: 'UBTU-20-010163 '\n tag fix_id: 'F-41448r654011_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chsh'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238279' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chsh command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chsh\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep chsh\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches\nthe example or the line is commented out, this is a finding.\n\nNotes: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chsh\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chsh -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238279 '\n tag rid: 'SV-238279r654012_rule '\n tag stig_id: 'UBTU-20-010163 '\n tag fix_id: 'F-41448r654011_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chsh'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238279.rb", "line": 1 @@ -1642,9 +1705,10 @@ "nist": [ "AU-12 c", "AC-2 (4)" - ] + ], + "host": null }, - "code": "control 'SV-238241' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238241 '\n tag rid: 'SV-238241r853419_rule '\n tag stig_id: 'UBTU-20-010103 '\n tag fix_id: 'F-41410r653897_fix '\n tag cci: %w(CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AU-12 c', 'AC-2 (4)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/gshadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238241' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/gshadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngshadow\n\n-w /etc/gshadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/gshadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/gshadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238241 '\n tag rid: 'SV-238241r853419_rule '\n tag stig_id: 'UBTU-20-010103 '\n tag fix_id: 'F-41410r653897_fix '\n tag cci: %w(CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AU-12 c', 'AC-2 (4)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/gshadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238241.rb", "line": 1 @@ -1677,9 +1741,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238271' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\\\|truncate\\\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any unsuccessful use of the\\\"creat\\\",\n\\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" system calls.\n\nAdd\nor update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000474-GPOS-00219)\n tag gid: 'V-238271 '\n tag rid: 'SV-238271r808483_rule '\n tag stig_id: 'UBTU-20-010155 '\n tag fix_id: 'F-41440r808482_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\nend\n", + "code": "control 'SV-238271' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to\nuse the \\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\"\nsystem calls.\n\nCheck the configured audit rules with the following commands:\n\n$ sudo\nauditctl -l | grep 'open\\\\|truncate\\\\|creat'\n\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b32 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=-1 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=-1 -k perm_access\n\nIf the command does not return audit rules for the\n\\\"creat\\\", \\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" syscalls or\nthe lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the\n32-bit specific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any unsuccessful use of the\\\"creat\\\",\n\\\"open\\\", \\\"openat\\\", \\\"open_by_handle_at\\\", \\\"truncate\\\", and \\\"ftruncate\\\" system calls.\n\nAdd\nor update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F\nexit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F\narch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES\n-F auid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n-a always,exit -F arch=b64 -S\ncreat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F\nauid>=1000 -F auid!=4294967295 -k perm_access\n\nNotes: For 32-bit architectures, only\nthe 32-bit specific entries are required.\n\nTo reload the rules file, issue the following\ncommand:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000474-GPOS-00219)\n tag gid: 'V-238271 '\n tag rid: 'SV-238271r808483_rule '\n tag stig_id: 'UBTU-20-010155 '\n tag fix_id: 'F-41440r808482_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EPERM' }\n end\n describe auditd.syscall('open').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n its('exit.uniq') { should include '-EACCES' }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238271.rb", "line": 1 @@ -1708,9 +1773,11 @@ ], "nist": [ "MA-4 e" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238212' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic after a period of inactivity. \"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance. \"\n desc 'check', \"Verify that all network connections associated with SSH traffic automatically terminate\nafter a period of inactivity.\n\nVerify the \\\"ClientAliveCountMax\\\" variable is set in the\n\\\"/etc/ssh/sshd_config\\\" file by performing the following command:\n\n$ sudo grep -ir\nclientalivecountmax /etc/ssh/sshd_config*\n\nClientAliveCountMax 1\n\nIf\n\\\"ClientAliveCountMax\\\" is not set, is not set to \\\"1\\\", or is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate inactive SSH sessions\nafter a period of inactivity.\n\nModify or append the following line in the\n\\\"/etc/ssh/sshd_config\\\" file, replacing \\\"[Count]\\\" with a value of 1:\n\n\nClientAliveCountMax 1\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000126-GPOS-00066 '\n tag gid: 'V-238212 '\n tag rid: 'SV-238212r858521_rule '\n tag stig_id: 'UBTU-20-010036 '\n tag fix_id: 'F-41381r653810_fix '\n tag cci: ['CCI-000879']\n tag nist: ['MA-4 e']\n\n describe sshd_config do\n its('ClientAliveCountMax') { should cmp 1 }\n end\nend\n", + "code": "control 'SV-238212' do\n title \"The Ubuntu operating system must immediately terminate all network connections associated\nwith SSH traffic after a period of inactivity. \"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific Ubuntu\noperating system functionality where the system owner, data owner, or organization\nrequires additional assurance. \"\n desc 'check', \"Verify that all network connections associated with SSH traffic automatically terminate\nafter a period of inactivity.\n\nVerify the \\\"ClientAliveCountMax\\\" variable is set in the\n\\\"/etc/ssh/sshd_config\\\" file by performing the following command:\n\n$ sudo grep -ir\nclientalivecountmax /etc/ssh/sshd_config*\n\nClientAliveCountMax 1\n\nIf\n\\\"ClientAliveCountMax\\\" is not set, is not set to \\\"1\\\", or is commented out, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to automatically terminate inactive SSH sessions\nafter a period of inactivity.\n\nModify or append the following line in the\n\\\"/etc/ssh/sshd_config\\\" file, replacing \\\"[Count]\\\" with a value of 1:\n\n\nClientAliveCountMax 1\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000126-GPOS-00066 '\n tag gid: 'V-238212 '\n tag rid: 'SV-238212r858521_rule '\n tag stig_id: 'UBTU-20-010036 '\n tag fix_id: 'F-41381r653810_fix '\n tag cci: ['CCI-000879']\n tag nist: ['MA-4 e']\n tag 'host', 'container'\n\n describe sshd_config do\n its('ClientAliveCountMax') { should cmp 1 }\n end\nend\n", "source_location": { "ref": "./controls/SV-238212.rb", "line": 1 @@ -1739,9 +1806,11 @@ ], "nist": [ "IA-5 (1) (c)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238326' do\n title 'The Ubuntu operating system must not have the telnet package installed. '\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding. \"\n desc 'fix', \"Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000074-GPOS-00042 '\n tag gid: 'V-238326 '\n tag rid: 'SV-238326r654153_rule '\n tag stig_id: 'UBTU-20-010405 '\n tag fix_id: 'F-41495r654152_fix '\n tag cci: ['CCI-000197']\n tag nist: ['IA-5 (1) (c)']\n\n describe package('telnetd') do\n it { should_not be_installed }\n end\nend\n", + "code": "control 'SV-238326' do\n title 'The Ubuntu operating system must not have the telnet package installed. '\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding. \"\n desc 'fix', \"Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000074-GPOS-00042 '\n tag gid: 'V-238326 '\n tag rid: 'SV-238326r654153_rule '\n tag stig_id: 'UBTU-20-010405 '\n tag fix_id: 'F-41495r654152_fix '\n tag cci: ['CCI-000197']\n tag nist: ['IA-5 (1) (c)']\n tag 'host', 'container'\n\n describe package('telnetd') do\n it { should_not be_installed }\n end\nend\n", "source_location": { "ref": "./controls/SV-238326.rb", "line": 1 @@ -1770,9 +1839,11 @@ ], "nist": [ "AC-8 a" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238198' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local access to the system via a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the operating system via a graphical user logon.\n\nNote: If\nthe system does not have a graphical user interface installed, this requirement is Not\nApplicable.\n\nVerify the operating system displays the exact approved Standard Mandatory\nDoD Notice and Consent Banner text with the command:\n\n$ grep ^banner-message-text\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-text=\\\"You are accessing a U.S.\nGovernment \\\\(USG\\\\) Information System \\\\(IS\\\\) that is provided for USG-authorized use\nonly.\\\\s+By using this IS \\\\(which includes any device attached to this IS\\\\), you consent to the\nfollowing conditions:\\\\s+-The USG routinely intercepts and monitors communications on\nthis IS for purposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct \\\\(PM\\\\), law enforcement \\\\(LE\\\\), and\ncounterintelligence \\\\(CI\\\\) investigations.\\\\s+-At any time, the USG may inspect and seize\ndata stored on this IS.\\\\s+-Communications using, or data stored on, this IS are not private,\nare subject to routine monitoring, interception, and search, and may be disclosed or used for\nany USG-authorized purpose.\\\\s+-This IS includes security measures \\\\(e.g.,\nauthentication and access controls\\\\) to protect USG interests--not for your personal\nbenefit or privacy.\\\\s+-Notwithstanding the above, using this IS does not constitute\nconsent to PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nIf the\nbanner-message-text is missing, commented out, or does not match the Standard Mandatory DoD\nNotice and Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nSet the \\\"banner-message-text\\\" line\nto contain the appropriate banner message text as shown below:\n\nbanner-message-text='You\nare accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\\\\n\\\\nBy using this IS (which includes any device attached to this\nIS), you consent to the following conditions:\\\\n\\\\n-The USG routinely intercepts and\nmonitors communications on this IS for purposes including, but not limited to, penetration\ntesting, COMSEC monitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations.\\\\n\\\\n-At any time, the\nUSG may inspect and seize data stored on this IS.\\\\n\\\\n-Communications using, or data stored\non, this IS are not private, are subject to routine monitoring, interception, and search, and\nmay be disclosed or used for any USG-authorized purpose.\\\\n\\\\n-This IS includes security\nmeasures (e.g., authentication and access controls) to protect USG interests--not for your\npersonal benefit or privacy.\\\\n\\\\n-Notwithstanding the above, using this IS does not\nconstitute consent to PM, LE or CI investigative searching or monitoring of the content of\nprivileged communications, or work product, related to personal representation or\nservices by attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User Agreement for\ndetails.'\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf update\n$ sudo\nsystemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238198 '\n tag rid: 'SV-238198r653769_rule '\n tag stig_id: 'UBTU-20-010003 '\n tag fix_id: 'F-41367r653768_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n\n banner_text = input('banner_text')\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n gdm3_defaults_file = input('gdm3_config_file')\n\n if package('gdm3').installed?\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n subject { file(gdm3_defaults_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n else\n impact 0.0\n describe 'Package gdm3 not installed' do\n skip 'Package gdm3 not installed, this control Not Applicable'\n end\n end\nend\n", + "code": "control 'SV-238198' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting local access to the system via a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the operating system via a graphical user logon.\n\nNote: If\nthe system does not have a graphical user interface installed, this requirement is Not\nApplicable.\n\nVerify the operating system displays the exact approved Standard Mandatory\nDoD Notice and Consent Banner text with the command:\n\n$ grep ^banner-message-text\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-text=\\\"You are accessing a U.S.\nGovernment \\\\(USG\\\\) Information System \\\\(IS\\\\) that is provided for USG-authorized use\nonly.\\\\s+By using this IS \\\\(which includes any device attached to this IS\\\\), you consent to the\nfollowing conditions:\\\\s+-The USG routinely intercepts and monitors communications on\nthis IS for purposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct \\\\(PM\\\\), law enforcement \\\\(LE\\\\), and\ncounterintelligence \\\\(CI\\\\) investigations.\\\\s+-At any time, the USG may inspect and seize\ndata stored on this IS.\\\\s+-Communications using, or data stored on, this IS are not private,\nare subject to routine monitoring, interception, and search, and may be disclosed or used for\nany USG-authorized purpose.\\\\s+-This IS includes security measures \\\\(e.g.,\nauthentication and access controls\\\\) to protect USG interests--not for your personal\nbenefit or privacy.\\\\s+-Notwithstanding the above, using this IS does not constitute\nconsent to PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nIf the\nbanner-message-text is missing, commented out, or does not match the Standard Mandatory DoD\nNotice and Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nSet the \\\"banner-message-text\\\" line\nto contain the appropriate banner message text as shown below:\n\nbanner-message-text='You\nare accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\\\\n\\\\nBy using this IS (which includes any device attached to this\nIS), you consent to the following conditions:\\\\n\\\\n-The USG routinely intercepts and\nmonitors communications on this IS for purposes including, but not limited to, penetration\ntesting, COMSEC monitoring, network operations and defense, personnel misconduct (PM),\nlaw enforcement (LE), and counterintelligence (CI) investigations.\\\\n\\\\n-At any time, the\nUSG may inspect and seize data stored on this IS.\\\\n\\\\n-Communications using, or data stored\non, this IS are not private, are subject to routine monitoring, interception, and search, and\nmay be disclosed or used for any USG-authorized purpose.\\\\n\\\\n-This IS includes security\nmeasures (e.g., authentication and access controls) to protect USG interests--not for your\npersonal benefit or privacy.\\\\n\\\\n-Notwithstanding the above, using this IS does not\nconstitute consent to PM, LE or CI investigative searching or monitoring of the content of\nprivileged communications, or work product, related to personal representation or\nservices by attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User Agreement for\ndetails.'\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf update\n$ sudo\nsystemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238198 '\n tag rid: 'SV-238198r653769_rule '\n tag stig_id: 'UBTU-20-010003 '\n tag fix_id: 'F-41367r653768_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n tag 'host', 'container'\n\n banner_text = input('banner_text')\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n gdm3_defaults_file = input('gdm3_config_file')\n\n if package('gdm3').installed?\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n subject { file(gdm3_defaults_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n else\n impact 0.0\n describe 'Package gdm3 not installed' do\n skip 'Package gdm3 not installed, this control Not Applicable'\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238198.rb", "line": 1 @@ -1801,9 +1872,11 @@ ], "nist": [ "AU-4 (1)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238321' do\n title \"The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity. \"\n desc 'check', \"Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\\\"/etc/cron.weekly\\\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding. \"\n desc 'fix', \"Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \\\"/etc/cron.weekly\\\" directory. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000479-GPOS-00224 '\n tag gid: 'V-238321 '\n tag rid: 'SV-238321r853428_rule '\n tag stig_id: 'UBTU-20-010300 '\n tag fix_id: 'F-41490r654137_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n\n cron_file = input('auditoffload_config_file')\n cron_file_exists = file(cron_file).exist?\n\n if cron_file_exists\n describe file(cron_file) do\n its('content') { should_not be_empty }\n end\n else\n describe cron_file + ' exists' do\n subject { cron_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238321' do\n title \"The Ubuntu operating system must have a crontab script running weekly to offload audit events\nof standalone systems. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOffloading is a common process in information systems with limited audit\nstorage capacity. \"\n desc 'check', \"Note: If this is an interconnected system, this is Not Applicable.\n\nVerify there is a script\nthat offloads audit data and that script runs weekly.\n\nCheck if there is a script in the\n\\\"/etc/cron.weekly\\\" directory that offloads audit data:\n\n# sudo ls /etc/cron.weekly\n\n\naudit-offload\n\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\n\nIf the script file does not exist or does not offload audit logs, this is a\nfinding. \"\n desc 'fix', \"Create a script that offloads audit logs to external media and runs weekly.\n\nThe script must\nbe located in the \\\"/etc/cron.weekly\\\" directory. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000479-GPOS-00224 '\n tag gid: 'V-238321 '\n tag rid: 'SV-238321r853428_rule '\n tag stig_id: 'UBTU-20-010300 '\n tag fix_id: 'F-41490r654137_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag 'host', 'container'\n\n cron_file = input('auditoffload_config_file')\n cron_file_exists = file(cron_file).exist?\n\n if cron_file_exists\n describe file(cron_file) do\n its('content') { should_not be_empty }\n end\n else\n describe cron_file + ' exists' do\n subject { cron_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238321.rb", "line": 1 @@ -1832,9 +1905,11 @@ ], "nist": [ "SC-24" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238353' do\n title 'The Ubuntu operating system must be configured to preserve log records from failure events. '\n desc \"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes. \"\n desc 'check', \"Verify the log service is configured to collect system failure events.\n\nCheck that the log\nservice is installed properly with the following command:\n\n$ dpkg -l | grep rsyslog\n\nii\nrsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon\n\nIf the \\\"rsyslog\\\"\npackage is not installed, this is a finding.\n\nCheck that the log service is enabled with the\nfollowing command:\n\n$ systemctl is-enabled rsyslog\n\nenabled\n\nIf the command above\nreturns \\\"disabled\\\", this is a finding.\n\nCheck that the log service is properly running and\nactive on the system with the following command:\n\n$ systemctl is-active rsyslog\n\nactive\n\n\nIf the command above returns \\\"inactive\\\", this is a finding. \"\n desc 'fix', \"Configure the log service to collect failure events.\n\nInstall the log service (if the log\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nrsyslog\n\nEnable the log service with the following command:\n\n$ sudo systemctl enable --now\nrsyslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000269-GPOS-00103 '\n tag gid: 'V-238353 '\n tag rid: 'SV-238353r654234_rule '\n tag stig_id: 'UBTU-20-010432 '\n tag fix_id: 'F-41522r654233_fix '\n tag cci: ['CCI-001665']\n tag nist: ['SC-24']\n\n describe service('rsyslog') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "code": "control 'SV-238353' do\n title 'The Ubuntu operating system must be configured to preserve log records from failure events. '\n desc \"Failure to a known state can address safety or security in accordance with the\nmission/business needs of the organization. Failure to a known secure state helps prevent a\nloss of confidentiality, integrity, or availability in the event of a failure of the\ninformation system or a component of the system.\n\nPreserving operating system state\ninformation helps to facilitate operating system restart and return to the operational mode\nof the organization with least disruption to mission/business processes. \"\n desc 'check', \"Verify the log service is configured to collect system failure events.\n\nCheck that the log\nservice is installed properly with the following command:\n\n$ dpkg -l | grep rsyslog\n\nii\nrsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon\n\nIf the \\\"rsyslog\\\"\npackage is not installed, this is a finding.\n\nCheck that the log service is enabled with the\nfollowing command:\n\n$ systemctl is-enabled rsyslog\n\nenabled\n\nIf the command above\nreturns \\\"disabled\\\", this is a finding.\n\nCheck that the log service is properly running and\nactive on the system with the following command:\n\n$ systemctl is-active rsyslog\n\nactive\n\n\nIf the command above returns \\\"inactive\\\", this is a finding. \"\n desc 'fix', \"Configure the log service to collect failure events.\n\nInstall the log service (if the log\nservice is not already installed) with the following command:\n\n$ sudo apt-get install\nrsyslog\n\nEnable the log service with the following command:\n\n$ sudo systemctl enable --now\nrsyslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000269-GPOS-00103 '\n tag gid: 'V-238353 '\n tag rid: 'SV-238353r654234_rule '\n tag stig_id: 'UBTU-20-010432 '\n tag fix_id: 'F-41522r654233_fix '\n tag cci: ['CCI-001665']\n tag nist: ['SC-24']\n tag 'host', 'container'\n\n describe service('rsyslog') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", "source_location": { "ref": "./controls/SV-238353.rb", "line": 1 @@ -1863,9 +1938,11 @@ ], "nist": [ "CM-5 (6)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238351' do\n title 'The Ubuntu operating system library files must be group-owned by root or a system account. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\", and\n\\\"/usr/lib\\\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command, replacing \\\"[FILE]\\\" with any system command file not group-owned by\n\\\"root\\\" or a required system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238351 '\n tag rid: 'SV-238351r832962_rule '\n tag stig_id: 'UBTU-20-010430 '\n tag fix_id: 'F-41520r832961_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT group-owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238351' do\n title 'The Ubuntu operating system library files must be group-owned by root or a system account. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\", and\n\\\"/usr/lib\\\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command, replacing \\\"[FILE]\\\" with any system command file not group-owned by\n\\\"root\\\" or a required system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238351 '\n tag rid: 'SV-238351r832962_rule '\n tag stig_id: 'UBTU-20-010430 '\n tag fix_id: 'F-41520r832961_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT group-owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238351.rb", "line": 1 @@ -1894,9 +1971,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238283' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setfacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setfacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238283 '\n tag rid: 'SV-238283r654024_rule '\n tag stig_id: 'UBTU-20-010167 '\n tag fix_id: 'F-41452r654023_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/setfacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238283' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the setfacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setfacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep setfacl\n\n-a always,exit -F\npath=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setfacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/setfacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238283 '\n tag rid: 'SV-238283r654024_rule '\n tag stig_id: 'UBTU-20-010167 '\n tag fix_id: 'F-41452r654023_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/setfacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238283.rb", "line": 1 @@ -1925,9 +2003,10 @@ ], "nist": [ "IA-2 (11)" - ] + ], + "host": null }, - "code": "control 'SV-238230' do\n title \"The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. \"\n desc \"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management). \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \\\"libpam-pkcs11\\\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000375-GPOS-00160 '\n tag gid: 'V-238230 '\n tag rid: 'SV-238230r853410_rule '\n tag stig_id: 'UBTU-20-010063 '\n tag fix_id: 'F-41399r653864_fix '\n tag cci: ['CCI-001948']\n tag nist: ['IA-2 (11)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n end\nend\n", + "code": "control 'SV-238230' do\n title \"The Ubuntu operating system must implement multifactor authentication for remote access to\nprivileged accounts in such a way that one of the factors is provided by a device separate from\nthe system gaining access. \"\n desc \"Using an authentication device, such as a CAC or token that is separate from the information\nsystem, ensures that even if the information system is compromised, that compromise will not\naffect credentials stored on the authentication device.\n\nMultifactor solutions that\nrequire devices separate from information systems gaining access include, for example,\nhardware tokens providing time-based or challenge-response authenticators and smart\ncards such as the U.S. Government Personal Identity Verification card and the DoD Common\nAccess Card.\n\nA privileged account is defined as an information system account with\nauthorizations of a privileged user.\n\nRemote access is access to DoD nonpublic information\nsystems by an authorized user (or an information system) communicating through an external,\nnon-organization-controlled network. Remote access methods include, for example,\ndial-up, broadband, and wireless.\n\nThis requirement only applies to components where this\nis specific to the function of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the purpose of configuring\nthe device itself (management). \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to implement multifactor authentication by\ninstalling the required packages.\n\nInstall the \\\"libpam-pkcs11\\\" package on the system with\nthe following command:\n\n$ sudo apt install libpam-pkcs11 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000375-GPOS-00160 '\n tag gid: 'V-238230 '\n tag rid: 'SV-238230r853410_rule '\n tag stig_id: 'UBTU-20-010063 '\n tag fix_id: 'F-41399r653864_fix '\n tag cci: ['CCI-001948']\n tag nist: ['IA-2 (11)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238230.rb", "line": 1 @@ -1971,9 +2050,10 @@ "nist": [ "AC-2 (4)", "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238239' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238239 '\n tag rid: 'SV-238239r853417_rule '\n tag stig_id: 'UBTU-20-010101 '\n tag fix_id: 'F-41408r653891_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/group'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238239' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/group. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\ngroup\n\n-w /etc/group -p wa -k usergroup_modification\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/group\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/group -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238239 '\n tag rid: 'SV-238239r853417_rule '\n tag stig_id: 'UBTU-20-010101 '\n tag fix_id: 'F-41408r653891_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/group'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238239.rb", "line": 1 @@ -2002,9 +2082,10 @@ ], "nist": [ "IA-7" - ] + ], + "host": null }, - "code": "control 'SV-238325' do\n title \"The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. \"\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \\\"ENCRYPT_METHOD\\\" does not equal SHA512 or\ngreater, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \\\"/etc/login.defs\\\" file and set \\\"ENCRYPT_METHOD\\\" to SHA512:\n\n\nENCRYPT_METHOD SHA512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000120-GPOS-00061 '\n tag gid: 'V-238325 '\n tag rid: 'SV-238325r654150_rule '\n tag stig_id: 'UBTU-20-010404 '\n tag fix_id: 'F-41494r654149_fix '\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n elsif virtualization.system.eql?('docker')\n describe 'Manual test' do\n skip 'This control must be reviewed manually'\n end\n else\n describe login_defs do\n its('ENCRYPT_METHOD') { should eq 'SHA512' }\n end\n end\nend\n", + "code": "control 'SV-238325' do\n title \"The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved\ncryptographic hashing algorithm. \"\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS\n140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is\nbeing used to hash passwords with the following command:\n\n$ cat /etc/login.defs | grep -i\nencrypt_method\n\nENCRYPT_METHOD SHA512\n\nIf \\\"ENCRYPT_METHOD\\\" does not equal SHA512 or\ngreater, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to encrypt all stored passwords.\n\nEdit/modify the\nfollowing line in the \\\"/etc/login.defs\\\" file and set \\\"ENCRYPT_METHOD\\\" to SHA512:\n\n\nENCRYPT_METHOD SHA512 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000120-GPOS-00061 '\n tag gid: 'V-238325 '\n tag rid: 'SV-238325r654150_rule '\n tag stig_id: 'UBTU-20-010404 '\n tag fix_id: 'F-41494r654149_fix '\n tag cci: ['CCI-000803']\n tag nist: ['IA-7']\n tag 'host'\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n elsif virtualization.system.eql?('docker')\n describe 'Manual test' do\n skip 'This control must be reviewed manually'\n end\n else\n describe login_defs do\n its('ENCRYPT_METHOD') { should eq 'SHA512' }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238325.rb", "line": 1 @@ -2033,9 +2114,11 @@ ], "nist": [ "CM-6 b" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238374' do\n title 'The Ubuntu operating system must have an application firewall enabled. '\n desc \"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network. \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl status ufw.service | grep -i \\\"active:\\\"\n\nActive: active (exited) since Mon\n2016-10-17 12:30:29 CDT; 1s ago\n\nIf the above command returns the status as \\\"inactive\\\", this\nis a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator\nif another application firewall is installed. If no application firewall is installed, this\nis a finding. \"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\nufw.service\n\nIf the Uncomplicated Firewall is not currently running on the system, start it\nwith the following command:\n\n$ sudo systemctl start ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00232 '\n tag gid: 'V-238374 '\n tag rid: 'SV-238374r654297_rule '\n tag stig_id: 'UBTU-20-010454 '\n tag fix_id: 'F-41543r654296_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "code": "control 'SV-238374' do\n title 'The Ubuntu operating system must have an application firewall enabled. '\n desc \"Firewalls protect computers from network attacks by blocking or limiting access to open\nnetwork ports. Application firewalls limit which applications are allowed to communicate\nover the network. \"\n desc 'check', \"Verify the Uncomplicated Firewall is enabled on the system by running the following command:\n\n\n$ systemctl status ufw.service | grep -i \\\"active:\\\"\n\nActive: active (exited) since Mon\n2016-10-17 12:30:29 CDT; 1s ago\n\nIf the above command returns the status as \\\"inactive\\\", this\nis a finding.\n\nIf the Uncomplicated Firewall is not installed, ask the System Administrator\nif another application firewall is installed. If no application firewall is installed, this\nis a finding. \"\n desc 'fix', \"Enable the Uncomplicated Firewall by using the following command:\n\n$ sudo systemctl enable\nufw.service\n\nIf the Uncomplicated Firewall is not currently running on the system, start it\nwith the following command:\n\n$ sudo systemctl start ufw.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00232 '\n tag gid: 'V-238374 '\n tag rid: 'SV-238374r654297_rule '\n tag stig_id: 'UBTU-20-010454 '\n tag fix_id: 'F-41543r654296_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n describe service('ufw') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", "source_location": { "ref": "./controls/SV-238374.rb", "line": 1 @@ -2064,9 +2147,11 @@ ], "nist": [ "AU-8 (1) (a)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238356' do\n title \"The Ubuntu operating system must, for networked systems, compare internal information\nsystem clocks at least every 24 hours with a server which is synchronized to one of the\nredundant United States Naval Observatory (USNO) time servers, or a time server designated\nfor the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System\n(GPS). \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints). \"\n desc 'check', \"If the system is not networked, this requirement is Not Applicable.\n\nThe system clock must be\nconfigured to compare the system clock at least every 24 hours to the authoritative time\nsource.\n\nCheck the value of \\\"maxpoll\\\" in the \\\"/etc/chrony/chrony.conf\\\" file with the\nfollowing command:\n\n$ sudo grep maxpoll /etc/chrony/chrony.conf\nserver\ntick.usno.navy.mil iburst maxpoll 16\n\nIf the \\\"maxpoll\\\" option is set to a number greater\nthan 16 or the line is commented out, this is a finding.\n\nVerify that the \\\"chrony.conf\\\" file is\nconfigured to an authoritative DoD time source by running the following command:\n\n$ grep -i\nserver /etc/chrony/chrony.conf\nserver tick.usno.navy.mil iburst maxpoll 16\nserver\ntock.usno.navy.mil iburst maxpoll 16\nserver ntp2.usno.navy.mil iburst maxpoll 16\n\nIf\nthe parameter \\\"server\\\" is not set, is not set to an authoritative DoD time source, or is\ncommented out, this is a finding. \"\n desc 'fix', \"If the system is not networked, this requirement is Not Applicable.\n\nTo configure the system\nclock to compare the system clock at least every 24 hours to the authoritative time source,\nedit the \\\"/etc/chrony/chrony.conf\\\" file. Add or correct the following lines, by replacing\n\\\"[source]\\\" in the following line with an authoritative DoD time source:\n\nserver [source]\niburst maxpoll = 16\n\nIf the \\\"chrony\\\" service was running and the value of \\\"maxpoll\\\" or\n\\\"server\\\" was updated, the service must be restarted using the following command:\n\n$ sudo\nsystemctl restart chrony.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000355-GPOS-00143 '\n tag gid: 'V-238356 '\n tag rid: 'SV-238356r853431_rule '\n tag stig_id: 'UBTU-20-010435 '\n tag fix_id: 'F-41525r808491_fix '\n tag cci: ['CCI-001891']\n tag nist: ['AU-8 (1) (a)']\n\n is_system_networked = input('is_system_networked')\n\n if is_system_networked\n\n chrony_conf = input('chrony_config_file')\n chrony_conf_exists = file(chrony_conf).exist?\n\n if chrony_conf_exists\n describe 'time sources' do\n server_entries = command('grep \"^server\" /etc/chrony/chrony.conf').stdout.strip.split(\"\\n\").entries\n\n server_entries.each do |entry|\n describe entry do\n it { should match \"^server\\s+.*\\s+iburst\\s+maxpoll\\s+=\\s+17$\" }\n end\n end\n end\n else\n describe chrony_conf + ' exists' do\n subject { chrony_conf_exists }\n it { should be true }\n end\n end\n else\n describe 'System is not networked' do\n skip 'This control is Not Applicable as the system is not networked'\n end\n end\nend\n", + "code": "control 'SV-238356' do\n title \"The Ubuntu operating system must, for networked systems, compare internal information\nsystem clocks at least every 24 hours with a server which is synchronized to one of the\nredundant United States Naval Observatory (USNO) time servers, or a time server designated\nfor the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System\n(GPS). \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events. Sources\noutside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing\ninternal information system clocks provides uniformity of time stamps for information\nsystems with multiple system clocks and systems connected over a network.\n\nOrganizations\nshould consider endpoints that may not have regular access to the authoritative time server\n(e.g., mobile, teleworking, and tactical endpoints). \"\n desc 'check', \"If the system is not networked, this requirement is Not Applicable.\n\nThe system clock must be\nconfigured to compare the system clock at least every 24 hours to the authoritative time\nsource.\n\nCheck the value of \\\"maxpoll\\\" in the \\\"/etc/chrony/chrony.conf\\\" file with the\nfollowing command:\n\n$ sudo grep maxpoll /etc/chrony/chrony.conf\nserver\ntick.usno.navy.mil iburst maxpoll 16\n\nIf the \\\"maxpoll\\\" option is set to a number greater\nthan 16 or the line is commented out, this is a finding.\n\nVerify that the \\\"chrony.conf\\\" file is\nconfigured to an authoritative DoD time source by running the following command:\n\n$ grep -i\nserver /etc/chrony/chrony.conf\nserver tick.usno.navy.mil iburst maxpoll 16\nserver\ntock.usno.navy.mil iburst maxpoll 16\nserver ntp2.usno.navy.mil iburst maxpoll 16\n\nIf\nthe parameter \\\"server\\\" is not set, is not set to an authoritative DoD time source, or is\ncommented out, this is a finding. \"\n desc 'fix', \"If the system is not networked, this requirement is Not Applicable.\n\nTo configure the system\nclock to compare the system clock at least every 24 hours to the authoritative time source,\nedit the \\\"/etc/chrony/chrony.conf\\\" file. Add or correct the following lines, by replacing\n\\\"[source]\\\" in the following line with an authoritative DoD time source:\n\nserver [source]\niburst maxpoll = 16\n\nIf the \\\"chrony\\\" service was running and the value of \\\"maxpoll\\\" or\n\\\"server\\\" was updated, the service must be restarted using the following command:\n\n$ sudo\nsystemctl restart chrony.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000355-GPOS-00143 '\n tag gid: 'V-238356 '\n tag rid: 'SV-238356r853431_rule '\n tag stig_id: 'UBTU-20-010435 '\n tag fix_id: 'F-41525r808491_fix '\n tag cci: ['CCI-001891']\n tag nist: ['AU-8 (1) (a)']\n tag 'host', 'container'\n\n is_system_networked = input('is_system_networked')\n\n if is_system_networked\n\n chrony_conf = input('chrony_config_file')\n chrony_conf_exists = file(chrony_conf).exist?\n\n if chrony_conf_exists\n describe 'time sources' do\n server_entries = command('grep \"^server\" /etc/chrony/chrony.conf').stdout.strip.split(\"\\n\").entries\n\n server_entries.each do |entry|\n describe entry do\n it { should match \"^server\\s+.*\\s+iburst\\s+maxpoll\\s+=\\s+17$\" }\n end\n end\n end\n else\n describe chrony_conf + ' exists' do\n subject { chrony_conf_exists }\n it { should be true }\n end\n end\n else\n describe 'System is not networked' do\n skip 'This control is Not Applicable as the system is not networked'\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238356.rb", "line": 1 @@ -2095,9 +2180,11 @@ ], "nist": [ "SI-11 b" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238341' do\n title \"The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by\nadm. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be\ngroup-owned by adm with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log/syslog\n\n/var/log/syslog adm\n\nIf the \\\"/var/log/syslog\\\" file is not group-owned by adm, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have adm group-own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chgrp adm /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238341 '\n tag rid: 'SV-238341r654198_rule '\n tag stig_id: 'UBTU-20-010420 '\n tag fix_id: 'F-41510r654197_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n its('group') { should cmp 'adm' }\n end\nend\n", + "code": "control 'SV-238341' do\n title \"The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by\nadm. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be\ngroup-owned by adm with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log/syslog\n\n/var/log/syslog adm\n\nIf the \\\"/var/log/syslog\\\" file is not group-owned by adm, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have adm group-own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chgrp adm /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238341 '\n tag rid: 'SV-238341r654198_rule '\n tag stig_id: 'UBTU-20-010420 '\n tag fix_id: 'F-41510r654197_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host', 'container'\n\n describe file('/var/log/syslog') do\n its('group') { should cmp 'adm' }\n end\nend\n", "source_location": { "ref": "./controls/SV-238341.rb", "line": 1 @@ -2126,9 +2213,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238317' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/btmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/btmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/btmp file\\\".\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238317 '\n tag rid: 'SV-238317r654126_rule '\n tag stig_id: 'UBTU-20-010279 '\n tag fix_id: 'F-41486r654125_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/btmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238317' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/btmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/btmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/btmp'\n\n-w\n/var/log/btmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/btmp file\\\".\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/btmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238317 '\n tag rid: 'SV-238317r654126_rule '\n tag stig_id: 'UBTU-20-010279 '\n tag fix_id: 'F-41486r654125_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/btmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238317.rb", "line": 1 @@ -2157,9 +2245,11 @@ ], "nist": [ "IA-5 (1) (a)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238225' do\n title 'The Ubuntu operating system must enforce a minimum 15-character password length. '\n desc \"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password. \"\n desc 'check', \"Verify the pwquality configuration file enforces a minimum 15-character password length by\nrunning the following command:\n\n$ grep -i minlen\n/etc/security/pwquality.conf\nminlen=15\n\nIf \\\"minlen\\\" parameter value is not \\\"15\\\" or\nhigher or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a minimum 15-character password length.\n\n\nAdd or modify the \\\"minlen\\\" parameter value to the \\\"/etc/security/pwquality.conf\\\" file:\n\n\nminlen=15 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000078-GPOS-00046 '\n tag gid: 'V-238225 '\n tag rid: 'SV-238225r832942_rule '\n tag stig_id: 'UBTU-20-010054 '\n tag fix_id: 'F-41394r653849_fix '\n tag cci: ['CCI-000205']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('minlen') { should cmp >= '15' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238225' do\n title 'The Ubuntu operating system must enforce a minimum 15-character password length. '\n desc \"The shorter the password, the lower the number of possible combinations that need to be tested\nbefore the password is compromised.\n\nPassword complexity, or strength, is a measure of the\neffectiveness of a password in resisting attempts at guessing and brute-force attacks.\nPassword length is one factor of several that helps to determine strength and how long it takes\nto crack a password. Use of more characters in a password helps to exponentially increase the\ntime and/or resources required to compromise the password. \"\n desc 'check', \"Verify the pwquality configuration file enforces a minimum 15-character password length by\nrunning the following command:\n\n$ grep -i minlen\n/etc/security/pwquality.conf\nminlen=15\n\nIf \\\"minlen\\\" parameter value is not \\\"15\\\" or\nhigher or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a minimum 15-character password length.\n\n\nAdd or modify the \\\"minlen\\\" parameter value to the \\\"/etc/security/pwquality.conf\\\" file:\n\n\nminlen=15 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000078-GPOS-00046 '\n tag gid: 'V-238225 '\n tag rid: 'SV-238225r832942_rule '\n tag stig_id: 'UBTU-20-010054 '\n tag fix_id: 'F-41394r653849_fix '\n tag cci: ['CCI-000205']\n tag nist: ['IA-5 (1) (a)']\n tag 'host', 'container'\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('minlen') { should cmp >= '15' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238225.rb", "line": 1 @@ -2188,9 +2278,11 @@ ], "nist": [ "IA-5 (1) (a)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238222' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nlower-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none lower-case character be used.\n\nDetermine if the field \\\"lcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"lcredit\\\"\n/etc/security/pwquality.conf\nlcredit=-1\n\nIf the \\\"lcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"lcredit\\\" parameter:\n\n\nlcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000070-GPOS-00038 '\n tag gid: 'V-238222 '\n tag rid: 'SV-238222r653841_rule '\n tag stig_id: 'UBTU-20-010051 '\n tag fix_id: 'F-41391r653840_fix '\n tag cci: ['CCI-000193']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('lcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238222' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nlower-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none lower-case character be used.\n\nDetermine if the field \\\"lcredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"lcredit\\\"\n/etc/security/pwquality.conf\nlcredit=-1\n\nIf the \\\"lcredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"lcredit\\\" parameter:\n\n\nlcredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000070-GPOS-00038 '\n tag gid: 'V-238222 '\n tag rid: 'SV-238222r653841_rule '\n tag stig_id: 'UBTU-20-010051 '\n tag fix_id: 'F-41391r653840_fix '\n tag cci: ['CCI-000193']\n tag nist: ['IA-5 (1) (a)']\n tag 'host', 'container'\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('lcredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238222.rb", "line": 1 @@ -2219,9 +2311,11 @@ ], "nist": [ "CM-6 b" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-251503' do\n title 'The Ubuntu operating system must not have accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"Check the \\\"/etc/shadow\\\" file for blank passwords with the following command:\n\n$ sudo awk -F:\n'!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding. \"\n desc 'fix', \"Configure all accounts on the system to have a password or lock the account with the following\ncommands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo\npasswd -l [username] \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251503 '\n tag rid: 'SV-251503r808506_rule '\n tag stig_id: 'UBTU-20-010462 '\n tag fix_id: 'F-54892r808505_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe command(\"sudo awk -F: '!$2 {print $1}' /etc/shadow\") do\n its('stdout') { should be_empty }\n end\nend\n", + "code": "control 'SV-251503' do\n title 'The Ubuntu operating system must not have accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"Check the \\\"/etc/shadow\\\" file for blank passwords with the following command:\n\n$ sudo awk -F:\n'!$2 {print $1}' /etc/shadow\n\nIf the command returns any results, this is a finding. \"\n desc 'fix', \"Configure all accounts on the system to have a password or lock the account with the following\ncommands:\n\nPerform a password reset:\n$ sudo passwd [username]\nLock an account:\n$ sudo\npasswd -l [username] \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251503 '\n tag rid: 'SV-251503r808506_rule '\n tag stig_id: 'UBTU-20-010462 '\n tag fix_id: 'F-54892r808505_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n describe command(\"sudo awk -F: '!$2 {print $1}' /etc/shadow\") do\n its('stdout') { should be_empty }\n end\nend\n", "source_location": { "ref": "./controls/SV-251503.rb", "line": 1 @@ -2250,9 +2344,11 @@ ], "nist": [ "AC-8 a" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238197' do\n title \"The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \\\"false\\\", this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nLook for the\n\\\"banner-message-enable\\\" parameter under the \\\"[org/gnome/login-screen]\\\" section and\nuncomment it (remove the leading \\\"#\\\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238197 '\n tag rid: 'SV-238197r653766_rule '\n tag stig_id: 'UBTU-20-010002 '\n tag fix_id: 'F-41366r653765_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n\n xorg_status = command('which Xorg').exit_status\n\n if xorg_status == 0\n describe 'banner-message-enable must be set to true' do\n subject { command('grep banner-message-enable /etc/dconf/db/local.d/*') }\n its('stdout') { should match(/(banner-message-enable).+=.+(true)/) }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n", + "code": "control 'SV-238197' do\n title \"The Ubuntu operating system must enable the graphical user logon banner to display the\nStandard Mandatory DoD Notice and Consent Banner before granting local access to the system\nvia a graphical user logon. \"\n desc \"Display of a standardized and approved use notification before granting access to the Ubuntu\noperating system ensures privacy and security notification verbiage used is consistent\nwith applicable federal laws, Executive Orders, directives, policies, regulations,\nstandards, and guidance.\n\nSystem use notifications are required only for access via logon\ninterfaces with human users and are not required when such human interfaces do not exist.\n\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following\nverbiage for operating systems that can accommodate banners of 1300 characters:\n\n\\\"You are\naccessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\" \"\n desc 'check', \"Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD\nNotice and Consent Banner before granting access to the operating system via a graphical user\nlogon.\n\nNote: If the system does not have a graphical user interface installed, this\nrequirement is Not Applicable.\n\nCheck that the operating banner message for the graphical\nuser logon is enabled with the following command:\n\n$ grep ^banner-message-enable\n/etc/gdm3/greeter.dconf-defaults\n\nbanner-message-enable=true\n\nIf the line is\ncommented out or set to \\\"false\\\", this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/gdm3/greeter.dconf-defaults\\\" file.\n\nLook for the\n\\\"banner-message-enable\\\" parameter under the \\\"[org/gnome/login-screen]\\\" section and\nuncomment it (remove the leading \\\"#\\\" characters):\n\nNote: The lines are all near the bottom of\nthe file but not adjacent to each other.\n\n[org/gnome/login-screen]\n\n\nbanner-message-enable=true\n\nUpdate the GDM with the new configuration:\n\n$ sudo dconf\nupdate\n$ sudo systemctl restart gdm3 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000023-GPOS-00006 '\n tag gid: 'V-238197 '\n tag rid: 'SV-238197r653766_rule '\n tag stig_id: 'UBTU-20-010002 '\n tag fix_id: 'F-41366r653765_fix '\n tag cci: ['CCI-000048']\n tag nist: ['AC-8 a']\n tag 'host', 'container'\n\n xorg_status = command('which Xorg').exit_status\n\n if xorg_status == 0\n describe 'banner-message-enable must be set to true' do\n subject { command('grep banner-message-enable /etc/dconf/db/local.d/*') }\n its('stdout') { should match(/(banner-message-enable).+=.+(true)/) }\n end\n else\n describe command('which Xorg').exit_status do\n skip(\"GUI not installed.\\nwhich Xorg exit_status: \" + command('which Xorg').exit_status.to_s)\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238197.rb", "line": 1 @@ -2281,9 +2377,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238277' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"sudo\\\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudo\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238277 '\n tag rid: 'SV-238277r654006_rule '\n tag stig_id: 'UBTU-20-010161 '\n tag fix_id: 'F-41446r654005_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudo'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238277' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudo command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"sudo\\\"\ncommand.\n\nCheck the configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep /usr/bin/sudo\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F\nauid!=-1 -k priv_cmd\n\nIf the command does not return a line that matches the example or the\nline is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudo\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/sudo -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238277 '\n tag rid: 'SV-238277r654006_rule '\n tag stig_id: 'UBTU-20-010161 '\n tag fix_id: 'F-41446r654005_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudo'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238277.rb", "line": 1 @@ -2312,9 +2409,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238318' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"modprobe\\\" by running the following command:\n\n$ sudo auditctl -l | grep\n\\\"/sbin/modprobe\\\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"modprobe\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238318 '\n tag rid: 'SV-238318r654129_rule '\n tag stig_id: 'UBTU-20-010296 '\n tag fix_id: 'F-41487r654128_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/modprobe'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238318' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use modprobe command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"modprobe\\\" by running the following command:\n\n$ sudo auditctl -l | grep\n\\\"/sbin/modprobe\\\"\n\n-w /sbin/modprobe -p x -k modules\n\nIf the command does not return a line,\nor the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"modprobe\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /sbin/modprobe -p x -k modules\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238318 '\n tag rid: 'SV-238318r654129_rule '\n tag stig_id: 'UBTU-20-010296 '\n tag fix_id: 'F-41487r654128_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/modprobe'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238318.rb", "line": 1 @@ -2343,9 +2441,11 @@ ], "nist": [ "CM-5 (6)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238349' do\n title 'The Ubuntu operating system library files must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! -user root -type f -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library file is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238349 '\n tag rid: 'SV-238349r654222_rule '\n tag stig_id: 'UBTU-20-010428 '\n tag fix_id: 'F-41518r654221_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238349' do\n title 'The Ubuntu operating system library files must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\",\nand \\\"/usr/lib\\\" are owned by root with the following command:\n\n$ sudo find /lib /usr/lib\n/lib64 ! -user root -type f -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library file is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238349 '\n tag rid: 'SV-238349r654222_rule '\n tag stig_id: 'UBTU-20-010428 '\n tag fix_id: 'F-41518r654221_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238349.rb", "line": 1 @@ -2374,9 +2474,11 @@ ], "nist": [ "CM-6 b" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238220' do\n title \"The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy\ndisplay. \"\n desc \"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display. \"\n desc 'check', \"Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the\nSSH X11UseLocalhost setting with the following command:\n\n$ sudo grep -ir x11uselocalhost\n/etc/ssh/sshd_config*\nX11UseLocalhost yes\n\nIf the \\\"X11UseLocalhost\\\" keyword is set to\n\\\"no\\\", is missing, or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit\nthe \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11UseLocalhost\\\"\nkeyword and set its value to \\\"yes\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\n\nX11UseLocalhost yes\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238220 '\n tag rid: 'SV-238220r858535_rule '\n tag stig_id: 'UBTU-20-010049 '\n tag fix_id: 'F-41389r653834_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('X11UseLocalhost') { should cmp 'yes' }\n end\nend\n", + "code": "control 'SV-238220' do\n title \"The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy\ndisplay. \"\n desc \"When X11 forwarding is enabled, there may be additional exposure to the server and client\ndisplays if the sshd proxy display is configured to listen on the wildcard address. By\ndefault, sshd binds the forwarding server to the loopback address and sets the hostname part\nof the DISPLAY environment variable to localhost. This prevents remote hosts from\nconnecting to the proxy display. \"\n desc 'check', \"Verify the SSH daemon prevents remote hosts from connecting to the proxy display.\n\nCheck the\nSSH X11UseLocalhost setting with the following command:\n\n$ sudo grep -ir x11uselocalhost\n/etc/ssh/sshd_config*\nX11UseLocalhost yes\n\nIf the \\\"X11UseLocalhost\\\" keyword is set to\n\\\"no\\\", is missing, or is commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.\n\nEdit\nthe \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11UseLocalhost\\\"\nkeyword and set its value to \\\"yes\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\n\nX11UseLocalhost yes\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo\nsystemctl restart sshd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238220 '\n tag rid: 'SV-238220r858535_rule '\n tag stig_id: 'UBTU-20-010049 '\n tag fix_id: 'F-41389r653834_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n describe sshd_config do\n its('X11UseLocalhost') { should cmp 'yes' }\n end\nend\n", "source_location": { "ref": "./controls/SV-238220.rb", "line": 1 @@ -2405,9 +2507,11 @@ ], "nist": [ "SC-23 (5)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238364' do\n title \"The Ubuntu operating system must only allow the use of DoD PKI-established certificate\nauthorities for verification of the establishment of protected sessions. \"\n desc \"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates. \"\n desc 'check', \"Verify the directory containing the root certificates for the Ubuntu operating system\n(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate\nauthorities.\n\nDetermine if \\\"/etc/ssl/certs\\\" only contains certificate files whose\nsha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities\nwith the following command:\n\n$ for f in $(realpath /etc/ssl/certs/*); do openssl x509\n-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)';\ndone\n\nIf any entry is found, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to only allow the use of DoD PKI-established\ncertificate authorities for verification of the establishment of protected sessions.\n\n\nEdit the \\\"/etc/ca-certificates.conf\\\" file, adding the character \\\"!\\\" to the beginning of\nall uncommented lines that do not start with the \\\"!\\\" character with the following command:\n\n$\nsudo sed -i -E 's/^([^!#]+)/!\\\\1/' /etc/ca-certificates.conf\n\nAdd at least one DoD\ncertificate authority to the \\\"/usr/local/share/ca-certificates\\\" directory in the PEM\nformat.\n\nUpdate the \\\"/etc/ssl/certs\\\" directory with the following command:\n\n$ sudo\nupdate-ca-certificates \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000403-GPOS-00182 '\n tag gid: 'V-238364 '\n tag rid: 'SV-238364r860824_rule '\n tag stig_id: 'UBTU-20-010443 '\n tag fix_id: 'F-41533r860823_fix '\n tag cci: ['CCI-002470']\n tag nist: ['SC-23 (5)']\n\n allowed_ca_fingerprints_regex = input('allowed_ca_fingerprints_regex')\n find_command = ''\"\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '#{allowed_ca_fingerprints_regex}'\n done\n \"''\n describe command(find_command) do\n its('stdout') { should cmp '' }\n end\nend\n", + "code": "control 'SV-238364' do\n title \"The Ubuntu operating system must only allow the use of DoD PKI-established certificate\nauthorities for verification of the establishment of protected sessions. \"\n desc \"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by\norganizations or individuals that seek to compromise DoD systems or by organizations with\ninsufficient security controls. If the CA used for verifying the certificate is not a\nDoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept\nPKI-certificates obtained from a DoD-approved internal or external certificate\nauthority. Reliance on CAs for the establishment of secure sessions includes, for example,\nthe use of SSL/TLS certificates. \"\n desc 'check', \"Verify the directory containing the root certificates for the Ubuntu operating system\n(/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate\nauthorities.\n\nDetermine if \\\"/etc/ssl/certs\\\" only contains certificate files whose\nsha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities\nwith the following command:\n\n$ for f in $(realpath /etc/ssl/certs/*); do openssl x509\n-sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)';\ndone\n\nIf any entry is found, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to only allow the use of DoD PKI-established\ncertificate authorities for verification of the establishment of protected sessions.\n\n\nEdit the \\\"/etc/ca-certificates.conf\\\" file, adding the character \\\"!\\\" to the beginning of\nall uncommented lines that do not start with the \\\"!\\\" character with the following command:\n\n$\nsudo sed -i -E 's/^([^!#]+)/!\\\\1/' /etc/ca-certificates.conf\n\nAdd at least one DoD\ncertificate authority to the \\\"/usr/local/share/ca-certificates\\\" directory in the PEM\nformat.\n\nUpdate the \\\"/etc/ssl/certs\\\" directory with the following command:\n\n$ sudo\nupdate-ca-certificates \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000403-GPOS-00182 '\n tag gid: 'V-238364 '\n tag rid: 'SV-238364r860824_rule '\n tag stig_id: 'UBTU-20-010443 '\n tag fix_id: 'F-41533r860823_fix '\n tag cci: ['CCI-002470']\n tag nist: ['SC-23 (5)']\n tag 'host', 'container'\n\n allowed_ca_fingerprints_regex = input('allowed_ca_fingerprints_regex')\n find_command = ''\"\n for f in $(find -L /etc/ssl/certs -type f); do\n openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '#{allowed_ca_fingerprints_regex}'\n done\n \"''\n describe command(find_command) do\n its('stdout') { should cmp '' }\n end\nend\n", "source_location": { "ref": "./controls/SV-238364.rb", "line": 1 @@ -2436,9 +2540,11 @@ ], "nist": [ "CM-5 (6)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238378' do\n title \"The Ubuntu operating system must have system commands group-owned by root or a system\naccount. \"\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories are group-owned by root or\na required system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nRun the check with the following command:\n\n$ sudo find -L /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec\nstat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands are returned that are not Set Group ID upon\nexecution (SGID) files and group-owned by a required system account, this is a finding. \"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. Run the following\ncommand, replacing \\\"[FILE]\\\" with any system command file not group-owned by \\\"root\\\" or a\nrequired system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238378 '\n tag rid: 'SV-238378r832971_rule '\n tag stig_id: 'UBTU-20-010458 '\n tag fix_id: 'F-41547r832970_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -perm /2000 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are not Set Group ID up on execution (SGID) files and owned by a privileged account' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238378' do\n title \"The Ubuntu operating system must have system commands group-owned by root or a system\naccount. \"\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories are group-owned by root or\na required system account:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n\n/usr/local/sbin\n\nRun the check with the following command:\n\n$ sudo find -L /bin /sbin\n/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec\nstat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands are returned that are not Set Group ID upon\nexecution (SGID) files and group-owned by a required system account, this is a finding. \"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. Run the following\ncommand, replacing \\\"[FILE]\\\" with any system command file not group-owned by \\\"root\\\" or a\nrequired system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238378 '\n tag rid: 'SV-238378r832971_rule '\n tag stig_id: 'UBTU-20-010458 '\n tag fix_id: 'F-41547r832970_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -perm /2000 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are not Set Group ID up on execution (SGID) files and owned by a privileged account' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238378.rb", "line": 1 @@ -2472,9 +2578,10 @@ ], "nist": [ "AU-9 a" - ] + ], + "host": null }, - "code": "control 'SV-238246' do\n title \"The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the audit log files are owned by \\\"root\\\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \\\"root\\\" user by using the following\ncommand:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \\\"root\\\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238246 '\n tag rid: 'SV-238246r653913_rule '\n tag stig_id: 'UBTU-20-010123 '\n tag fix_id: 'F-41415r653912_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('owner') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238246' do\n title \"The Ubuntu operating system must be configured to permit only authorized users ownership of\nthe audit log files. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the audit log files are owned by \\\"root\\\" account.\n\nDetermine where the audit logs are\nstored with the following command:\n\n$ sudo grep -iw log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the\naudit logs, determine if the audit log files are owned by the \\\"root\\\" user by using the following\ncommand:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/audit/*\n/var/log/audit/audit.log root\n\nIf the\naudit log files are owned by an user other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" user.\n\n\nDetermine where the audit logs are stored with the following command:\n\n$ sudo grep -iw\nlog_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path\nof the directory containing the audit logs, configure the audit log files to be owned by \\\"root\\\"\nuser by using the following command:\n\n$ sudo chown root /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238246 '\n tag rid: 'SV-238246r653913_rule '\n tag stig_id: 'UBTU-20-010123 '\n tag fix_id: 'F-41415r653912_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('owner') { should cmp 'root' }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238246.rb", "line": 1 @@ -2503,9 +2610,11 @@ ], "nist": [ "CM-6 b" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238218' do\n title 'The Ubuntu operating system must not allow unattended or automatic login via SSH. '\n desc \"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security. \"\n desc 'check', \"Verify that unattended or automatic login via SSH is disabled with the following command:\n\n$\negrep -r '(Permit(.*?)(Passwords|Environment))'\n/etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf\n\\\"PermitEmptyPasswords\\\" or \\\"PermitUserEnvironment\\\" keywords are not set to \\\"no\\\", are\nmissing completely, or are commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or\nautomatic login to the system.\n\nAdd or edit the following lines in the\n\\\"/etc/ssh/sshd_config\\\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00229 '\n tag gid: 'V-238218 '\n tag rid: 'SV-238218r858531_rule '\n tag stig_id: 'UBTU-20-010047 '\n tag fix_id: 'F-41387r653828_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('PermitEmptyPasswords') { should cmp 'no' }\n its('PermitUserEnvironment') { should cmp 'no' }\n end\nend\n", + "code": "control 'SV-238218' do\n title 'The Ubuntu operating system must not allow unattended or automatic login via SSH. '\n desc \"Failure to restrict system access to authenticated users negatively impacts Ubuntu\noperating system security. \"\n desc 'check', \"Verify that unattended or automatic login via SSH is disabled with the following command:\n\n$\negrep -r '(Permit(.*?)(Passwords|Environment))'\n/etc/ssh/sshd_config\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\nIf\n\\\"PermitEmptyPasswords\\\" or \\\"PermitUserEnvironment\\\" keywords are not set to \\\"no\\\", are\nmissing completely, or are commented out, this is a finding.\nIf conflicting results are\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or\nautomatic login to the system.\n\nAdd or edit the following lines in the\n\\\"/etc/ssh/sshd_config\\\" file:\n\nPermitEmptyPasswords no\nPermitUserEnvironment no\n\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00229 '\n tag gid: 'V-238218 '\n tag rid: 'SV-238218r858531_rule '\n tag stig_id: 'UBTU-20-010047 '\n tag fix_id: 'F-41387r653828_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n describe sshd_config do\n its('PermitEmptyPasswords') { should cmp 'no' }\n its('PermitUserEnvironment') { should cmp 'no' }\n end\nend\n", "source_location": { "ref": "./controls/SV-238218.rb", "line": 1 @@ -2534,9 +2643,11 @@ ], "nist": [ "SI-6 b" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238236' do\n title \"The Ubuntu operating system must be configured so that the script which runs each 30 days or\nless to check file integrity is the default one. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality. \"\n desc 'check', \"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to\ncheck file integrity each 30 days or less is unchanged.\n\nDownload the original aide-common\npackage in the /tmp directory:\n\n$ cd /tmp; apt download aide-common\n\nFetch the SHA1 of the\noriginal script file:\n\n$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO\n./usr/share/aide/config/cron.daily/aide | sha1sum\n\n32958374f18871e3f7dda27a58d721f471843e26 -\n\nCompare with the SHA1 of the file in the\ndaily or monthly cron directory:\n\n$ sha1sum /etc/cron.{daily,monthly}/aide\n2>/dev/null\n32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide\n\nIf\nthere is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the\ndaily or monthly cron directory does not match the SHA1 of the original, this is a finding. \"\n desc 'fix', \"The cron file for AIDE is fairly complex as it creates the report. This file is installed with\nthe \\\"aide-common\\\" package, and the default can be restored by copying it from the package:\n\n\nDownload the original package to the /tmp dir:\n\n$ cd /tmp; apt download aide-common\n\n\nExtract the aide script to its original place:\n\n$ dpkg-deb --fsys-tarfile\n/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C /\n\n\nCopy it to the cron.daily directory:\n\n$ sudo cp -f\n/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000446-GPOS-00200 '\n tag gid: 'V-238236 '\n tag rid: 'SV-238236r853415_rule '\n tag stig_id: 'UBTU-20-010074 '\n tag fix_id: 'F-41405r653882_fix '\n tag cci: ['CCI-002699']\n tag nist: ['SI-6 b']\n\n describe('Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.') do\n skip('manual test')\n end\nend\n", + "code": "control 'SV-238236' do\n title \"The Ubuntu operating system must be configured so that the script which runs each 30 days or\nless to check file integrity is the default one. \"\n desc \"Without verification of the security functions, security functions may not operate\ncorrectly and the failure may go unnoticed. Security function is defined as the hardware,\nsoftware, and/or firmware of the information system responsible for enforcing the system\nsecurity policy and supporting the isolation of code and data on which the protection is\nbased. Security functionality includes, but is not limited to, establishing system\naccounts, configuring access authorizations (i.e., permissions, privileges), setting\nevents to be audited, and setting intrusion detection parameters.\n\nNotifications\nprovided by information systems include, for example, electronic alerts to System\nAdministrators, messages to local computer consoles, and/or hardware indications, such as\nlights.\n\nThis requirement applies to the Ubuntu operating system performing security\nfunction verification/testing and/or systems and environments that require this\nfunctionality. \"\n desc 'check', \"Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to\ncheck file integrity each 30 days or less is unchanged.\n\nDownload the original aide-common\npackage in the /tmp directory:\n\n$ cd /tmp; apt download aide-common\n\nFetch the SHA1 of the\noriginal script file:\n\n$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO\n./usr/share/aide/config/cron.daily/aide | sha1sum\n\n32958374f18871e3f7dda27a58d721f471843e26 -\n\nCompare with the SHA1 of the file in the\ndaily or monthly cron directory:\n\n$ sha1sum /etc/cron.{daily,monthly}/aide\n2>/dev/null\n32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide\n\nIf\nthere is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the\ndaily or monthly cron directory does not match the SHA1 of the original, this is a finding. \"\n desc 'fix', \"The cron file for AIDE is fairly complex as it creates the report. This file is installed with\nthe \\\"aide-common\\\" package, and the default can be restored by copying it from the package:\n\n\nDownload the original package to the /tmp dir:\n\n$ cd /tmp; apt download aide-common\n\n\nExtract the aide script to its original place:\n\n$ dpkg-deb --fsys-tarfile\n/tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C /\n\n\nCopy it to the cron.daily directory:\n\n$ sudo cp -f\n/usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000446-GPOS-00200 '\n tag gid: 'V-238236 '\n tag rid: 'SV-238236r853415_rule '\n tag stig_id: 'UBTU-20-010074 '\n tag fix_id: 'F-41405r653882_fix '\n tag cci: ['CCI-002699']\n tag nist: ['SI-6 b']\n tag 'host', 'container'\n\n describe('Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.') do\n skip('manual test')\n end\nend\n", "source_location": { "ref": "./controls/SV-238236.rb", "line": 1 @@ -2569,9 +2680,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238268' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \\\"chmod\\\", \\\"fchmod\\\" and\n\\\"fchmodat\\\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nAdd or update the following rules in\nthe \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238268 '\n tag rid: 'SV-238268r808480_rule '\n tag stig_id: 'UBTU-20-010152 '\n tag fix_id: 'F-41437r808479_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chmod').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chmod').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", + "code": "control 'SV-238268' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chmod, fchmod, and fchmodat system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F\narch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k\nperm_chng\n\nIf the command does not return audit rules for the \\\"chmod\\\", \\\"fchmod\\\" and\n\\\"fchmodat\\\" syscalls or the lines are commented out, this is a finding.\n\nNotes:\nFor 32-bit\narchitectures, only the 32-bit specific output lines from the commands are required.\nThe\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chmod\\\", \\\"fchmod\\\", and \\\"fchmodat\\\" system calls.\n\nAdd or update the following rules in\nthe \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a always,exit\n-F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238268 '\n tag rid: 'SV-238268r808480_rule '\n tag stig_id: 'UBTU-20-010152 '\n tag fix_id: 'F-41437r808479_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chmod').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chmod').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238268.rb", "line": 1 @@ -2605,9 +2717,10 @@ ], "nist": [ "AU-9 a" - ] + ], + "host": null }, - "code": "control 'SV-238245' do\n title \"The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify that the audit log files have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \\\"0600\\\" or\nless by using the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\\\"0600\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log files to have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \\\"0600\\\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028)\n tag gid: 'V-238245 '\n tag rid: 'SV-238245r653910_rule '\n tag stig_id: 'UBTU-20-010122 '\n tag fix_id: 'F-41414r653909_fix '\n tag cci: %w(CCI-000162 CCI-000163)\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n it { should_not be_more_permissive_than('0600') }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238245' do\n title \"The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify that the audit log files have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \\\"0600\\\" or\nless by using the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\\\"0600\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log files to have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \\\"0600\\\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028)\n tag gid: 'V-238245 '\n tag rid: 'SV-238245r653910_rule '\n tag stig_id: 'UBTU-20-010122 '\n tag fix_id: 'F-41414r653909_fix '\n tag cci: %w(CCI-000162 CCI-000163)\n tag nist: ['AU-9 a']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n it { should_not be_more_permissive_than('0600') }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238245.rb", "line": 1 @@ -2636,9 +2749,10 @@ ], "nist": [ "CM-6 b" - ] + ], + "host": null }, - "code": "control 'SV-238228' do\n title \"The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \\\"pwquality\\\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem. \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"libpam-pwquality\\\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \\\"libpam-pwquality\\\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \\\"pwquality\\\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \\\"enforcing\\\" is not \\\"1\\\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \\\"pwquality\\\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \\\"retry\\\" is set to \\\"0\\\" or greater than \\\"3\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the operating system to use \\\"pwquality\\\" to enforce password complexity rules.\n\n\nInstall the \\\"pam_pwquality\\\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \\\"/etc/security/pwquality.conf\\\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\\\"/etc/pam.d/common-password\\\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \\\"retry\\\" should be between \\\"1\\\" and\n\\\"3\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238228 '\n tag rid: 'SV-238228r653859_rule '\n tag stig_id: 'UBTU-20-010057 '\n tag fix_id: 'F-41397r653858_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pwquality') do\n it { should be_installed }\n end\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('enforcing') { should cmp 1 }\n end\n\n describe file('/etc/pam.d/common-password') do\n its('content') { should match '^password\\s+requisite\\s+pam_pwquality.so\\s+retry=3\\s+enforce_for_root$' }\n end\n end\nend\n", + "code": "control 'SV-238228' do\n title \"The Ubuntu operating system must be configured so that when passwords are changed or new\npasswords are established, pwquality must be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks. \\\"pwquality\\\" enforces complex\npassword construction configuration and has the ability to limit brute-force attacks on the\nsystem. \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"libpam-pwquality\\\" package installed by running\nthe following command:\n\n$ dpkg -l libpam-pwquality\n\nii libpam-pwquality:amd64 1.4.0-2\namd64 PAM module to check password strength\n\nIf \\\"libpam-pwquality\\\" is not installed, this\nis a finding.\n\nVerify that the operating system uses \\\"pwquality\\\" to enforce the password\ncomplexity rules.\n\nVerify the pwquality module is being enforced by the Ubuntu operating\nsystem by running the following command:\n\n$ grep -i enforcing\n/etc/security/pwquality.conf\n\nenforcing = 1\n\nIf the value of \\\"enforcing\\\" is not \\\"1\\\" or the\nline is commented out, this is a finding.\n\nCheck for the use of \\\"pwquality\\\" with the following\ncommand:\n\n$ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality\n\n\npassword requisite pam_pwquality.so retry=3\n\nIf no output is returned or the line is\ncommented out, this is a finding.\n\nIf the value of \\\"retry\\\" is set to \\\"0\\\" or greater than \\\"3\\\",\nthis is a finding. \"\n desc 'fix', \"Configure the operating system to use \\\"pwquality\\\" to enforce password complexity rules.\n\n\nInstall the \\\"pam_pwquality\\\" package by using the following command:\n\n$ sudo apt-get\ninstall libpam-pwquality -y\n\nAdd the following line to \\\"/etc/security/pwquality.conf\\\"\n(or modify the line to have the required value):\n\nenforcing = 1\n\nAdd the following line to\n\\\"/etc/pam.d/common-password\\\" (or modify the line to have the required value):\n\npassword\nrequisite pam_pwquality.so retry=3\n\nNote: The value of \\\"retry\\\" should be between \\\"1\\\" and\n\\\"3\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238228 '\n tag rid: 'SV-238228r653859_rule '\n tag stig_id: 'UBTU-20-010057 '\n tag fix_id: 'F-41397r653858_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe package('libpam-pwquality') do\n it { should be_installed }\n end\n\n describe parse_config_file('/etc/security/pwquality.conf') do\n its('enforcing') { should cmp 1 }\n end\n\n describe file('/etc/pam.d/common-password') do\n its('content') { should match '^password\\s+requisite\\s+pam_pwquality.so\\s+retry=3\\s+enforce_for_root$' }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238228.rb", "line": 1 @@ -2675,9 +2789,11 @@ "nist": [ "SC-8", "SC-8 (2)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238215' do\n title \"The Ubuntu operating system must use SSH to protect the confidentiality and integrity of\ntransmitted information. \"\n desc \"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.\n\n \"\n desc 'check', \"Verify the SSH package is installed with the following command:\n\n$ sudo dpkg -l | grep openssh\n\nii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access\nto remote machines\nii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server,\nfor secure access from remote machines\nii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64\nsecure shell (SSH) sftp server module, for SFTP access from remote machines\n\nIf the\n\\\"openssh\\\" server package is not installed, this is a finding.\n\nVerify the \\\"sshd.service\\\" is\nloaded and active with the following command:\n\n$ sudo systemctl status sshd.service | egrep\n-i \\\"(active|loaded)\\\"\n Loaded: loaded (/lib/systemd/system/ssh.service; enabled;\nvendor preset: enabled)\n Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1\nweeks 3 days ago\n\nIf \\\"sshd.service\\\" is not active or loaded, this is a finding. \"\n desc 'fix', \"Install the \\\"ssh\\\" meta-package on the system with the following command:\n\n$ sudo apt install\nssh\n\nEnable the \\\"ssh\\\" service to start automatically on reboot with the following command:\n\n\n$ sudo systemctl enable sshd.service\n\nensure the \\\"ssh\\\" service is running\n\n$ sudo\nsystemctl start sshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000423-GPOS-00187 '\n tag satisfies: %w(SRG-OS-000423-GPOS-00187 SRG-OS-000425-GPOS-00189 SRG-OS-000426-GPOS-00190)\n tag gid: 'V-238215 '\n tag rid: 'SV-238215r853406_rule '\n tag stig_id: 'UBTU-20-010042 '\n tag fix_id: 'F-41384r653819_fix '\n tag cci: %w(CCI-002418 CCI-002420 CCI-002422)\n tag nist: ['SC-8', 'SC-8 (2)']\n\n describe package('openssh-client') do\n it { should be_installed }\n end\n\n describe package('openssh-server') do\n it { should be_installed }\n end\n\n describe package('openssh-sftp-server') do\n it { should be_installed }\n end\n\n describe service('sshd') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\nend\n", + "code": "control 'SV-238215' do\n title \"The Ubuntu operating system must use SSH to protect the confidentiality and integrity of\ntransmitted information. \"\n desc \"Without protection of the transmitted information, confidentiality and integrity may be\ncompromised because unprotected communications can be intercepted and either read or\naltered.\n\nThis requirement applies to both internal and external networks and all types of\ninformation system components from which information can be transmitted (e.g., servers,\nmobile devices, notebook computers, printers, copiers, scanners, and facsimile\nmachines). Communication paths outside the physical protection of a controlled boundary\nare exposed to the possibility of interception and modification.\n\nProtecting the\nconfidentiality and integrity of organizational information can be accomplished by\nphysical means (e.g., employing physical distribution systems) or by logical means (e.g.,\nemploying cryptographic techniques). If physical means of protection are employed, then\nlogical means (cryptography) do not have to be employed, and vice versa.\n\n \"\n desc 'check', \"Verify the SSH package is installed with the following command:\n\n$ sudo dpkg -l | grep openssh\n\nii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access\nto remote machines\nii openssh-server 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) server,\nfor secure access from remote machines\nii openssh-sftp-server 1:7.6p1-4ubuntu0.1 amd64\nsecure shell (SSH) sftp server module, for SFTP access from remote machines\n\nIf the\n\\\"openssh\\\" server package is not installed, this is a finding.\n\nVerify the \\\"sshd.service\\\" is\nloaded and active with the following command:\n\n$ sudo systemctl status sshd.service | egrep\n-i \\\"(active|loaded)\\\"\n Loaded: loaded (/lib/systemd/system/ssh.service; enabled;\nvendor preset: enabled)\n Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1\nweeks 3 days ago\n\nIf \\\"sshd.service\\\" is not active or loaded, this is a finding. \"\n desc 'fix', \"Install the \\\"ssh\\\" meta-package on the system with the following command:\n\n$ sudo apt install\nssh\n\nEnable the \\\"ssh\\\" service to start automatically on reboot with the following command:\n\n\n$ sudo systemctl enable sshd.service\n\nensure the \\\"ssh\\\" service is running\n\n$ sudo\nsystemctl start sshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000423-GPOS-00187 '\n tag satisfies: %w(SRG-OS-000423-GPOS-00187 SRG-OS-000425-GPOS-00189 SRG-OS-000426-GPOS-00190)\n tag gid: 'V-238215 '\n tag rid: 'SV-238215r853406_rule '\n tag stig_id: 'UBTU-20-010042 '\n tag fix_id: 'F-41384r653819_fix '\n tag cci: %w(CCI-002418 CCI-002420 CCI-002422)\n tag nist: ['SC-8', 'SC-8 (2)']\n tag 'host', 'container'\n\n describe package('openssh-client') do\n it { should be_installed }\n end\n\n describe package('openssh-server') do\n it { should be_installed }\n end\n\n describe package('openssh-sftp-server') do\n it { should be_installed }\n end\n\n describe service('sshd') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\nend\n", "source_location": { "ref": "./controls/SV-238215.rb", "line": 1 @@ -2711,9 +2827,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238287' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238287 '\n tag rid: 'SV-238287r654036_rule '\n tag stig_id: 'UBTU-20-010171 '\n tag fix_id: 'F-41456r654035_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/lastlog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238287' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of the\nlastlog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record when successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file occur.\n\nCheck the currently configured audit rules\nwith the following command:\n\n$ sudo auditctl -l | grep lastlog\n\n-w /var/log/lastlog -p wa -k\nlogins\n\nIf the command does not return a line that matches the example or the line is commented\nout, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and\nthe string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"lastlog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/lastlog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238287 '\n tag rid: 'SV-238287r654036_rule '\n tag stig_id: 'UBTU-20-010171 '\n tag fix_id: 'F-41456r654035_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/lastlog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238287.rb", "line": 1 @@ -2742,9 +2859,11 @@ ], "nist": [ "AU-8 (1) (b)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238357' do\n title \"The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference. \"\n desc 'check', \"Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \\\"makestep\\\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \\\"1 -1\\\", this is a finding. \"\n desc 'fix', \"Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\\\"/etc/chrony/chrony.conf\\\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000356-GPOS-00144 '\n tag gid: 'V-238357 '\n tag rid: 'SV-238357r853432_rule '\n tag stig_id: 'UBTU-20-010436 '\n tag fix_id: 'F-41526r654245_fix '\n tag cci: ['CCI-002046']\n tag nist: ['AU-8 (1) (b)']\n\n chrony_file_path = input('chrony_config_file')\n chrony_file = file(chrony_file_path)\n\n if chrony_file.exist?\n describe chrony_file do\n subject { chrony_file }\n its('content') { should match(/^makestep 1 -1/) }\n end\n else\n describe(chrony_file_path + ' exists') do\n subject { chrony_file.exist? }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238357' do\n title \"The Ubuntu operating system must synchronize internal information system clocks to the\nauthoritative time source when the time difference is greater than one second. \"\n desc \"Inaccurate time stamps make it more difficult to correlate events and can lead to an\ninaccurate analysis. Determining the correct time a particular event occurred on a system is\ncritical when conducting forensic analysis and investigating system events.\n\n\nSynchronizing internal information system clocks provides uniformity of time stamps for\ninformation systems with multiple system clocks and systems connected over a network.\nOrganizations should consider setting time periods for different types of systems (e.g.,\nfinancial, legal, or mission-critical systems).\n\nOrganizations should also consider\nendpoints that may not have regular access to the authoritative time server (e.g., mobile,\nteleworking, and tactical endpoints). This requirement is related to the comparison done\nevery 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the\ntime difference. \"\n desc 'check', \"Verify the operating system synchronizes internal system clocks to the authoritative time\nsource when the time difference is greater than one second.\n\nCheck the value of \\\"makestep\\\" by\nrunning the following command:\n\n$ sudo grep makestep /etc/chrony/chrony.conf\n\nmakestep\n1 -1\n\nIf the makestep option is commented out or is not set to \\\"1 -1\\\", this is a finding. \"\n desc 'fix', \"Configure chrony to synchronize the internal system clocks to the authoritative source when\nthe time difference is greater than one second by doing the following:\n\nEdit the\n\\\"/etc/chrony/chrony.conf\\\" file and add:\n\nmakestep 1 -1\n\nRestart the chrony service:\n\n$\nsudo systemctl restart chrony.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000356-GPOS-00144 '\n tag gid: 'V-238357 '\n tag rid: 'SV-238357r853432_rule '\n tag stig_id: 'UBTU-20-010436 '\n tag fix_id: 'F-41526r654245_fix '\n tag cci: ['CCI-002046']\n tag nist: ['AU-8 (1) (b)']\n tag 'host', 'container'\n\n chrony_file_path = input('chrony_config_file')\n chrony_file = file(chrony_file_path)\n\n if chrony_file.exist?\n describe chrony_file do\n subject { chrony_file }\n its('content') { should match(/^makestep 1 -1/) }\n end\n else\n describe(chrony_file_path + ' exists') do\n subject { chrony_file.exist? }\n it { should be true }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238357.rb", "line": 1 @@ -2773,9 +2892,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238291' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"chage\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chage\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238291 '\n tag rid: 'SV-238291r654048_rule '\n tag stig_id: 'UBTU-20-010175 '\n tag fix_id: 'F-41460r654047_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chage'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238291' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chage command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"chage\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w chage\n\n-a always,exit -F path=/usr/bin/chage -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-chage\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"chage\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chage -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238291 '\n tag rid: 'SV-238291r654048_rule '\n tag stig_id: 'UBTU-20-010175 '\n tag fix_id: 'F-41460r654047_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chage'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238291.rb", "line": 1 @@ -2804,9 +2924,11 @@ ], "nist": [ "CM-6 b" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238209' do\n title \"The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. \"\n desc \"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access. \"\n desc 'check', \"Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \\\"umask\\\" /etc/login.defs\n\nUMASK 077\n\nIf the \\\"UMASK\\\"\nvariable is set to \\\"000\\\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\\\"UMASK\\\" is not set to \\\"077\\\", is commented out, or is missing completely, this is a finding. \"\n desc 'fix', \"Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \\\"UMASK\\\" parameter in the\n\\\"/etc/login.defs\\\" file to match the example below:\n\nUMASK 077 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00228 '\n tag gid: 'V-238209 '\n tag rid: 'SV-238209r653802_rule '\n tag stig_id: 'UBTU-20-010016 '\n tag fix_id: 'F-41378r653801_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe login_defs do\n its('UMASK') { should eq '077' }\n end\nend\n", + "code": "control 'SV-238209' do\n title \"The Ubuntu operating system default filesystem permissions must be defined in such a way that\nall authenticated users can read and modify only their own files. \"\n desc \"Setting the most restrictive default permissions ensures that when new accounts are created\nthey do not have unnecessary access. \"\n desc 'check', \"Verify the Ubuntu operating system defines default permissions for all authenticated users\nin such a way that the user can read and modify only their own files.\n\nVerify the Ubuntu\noperating system defines default permissions for all authenticated users with the\nfollowing command:\n\n$ grep -i \\\"umask\\\" /etc/login.defs\n\nUMASK 077\n\nIf the \\\"UMASK\\\"\nvariable is set to \\\"000\\\", this is a finding with the severity raised to a CAT I.\n\nIf the value of\n\\\"UMASK\\\" is not set to \\\"077\\\", is commented out, or is missing completely, this is a finding. \"\n desc 'fix', \"Configure the system to define the default permissions for all authenticated users in such a\nway that the user can read and modify only their own files.\n\nEdit the \\\"UMASK\\\" parameter in the\n\\\"/etc/login.defs\\\" file to match the example below:\n\nUMASK 077 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00228 '\n tag gid: 'V-238209 '\n tag rid: 'SV-238209r653802_rule '\n tag stig_id: 'UBTU-20-010016 '\n tag fix_id: 'F-41378r653801_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n describe login_defs do\n its('UMASK') { should eq '077' }\n end\nend\n", "source_location": { "ref": "./controls/SV-238209.rb", "line": 1 @@ -2835,9 +2957,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238255' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \\\"umount\\\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"umount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238255 '\n tag rid: 'SV-238255r653940_rule '\n tag stig_id: 'UBTU-20-010139 '\n tag fix_id: 'F-41424r653939_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/umount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238255' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the umount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify if the Ubuntu operating system generates audit records upon\nsuccessful/unsuccessful attempts to use the \\\"umount\\\" command.\n\nCheck the configured\naudit rules with the following commands:\n\n$ sudo auditctl -l | grep '/usr/bin/umount'\n\n-a\nalways,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-umount\n\nIf the command does not return lines that match the example or the lines\nare commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"umount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/umount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238255 '\n tag rid: 'SV-238255r653940_rule '\n tag stig_id: 'UBTU-20-010139 '\n tag fix_id: 'F-41424r653939_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/umount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238255.rb", "line": 1 @@ -2866,9 +2989,11 @@ ], "nist": [ "AC-12" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238207' do\n title \"The Ubuntu operating system must automatically terminate a user session after inactivity\ntimeouts have expired. \"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance. \"\n desc 'check', \"Verify the operating system automatically terminates a user session after inactivity\ntimeouts have expired.\n\nCheck that \\\"TMOUT\\\" environment variable is set in the\n\\\"/etc/bash.bashrc\\\" file or in any file inside the \\\"/etc/profile.d/\\\" directory by\nperforming the following command:\n\n$ grep -E \\\"\\\\bTMOUT=[0-9]+\\\" /etc/bash.bashrc\n/etc/profile.d/*\n\nTMOUT=600\n\nIf \\\"TMOUT\\\" is not set, or if the value is \\\"0\\\" or is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the operating system to automatically terminate a user session after inactivity\ntimeouts have expired or at shutdown.\n\nCreate the file\n\\\"/etc/profile.d/99-terminal_tmout.sh\\\" file if it does not exist.\n\nModify or append the\nfollowing line in the \\\"/etc/profile.d/99-terminal_tmout.sh \\\" file:\n\nTMOUT=600\n\nThis\nwill set a timeout value of 10 minutes for all future sessions.\n\nTo set the timeout for the\ncurrent sessions, execute the following command over the terminal session:\n\n$ export\nTMOUT=600 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000279-GPOS-00109 '\n tag gid: 'V-238207 '\n tag rid: 'SV-238207r853404_rule '\n tag stig_id: 'UBTU-20-010013 '\n tag fix_id: 'F-41376r653795_fix '\n tag cci: ['CCI-002361']\n tag nist: ['AC-12']\n\n profile_files = command('find /etc/profile.d/ /etc/bash.bashrc -type f').stdout.strip.split(\"\\n\").entries\n timeout = input('tmout').to_s\n\n describe.one do\n profile_files.each do |pf|\n describe file(pf.strip) do\n its('content') { should match \"^TMOUT=#{timeout}$\" }\n end\n end\n end\nend\n", + "code": "control 'SV-238207' do\n title \"The Ubuntu operating system must automatically terminate a user session after inactivity\ntimeouts have expired. \"\n desc \"Automatic session termination addresses the termination of user-initiated logical\nsessions in contrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on behalf of a\nuser) accesses an organizational information system. Such user sessions can be terminated\n(and thus terminate user access) without terminating network sessions.\n\nSession\ntermination terminates all processes associated with a user's logical session except those\nprocesses that are specifically created by the user (i.e., session owner) to continue after\nthe session is terminated.\n\nConditions or trigger events requiring automatic session\ntermination can include, for example, organization-defined periods of user inactivity,\ntargeted responses to certain types of incidents, and time-of-day restrictions on\ninformation system use.\n\nThis capability is typically reserved for specific operating\nsystem functionality where the system owner, data owner, or organization requires\nadditional assurance. \"\n desc 'check', \"Verify the operating system automatically terminates a user session after inactivity\ntimeouts have expired.\n\nCheck that \\\"TMOUT\\\" environment variable is set in the\n\\\"/etc/bash.bashrc\\\" file or in any file inside the \\\"/etc/profile.d/\\\" directory by\nperforming the following command:\n\n$ grep -E \\\"\\\\bTMOUT=[0-9]+\\\" /etc/bash.bashrc\n/etc/profile.d/*\n\nTMOUT=600\n\nIf \\\"TMOUT\\\" is not set, or if the value is \\\"0\\\" or is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the operating system to automatically terminate a user session after inactivity\ntimeouts have expired or at shutdown.\n\nCreate the file\n\\\"/etc/profile.d/99-terminal_tmout.sh\\\" file if it does not exist.\n\nModify or append the\nfollowing line in the \\\"/etc/profile.d/99-terminal_tmout.sh \\\" file:\n\nTMOUT=600\n\nThis\nwill set a timeout value of 10 minutes for all future sessions.\n\nTo set the timeout for the\ncurrent sessions, execute the following command over the terminal session:\n\n$ export\nTMOUT=600 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000279-GPOS-00109 '\n tag gid: 'V-238207 '\n tag rid: 'SV-238207r853404_rule '\n tag stig_id: 'UBTU-20-010013 '\n tag fix_id: 'F-41376r653795_fix '\n tag cci: ['CCI-002361']\n tag nist: ['AC-12']\n tag 'host', 'container'\n\n profile_files = command('find /etc/profile.d/ /etc/bash.bashrc -type f').stdout.strip.split(\"\\n\").entries\n timeout = input('tmout').to_s\n\n describe.one do\n profile_files.each do |pf|\n describe file(pf.strip) do\n its('content') { should match \"^TMOUT=#{timeout}$\" }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238207.rb", "line": 1 @@ -2897,9 +3022,11 @@ ], "nist": [ "AC-2 (2)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238331' do\n title \"The Ubuntu operating system must automatically remove or disable emergency accounts after\n72 hours. \"\n desc \"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts. \"\n desc 'check', \"Verify the Ubuntu operating system expires emergency accounts within 72 hours or less.\n\nFor\nevery emergency account, run the following command to obtain its account expiration\ninformation:\n\n$ sudo chage -l account_name | grep expires\n\nPassword expires : Aug 07, 2019\n\nAccount expires : Aug 07, 2019\n\nVerify each of these accounts has an expiration date set\nwithin 72 hours of account creation.\n\nIf any of these accounts do not expire within 72 hours of\nthat account's creation, this is a finding. \"\n desc 'fix', \"If an emergency account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it. Substitute\n\\\"account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\" +%F)\naccount_name \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000123-GPOS-00064 '\n tag gid: 'V-238331 '\n tag rid: 'SV-238331r654168_rule '\n tag stig_id: 'UBTU-20-010410 '\n tag fix_id: 'F-41500r654167_fix '\n tag cci: ['CCI-001682']\n tag nist: ['AC-2 (2)']\n\n describe 'Manual verification required' do\n skip 'Manually verify if emergency account must be created\n the system must terminate the account after a 72 hour time period.'\n end\nend\n", + "code": "control 'SV-238331' do\n title \"The Ubuntu operating system must automatically remove or disable emergency accounts after\n72 hours. \"\n desc \"Emergency accounts are different from infrequently used accounts (i.e., local logon\naccounts used by the organization's System Administrator\ns when network or normal\nlogon/access is not available). Infrequently used accounts are not subject to automatic\ntermination dates. Emergency accounts are accounts created in response to crisis\nsituations, usually for use by maintenance personnel. The automatic expiration or\ndisabling time period may be extended as needed until the crisis is resolved; however, it must\nnot be extended indefinitely. A permanent account should be established for privileged\nusers who need long-term maintenance accounts. \"\n desc 'check', \"Verify the Ubuntu operating system expires emergency accounts within 72 hours or less.\n\nFor\nevery emergency account, run the following command to obtain its account expiration\ninformation:\n\n$ sudo chage -l account_name | grep expires\n\nPassword expires : Aug 07, 2019\n\nAccount expires : Aug 07, 2019\n\nVerify each of these accounts has an expiration date set\nwithin 72 hours of account creation.\n\nIf any of these accounts do not expire within 72 hours of\nthat account's creation, this is a finding. \"\n desc 'fix', \"If an emergency account must be created, configure the system to terminate the account after a\n72-hour time period with the following command to set an expiration date on it. Substitute\n\\\"account_name\\\" with the account to be created.\n\n$ sudo chage -E $(date -d \\\"+3 days\\\" +%F)\naccount_name \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000123-GPOS-00064 '\n tag gid: 'V-238331 '\n tag rid: 'SV-238331r654168_rule '\n tag stig_id: 'UBTU-20-010410 '\n tag fix_id: 'F-41500r654167_fix '\n tag cci: ['CCI-001682']\n tag nist: ['AC-2 (2)']\n tag 'host', 'container'\n\n describe 'Manual verification required' do\n skip 'Manually verify if emergency account must be created\n the system must terminate the account after a 72 hour time period.'\n end\nend\n", "source_location": { "ref": "./controls/SV-238331.rb", "line": 1 @@ -2928,9 +3055,11 @@ ], "nist": [ "SI-11 b" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238340' do\n title \"The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory with a mode of\n750 or less permissive with the following command:\n\n$ stat -c \\\"%n %a\\\" /var/log\n\n/var/log 750\n\n\nIf a value of \\\"750\\\" or less permissive is not returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0750 for the \\\"/var/log\\\"\ndirectory by running the following command:\n\n$ sudo chmod 0750 /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238340 '\n tag rid: 'SV-238340r654195_rule '\n tag stig_id: 'UBTU-20-010419 '\n tag fix_id: 'F-41509r654194_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n it { should_not be_more_permissive_than('0750') }\n end\nend\n", + "code": "control 'SV-238340' do\n title \"The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory with a mode of\n750 or less permissive with the following command:\n\n$ stat -c \\\"%n %a\\\" /var/log\n\n/var/log 750\n\n\nIf a value of \\\"750\\\" or less permissive is not returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0750 for the \\\"/var/log\\\"\ndirectory by running the following command:\n\n$ sudo chmod 0750 /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238340 '\n tag rid: 'SV-238340r654195_rule '\n tag stig_id: 'UBTU-20-010419 '\n tag fix_id: 'F-41509r654194_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host', 'container'\n\n describe directory('/var/log') do\n it { should_not be_more_permissive_than('0750') }\n end\nend\n", "source_location": { "ref": "./controls/SV-238340.rb", "line": 1 @@ -2965,9 +3094,10 @@ "nist": [ "AU-9 a", "AU-9" - ] + ], + "host": null }, - "code": "control 'SV-238302' do\n title 'The Ubuntu operating system must configure the audit tools to be group-owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \\\"%n %G\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not group-owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238302 '\n tag rid: 'SV-238302r654081_rule '\n tag stig_id: 'UBTU-20-010201 '\n tag fix_id: 'F-41471r654080_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n", + "code": "control 'SV-238302' do\n title 'The Ubuntu operating system must configure the audit tools to be group-owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \\\"%n %G\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not group-owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238302 '\n tag rid: 'SV-238302r654081_rule '\n tag stig_id: 'UBTU-20-010201 '\n tag fix_id: 'F-41471r654080_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238302.rb", "line": 1 @@ -2996,9 +3126,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238319' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"kmod\\\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"kmod\\\".\n\nAdd or update the following rule in the \\\"/etc/audit/rules.d/stig.rules\\\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238319 '\n tag rid: 'SV-238319r654132_rule '\n tag stig_id: 'UBTU-20-010297 '\n tag fix_id: 'F-41488r654131_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/kmod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238319' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the kmod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the module\nmanagement program \\\"kmod\\\".\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep kmod\n\n-w /bin/kmod -p x -k module\n\nIf the command does not\nreturn a line, or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the module management\nprogram \\\"kmod\\\".\n\nAdd or update the following rule in the \\\"/etc/audit/rules.d/stig.rules\\\"\nfile:\n\n-w /bin/kmod -p x -k modules\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238319 '\n tag rid: 'SV-238319r654132_rule '\n tag stig_id: 'UBTU-20-010297 '\n tag fix_id: 'F-41488r654131_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/kmod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238319.rb", "line": 1 @@ -3027,9 +3158,10 @@ ], "nist": [ "IA-5 (2) (a) (2)" - ] + ], + "host": null }, - "code": "control 'SV-238201' do\n title \"The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. \"\n desc \"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis. \"\n desc 'check', \"Verify that \\\"use_mappers\\\" is set to \\\"pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\\\"use_mappers\\\" is not found or the list does not contain \\\"pwent\\\" this is a finding. \"\n desc 'fix', \"Set \\\"use_mappers=pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000068-GPOS-00036 '\n tag gid: 'V-238201 '\n tag rid: 'SV-238201r832933_rule '\n tag stig_id: 'UBTU-20-010006 '\n tag fix_id: 'F-41370r653777_fix '\n tag cci: ['CCI-000187']\n tag nist: ['IA-5 (2) (a) (2)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'This control is Not Applicable inside a container' do\n skip 'This control is Not Applicable inside a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file = '/etc/pam_pkcs11/pam_pkcs11.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('use_mappers') { should cmp 'pwent' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238201' do\n title \"The Ubuntu operating system must map the authenticated identity to the user or group account\nfor PKI-based authentication. \"\n desc \"Without mapping the certificate used to authenticate to the user account, the ability to\ndetermine the identity of the individual user or group will not be available for forensic\nanalysis. \"\n desc 'check', \"Verify that \\\"use_mappers\\\" is set to \\\"pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" file:\n\n\n$ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf\nuse_mappers = pwent\n\nIf\n\\\"use_mappers\\\" is not found or the list does not contain \\\"pwent\\\" this is a finding. \"\n desc 'fix', \"Set \\\"use_mappers=pwent\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" or, if there is already a\ncomma-separated list of mappers, add it to the list, separated by comma, and before the null\nmapper.\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000068-GPOS-00036 '\n tag gid: 'V-238201 '\n tag rid: 'SV-238201r832933_rule '\n tag stig_id: 'UBTU-20-010006 '\n tag fix_id: 'F-41370r653777_fix '\n tag cci: ['CCI-000187']\n tag nist: ['IA-5 (2) (a) (2)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'This control is Not Applicable inside a container' do\n skip 'This control is Not Applicable inside a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file = '/etc/pam_pkcs11/pam_pkcs11.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('use_mappers') { should cmp 'pwent' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238201.rb", "line": 1 @@ -3074,9 +3206,10 @@ "nist": [ "AC-2 (4)", "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238238' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000463-GPOS-00207 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238238 '\n tag rid: 'SV-238238r853416_rule '\n tag stig_id: 'UBTU-20-010100 '\n tag fix_id: 'F-41407r653888_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238238' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000463-GPOS-00207 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238238 '\n tag rid: 'SV-238238r853416_rule '\n tag stig_id: 'UBTU-20-010100 '\n tag fix_id: 'F-41407r653888_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238238.rb", "line": 1 @@ -3105,9 +3238,11 @@ ], "nist": [ "SC-28" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238335' do\n title \"Ubuntu operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. \"\n desc \"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation. \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000185-GPOS-00079 '\n tag gid: 'V-238335 '\n tag rid: 'SV-238335r654180_rule '\n tag stig_id: 'UBTU-20-010414 '\n tag fix_id: 'F-41504r654179_fix '\n tag cci: ['CCI-001199']\n tag nist: ['SC-28']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n", + "code": "control 'SV-238335' do\n title \"Ubuntu operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. \"\n desc \"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation. \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000185-GPOS-00079 '\n tag gid: 'V-238335 '\n tag rid: 'SV-238335r654180_rule '\n tag stig_id: 'UBTU-20-010414 '\n tag fix_id: 'F-41504r654179_fix '\n tag cci: ['CCI-001199']\n tag nist: ['SC-28']\n tag 'host', 'container'\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n", "source_location": { "ref": "./controls/SV-238335.rb", "line": 1 @@ -3140,9 +3275,10 @@ ], "nist": [ "SC-13 b" - ] + ], + "host": null }, - "code": "control 'SV-238363' do\n title \"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. \"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.\n\n \"\n desc 'check', \"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \\\"1\\\" is not returned, this is a finding. \"\n desc 'fix', \"Configure the system to run in FIPS mode. Add \\\"fips=1\\\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \\\"Ubuntu\nAdvantage\\\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000396-GPOS-00176 '\n tag satisfies: %w(SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223)\n tag gid: 'V-238363 '\n tag rid: 'SV-238363r853438_rule '\n tag stig_id: 'UBTU-20-010442 '\n tag fix_id: 'F-41532r654263_fix '\n tag cci: ['CCI-002450']\n tag nist: ['SC-13 b']\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n config_file = input('fips_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe file(config_file) do\n its('content') { should match(/\\A1\\Z/) }\n end\n else\n describe('FIPS is enabled') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238363' do\n title \"The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect\nclassified information and for the following: to provision digital signatures, to generate\ncryptographic hashes, and to protect unclassified information requiring confidentiality\nand cryptographic protection in accordance with applicable federal laws, Executive\nOrders, directives, policies, regulations, and standards. \"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of utilizing\nencryption to protect data. The operating system must implement cryptographic modules\nadhering to the higher standards approved by the federal government since this provides\nassurance they have been tested and validated.\n\n \"\n desc 'check', \"Verify the system is configured to run in FIPS mode with the following command:\n\n$ grep -i 1\n/proc/sys/crypto/fips_enabled\n1\n\nIf a value of \\\"1\\\" is not returned, this is a finding. \"\n desc 'fix', \"Configure the system to run in FIPS mode. Add \\\"fips=1\\\" to the kernel parameter during the\nUbuntu operating systems install.\n\nEnabling a FIPS mode on a pre-existing system involves a\nnumber of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS\n140-2 security policy document for instructions.\n\nA subscription to the \\\"Ubuntu\nAdvantage\\\" plan is required in order to obtain the FIPS Kernel cryptographic modules and\nenable FIPS. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000396-GPOS-00176 '\n tag satisfies: %w(SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223)\n tag gid: 'V-238363 '\n tag rid: 'SV-238363r853438_rule '\n tag stig_id: 'UBTU-20-010442 '\n tag fix_id: 'F-41532r654263_fix '\n tag cci: ['CCI-002450']\n tag nist: ['SC-13 b']\n tag 'host'\n\n if input('disable_fips')\n impact 0.0\n describe 'FIPS testing has been disabled' do\n skip 'This control has been set to Not Applicable, FIPS validation has been disabled with the `disable_fips` input'\n end\n elsif virtualization.system.eql?('docker')\n describe 'FIPS validation in a container must be reviewed manually' do\n skip 'FIPS validation in a container must be reviewed manually'\n end\n else\n config_file = input('fips_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe file(config_file) do\n its('content') { should match(/\\A1\\Z/) }\n end\n else\n describe('FIPS is enabled') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238363.rb", "line": 1 @@ -3171,9 +3307,11 @@ ], "nist": [ "IA-5 (1) (b)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238224' do\n title \"The Ubuntu operating system must require the change of at least 8 characters when passwords\nare changed. \"\n desc \"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters. \"\n desc 'check', \"Verify the Ubuntu operating system requires the change of at least eight characters when\npasswords are changed.\n\nDetermine if the field \\\"difok\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"difok\\\"\n/etc/security/pwquality.conf\ndifok=8\n\nIf the \\\"difok\\\" parameter is less than \\\"8\\\" or is\ncommented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to require the change of at least eight characters when\npasswords are changed.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\" file to include\nthe \\\"difok=8\\\" parameter:\n\ndifok=8 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000072-GPOS-00040 '\n tag gid: 'V-238224 '\n tag rid: 'SV-238224r653847_rule '\n tag stig_id: 'UBTU-20-010053 '\n tag fix_id: 'F-41393r653846_fix '\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('difok') { should cmp >= '8' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238224' do\n title \"The Ubuntu operating system must require the change of at least 8 characters when passwords\nare changed. \"\n desc \"If the operating system allows the user to consecutively reuse extensive portions of\npasswords, this increases the chances of password compromise by increasing the window of\nopportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed\ncharacters refers to the number of changes required with respect to the total number of\npositions in the current password. In other words, characters may be the same within the two\npasswords; however, the positions of the like characters must be different.\n\nIf the\npassword length is an odd number then number of changed characters must be rounded up. For\nexample, a password length of 15 characters must require the change of at least 8 characters. \"\n desc 'check', \"Verify the Ubuntu operating system requires the change of at least eight characters when\npasswords are changed.\n\nDetermine if the field \\\"difok\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"difok\\\"\n/etc/security/pwquality.conf\ndifok=8\n\nIf the \\\"difok\\\" parameter is less than \\\"8\\\" or is\ncommented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to require the change of at least eight characters when\npasswords are changed.\n\nAdd or update the \\\"/etc/security/pwquality.conf\\\" file to include\nthe \\\"difok=8\\\" parameter:\n\ndifok=8 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000072-GPOS-00040 '\n tag gid: 'V-238224 '\n tag rid: 'SV-238224r653847_rule '\n tag stig_id: 'UBTU-20-010053 '\n tag fix_id: 'F-41393r653846_fix '\n tag cci: ['CCI-000195']\n tag nist: ['IA-5 (1) (b)']\n tag 'host', 'container'\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('difok') { should cmp >= '8' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238224.rb", "line": 1 @@ -3202,9 +3340,11 @@ ], "nist": [ "IA-5 (1) (a)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238226' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nspecial character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *. \"\n desc 'check', \"Determine if the field \\\"ocredit\\\" is set in the \\\"/etc/security/pwquality.conf\\\" file with the\nfollowing command:\n\n$ grep -i \\\"ocredit\\\" /etc/security/pwquality.conf\nocredit=-1\n\nIf\nthe \\\"ocredit\\\" parameter is greater than \\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one special character be used.\n\nAdd or update the following line in the\n\\\"/etc/security/pwquality.conf\\\" file to include the \\\"ocredit=-1\\\" parameter:\n\n\nocredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000266-GPOS-00101 '\n tag gid: 'V-238226 '\n tag rid: 'SV-238226r653853_rule '\n tag stig_id: 'UBTU-20-010055 '\n tag fix_id: 'F-41395r653852_fix '\n tag cci: ['CCI-001619']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ocredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238226' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nspecial character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity or strength is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor in determining how long it takes to crack a password. The more complex the password, the\ngreater the number of possible combinations that need to be tested before the password is\ncompromised.\n\nSpecial characters are those characters that are not alphanumeric.\nExamples include: ~ ! @ # $ % ^ *. \"\n desc 'check', \"Determine if the field \\\"ocredit\\\" is set in the \\\"/etc/security/pwquality.conf\\\" file with the\nfollowing command:\n\n$ grep -i \\\"ocredit\\\" /etc/security/pwquality.conf\nocredit=-1\n\nIf\nthe \\\"ocredit\\\" parameter is greater than \\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce password complexity by requiring that at\nleast one special character be used.\n\nAdd or update the following line in the\n\\\"/etc/security/pwquality.conf\\\" file to include the \\\"ocredit=-1\\\" parameter:\n\n\nocredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000266-GPOS-00101 '\n tag gid: 'V-238226 '\n tag rid: 'SV-238226r653853_rule '\n tag stig_id: 'UBTU-20-010055 '\n tag fix_id: 'F-41395r653852_fix '\n tag cci: ['CCI-001619']\n tag nist: ['IA-5 (1) (a)']\n tag 'host', 'container'\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ocredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238226.rb", "line": 1 @@ -3245,9 +3385,11 @@ "AC-8 c 1", "AC-8 c 2", "AC-8 c 3" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238214' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. \"\n desc \"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\"\n\n \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\\\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Set the parameter Banner in \\\"/etc/ssh/sshd_config\\\" to point to the \\\"/etc/issue.net\\\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000228-GPOS-00088 '\n tag satisfies: %w(SRG-OS-000228-GPOS-00088 SRG-OS-000023-GPOS-00006)\n tag gid: 'V-238214 '\n tag rid: 'SV-238214r858525_rule '\n tag stig_id: 'UBTU-20-010038 '\n tag fix_id: 'F-41383r653816_fix '\n tag cci: %w(CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388)\n tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3']\n\n if !service('sshd').enabled? or !package('sshd-server').installed? or virtualization.system.eql?('docker')\n impact 0.0\n describe 'This control is Not Applicable' do\n if virtualization.system.eql?('docker')\n skip 'This control is Not Applicable in a container and/or the SSHD server is not enabled'\n else\n skip 'This control is Not Applicable since the SSHD server is not enabled and/or installed'\n end\n end\n else\n banner_text = input('banner_text')\n banner_files = [sshd_config.banner].flatten\n\n banner_files.each do |banner_file|\n if banner_file.nil?\n describe 'The SSHD Banner is not set' do\n subject { banner_file.nil? }\n it { should be false }\n end\n end\n if !banner_file.nil? && !banner_file.match(/none/i).nil?\n describe 'The SSHD Banner is disabled' do\n subject { banner_file.match(/none/i).nil? }\n it { should be true }\n end\n end\n if !banner_file.nil? && banner_file.match(/none/i).nil? && !file(banner_file).exist?\n describe 'The SSHD Banner is set, but, the file does not exist' do\n subject { file(banner_file).exist? }\n it { should be true }\n end\n end\n next unless !banner_file.nil? && banner_file.match(/none/i).nil? && file(banner_file).exist?\n\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n subject { file(banner_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n end\n end\nend\n", + "code": "control 'SV-238214' do\n title \"The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent\nBanner before granting any local or remote connection to the system. \"\n desc \"Display of a standardized and approved use notification before granting access to the\npublicly accessible operating system ensures privacy and security notification verbiage\nused is consistent with applicable federal laws, Executive Orders, directives, policies,\nregulations, standards, and guidance.\n\nSystem use notifications are required only for\naccess via logon interfaces with human users and are not required when such human interfaces\ndo not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the\nfollowing verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nUse the\nfollowing verbiage for operating systems that have severe limitations on the number of\ncharacters that can be displayed in the banner:\n\n\\\"I've read & consent to terms in IS user\nagreem't.\\\"\n\n \"\n desc 'check', \"Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent\nBanner before granting access to the Ubuntu operating system via an SSH logon with the\nfollowing command:\n\n$ grep -ir banner /etc/ssh/sshd_config*\n\n\n/etc/ssh/sshd_config:Banner /etc/issue.net\n\nThe command will return the banner option\nalong with the name of the file that contains the SSH banner. If the line is commented out, this\nis a finding.\n\nIf conflicting results are returned, this is a finding.\n\nVerify the\nspecified banner file matches the Standard Mandatory DoD Notice and Consent Banner exactly:\n\n\n$ cat /etc/issue.net\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS)\nthat is provided for USG-authorized use only.\n\nBy using this IS (which includes any device\nattached to this IS), you consent to the following conditions:\n\n-The USG routinely\nintercepts and monitors communications on this IS for purposes including, but not limited\nto, penetration testing, COMSEC monitoring, network operations and defense, personnel\nmisconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using,\nor data stored on, this IS are not private, are subject to routine monitoring, interception,\nand search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes\nsecurity measures (e.g., authentication and access controls) to protect USG\ninterests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using\nthis IS does not constitute consent to PM, LE or CI investigative searching or monitoring of\nthe content of privileged communications, or work product, related to personal\nrepresentation or services by attorneys, psychotherapists, or clergy, and their\nassistants. Such communications and work product are private and confidential. See User\nAgreement for details.\\\"\n\nIf the banner text does not match the Standard Mandatory DoD Notice\nand Consent Banner exactly, this is a finding. \"\n desc 'fix', \"Set the parameter Banner in \\\"/etc/ssh/sshd_config\\\" to point to the \\\"/etc/issue.net\\\" file:\n\n\n$ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config\n$ sudo sed -i '$aBanner /etc/issue.net'\n/etc/ssh/sshd_config\n\nEither create the file containing the banner or replace the text in\nthe file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:\n\n\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for\nUSG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS),\nyou consent to the following conditions:\n\n-The USG routinely intercepts and monitors\ncommunications on this IS for purposes including, but not limited to, penetration testing,\nCOMSEC monitoring, network operations and defense, personnel misconduct (PM), law\nenforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may\ninspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS\nare not private, are subject to routine monitoring, interception, and search, and may be\ndisclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures\n(e.g., authentication and access controls) to protect USG interests--not for your personal\nbenefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent\nto PM, LE or CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services by\nattorneys, psychotherapists, or clergy, and their assistants. Such communications and\nwork product are private and confidential. See User Agreement for details.\\\"\n\nRestart the\nSSH daemon for the changes to take effect and then signal the SSH server to reload the\nconfiguration file:\n\n$ sudo systemctl -s SIGHUP kill sshd \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000228-GPOS-00088 '\n tag satisfies: %w(SRG-OS-000228-GPOS-00088 SRG-OS-000023-GPOS-00006)\n tag gid: 'V-238214 '\n tag rid: 'SV-238214r858525_rule '\n tag stig_id: 'UBTU-20-010038 '\n tag fix_id: 'F-41383r653816_fix '\n tag cci: %w(CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388)\n tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3']\n tag 'host', 'container'\n\n if !service('sshd').enabled? or !package('sshd-server').installed? or virtualization.system.eql?('docker')\n impact 0.0\n describe 'This control is Not Applicable' do\n if virtualization.system.eql?('docker')\n skip 'This control is Not Applicable in a container and/or the SSHD server is not enabled'\n else\n skip 'This control is Not Applicable since the SSHD server is not enabled and/or installed'\n end\n end\n else\n banner_text = input('banner_text')\n banner_files = [sshd_config.banner].flatten\n\n banner_files.each do |banner_file|\n if banner_file.nil?\n describe 'The SSHD Banner is not set' do\n subject { banner_file.nil? }\n it { should be false }\n end\n end\n if !banner_file.nil? && !banner_file.match(/none/i).nil?\n describe 'The SSHD Banner is disabled' do\n subject { banner_file.match(/none/i).nil? }\n it { should be true }\n end\n end\n if !banner_file.nil? && banner_file.match(/none/i).nil? && !file(banner_file).exist?\n describe 'The SSHD Banner is set, but, the file does not exist' do\n subject { file(banner_file).exist? }\n it { should be true }\n end\n end\n next unless !banner_file.nil? && banner_file.match(/none/i).nil? && file(banner_file).exist?\n\n describe 'The SSHD Banner is set to the standard banner and has the correct text' do\n clean_banner = banner_text.gsub(/[\\r\\n\\s]/, '')\n subject { file(banner_file).content.gsub(/[\\r\\n\\s]/, '') }\n it { should cmp clean_banner }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238214.rb", "line": 1 @@ -3276,9 +3418,10 @@ ], "nist": [ "AU-12 b" - ] + ], + "host": null }, - "code": "control 'SV-238249' do\n title \"The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files have a mode of \\\"0640\\\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\\\"/etc/audit/audit.rule\\\",\\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nhave a mode more permissive than \\\"0640\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to have a mode of \\\"0640\\\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238249 '\n tag rid: 'SV-238249r653922_rule '\n tag stig_id: 'UBTU-20-010133 '\n tag fix_id: 'F-41418r653921_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n it { should_not be_more_permissive_than('0640') }\n end\n end\n end\nend\n", + "code": "control 'SV-238249' do\n title \"The Ubuntu operating system must be configured so that audit configuration files are not\nwrite-accessible by unauthorized users. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files have a mode of \\\"0640\\\" or less permissive by using the\nfollowing command:\n\n$ sudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n\n-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56\naudit.rules\n\n-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root\nroot 127 Feb 7 2018 audit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf\n\\\"/etc/audit/audit.rule\\\",\\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nhave a mode more permissive than \\\"0640\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to have a mode of \\\"0640\\\" by using the following command:\n\n$\nsudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238249 '\n tag rid: 'SV-238249r653922_rule '\n tag stig_id: 'UBTU-20-010133 '\n tag fix_id: 'F-41418r653921_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n it { should_not be_more_permissive_than('0640') }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238249.rb", "line": 1 @@ -3322,9 +3465,10 @@ "nist": [ "AC-2 (4)", "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238240' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238240 '\n tag rid: 'SV-238240r853418_rule '\n tag stig_id: 'UBTU-20-010102 '\n tag fix_id: 'F-41409r653894_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/shadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238240' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/shadow. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\nshadow\n\n-w /etc/shadow -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/shadow\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/shadow -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238240 '\n tag rid: 'SV-238240r853418_rule '\n tag stig_id: 'UBTU-20-010102 '\n tag fix_id: 'F-41409r653894_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/shadow'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238240.rb", "line": 1 @@ -3368,9 +3512,10 @@ "nist": [ "AC-2 (4)", "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238242' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nAdd or update the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238242 '\n tag rid: 'SV-238242r853420_rule '\n tag stig_id: 'UBTU-20-010104 '\n tag fix_id: 'F-41411r653900_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/security/opasswd'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238242' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/opasswd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep opasswd\n\n-w /etc/security/opasswd -p wa -k usergroup_modification\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/security/opasswd\\\".\n\n\nAdd or update the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w\n/etc/security/opasswd -p wa -k usergroup_modification\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238242 '\n tag rid: 'SV-238242r853420_rule '\n tag stig_id: 'UBTU-20-010104 '\n tag fix_id: 'F-41411r653900_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/security/opasswd'\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238242.rb", "line": 1 @@ -3399,9 +3544,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238294' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"pam_timestamp_check\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"pam_timestamp_check\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238294 '\n tag rid: 'SV-238294r654057_rule '\n tag stig_id: 'UBTU-20-010178 '\n tag fix_id: 'F-41463r654056_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/pam_timestamp_check'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238294' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"pam_timestamp_check\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"pam_timestamp_check\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238294 '\n tag rid: 'SV-238294r654057_rule '\n tag stig_id: 'UBTU-20-010178 '\n tag fix_id: 'F-41463r654056_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/pam_timestamp_check'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238294.rb", "line": 1 @@ -3436,9 +3582,10 @@ "nist": [ "AC-6 (8)", "AC-6 (9)" - ] + ], + "host": null }, - "code": "control 'SV-238304' do\n title \"The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. \"\n desc \"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \\\"execve\\\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000326-GPOS-00126 '\n tag satisfies: %w(SRG-OS-000326-GPOS-00126 SRG-OS-000327-GPOS-00127)\n tag gid: 'V-238304 '\n tag rid: 'SV-238304r853422_rule '\n tag stig_id: 'UBTU-20-010211 '\n tag fix_id: 'F-41473r654086_fix '\n tag cci: %w(CCI-002233 CCI-002234)\n tag nist: ['AC-6 (8)', 'AC-6 (9)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('execve').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('execve').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", + "code": "control 'SV-238304' do\n title \"The Ubuntu operating system must prevent all software from executing at higher privilege\nlevels than users executing the software and the audit system must be configured to audit the\nexecution of privileged functions. \"\n desc \"In certain situations, software applications/programs need to execute with elevated\nprivileges to perform required functions. However, if the privileges required for\nexecution are at a higher level than the privileges assigned to organizational users\ninvoking such applications/programs, those users are indirectly provided with greater\nprivileges than assigned by the organizations.\n\nSome programs and processes are required\nto operate at a higher privilege level and therefore should be excluded from the\norganization-defined software list after review.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits the execution of privilege functions by auditing\nthe \\\"execve\\\" system call.\n\nCheck the currently configured audit rules with the following\ncommand:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C\nuid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F\negid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F\nkey=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\n\nIf the command does not return lines that match the example or the lines are commented out,\nthis is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit specific output\nlines from the commands are required.\n- The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of all privileged functions.\n\n\nAdd or update the following rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a\nalways,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F\narch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S\nexecve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C\ngid!=egid -F egid=0 -F key=execpriv\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000326-GPOS-00126 '\n tag satisfies: %w(SRG-OS-000326-GPOS-00126 SRG-OS-000327-GPOS-00127)\n tag gid: 'V-238304 '\n tag rid: 'SV-238304r853422_rule '\n tag stig_id: 'UBTU-20-010211 '\n tag fix_id: 'F-41473r654086_fix '\n tag cci: %w(CCI-002233 CCI-002234)\n tag nist: ['AC-6 (8)', 'AC-6 (9)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('execve').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('execve').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238304.rb", "line": 1 @@ -3467,9 +3614,11 @@ ], "nist": [ "IA-5 (1) (f)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238361' do\n title \"The Ubuntu operating system must allow the use of a temporary password for system logons with\nan immediate change to a permanent password. \"\n desc \"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated. \"\n desc 'check', \"Verify a policy exists that ensures when a user account is created, it is created using a method\nthat forces a user to change their password upon their next login.\n\nIf a policy does not exist,\nthis is a finding. \"\n desc 'fix', \"Create a policy that ensures when a user is created, it is created using a method that forces a\nuser to change their password upon their next login.\n\nBelow are two examples of how to create a\nuser account that requires the user to change their password upon their next login.\n\n$ sudo\nchage -d 0 [UserName]\n\nor\n\n$ sudo passwd -e [UserName] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000380-GPOS-00165 '\n tag gid: 'V-238361 '\n tag rid: 'SV-238361r853436_rule '\n tag stig_id: 'UBTU-20-010440 '\n tag fix_id: 'F-41530r654257_fix '\n tag cci: ['CCI-002041']\n tag nist: ['IA-5 (1) (f)']\n\n describe 'Manual verification required' do\n skip 'Manually verify if a policy exists to ensure that a method exists to force temporary\n users to change their password upon next login'\n end\nend\n", + "code": "control 'SV-238361' do\n title \"The Ubuntu operating system must allow the use of a temporary password for system logons with\nan immediate change to a permanent password. \"\n desc \"Without providing this capability, an account may be created without a password.\nNon-repudiation cannot be guaranteed once an account is created if a user is not forced to\nchange the temporary password upon initial logon.\n\nTemporary passwords are typically used\nto allow access when new accounts are created or passwords are changed. It is common practice\nfor administrators to create temporary passwords for user accounts which allow the users to\nlog on, yet force them to change the password once they have successfully authenticated. \"\n desc 'check', \"Verify a policy exists that ensures when a user account is created, it is created using a method\nthat forces a user to change their password upon their next login.\n\nIf a policy does not exist,\nthis is a finding. \"\n desc 'fix', \"Create a policy that ensures when a user is created, it is created using a method that forces a\nuser to change their password upon their next login.\n\nBelow are two examples of how to create a\nuser account that requires the user to change their password upon their next login.\n\n$ sudo\nchage -d 0 [UserName]\n\nor\n\n$ sudo passwd -e [UserName] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000380-GPOS-00165 '\n tag gid: 'V-238361 '\n tag rid: 'SV-238361r853436_rule '\n tag stig_id: 'UBTU-20-010440 '\n tag fix_id: 'F-41530r654257_fix '\n tag cci: ['CCI-002041']\n tag nist: ['IA-5 (1) (f)']\n tag 'host', 'container'\n\n describe 'Manual verification required' do\n skip 'Manually verify if a policy exists to ensure that a method exists to force temporary\n users to change their password upon next login'\n end\nend\n", "source_location": { "ref": "./controls/SV-238361.rb", "line": 1 @@ -3498,9 +3647,11 @@ ], "nist": [ "SI-2 (6)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238370' do\n title \"The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. \"\n desc \"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system. \"\n desc 'check', \"Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\";\n\nIf the\n\\\"::Remove-Unused-Dependencies\\\" and \\\"::Remove-Unused-Kernel-Packages\\\" parameters are\nnot set to \\\"true\\\" or are missing or commented out, this is a finding. \"\n desc 'fix', \"Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\\\"/etc/apt/apt.conf.d/50unattended-upgrades\\\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000437-GPOS-00194 '\n tag gid: 'V-238370 '\n tag rid: 'SV-238370r853447_rule '\n tag stig_id: 'UBTU-20-010449 '\n tag fix_id: 'F-41539r654284_fix '\n tag cci: ['CCI-002617']\n tag nist: ['SI-2 (6)']\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n describe command('grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades').stdout.strip do\n it { should match(/^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/) }\n it { should match(/^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/) }\n end\nend\n", + "code": "control 'SV-238370' do\n title \"The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all\nsoftware components after updated versions have been installed. \"\n desc \"Previous versions of software components that are not removed from the information system\nafter updates have been installed may be exploited by adversaries. Some information\ntechnology products may remove older versions of software automatically from the\ninformation system. \"\n desc 'check', \"Verify is configured to remove all software components after updated versions have been\ninstalled with the following command:\n\n$ grep -i remove-unused\n/etc/apt/apt.conf.d/50unattended-upgrades\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\";\n\nIf the\n\\\"::Remove-Unused-Dependencies\\\" and \\\"::Remove-Unused-Kernel-Packages\\\" parameters are\nnot set to \\\"true\\\" or are missing or commented out, this is a finding. \"\n desc 'fix', \"Configure APT to remove all software components after updated versions have been installed.\n\n\nAdd or updated the following options to the\n\\\"/etc/apt/apt.conf.d/50unattended-upgrades\\\" file:\n\n\nUnattended-Upgrade::Remove-Unused-Dependencies \\\"true\\\";\n\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \\\"true\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000437-GPOS-00194 '\n tag gid: 'V-238370 '\n tag rid: 'SV-238370r853447_rule '\n tag stig_id: 'UBTU-20-010449 '\n tag fix_id: 'F-41539r654284_fix '\n tag cci: ['CCI-002617']\n tag nist: ['SI-2 (6)']\n tag 'host', 'container'\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n describe command('grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades').stdout.strip do\n it { should match(/^\\s*([^\\s]*::Remove-Unused-Dependencies)\\s*\\\"true\\\"\\s*;$/) }\n it { should match(/^\\s*([^\\s]*::Remove-Unused-Kernel-Packages)\\s*\\\"true\\\"\\s*;$/) }\n end\nend\n", "source_location": { "ref": "./controls/SV-238370.rb", "line": 1 @@ -3533,9 +3684,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238264' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \\\"chown\\\",\n\\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nAdd or update the following\nrules in the \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238264 '\n tag rid: 'SV-238264r808477_rule '\n tag stig_id: 'UBTU-20-010148 '\n tag fix_id: 'F-41433r808476_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chown').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chown').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", + "code": "control 'SV-238264' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chown, fchown, fchownat, and lchown system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nCheck the\nconfigured audit rules with the following commands:\n\n$ sudo auditctl -l | grep chown\n\n-a\nalways,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k\nperm_chng\n-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000\n-F auid!=-1 -k perm_chng\n\nIf the command does not return audit rules for the \\\"chown\\\",\n\\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" syscalls or the lines are commented out, this is a\nfinding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from the\ncommands are required.\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chown\\\", \\\"fchown\\\", \\\"fchownat\\\", and \\\"lchown\\\" system calls.\n\nAdd or update the following\nrules in the \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F arch=b32 -S\nchown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng\n-a\nalways,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F\nauid!=4294967295 -k perm_chng\n\nNote: For 32-bit architectures, only the 32-bit specific\nentries are required.\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238264 '\n tag rid: 'SV-238264r808477_rule '\n tag stig_id: 'UBTU-20-010148 '\n tag fix_id: 'F-41433r808476_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('chown').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('chown').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238264.rb", "line": 1 @@ -3568,9 +3720,11 @@ ], "nist": [ "IA-11" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238208' do\n title \"The Ubuntu operating system must require users to reauthenticate for privilege escalation\nor when changing roles. \"\n desc \"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.\n\n \"\n desc 'check', \"Verify the \\\"/etc/sudoers\\\" file has no occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" by\nrunning the following command:\n\n$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers\n/etc/sudoers.d/*\n\nIf any occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" return from the\ncommand, this is a finding. \"\n desc 'fix', \"Remove any occurrence of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" found in \\\"/etc/sudoers\\\" file or\nfiles in the \\\"/etc/sudoers.d\\\" directory. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000373-GPOS-00156 '\n tag satisfies: %w(SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157)\n tag gid: 'V-238208 '\n tag rid: 'SV-238208r853405_rule '\n tag stig_id: 'UBTU-20-010014 '\n tag fix_id: 'F-41377r653798_fix '\n tag cci: ['CCI-002038']\n tag nist: ['IA-11']\n\n describe command(\"egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", + "code": "control 'SV-238208' do\n title \"The Ubuntu operating system must require users to reauthenticate for privilege escalation\nor when changing roles. \"\n desc \"Without reauthentication, users may access resources or perform tasks for which they do not\nhave authorization.\n\nWhen operating systems provide the capability to escalate a\nfunctional capability, it is critical the user reauthenticate.\n\n \"\n desc 'check', \"Verify the \\\"/etc/sudoers\\\" file has no occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" by\nrunning the following command:\n\n$ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers\n/etc/sudoers.d/*\n\nIf any occurrences of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" return from the\ncommand, this is a finding. \"\n desc 'fix', \"Remove any occurrence of \\\"NOPASSWD\\\" or \\\"!authenticate\\\" found in \\\"/etc/sudoers\\\" file or\nfiles in the \\\"/etc/sudoers.d\\\" directory. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000373-GPOS-00156 '\n tag satisfies: %w(SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157)\n tag gid: 'V-238208 '\n tag rid: 'SV-238208r853405_rule '\n tag stig_id: 'UBTU-20-010014 '\n tag fix_id: 'F-41377r653798_fix '\n tag cci: ['CCI-002038']\n tag nist: ['IA-11']\n tag 'host', 'container'\n\n describe command(\"egrep -r -i '(nopasswd|!authenticate)' /etc/sudoers.d/ /etc/sudoers\") do\n its('stdout.strip') { should be_empty }\n end\nend\n", "source_location": { "ref": "./controls/SV-238208.rb", "line": 1 @@ -3603,9 +3757,10 @@ ], "nist": [ "AU-4 (1)" - ] + ], + "host": null }, - "code": "control 'SV-238306' do\n title \"The Ubuntu operating system audit event multiplexor must be configured to off-load audit\nlogs onto a different system or storage media from the system being audited. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity.\n\n \"\n desc 'check', \"Verify the audit event multiplexor is configured to offload audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that audisp-remote plugin is\ninstalled:\n\n$ sudo dpkg -s audispd-plugins\n\nIf status is \\\"not installed\\\", this is a\nfinding.\n\nCheck that the records are being offloaded to a remote server with the following\ncommand:\n\n$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf\n\\\"active\\\" is not set to \\\"yes\\\", or the line is commented out, this is a finding.\n\nCheck that\naudisp-remote plugin is configured to send audit logs to a different system:\n\n$ sudo grep -i\n^remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 192.168.122.126\n\nIf\nthe \\\"remote_server\\\" parameter is not set, is set with a local address, or is set with an invalid\naddress, this is a finding. \"\n desc 'fix', \"Configure the audit event multiplexor to offload audit records to a different system or\nstorage media from the system being audited.\n\nInstall the audisp-remote plugin:\n\n$ sudo\napt-get install audispd-plugins -y\n\nSet the audisp-remote plugin as active by editing the\n\\\"/etc/audisp/plugins.d/au-remote.conf\\\" file:\n\n$ sudo sed -i -E\n's/active\\\\s*=\\\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf\n\nSet the\naddress of the remote machine by editing the \\\"/etc/audisp/audisp-remote.conf\\\" file:\n\n$\nsudo sed -i -E 's/(remote_server\\\\s*=).*/\\\\1 <remote addr>/'\n/etc/audisp/audisp-remote.conf\n\nwhere <remote addr> must be substituted by the\naddress of the remote server receiving the audit log.\n\nMake the audit service reload its\nconfiguration files:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000342-GPOS-00133 '\n tag satisfies: %w(SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224)\n tag gid: 'V-238306 '\n tag rid: 'SV-238306r853424_rule '\n tag stig_id: 'UBTU-20-010216 '\n tag fix_id: 'F-41475r654092_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = input('audispremote_config_file')\n config_file_exists = file(config_file).exist?\n audit_sp_remote_server = input('audit_sp_remote_server')\n\n describe package('audispd-plugins') do\n it { should be_installed }\n end\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('active') { should cmp 'yes' }\n its('remote_server') { should cmp audit_sp_remote_server }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238306' do\n title \"The Ubuntu operating system audit event multiplexor must be configured to off-load audit\nlogs onto a different system or storage media from the system being audited. \"\n desc \"Information stored in one location is vulnerable to accidental or incidental deletion or\nalteration.\n\nOff-loading is a common process in information systems with limited audit\nstorage capacity.\n\n \"\n desc 'check', \"Verify the audit event multiplexor is configured to offload audit records to a different\nsystem or storage media from the system being audited.\n\nCheck that audisp-remote plugin is\ninstalled:\n\n$ sudo dpkg -s audispd-plugins\n\nIf status is \\\"not installed\\\", this is a\nfinding.\n\nCheck that the records are being offloaded to a remote server with the following\ncommand:\n\n$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf\n\nactive = yes\n\nIf\n\\\"active\\\" is not set to \\\"yes\\\", or the line is commented out, this is a finding.\n\nCheck that\naudisp-remote plugin is configured to send audit logs to a different system:\n\n$ sudo grep -i\n^remote_server /etc/audisp/audisp-remote.conf\n\nremote_server = 192.168.122.126\n\nIf\nthe \\\"remote_server\\\" parameter is not set, is set with a local address, or is set with an invalid\naddress, this is a finding. \"\n desc 'fix', \"Configure the audit event multiplexor to offload audit records to a different system or\nstorage media from the system being audited.\n\nInstall the audisp-remote plugin:\n\n$ sudo\napt-get install audispd-plugins -y\n\nSet the audisp-remote plugin as active by editing the\n\\\"/etc/audisp/plugins.d/au-remote.conf\\\" file:\n\n$ sudo sed -i -E\n's/active\\\\s*=\\\\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf\n\nSet the\naddress of the remote machine by editing the \\\"/etc/audisp/audisp-remote.conf\\\" file:\n\n$\nsudo sed -i -E 's/(remote_server\\\\s*=).*/\\\\1 <remote addr>/'\n/etc/audisp/audisp-remote.conf\n\nwhere <remote addr> must be substituted by the\naddress of the remote server receiving the audit log.\n\nMake the audit service reload its\nconfiguration files:\n\n$ sudo systemctl restart auditd.service \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000342-GPOS-00133 '\n tag satisfies: %w(SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224)\n tag gid: 'V-238306 '\n tag rid: 'SV-238306r853424_rule '\n tag stig_id: 'UBTU-20-010216 '\n tag fix_id: 'F-41475r654092_fix '\n tag cci: ['CCI-001851']\n tag nist: ['AU-4 (1)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = input('audispremote_config_file')\n config_file_exists = file(config_file).exist?\n audit_sp_remote_server = input('audit_sp_remote_server')\n\n describe package('audispd-plugins') do\n it { should be_installed }\n end\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('active') { should cmp 'yes' }\n its('remote_server') { should cmp audit_sp_remote_server }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238306.rb", "line": 1 @@ -3634,9 +3789,10 @@ ], "nist": [ "IA-5 (13)" - ] + ], + "host": null }, - "code": "control 'SV-238362' do\n title \"The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. \"\n desc \"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable. \"\n desc 'check', \"If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\\\"offline_credentials_expiration\\\" is not set to a value of \\\"1\\\" in \\\"/etc/sssd/sssd.conf\\\" or\nin a file with a name ending in .conf in the \\\"/etc/sssd/conf.d/\\\" directory, this is a finding. \"\n desc 'fix', \"Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \\\"/etc/sssd/sssd.conf\\\" just below the line \\\"[pam]\\\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \\\".conf\\\" and does not begin with a \\\".\\\" in the \\\"/etc/sssd/conf.d/\\\"\ndirectory instead of the \\\"/etc/sssd/sssd.conf\\\" file. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000383-GPOS-00166 '\n tag gid: 'V-238362 '\n tag rid: 'SV-238362r853437_rule '\n tag stig_id: 'UBTU-20-010441 '\n tag fix_id: 'F-41531r654260_fix '\n tag cci: ['CCI-002007']\n tag nist: ['IA-5 (13)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = input('sssd_conf_path')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('offline_credentials_expiration') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238362' do\n title \"The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. \"\n desc \"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable. \"\n desc 'check', \"If smart card authentication is not being used on the system, this s Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\\\"offline_credentials_expiration\\\" is not set to a value of \\\"1\\\" in \\\"/etc/sssd/sssd.conf\\\" or\nin a file with a name ending in .conf in the \\\"/etc/sssd/conf.d/\\\" directory, this is a finding. \"\n desc 'fix', \"Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \\\"/etc/sssd/sssd.conf\\\" just below the line \\\"[pam]\\\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \\\".conf\\\" and does not begin with a \\\".\\\" in the \\\"/etc/sssd/conf.d/\\\"\ndirectory instead of the \\\"/etc/sssd/sssd.conf\\\" file. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000383-GPOS-00166 '\n tag gid: 'V-238362 '\n tag rid: 'SV-238362r853437_rule '\n tag stig_id: 'UBTU-20-010441 '\n tag fix_id: 'F-41531r654260_fix '\n tag cci: ['CCI-002007']\n tag nist: ['IA-5 (13)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file = input('sssd_conf_path')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('offline_credentials_expiration') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238362.rb", "line": 1 @@ -3665,9 +3821,10 @@ ], "nist": [ "AU-5 a" - ] + ], + "host": null }, - "code": "control 'SV-238243' do\n title \"The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. \"\n desc \"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth. \"\n desc 'check', \"Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \\\"action_mail_acct\\\" keyword is not set to an accounts for security personnel, the\n\\\"action_mail_acct\\\" keyword is missing, or the returned line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure \\\"auditd\\\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \\\"/etc/audit/auditd.conf\\\" to ensure administrators\nare notified via email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \\\"administrator_account\\\" to an account for\nsecurity personnel.\n\nRestart the \\\"auditd\\\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000046-GPOS-00022 '\n tag gid: 'V-238243 '\n tag rid: 'SV-238243r653904_rule '\n tag stig_id: 'UBTU-20-010117 '\n tag fix_id: 'F-41412r653903_fix '\n tag cci: ['CCI-000139']\n tag nist: ['AU-5 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n action_mail_acct = auditd_conf.action_mail_acct\n security_accounts = input('action_mail_acct')\n\n describe 'System Administrator (SA) and Information System Security Officer (ISSO) are notified in the event of an audit processing failure' do\n subject { security_accounts }\n it { should cmp action_mail_acct }\n end\n end\nend\n", + "code": "control 'SV-238243' do\n title \"The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit\nprocessing failure. \"\n desc \"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be\nadversely affected.\n\nAudit processing failures include software/hardware errors,\nfailures in the audit capturing mechanisms, and audit storage capacity being reached or\nexceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct\ninformation system component where audit records are stored), the centralized audit\nstorage capacity of organizations (i.e., all audit data storage repositories combined), or\nboth. \"\n desc 'check', \"Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing\nfailure with the following command:\n\n$ sudo grep '^action_mail_acct = root'\n/etc/audit/auditd.conf\n\naction_mail_acct = <administrator_account>\n\nIf the\nvalue of the \\\"action_mail_acct\\\" keyword is not set to an accounts for security personnel, the\n\\\"action_mail_acct\\\" keyword is missing, or the returned line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure \\\"auditd\\\" service to notify the SA and ISSO in the event of an audit processing\nfailure.\n\nEdit the following line in \\\"/etc/audit/auditd.conf\\\" to ensure administrators\nare notified via email for those situations:\n\naction_mail_acct =\n<administrator_account>\n\nNote: Change \\\"administrator_account\\\" to an account for\nsecurity personnel.\n\nRestart the \\\"auditd\\\" service so the changes take effect:\n\n$ sudo\nsystemctl restart auditd.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000046-GPOS-00022 '\n tag gid: 'V-238243 '\n tag rid: 'SV-238243r653904_rule '\n tag stig_id: 'UBTU-20-010117 '\n tag fix_id: 'F-41412r653903_fix '\n tag cci: ['CCI-000139']\n tag nist: ['AU-5 a']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n action_mail_acct = auditd_conf.action_mail_acct\n security_accounts = input('action_mail_acct')\n\n describe 'System Administrator (SA) and Information System Security Officer (ISSO) are notified in the event of an audit processing failure' do\n subject { security_accounts }\n it { should cmp action_mail_acct }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238243.rb", "line": 1 @@ -3696,9 +3853,10 @@ ], "nist": [ "AU-12 b" - ] + ], + "host": null }, - "code": "control 'SV-238251' do\n title \"The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a group other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238251 '\n tag rid: 'SV-238251r653928_rule '\n tag stig_id: 'UBTU-20-010135 '\n tag fix_id: 'F-41420r653927_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n", + "code": "control 'SV-238251' do\n title \"The Ubuntu operating system must permit only authorized groups to own the audit\nconfiguration files. \"\n desc \"Without the capability to restrict which roles and individuals can select which events are\naudited, unauthorized personnel may be able to prevent the auditing of critical events.\n\n\nMisconfigured audits may degrade the system's performance by overwhelming the audit log.\nMisconfigured audits may also make it more difficult to establish, correlate, and\ninvestigate the events relating to an incident or identify those responsible for one. \"\n desc 'check', \"Verify that \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files are owned by root group by using the following command:\n\n$\nsudo ls -al /etc/audit/ /etc/audit/rules.d/\n\n/etc/audit/:\n\n-rw-r----- 1 root root 804\nNov 25 11:01 auditd.conf\n\n-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules\n\n-rw-r-----\n1 root root 9373 Dec 27 09:56 audit.rules.prev\n\n-rw-r----- 1 root root 127 Feb 7 2018\naudit-stop.rules\n\ndrwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d\n\n\n/etc/audit/rules.d/:\n\n-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules\n\nIf the\n\\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", or \\\"/etc/audit/auditd.conf\\\" file\nis owned by a group other than \\\"root\\\", this is a finding. \"\n desc 'fix', \"Configure \\\"/etc/audit/audit.rules\\\", \\\"/etc/audit/rules.d/*\\\", and\n\\\"/etc/audit/auditd.conf\\\" files to be owned by root group by using the following command:\n\n$\nsudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000063-GPOS-00032 '\n tag gid: 'V-238251 '\n tag rid: 'SV-238251r653928_rule '\n tag stig_id: 'UBTU-20-010135 '\n tag fix_id: 'F-41420r653927_fix '\n tag cci: ['CCI-000171']\n tag nist: ['AU-12 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n files1 = command('find /etc/audit/ -type f \\( -iname \\*.rules -o -iname \\*.conf \\)').stdout.strip.split(\"\\n\").entries\n files2 = command('find /etc/audit/rules.d/* -type f').stdout.strip.split(\"\\n\").entries\n\n audit_conf_files = files1 + files2\n\n audit_conf_files.each do |conf|\n describe file(conf) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238251.rb", "line": 1 @@ -3727,9 +3885,10 @@ ], "nist": [ "IA-2 (12)" - ] + ], + "host": null }, - "code": "control 'SV-238232' do\n title \"The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. \"\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to\n\\\"ocsp_on\\\", or the line is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \\\"cert_policy\\\" lines in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" to include \\\"ocsp_on\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000377-GPOS-00162 '\n tag gid: 'V-238232 '\n tag rid: 'SV-238232r853412_rule '\n tag stig_id: 'UBTU-20-010065 '\n tag fix_id: 'F-41401r653870_fix '\n tag cci: ['CCI-001954']\n tag nist: ['IA-2 (12)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'ocsp_on' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238232' do\n title \"The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. \"\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to\n\\\"ocsp_on\\\", or the line is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \\\"cert_policy\\\" lines in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" to include \\\"ocsp_on\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000377-GPOS-00162 '\n tag gid: 'V-238232 '\n tag rid: 'SV-238232r853412_rule '\n tag stig_id: 'UBTU-20-010065 '\n tag fix_id: 'F-41401r653870_fix '\n tag cci: ['CCI-001954']\n tag nist: ['IA-2 (12)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'ocsp_on' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238232.rb", "line": 1 @@ -3761,9 +3920,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238297' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"delete_module\\\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"delete_module\\\" syscall.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: ['SRG-OS-000477-GPOS-00222']\n tag gid: 'V-238297 '\n tag rid: 'SV-238297r802387_rule '\n tag stig_id: 'UBTU-20-010181 '\n tag fix_id: 'F-41466r654065_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('delete_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('delete_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", + "code": "control 'SV-238297' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the delete_module syscall. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"delete_module\\\" syscall.\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep -w\ndelete_module\n\n-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1\n-k module_chng\n-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k\nmodule_chng\n\nIf the command does not return a line that matches the example or the line is\ncommented out, this is a finding.\n\nNotes:\n- For 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\n- The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"delete_module\\\" syscall.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S delete_module -F\nauid>=1000 -F auid!=4294967295 -k module_chng\n-a always,exit -F arch=b64 -S\ndelete_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n\nNotes: For 32-bit\narchitectures, only the 32-bit specific entries are required.\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: ['SRG-OS-000477-GPOS-00222']\n tag gid: 'V-238297 '\n tag rid: 'SV-238297r802387_rule '\n tag stig_id: 'UBTU-20-010181 '\n tag fix_id: 'F-41466r654065_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('delete_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('delete_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238297.rb", "line": 1 @@ -3796,9 +3956,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238295' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \\\"init_module\\\" and \\\"finit_module\\\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000471-GPOS-00216)\n tag gid: 'V-238295 '\n tag rid: 'SV-238295r808486_rule '\n tag stig_id: 'UBTU-20-010179 '\n tag fix_id: 'F-41464r808485_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('init_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('init_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", + "code": "control 'SV-238295' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \\\"init_module\\\" and \\\"finit_module\\\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"init_module\\\" and \\\"finit_module\\\" syscalls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000471-GPOS-00216)\n tag gid: 'V-238295 '\n tag rid: 'SV-238295r808486_rule '\n tag stig_id: 'UBTU-20-010179 '\n tag fix_id: 'F-41464r808485_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('init_module').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('init_module').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238295.rb", "line": 1 @@ -3827,9 +3988,10 @@ ], "nist": [ "SI-16" - ] + ], + "host": null }, - "code": "control 'SV-238368' do\n title \"The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \\\"execute disable\\\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\\\"dmesg\\\" does not show \\\"NX (Execute Disable) protection: active\\\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \\\"flags\\\" does not contain the \\\"nx\\\" flag, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enable NX.\n\nIf \\\"nx\\\" is not showing up in\n\\\"/proc/cpuinfo\\\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \\\"enable\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00192 '\n tag gid: 'V-238368 '\n tag rid: 'SV-238368r853445_rule '\n tag stig_id: 'UBTU-20-010447 '\n tag fix_id: 'F-41537r654278_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/,\n }\n describe.one do\n describe command('dmesg | grep NX').stdout.strip do\n it { should match(/.+(NX \\(Execute Disable\\) protection: active)/) }\n end\n describe parse_config_file('/proc/cpuinfo', options).flags.split(' ') do\n it { should include 'nx' }\n end\n end\n end\nend\n", + "code": "control 'SV-238368' do\n title \"The Ubuntu operating system must implement non-executable data to protect its memory from\nunauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the NX (no-execution) bit flag is set on the system with the following commands:\n\n$\ndmesg | grep -i \\\"execute disable\\\"\n[ 0.000000] NX (Execute Disable) protection: active\n\nIf\n\\\"dmesg\\\" does not show \\\"NX (Execute Disable) protection: active\\\", check the cpuinfo settings\nwith the following command:\n\n$ grep flags /proc/cpuinfo | grep -w nx | sort -u\nflags : fpu vme\nde pse tsc ms nx rdtscp lm constant_tsc\n\nIf \\\"flags\\\" does not contain the \\\"nx\\\" flag, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enable NX.\n\nIf \\\"nx\\\" is not showing up in\n\\\"/proc/cpuinfo\\\", and the system's BIOS setup configuration permits toggling the No\nExecution bit, set it to \\\"enable\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00192 '\n tag gid: 'V-238368 '\n tag rid: 'SV-238368r853445_rule '\n tag stig_id: 'UBTU-20-010447 '\n tag fix_id: 'F-41537r654278_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*:\\s*(.*?)\\s*$/,\n }\n describe.one do\n describe command('dmesg | grep NX').stdout.strip do\n it { should match(/.+(NX \\(Execute Disable\\) protection: active)/) }\n end\n describe parse_config_file('/proc/cpuinfo', options).flags.split(' ') do\n it { should include 'nx' }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238368.rb", "line": 1 @@ -3858,9 +4020,11 @@ ], "nist": [ "SC-5 a" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238367' do\n title \"The Ubuntu operating system must configure the uncomplicated firewall to rate-limit\nimpacted network interfaces. \"\n desc \"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks. \"\n desc 'check', \"Verify an application firewall is configured to rate limit any connection to the system.\n\n\nCheck all the services listening to the ports with the following command:\n\n$ sudo ss -l46ut\n\n\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128\n[::]:ssh [::]:*\n\nFor each entry, verify that the Uncomplicated Firewall is configured to\nrate limit the service ports with the following command:\n\n$ sudo ufw status\n\nStatus: active\n\n\nTo Action From\n-- ------ ----\n22/tcp LIMIT Anywhere\n22/tcp (v6) LIMIT Anywhere (v6)\n\nIf\nany port with a state of \\\"LISTEN\\\" is not marked with the \\\"LIMIT\\\" action, this is a finding. \"\n desc 'fix', \"Configure the application firewall to protect against or limit the effects of DoS attacks by\nensuring the Ubuntu operating system is implementing rate-limiting measures on impacted\nnetwork interfaces.\n\nCheck all the services listening to the ports with the following\ncommand:\n\n$ sudo ss -l46ut\n\nNetid State Recv-Q Send-Q Local Address:Port Peer\nAddress:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*\n\nFor each service with a port\nlistening to connections, run the following command, replacing \\\"[service]\\\" with the\nservice that needs to be rate limited.\n\n$ sudo ufw limit [service]\n\nRate-limiting can also\nbe done on an interface. An example of adding a rate-limit on the eth0 interface follows:\n\n$\nsudo ufw limit in on eth0 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000420-GPOS-00186 '\n tag gid: 'V-238367 '\n tag rid: 'SV-238367r853444_rule '\n tag stig_id: 'UBTU-20-010446 '\n tag fix_id: 'F-41536r654275_fix '\n tag cci: ['CCI-002385']\n tag nist: ['SC-5 a']\n\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\nend\n", + "code": "control 'SV-238367' do\n title \"The Ubuntu operating system must configure the uncomplicated firewall to rate-limit\nimpacted network interfaces. \"\n desc \"Denial of service (DoS) is a condition when a resource is not available for legitimate users.\nWhen this occurs, the organization either cannot accomplish its mission or must operate at\ndegraded capacity.\n\nThis requirement addresses the configuration of the operating system\nto mitigate the impact of DoS attacks that have occurred or are ongoing on system\navailability. For each system, known and potential DoS attacks must be identified and\nsolutions for each type implemented. A variety of technologies exist to limit or, in some\ncases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing\nmemory partitions). Employing increased capacity and bandwidth, combined with service\nredundancy, may reduce the susceptibility to some DoS attacks. \"\n desc 'check', \"Verify an application firewall is configured to rate limit any connection to the system.\n\n\nCheck all the services listening to the ports with the following command:\n\n$ sudo ss -l46ut\n\n\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\ntcp LISTEN 0 128\n[::]:ssh [::]:*\n\nFor each entry, verify that the Uncomplicated Firewall is configured to\nrate limit the service ports with the following command:\n\n$ sudo ufw status\n\nStatus: active\n\n\nTo Action From\n-- ------ ----\n22/tcp LIMIT Anywhere\n22/tcp (v6) LIMIT Anywhere (v6)\n\nIf\nany port with a state of \\\"LISTEN\\\" is not marked with the \\\"LIMIT\\\" action, this is a finding. \"\n desc 'fix', \"Configure the application firewall to protect against or limit the effects of DoS attacks by\nensuring the Ubuntu operating system is implementing rate-limiting measures on impacted\nnetwork interfaces.\n\nCheck all the services listening to the ports with the following\ncommand:\n\n$ sudo ss -l46ut\n\nNetid State Recv-Q Send-Q Local Address:Port Peer\nAddress:Port Process\ntcp LISTEN 0 128 [::]:ssh [::]:*\n\nFor each service with a port\nlistening to connections, run the following command, replacing \\\"[service]\\\" with the\nservice that needs to be rate limited.\n\n$ sudo ufw limit [service]\n\nRate-limiting can also\nbe done on an interface. An example of adding a rate-limit on the eth0 interface follows:\n\n$\nsudo ufw limit in on eth0 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000420-GPOS-00186 '\n tag gid: 'V-238367 '\n tag rid: 'SV-238367r853444_rule '\n tag stig_id: 'UBTU-20-010446 '\n tag fix_id: 'F-41536r654275_fix '\n tag cci: ['CCI-002385']\n tag nist: ['SC-5 a']\n tag 'host', 'container'\n\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\nend\n", "source_location": { "ref": "./controls/SV-238367.rb", "line": 1 @@ -3889,9 +4053,10 @@ ], "nist": [ "MA-4 c" - ] + ], + "host": null }, - "code": "control 'SV-238211' do\n title \"The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. \"\n desc \"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \\\"UsePAM\\\"\nis set to \\\"yes\\\" in \\\"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \\\"UsePAM\\\" is not set to \\\"yes\\\", this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000125-GPOS-00065 '\n tag gid: 'V-238211 '\n tag rid: 'SV-238211r858519_rule '\n tag stig_id: 'UBTU-20-010035 '\n tag fix_id: 'F-41380r653807_fix '\n tag cci: ['CCI-000877']\n tag nist: ['MA-4 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe sshd_config do\n its('UsePAM') { should cmp 'yes' }\n end\n end\nend\n", + "code": "control 'SV-238211' do\n title \"The Ubuntu operating system must use strong authenticators in establishing nonlocal\nmaintenance and diagnostic sessions. \"\n desc \"Nonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\nTypically, strong authentication requires authenticators that are resistant to replay\nattacks and employ multifactor authentication. Strong authenticators include, for\nexample, PKI where certificates are stored on a token protected by a password, passphrase, or\nbiometric. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to use strong authenticators in the\nestablishment of nonlocal maintenance and diagnostic maintenance.\n\nVerify that \\\"UsePAM\\\"\nis set to \\\"yes\\\" in \\\"/etc/ssh/sshd_config:\n\n$ grep -r ^UsePAM\n/etc/ssh/sshd_config*\n\nUsePAM yes\n\nIf \\\"UsePAM\\\" is not set to \\\"yes\\\", this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use strong authentication when establishing\nnonlocal maintenance and diagnostic sessions.\n\nAdd or modify the following line to\n/etc/ssh/sshd_config:\n\nUsePAM yes \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000125-GPOS-00065 '\n tag gid: 'V-238211 '\n tag rid: 'SV-238211r858519_rule '\n tag stig_id: 'UBTU-20-010035 '\n tag fix_id: 'F-41380r653807_fix '\n tag cci: ['CCI-000877']\n tag nist: ['MA-4 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe sshd_config do\n its('UsePAM') { should cmp 'yes' }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238211.rb", "line": 1 @@ -3920,9 +4085,10 @@ ], "nist": [ "IA-5 (2) (b) (1)" - ] + ], + "host": null }, - "code": "control 'SV-238229' do\n title \"The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. \"\n desc \"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement. \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \\\"use_pkcs11_module\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\"\nand then ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to \\\"ca\\\" or the line is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \\\"use_pkcs11_module\\\" in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" and ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\".\n\nAdd or\nupdate the \\\"cert_policy\\\" to ensure \\\"ca\\\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000066-GPOS-00034 '\n tag gid: 'V-238229 '\n tag rid: 'SV-238229r653862_rule '\n tag stig_id: 'UBTU-20-010060 '\n tag fix_id: 'F-41398r653861_fix '\n tag cci: ['CCI-000185']\n tag nist: ['IA-5 (2) (b) (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('use_pkcs11_module') { should_not be_nil }\n its('cert_policy') { should include 'ca' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238229' do\n title \"The Ubuntu operating system, for PKI-based authentication, must validate certificates by\nconstructing a certification path (which includes status information) to an accepted trust\nanchor. \"\n desc \"Without path validation, an informed trust decision by the relying party cannot be made when\npresented with any certificate not already explicitly trusted.\n\nA trust anchor is an\nauthoritative entity represented via a public key and associated data. It is used in the\ncontext of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen\nthere is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can\nbe, for example, a Certification Authority (CA). A certification path starts with the\nsubject certificate and proceeds through a number of intermediate certificates up to a\ntrusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies\nthat a certification path to an accepted trust anchor is used for certificate validation and\nthat the path includes status information. Path validation is necessary for a relying party\nto make an informed trust decision when presented with any certificate not already\nexplicitly trusted. Status information for certification paths includes certificate\nrevocation lists or online certificate status protocol responses. Validation of the\ncertificate status information is out of scope for this requirement. \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates\nby constructing a certification path to an accepted trust anchor.\n\nDetermine which pkcs11\nmodule is being used via the \\\"use_pkcs11_module\\\" in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\"\nand then ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\" with the following command:\n\n$ sudo grep\nuse_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc\n{/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca\n\ncert_policy =\nca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to \\\"ca\\\" or the line is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to validate\ncertificates by constructing a certification path to an accepted trust anchor.\n\nDetermine\nwhich pkcs11 module is being used via the \\\"use_pkcs11_module\\\" in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" and ensure \\\"ca\\\" is enabled in \\\"cert_policy\\\".\n\nAdd or\nupdate the \\\"cert_policy\\\" to ensure \\\"ca\\\" is enabled:\n\ncert_policy = ca,signature,ocsp_on;\n\n\nIf the system is missing an \\\"/etc/pam_pkcs11/\\\" directory and an\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find an example to copy into place and modify\naccordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000066-GPOS-00034 '\n tag gid: 'V-238229 '\n tag rid: 'SV-238229r653862_rule '\n tag stig_id: 'UBTU-20-010060 '\n tag fix_id: 'F-41398r653861_fix '\n tag cci: ['CCI-000185']\n tag nist: ['IA-5 (2) (b) (1)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('use_pkcs11_module') { should_not be_nil }\n its('cert_policy') { should include 'ca' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238229.rb", "line": 1 @@ -3957,9 +4123,10 @@ "nist": [ "AU-9 a", "AU-9" - ] + ], + "host": null }, - "code": "control 'SV-238301' do\n title 'The Ubuntu operating system must configure audit tools to be owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\\\"%n %U\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238301 '\n tag rid: 'SV-238301r654078_rule '\n tag stig_id: 'UBTU-20-010200 '\n tag fix_id: 'F-41470r654077_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n", + "code": "control 'SV-238301' do\n title 'The Ubuntu operating system must configure audit tools to be owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent\nany unauthorized access.\n\nCheck the ownership by running the following command:\n\n$ stat -c\n\\\"%n %U\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport root\n\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not owned by root, this is a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file owner as root using the following command:\n\n$ sudo chown root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238301 '\n tag rid: 'SV-238301r654078_rule '\n tag stig_id: 'UBTU-20-010200 '\n tag fix_id: 'F-41470r654077_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('owner') { should cmp 'root' }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238301.rb", "line": 1 @@ -3992,9 +4159,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238258' do\n title \"The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\",\n\\\"fremovexattr\\\", and \\\"lremovexattr\\\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \\\"setxattr\\\", \\\"fsetxattr\\\",\n\\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\" and \\\"lremovexattr\\\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\", and\n\\\"lremovexattr\\\" system calls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238258 '\n tag rid: 'SV-238258r808474_rule '\n tag stig_id: 'UBTU-20-010142 '\n tag fix_id: 'F-41427r808473_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('setxattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('setxattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", + "code": "control 'SV-238258' do\n title \"The Ubuntu operating system must generate audit records for any use of the setxattr,\nfsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\",\n\\\"fremovexattr\\\", and \\\"lremovexattr\\\" system calls.\n\nCheck the currently configured audit\nrules with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F\narch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nIf the command does not return audit rules for the \\\"setxattr\\\", \\\"fsetxattr\\\",\n\\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\" and \\\"lremovexattr\\\" syscalls or the lines are\ncommented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"setxattr\\\", \\\"fsetxattr\\\", \\\"lsetxattr\\\", \\\"removexattr\\\", \\\"fremovexattr\\\", and\n\\\"lremovexattr\\\" system calls.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F\nauid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S\nsetxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k\nperm_mod\n\nNote: For 32-bit architectures, only the 32-bit specific entries are required.\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206)\n tag gid: 'V-238258 '\n tag rid: 'SV-238258r808474_rule '\n tag stig_id: 'UBTU-20-010142 '\n tag fix_id: 'F-41427r808473_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('setxattr').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('setxattr').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238258.rb", "line": 1 @@ -4023,9 +4191,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238284' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238284 '\n tag rid: 'SV-238284r654027_rule '\n tag stig_id: 'UBTU-20-010168 '\n tag fix_id: 'F-41453r654026_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238284' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the chacl command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"chacl\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo audtctl -l | grep chacl\n\n-a always,exit -F path=/usr/bin/chacl\n-F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"chacl\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/chacl -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238284 '\n tag rid: 'SV-238284r654027_rule '\n tag stig_id: 'UBTU-20-010168 '\n tag fix_id: 'F-41453r654026_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/chacl'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238284.rb", "line": 1 @@ -4054,9 +4223,11 @@ ], "nist": [ "SI-11 a" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238337' do\n title \"The Ubuntu operating system must generate error messages that provide information\nnecessary for corrective actions without revealing information that could be exploited by\nadversaries. \"\n desc \"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers. \"\n desc 'check', \"Verify the Ubuntu operating system has all system log files under the \\\"/var/log\\\" directory\nwith a permission set to 640 or less permissive by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec stat -c \\\"%n %a\\\" {} \\\\;\n\nIf the command displays any output,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to set permissions of all log files under the\n\\\"/var/log\\\" directory to 640 or more restricted by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec chmod 640 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000205-GPOS-00083 '\n tag gid: 'V-238337 '\n tag rid: 'SV-238337r654186_rule '\n tag stig_id: 'UBTU-20-010416 '\n tag fix_id: 'F-41506r654185_fix '\n tag cci: ['CCI-001312']\n tag nist: ['SI-11 a']\n\n log_files = command('find /var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;').stdout.strip.split(\"\\n\").entries\n\n describe 'Number of log files found with a permission NOT set to 640' do\n subject { log_files }\n its('count') { should eq 0 }\n end\nend\n", + "code": "control 'SV-238337' do\n title \"The Ubuntu operating system must generate error messages that provide information\nnecessary for corrective actions without revealing information that could be exploited by\nadversaries. \"\n desc \"Any operating system providing too much information in error messages risks compromising\nthe data and security of the structure, and content of error messages needs to be carefully\nconsidered by the organization.\n\nOrganizations carefully consider the\nstructure/content of error messages. The extent to which information systems are able to\nidentify and handle error conditions is guided by organizational policy and operational\nrequirements. Information that could be exploited by adversaries includes, for example,\nerroneous logon attempts with passwords entered by mistake as the username,\nmission/business information that can be derived from (if not stated explicitly by)\ninformation recorded, and personal information, such as account numbers, social security\nnumbers, and credit card numbers. \"\n desc 'check', \"Verify the Ubuntu operating system has all system log files under the \\\"/var/log\\\" directory\nwith a permission set to 640 or less permissive by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec stat -c \\\"%n %a\\\" {} \\\\;\n\nIf the command displays any output,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to set permissions of all log files under the\n\\\"/var/log\\\" directory to 640 or more restricted by using the following command:\n\n$ sudo find\n/var/log -perm /137 -type f -exec chmod 640 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000205-GPOS-00083 '\n tag gid: 'V-238337 '\n tag rid: 'SV-238337r654186_rule '\n tag stig_id: 'UBTU-20-010416 '\n tag fix_id: 'F-41506r654185_fix '\n tag cci: ['CCI-001312']\n tag nist: ['SI-11 a']\n tag 'host', 'container'\n\n log_files = command('find /var/log -perm /137 -type f -exec stat -c \"%n %a\" {} \\;').stdout.strip.split(\"\\n\").entries\n\n describe 'Number of log files found with a permission NOT set to 640' do\n subject { log_files }\n its('count') { should eq 0 }\n end\nend\n", "source_location": { "ref": "./controls/SV-238337.rb", "line": 1 @@ -4085,9 +4256,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238288' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"passwd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"key\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"passwd\\\" command.\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238288 '\n tag rid: 'SV-238288r833012_rule '\n tag stig_id: 'UBTU-20-010172 '\n tag fix_id: 'F-41457r832949_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238288' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the passwd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"passwd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w passwd\n\n-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F\nauid>=1000 -F auid!=-1 -F key=privileged-passwd\n\nIf the command does not return a line\nthat matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"key\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"passwd\\\" command.\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/passwd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238288 '\n tag rid: 'SV-238288r833012_rule '\n tag stig_id: 'UBTU-20-010172 '\n tag fix_id: 'F-41457r832949_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238288.rb", "line": 1 @@ -4116,9 +4288,11 @@ ], "nist": [ "IA-5 (1) (d)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238203' do\n title \"The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction.\nPasswords for new users must have a 60-day maximum password lifetime restriction. \"\n desc \"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n$ grep -i ^pass_max_days /etc/login.defs\n\nPASS_MAX_DAYS 60\n\nIf the \\\"PASS_MAX_DAYS\\\" parameter value is less than \\\"60\\\" or is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.\n\nAdd\nor modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MAX_DAYS 60 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000076-GPOS-00044 '\n tag gid: 'V-238203 '\n tag rid: 'SV-238203r653784_rule '\n tag stig_id: 'UBTU-20-010008 '\n tag fix_id: 'F-41372r653783_fix '\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)']\n\n describe login_defs do\n its('PASS_MAX_DAYS') { should cmp <= 60 }\n end\nend\n", + "code": "control 'SV-238203' do\n title \"The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction.\nPasswords for new users must have a 60-day maximum password lifetime restriction. \"\n desc \"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to\nbe changed periodically. If the operating system does not limit the lifetime of passwords and\nforce users to change their passwords, there is the risk that the operating system passwords\ncould be compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user\naccounts by running the following command:\n\n$ grep -i ^pass_max_days /etc/login.defs\n\nPASS_MAX_DAYS 60\n\nIf the \\\"PASS_MAX_DAYS\\\" parameter value is less than \\\"60\\\" or is commented\nout, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime.\n\nAdd\nor modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MAX_DAYS 60 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000076-GPOS-00044 '\n tag gid: 'V-238203 '\n tag rid: 'SV-238203r653784_rule '\n tag stig_id: 'UBTU-20-010008 '\n tag fix_id: 'F-41372r653783_fix '\n tag cci: ['CCI-000199']\n tag nist: ['IA-5 (1) (d)']\n tag 'host', 'container'\n\n describe login_defs do\n its('PASS_MAX_DAYS') { should cmp <= 60 }\n end\nend\n", "source_location": { "ref": "./controls/SV-238203.rb", "line": 1 @@ -4153,9 +4327,10 @@ "nist": [ "AU-12 c", "MA-4 (1) (a)" - ] + ], + "host": null }, - "code": "control 'SV-238309' do\n title \"The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, diagnostic sessions and other system-level access. \"\n desc \"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\\\"ping,\\\" \\\"ls,\\\" \\\"ipconfig,\\\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000392-GPOS-00172 '\n tag satisfies: %w(SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215)\n tag gid: 'V-238309 '\n tag rid: 'SV-238309r853427_rule '\n tag stig_id: 'UBTU-20-010244 '\n tag fix_id: 'F-41478r654101_fix '\n tag cci: %w(CCI-000172 CCI-002884)\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/sudo.log'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238309' do\n title \"The Ubuntu operating system must generate audit records for privileged activities,\nnonlocal maintenance, diagnostic sessions and other system-level access. \"\n desc \"If events associated with nonlocal administrative access or diagnostic sessions are not\nlogged, a major tool for assessing and investigating attacks would not be available.\n\nThis\nrequirement addresses auditing-related issues associated with maintenance tools used\nspecifically for diagnostic and repair actions on organizational information systems.\n\n\nNonlocal maintenance and diagnostic activities are those activities conducted by\nindividuals communicating through a network, either an external network (e.g., the\ninternet) or an internal network. Local maintenance and diagnostic activities are those\nactivities carried out by individuals physically present at the information system or\ninformation system component and not communicating across a network connection.\n\nThis\nrequirement applies to hardware/software diagnostic test equipment or tools. This\nrequirement does not cover hardware/software components that may support information\nsystem maintenance, yet are a part of the system, for example, the software implementing\n\\\"ping,\\\" \\\"ls,\\\" \\\"ipconfig,\\\" or the hardware and software implementing the monitoring port of\nan Ethernet switch.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep sudo.log\n\n-w /var/log/sudo.log -p wa -k\nmaintenance\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to audit activities performed during nonlocal\nmaintenance and diagnostic sessions.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/sudo.log -p wa -k maintenance\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000392-GPOS-00172 '\n tag satisfies: %w(SRG-OS-000392-GPOS-00172 SRG-OS-000471-GPOS-00215)\n tag gid: 'V-238309 '\n tag rid: 'SV-238309r853427_rule '\n tag stig_id: 'UBTU-20-010244 '\n tag fix_id: 'F-41478r654101_fix '\n tag cci: %w(CCI-000172 CCI-002884)\n tag nist: ['AU-12 c', 'MA-4 (1) (a)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/sudo.log'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238309.rb", "line": 1 @@ -4184,9 +4359,10 @@ ], "nist": [ "AU-5 (1)" - ] + ], + "host": null }, - "code": "control 'SV-238307' do\n title \"The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. \"\n desc \"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion. \"\n desc 'check', \"Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \\\"space_left\\\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \\\"space_left_action\\\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \\\"space_left_action\\\" is set to \\\"syslog\\\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\\\"space_left_action\\\" is set to \\\"exec\\\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \\\"space_left_action\\\" is set\nto \\\"email\\\", check the value of the \\\"action_mail_acct\\\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \\\"action_mail_acct\\\" parameter, if missing, defaults to \\\"root\\\". If the\n\\\"action_mail_acct parameter\\\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available. \"\n desc 'fix', \"Edit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left_action\\\" parameter to \\\"exec\\\" or\n\\\"email\\\".\n\nIf the \\\"space_left_action\\\" parameter is set to \\\"email\\\", set the\n\\\"action_mail_acct\\\" parameter to an email address for the SA and ISSO.\n\nIf the\n\\\"space_left_action\\\" parameter is set to \\\"exec\\\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left\\\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000343-GPOS-00134 '\n tag gid: 'V-238307 '\n tag rid: 'SV-238307r853425_rule '\n tag stig_id: 'UBTU-20-010217 '\n tag fix_id: 'F-41476r654095_fix '\n tag cci: ['CCI-001855']\n tag nist: ['AU-5 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n email_to_notify = input('action_mail_acct')\n\n partition_threshold_mb = (filesystem(log_file).size_kb / 1024 * 0.25).to_i\n system_alert_configuration_mb = auditd_conf.space_left.to_i\n\n describe 'The space_left configuration' do\n subject { system_alert_configuration_mb }\n it { should >= partition_threshold_mb }\n end\n describe 'The space_left_action configuration' do\n subject { auditd_conf.space_left_action }\n it { should eq 'email' }\n end\n\n describe 'The action_mail_acct configuration' do\n subject { auditd_conf.action_mail_acct }\n it { should eq email_to_notify }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238307' do\n title \"The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when\nallocated audit record storage volume reaches 75% of the repository maximum audit record\nstorage capacity. \"\n desc \"If security personnel are not notified immediately when storage volume reaches 75%\nutilization, they are unable to plan for audit record storage capacity expansion. \"\n desc 'check', \"Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated\naudit record storage volume reaches 75% of the repository maximum audit record storage\ncapacity with the following command:\n\n$ sudo grep ^space_left_action\n/etc/audit/auditd.conf\n\nspace_left_action email\n\n$ sudo grep ^space_left\n/etc/audit/auditd.conf\n\nspace_left 250000\n\nIf the \\\"space_left\\\" parameter is missing,\nset to blanks, or set to a value less than 25% of the space free in the allocated audit record\nstorage, this is a finding.\n\nIf the \\\"space_left_action\\\" parameter is missing or set to\nblanks, this is a finding.\n\nIf the \\\"space_left_action\\\" is set to \\\"syslog\\\", the system logs\nthe event but does not generate a notification, and this is a finding.\n\nIf the\n\\\"space_left_action\\\" is set to \\\"exec\\\", the system executes a designated script. If this\nscript informs the SA of the event, this is not a finding.\n\nIf the \\\"space_left_action\\\" is set\nto \\\"email\\\", check the value of the \\\"action_mail_acct\\\" parameter with the following command:\n\n\n$ sudo grep ^action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct\nroot@localhost\n\nThe \\\"action_mail_acct\\\" parameter, if missing, defaults to \\\"root\\\". If the\n\\\"action_mail_acct parameter\\\" is not set to the email address of the SA(s) and/or ISSO, this is\na finding.\n\nNote: If the email address of the System Administrator\n is on a remote system, a\nmail package must be available. \"\n desc 'fix', \"Edit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left_action\\\" parameter to \\\"exec\\\" or\n\\\"email\\\".\n\nIf the \\\"space_left_action\\\" parameter is set to \\\"email\\\", set the\n\\\"action_mail_acct\\\" parameter to an email address for the SA and ISSO.\n\nIf the\n\\\"space_left_action\\\" parameter is set to \\\"exec\\\", ensure the command being executed notifies\nthe SA and ISSO.\n\nEdit \\\"/etc/audit/auditd.conf\\\" and set the \\\"space_left\\\" parameter to be at\nleast 25% of the repository maximum audit record storage capacity. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000343-GPOS-00134 '\n tag gid: 'V-238307 '\n tag rid: 'SV-238307r853425_rule '\n tag stig_id: 'UBTU-20-010217 '\n tag fix_id: 'F-41476r654095_fix '\n tag cci: ['CCI-001855']\n tag nist: ['AU-5 (1)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n\n if log_dir_exists\n email_to_notify = input('action_mail_acct')\n\n partition_threshold_mb = (filesystem(log_file).size_kb / 1024 * 0.25).to_i\n system_alert_configuration_mb = auditd_conf.space_left.to_i\n\n describe 'The space_left configuration' do\n subject { system_alert_configuration_mb }\n it { should >= partition_threshold_mb }\n end\n describe 'The space_left_action configuration' do\n subject { auditd_conf.space_left_action }\n it { should eq 'email' }\n end\n\n describe 'The action_mail_acct configuration' do\n subject { auditd_conf.action_mail_acct }\n it { should eq email_to_notify }\n end\n else\n describe('Audit file/directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238307.rb", "line": 1 @@ -4215,9 +4391,11 @@ ], "nist": [ "IA-4 e" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238330' do\n title \"The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. \"\n desc \"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity. \"\n desc 'check', \"Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \\\"INACTIVE\\\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \\\"0\\\" will disable the account immediately after the\npassword expires. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000118-GPOS-00060 '\n tag gid: 'V-238330 '\n tag rid: 'SV-238330r654165_rule '\n tag stig_id: 'UBTU-20-010409 '\n tag fix_id: 'F-41499r654164_fix '\n tag cci: ['CCI-000795']\n tag nist: ['IA-4 e']\n\n config_file = input('useradd_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('INACTIVE') { should cmp > '0' }\n its('INACTIVE') { should cmp <= 35 }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238330' do\n title \"The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. \"\n desc \"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity. \"\n desc 'check', \"Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \\\"INACTIVE\\\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \\\"0\\\" will disable the account immediately after the\npassword expires. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000118-GPOS-00060 '\n tag gid: 'V-238330 '\n tag rid: 'SV-238330r654165_rule '\n tag stig_id: 'UBTU-20-010409 '\n tag fix_id: 'F-41499r654164_fix '\n tag cci: ['CCI-000795']\n tag nist: ['IA-4 e']\n tag 'host', 'container'\n\n config_file = input('useradd_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('INACTIVE') { should cmp > '0' }\n its('INACTIVE') { should cmp <= 35 }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238330.rb", "line": 1 @@ -4246,9 +4424,11 @@ ], "nist": [ "CM-6 b" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238380' do\n title 'The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. '\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\nCheck that the \\\"ctrl-alt-del.target\\\" (otherwise also known\nas reboot.target) is not active with the following command:\n\n$ sudo systemctl status\nctrl-alt-del.target\nctrl-alt-del.target\nLoaded: masked (Reason: Unit\nctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \\\"ctrl-alt-del.target\\\"\nis not masked, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the\nfollowing commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl\nmask ctrl-alt-del.target\n\nReload the daemon to take effect:\n\n$ sudo systemctl\ndaemon-reload \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238380 '\n tag rid: 'SV-238380r832974_rule '\n tag stig_id: 'UBTU-20-010460 '\n tag fix_id: 'F-41549r832973_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe service('ctrl-alt-del.target') do\n it { should_not be_running }\n it { should_not be_enabled }\n end\nend\n", + "code": "control 'SV-238380' do\n title 'The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. '\n desc \"A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the\nsystem. If accidentally pressed, as could happen in the case of a mixed OS environment, this\ncan create the risk of short-term loss of availability of systems due to unintentional\nreboot. \"\n desc 'check', \"Verify the Ubuntu operating system is not configured to reboot the system when\nCtrl-Alt-Delete is pressed.\n\nCheck that the \\\"ctrl-alt-del.target\\\" (otherwise also known\nas reboot.target) is not active with the following command:\n\n$ sudo systemctl status\nctrl-alt-del.target\nctrl-alt-del.target\nLoaded: masked (Reason: Unit\nctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \\\"ctrl-alt-del.target\\\"\nis not masked, this is a finding. \"\n desc 'fix', \"Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the\nfollowing commands:\n\n$ sudo systemctl disable ctrl-alt-del.target\n\n$ sudo systemctl\nmask ctrl-alt-del.target\n\nReload the daemon to take effect:\n\n$ sudo systemctl\ndaemon-reload \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238380 '\n tag rid: 'SV-238380r832974_rule '\n tag stig_id: 'UBTU-20-010460 '\n tag fix_id: 'F-41549r832973_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n describe service('ctrl-alt-del.target') do\n it { should_not be_running }\n it { should_not be_enabled }\n end\nend\n", "source_location": { "ref": "./controls/SV-238380.rb", "line": 1 @@ -4291,9 +4471,11 @@ "CM-7 (5) (b)", "AC-3 (4)", "AC-6 (10)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238360' do\n title 'The Ubuntu operating system must be configured to use AppArmor. '\n desc \"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).\n\n \"\n desc 'check', \"Verify the operating system prevents program execution in accordance with local policies.\n\n\nCheck that AppArmor is installed and active by running the following command,\n\n$ dpkg -l |\ngrep apparmor\n\nIf the \\\"apparmor\\\" package is not installed, this is a finding.\n\n$ systemctl\nis-active apparmor.service\n\nactive\n\nIf \\\"active\\\" is not returned, this is a finding.\n\n$\nsystemctl is-enabled apparmor.service\n\nenabled\n\nIf \\\"enabled\\\" is not returned, this is a\nfinding. \"\n desc 'fix', \"Install \\\"AppArmor\\\" (if it is not installed) with the following command:\n\n$ sudo apt-get\ninstall apparmor\n\n$ sudo systemctl enable apparmor.service\n\nStart \\\"apparmor\\\" with the\nfollowing command:\n\n$ sudo systemctl start apparmor.service\n\nNote: AppArmor must have\nproperly configured profiles for applications and home directories. All configurations\nwill be based on the actual system setup and organization and normally are on a per role basis.\nSee the AppArmor documentation for more information on configuring profiles. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000368-GPOS-00154 '\n tag satisfies: %w(SRG-OS-000368-GPOS-00154 SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123 SRG-OS-000312-GPOS-00124 SRG-OS-000324-GPOS-00125 SRG-OS-000370-GPOS-00155)\n tag gid: 'V-238360 '\n tag rid: 'SV-238360r853435_rule '\n tag stig_id: 'UBTU-20-010439 '\n tag fix_id: 'F-41529r654254_fix '\n tag cci: %w(CCI-001764 CCI-001774 CCI-002165 CCI-002235)\n tag nist: ['CM-7 (2)', 'CM-7 (5) (b)', 'AC-3 (4)', 'AC-6 (10)']\n\n describe service('apparmor') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "code": "control 'SV-238360' do\n title 'The Ubuntu operating system must be configured to use AppArmor. '\n desc \"Control of program execution is a mechanism used to prevent execution of unauthorized\nprograms. Some operating systems may provide a capability that runs counter to the mission or\nprovides users with functionality that exceeds mission requirements. This includes\nfunctions and services installed at the operating system-level.\n\nSome of the programs,\ninstalled by default, may be harmful or may not be necessary to support essential\norganizational operations (e.g., key missions, functions). Removal of executable\nprograms is not always possible; therefore, establishing a method of preventing program\nexecution is critical to maintaining a secure system baseline.\n\nMethods for complying with\nthis requirement include restricting execution of programs in certain environments, while\npreventing execution in other environments; or limiting execution of certain program\nfunctionality based on organization-defined criteria (e.g., privileges, subnets,\nsandboxed environments, or roles).\n\n \"\n desc 'check', \"Verify the operating system prevents program execution in accordance with local policies.\n\n\nCheck that AppArmor is installed and active by running the following command,\n\n$ dpkg -l |\ngrep apparmor\n\nIf the \\\"apparmor\\\" package is not installed, this is a finding.\n\n$ systemctl\nis-active apparmor.service\n\nactive\n\nIf \\\"active\\\" is not returned, this is a finding.\n\n$\nsystemctl is-enabled apparmor.service\n\nenabled\n\nIf \\\"enabled\\\" is not returned, this is a\nfinding. \"\n desc 'fix', \"Install \\\"AppArmor\\\" (if it is not installed) with the following command:\n\n$ sudo apt-get\ninstall apparmor\n\n$ sudo systemctl enable apparmor.service\n\nStart \\\"apparmor\\\" with the\nfollowing command:\n\n$ sudo systemctl start apparmor.service\n\nNote: AppArmor must have\nproperly configured profiles for applications and home directories. All configurations\nwill be based on the actual system setup and organization and normally are on a per role basis.\nSee the AppArmor documentation for more information on configuring profiles. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000368-GPOS-00154 '\n tag satisfies: %w(SRG-OS-000368-GPOS-00154 SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123 SRG-OS-000312-GPOS-00124 SRG-OS-000324-GPOS-00125 SRG-OS-000370-GPOS-00155)\n tag gid: 'V-238360 '\n tag rid: 'SV-238360r853435_rule '\n tag stig_id: 'UBTU-20-010439 '\n tag fix_id: 'F-41529r654254_fix '\n tag cci: %w(CCI-001764 CCI-001774 CCI-002165 CCI-002235)\n tag nist: ['CM-7 (2)', 'CM-7 (5) (b)', 'AC-3 (4)', 'AC-6 (10)']\n tag 'host', 'container'\n\n describe service('apparmor') do\n it { should be_installed }\n it { should be_enabled }\n it { should be_running }\n end\nend\n", "source_location": { "ref": "./controls/SV-238360.rb", "line": 1 @@ -4328,9 +4510,10 @@ "nist": [ "AC-7 a", "AC-7 b" - ] + ], + "host": null }, - "code": "control 'SV-238235' do\n title \"The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. \"\n desc \"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.\n\n \"\n desc 'check', \"Verify that the Ubuntu operating system utilizes the \\\"pam_faillock\\\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \\\"/etc/pam.d/common-auth\\\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \\\"silent\\\" keyword is missing or commented out, this is a finding.\nIf the \\\"audit\\\"\nkeyword is missing or commented out, this is a finding.\nIf the \\\"deny\\\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \\\"fail_interval\\\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\\\"unlock_time\\\" keyword is missing, commented out, or not set to 0, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to utilize the \\\"pam_faillock\\\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \\\"auth\\\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \\\"pam_faillock\\\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000329-GPOS-00128 '\n tag satisfies: %w(SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005)\n tag gid: 'V-238235 '\n tag rid: 'SV-238235r853414_rule '\n tag stig_id: 'UBTU-20-010072 '\n tag fix_id: 'F-41404r802382_fix '\n tag cci: %w(CCI-000044 CCI-002238)\n tag nist: ['AC-7 a', 'AC-7 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_tally /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3($|\\s+.*$)/) }\n its('stdout.strip') { should_not match(/^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3\\s+.*unlock_time.*$/) }\n end\n end\nend\n", + "code": "control 'SV-238235' do\n title \"The Ubuntu operating system must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts have been made. \"\n desc \"By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by\nlocking the account.\n\n \"\n desc 'check', \"Verify that the Ubuntu operating system utilizes the \\\"pam_faillock\\\" module with the\nfollowing command:\n$ grep faillock /etc/pam.d/common-auth\n\nauth [default=die]\npam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n\nIf the\npam_faillock.so module is not present in the \\\"/etc/pam.d/common-auth\\\" file, this is a\nfinding.\n\nVerify the pam_faillock module is configured to use the following options:\n$\nsudo egrep 'silent|audit|deny|fail_interval| unlock_time'\n/etc/security/faillock.conf\n\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time =\n0\n\nIf the \\\"silent\\\" keyword is missing or commented out, this is a finding.\nIf the \\\"audit\\\"\nkeyword is missing or commented out, this is a finding.\nIf the \\\"deny\\\" keyword is missing,\ncommented out, or set to a value greater than 3, this is a finding.\nIf the \\\"fail_interval\\\"\nkeyword is missing, commented out, or set to a value greater than 900, this is a finding.\nIf the\n\\\"unlock_time\\\" keyword is missing, commented out, or not set to 0, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to utilize the \\\"pam_faillock\\\" module.\n\nEdit the\n/etc/pam.d/common-auth file.\n\nAdd the following lines below the \\\"auth\\\" definition for\npam_unix.so:\nauth [default=die] pam_faillock.so authfail\nauth sufficient\npam_faillock.so authsucc\n\nConfigure the \\\"pam_faillock\\\" module to use the following\noptions:\n\nEdit the /etc/security/faillock.conf file and add/update the following\nkeywords and values:\naudit\nsilent\ndeny = 3\nfail_interval = 900\nunlock_time = 0 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000329-GPOS-00128 '\n tag satisfies: %w(SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005)\n tag gid: 'V-238235 '\n tag rid: 'SV-238235r853414_rule '\n tag stig_id: 'UBTU-20-010072 '\n tag fix_id: 'F-41404r802382_fix '\n tag cci: %w(CCI-000044 CCI-002238)\n tag nist: ['AC-7 a', 'AC-7 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-auth') do\n it { should exist }\n end\n\n describe command('grep pam_tally /etc/pam.d/common-auth') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3($|\\s+.*$)/) }\n its('stdout.strip') { should_not match(/^\\s*auth\\s+required\\s+pam_tally2.so\\s+.*onerr=fail\\s+deny=3\\s+.*unlock_time.*$/) }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238235.rb", "line": 1 @@ -4359,9 +4542,10 @@ ], "nist": [ "IA-3" - ] + ], + "host": null }, - "code": "control 'SV-251505' do\n title \"The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB)\nmass storage driver. \"\n desc \"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers. \"\n desc 'check', \"Verify that Ubuntu operating system disables ability to load the USB storage kernel\nmodule.\n\n# grep usb-storage /etc/modprobe.d/* | grep \\\"/bin/true\\\"\n\ninstall usb-storage\n/bin/true\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding.\n\nVerify the operating system disables the ability to use USB mass storage\ndevice.\n\n# grep usb-storage /etc/modprobe.d/* | grep -i \\\"blacklist\\\"\n\nblacklist\nusb-storage\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable using the USB storage kernel module.\n\n\nCreate a file under \\\"/etc/modprobe.d\\\" to contain the following:\n\n# sudo su -c \\\"echo\ninstall usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\\\"\n\nConfigure the\noperating system to disable the ability to use USB mass storage devices.\n\n# sudo su -c \\\"echo\nblacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\\\" \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000378-GPOS-00163 '\n tag gid: 'V-251505 '\n tag rid: 'SV-251505r853450_rule '\n tag stig_id: 'UBTU-20-010461 '\n tag fix_id: 'F-54894r808511_fix '\n tag cci: ['CCI-001958']\n tag nist: ['IA-3']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\"') do\n its('stdout') { should_not be_empty }\n end\n\n describe command('grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"') do\n its('stdout') { should_not be_empty }\n end\n end\nend\n", + "code": "control 'SV-251505' do\n title \"The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB)\nmass storage driver. \"\n desc \"Without authenticating devices, unidentified or unknown devices may be introduced,\nthereby facilitating malicious activity.\n\nPeripherals include, but are not limited to,\nsuch devices as flash drives, external storage, and printers. \"\n desc 'check', \"Verify that Ubuntu operating system disables ability to load the USB storage kernel\nmodule.\n\n# grep usb-storage /etc/modprobe.d/* | grep \\\"/bin/true\\\"\n\ninstall usb-storage\n/bin/true\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding.\n\nVerify the operating system disables the ability to use USB mass storage\ndevice.\n\n# grep usb-storage /etc/modprobe.d/* | grep -i \\\"blacklist\\\"\n\nblacklist\nusb-storage\n\nIf the command does not return any output, or the line is commented out, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable using the USB storage kernel module.\n\n\nCreate a file under \\\"/etc/modprobe.d\\\" to contain the following:\n\n# sudo su -c \\\"echo\ninstall usb-storage /bin/true >> /etc/modprobe.d/DISASTIG.conf\\\"\n\nConfigure the\noperating system to disable the ability to use USB mass storage devices.\n\n# sudo su -c \\\"echo\nblacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf\\\" \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000378-GPOS-00163 '\n tag gid: 'V-251505 '\n tag rid: 'SV-251505r853450_rule '\n tag stig_id: 'UBTU-20-010461 '\n tag fix_id: 'F-54894r808511_fix '\n tag cci: ['CCI-001958']\n tag nist: ['IA-3']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep usb-storage /etc/modprobe.d/* | grep \"/bin/true\"') do\n its('stdout') { should_not be_empty }\n end\n\n describe command('grep usb-storage /etc/modprobe.d/* | grep -i \"blacklist\"') do\n its('stdout') { should_not be_empty }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-251505.rb", "line": 1 @@ -4390,9 +4574,10 @@ ], "nist": [ "AU-14 (1)" - ] + ], + "host": null }, - "code": "control 'SV-238299' do\n title 'The Ubuntu operating system must initiate session audits at system start-up. '\n desc \"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created. \"\n desc 'check', \"Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \\\"^\\\\s*linux\\\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \\\"audit=1\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\\\"/etc/default/grub\\\" file and add \\\"audit=1\\\" to the \\\"GRUB_CMDLINE_LINUX\\\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000254-GPOS-00095 '\n tag gid: 'V-238299 '\n tag rid: 'SV-238299r654072_rule '\n tag stig_id: 'UBTU-20-010198 '\n tag fix_id: 'F-41468r654071_fix '\n tag cci: ['CCI-001464']\n tag nist: ['AU-14 (1)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n grub_entries = command('grep \"^\\s*linux\" /boot/grub/grub.cfg').stdout.strip.split(\"\\n\").entries\n\n grub_entries.each do |entry|\n describe entry do\n it { should include 'audit=1' }\n end\n end\n end\nend\n", + "code": "control 'SV-238299' do\n title 'The Ubuntu operating system must initiate session audits at system start-up. '\n desc \"If auditing is enabled late in the start-up process, the actions of some start-up processes\nmay not be audited. Some audit systems also maintain state information only available if\nauditing is enabled before a given process is created. \"\n desc 'check', \"Verify that the Ubuntu operating system enables auditing at system startup.\n\nVerify that\nthe auditing is enabled in grub with the following command:\n\n$ sudo grep \\\"^\\\\s*linux\\\"\n/boot/grub/grub.cfg\n\nlinux /boot/vmlinuz-5.4.0-31-generic\nroot=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1\nlinux\n/boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro\nrecovery nomodeset audit=1\n\nIf any linux lines do not contain \\\"audit=1\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to produce audit records at system startup.\n\nEdit the\n\\\"/etc/default/grub\\\" file and add \\\"audit=1\\\" to the \\\"GRUB_CMDLINE_LINUX\\\" option.\n\nTo\nupdate the grub config file, run:\n\n$ sudo update-grub \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000254-GPOS-00095 '\n tag gid: 'V-238299 '\n tag rid: 'SV-238299r654072_rule '\n tag stig_id: 'UBTU-20-010198 '\n tag fix_id: 'F-41468r654071_fix '\n tag cci: ['CCI-001464']\n tag nist: ['AU-14 (1)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n grub_entries = command('grep \"^\\s*linux\" /boot/grub/grub.cfg').stdout.strip.split(\"\\n\").entries\n\n grub_entries.each do |entry|\n describe entry do\n it { should include 'audit=1' }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238299.rb", "line": 1 @@ -4421,9 +4606,11 @@ ], "nist": [ "SC-24" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238334' do\n title \"The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state\nif system initialization fails, shutdown fails or aborts fail. \"\n desc \"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition. \"\n desc 'check', \"Verify that kernel core dumps are disabled unless needed.\n\nCheck if \\\"kdump\\\" service is\nactive with the following command:\n\n$ systemctl is-active kdump.service\ninactive\n\nIf\nthe \\\"kdump\\\" service is active, ask the SA if the use of the service is required and documented\nwith the ISSO.\n\nIf the service is active and is not documented, this is a finding. \"\n desc 'fix', \"If kernel core dumps are not required, disable the \\\"kdump\\\" service with the following\ncommand:\n\n$ sudo systemctl disable kdump.service\n\nIf kernel core dumps are required,\ndocument the need with the ISSO. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000184-GPOS-00078 '\n tag gid: 'V-238334 '\n tag rid: 'SV-238334r654177_rule '\n tag stig_id: 'UBTU-20-010413 '\n tag fix_id: 'F-41503r654176_fix '\n tag cci: ['CCI-001190']\n tag nist: ['SC-24']\n\n is_kdump_required = input('is_kdump_required')\n if is_kdump_required\n describe service('kdump') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\n else\n describe service('kdump') do\n it { should_not be_enabled }\n it { should_not be_installed }\n it { should_not be_running }\n end\n end\nend\n", + "code": "control 'SV-238334' do\n title \"The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state\nif system initialization fails, shutdown fails or aborts fail. \"\n desc \"Kernel core dumps may contain the full contents of system memory at the time of the crash.\nKernel core dumps may consume a considerable amount of disk space and may result in denial of\nservice by exhausting the available space on the target file system partition. \"\n desc 'check', \"Verify that kernel core dumps are disabled unless needed.\n\nCheck if \\\"kdump\\\" service is\nactive with the following command:\n\n$ systemctl is-active kdump.service\ninactive\n\nIf\nthe \\\"kdump\\\" service is active, ask the SA if the use of the service is required and documented\nwith the ISSO.\n\nIf the service is active and is not documented, this is a finding. \"\n desc 'fix', \"If kernel core dumps are not required, disable the \\\"kdump\\\" service with the following\ncommand:\n\n$ sudo systemctl disable kdump.service\n\nIf kernel core dumps are required,\ndocument the need with the ISSO. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000184-GPOS-00078 '\n tag gid: 'V-238334 '\n tag rid: 'SV-238334r654177_rule '\n tag stig_id: 'UBTU-20-010413 '\n tag fix_id: 'F-41503r654176_fix '\n tag cci: ['CCI-001190']\n tag nist: ['SC-24']\n tag 'host', 'container'\n\n is_kdump_required = input('is_kdump_required')\n if is_kdump_required\n describe service('kdump') do\n it { should be_enabled }\n it { should be_installed }\n it { should be_running }\n end\n else\n describe service('kdump') do\n it { should_not be_enabled }\n it { should_not be_installed }\n it { should_not be_running }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238334.rb", "line": 1 @@ -4452,9 +4639,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238254' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"mount\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"mount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238254 '\n tag rid: 'SV-238254r653937_rule '\n tag stig_id: 'UBTU-20-010138 '\n tag fix_id: 'F-41423r653936_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/mount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238254' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the mount command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"mount\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/usr/bin/mount'\n\n-a always,exit -F\npath=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"mount\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/mount -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238254 '\n tag rid: 'SV-238254r653937_rule '\n tag stig_id: 'UBTU-20-010138 '\n tag fix_id: 'F-41423r653936_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/mount'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238254.rb", "line": 1 @@ -4483,9 +4671,10 @@ ], "nist": [ "CM-6 b" - ] + ], + "host": null }, - "code": "control 'SV-251504' do\n title 'The Ubuntu operating system must not allow accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding. \"\n desc 'fix', \"If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \\\"nullok\\\" option in \\\"/etc/pam.d/common-password\\\" to prevent logons with\nempty passwords. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251504 '\n tag rid: 'SV-251504r832977_rule '\n tag stig_id: 'UBTU-20-010463 '\n tag fix_id: 'F-54893r832976_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep nullok /etc/pam.d/common-password') do\n its('stdout') { should be_empty }\n end\n end\nend\n", + "code": "control 'SV-251504' do\n title 'The Ubuntu operating system must not allow accounts configured with blank or null passwords. '\n desc \"If an account has an empty password, anyone could log on and run commands with the privileges of\nthat account. Accounts with empty passwords should never be used in operational\nenvironments. \"\n desc 'check', \"To verify that null passwords cannot be used, run the following command:\n\n$ grep nullok\n/etc/pam.d/common-password\n\nIf this produces any output, it may be possible to log on with\naccounts with empty passwords.\n\nIf null passwords can be used, this is a finding. \"\n desc 'fix', \"If an account is configured for password authentication but does not have an assigned\npassword, it may be possible to log on to the account without authenticating.\n\nRemove any\ninstances of the \\\"nullok\\\" option in \\\"/etc/pam.d/common-password\\\" to prevent logons with\nempty passwords. \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-251504 '\n tag rid: 'SV-251504r832977_rule '\n tag stig_id: 'UBTU-20-010463 '\n tag fix_id: 'F-54893r832976_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep nullok /etc/pam.d/common-password') do\n its('stdout') { should be_empty }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-251504.rb", "line": 1 @@ -4514,9 +4703,11 @@ ], "nist": [ "IA-5 (1) (d)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238202' do\n title \"The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day minimum password lifetime restriction. \"\n desc \"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \\\"PASS_MIN_DAYS\\\" parameter value is less than\n\\\"1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MIN_DAYS 1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000075-GPOS-00043 '\n tag gid: 'V-238202 '\n tag rid: 'SV-238202r653781_rule '\n tag stig_id: 'UBTU-20-010007 '\n tag fix_id: 'F-41371r653780_fix '\n tag cci: ['CCI-000198']\n tag nist: ['IA-5 (1) (d)']\n\n describe login_defs do\n its('PASS_MIN_DAYS') { should >= '1' }\n end\nend\n", + "code": "control 'SV-238202' do\n title \"The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day minimum password lifetime restriction. \"\n desc \"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \\\"PASS_MIN_DAYS\\\" parameter value is less than\n\\\"1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MIN_DAYS 1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000075-GPOS-00043 '\n tag gid: 'V-238202 '\n tag rid: 'SV-238202r653781_rule '\n tag stig_id: 'UBTU-20-010007 '\n tag fix_id: 'F-41371r653780_fix '\n tag cci: ['CCI-000198']\n tag nist: ['IA-5 (1) (d)']\n tag 'host', 'container'\n\n describe login_defs do\n its('PASS_MIN_DAYS') { should >= '1' }\n end\nend\n", "source_location": { "ref": "./controls/SV-238202.rb", "line": 1 @@ -4545,9 +4736,11 @@ ], "nist": [ "CM-5 (6)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238352' do\n title 'The Ubuntu operating system library directories must be group-owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\ngroup-owned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group\nroot -type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system-wide shared library directory is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238352 '\n tag rid: 'SV-238352r654231_rule '\n tag stig_id: 'UBTU-20-010431 '\n tag fix_id: 'F-41521r654230_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n library_directories = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_directories.count > 0\n library_directories.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT group-owned by root' do\n subject { library_directories }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238352' do\n title 'The Ubuntu operating system library directories must be group-owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\ngroup-owned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group\nroot -type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system-wide shared library directory is\nreturned, this is a finding. \"\n desc 'fix', \"Configure the system library directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root\n'{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238352 '\n tag rid: 'SV-238352r654231_rule '\n tag stig_id: 'UBTU-20-010431 '\n tag fix_id: 'F-41521r654230_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n library_directories = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_directories.count > 0\n library_directories.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT group-owned by root' do\n subject { library_directories }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238352.rb", "line": 1 @@ -4581,9 +4774,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238286' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238286 '\n tag rid: 'SV-238286r654033_rule '\n tag stig_id: 'UBTU-20-010170 '\n tag fix_id: 'F-41455r654032_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/faillog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238286' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238286 '\n tag rid: 'SV-238286r654033_rule '\n tag stig_id: 'UBTU-20-010170 '\n tag fix_id: 'F-41455r654032_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/faillog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238286.rb", "line": 1 @@ -4624,9 +4818,10 @@ "IA-2 (2)", "IA-2 (3)", "IA-2 (4)" - ] + ], + "host": null }, - "code": "control 'SV-238210' do\n title \"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. \"\n desc \"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \\\"no\\\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \\\"pam_pkcs11.so\\\" in \\\"/etc/pam.d/common-auth\\\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\\\"PubkeyAuthentication yes\\\" in the \\\"/etc/ssh/sshd_config\\\" file. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000105-GPOS-00052 '\n tag satisfies: %w(SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055)\n tag gid: 'V-238210 '\n tag rid: 'SV-238210r858517_rule '\n tag stig_id: 'UBTU-20-010033 '\n tag fix_id: 'F-41379r653804_fix '\n tag cci: %w(CCI-000765 CCI-000766 CCI-000767 CCI-000768)\n tag nist: ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n\n describe sshd_config do\n its('PubkeyAuthentication') { should cmp 'yes' }\n end\n end\nend\n", + "code": "control 'SV-238210' do\n title \"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. \"\n desc \"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \\\"no\\\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \\\"pam_pkcs11.so\\\" in \\\"/etc/pam.d/common-auth\\\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\\\"PubkeyAuthentication yes\\\" in the \\\"/etc/ssh/sshd_config\\\" file. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000105-GPOS-00052 '\n tag satisfies: %w(SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055)\n tag gid: 'V-238210 '\n tag rid: 'SV-238210r858517_rule '\n tag stig_id: 'UBTU-20-010033 '\n tag fix_id: 'F-41379r653804_fix '\n tag cci: %w(CCI-000765 CCI-000766 CCI-000767 CCI-000768)\n tag nist: ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n\n describe sshd_config do\n its('PubkeyAuthentication') { should cmp 'yes' }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238210.rb", "line": 1 @@ -4655,9 +4850,11 @@ ], "nist": [ "SI-11 b" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238342' do\n title 'The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \\\"/var/log/syslog\\\" file is not owned by syslog, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238342 '\n tag rid: 'SV-238342r654201_rule '\n tag stig_id: 'UBTU-20-010421 '\n tag fix_id: 'F-41511r654200_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n its('owner') { should cmp 'syslog' }\n end\nend\n", + "code": "control 'SV-238342' do\n title 'The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \\\"/var/log/syslog\\\" file is not owned by syslog, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238342 '\n tag rid: 'SV-238342r654201_rule '\n tag stig_id: 'UBTU-20-010421 '\n tag fix_id: 'F-41511r654200_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host', 'container'\n\n describe file('/var/log/syslog') do\n its('owner') { should cmp 'syslog' }\n end\nend\n", "source_location": { "ref": "./controls/SV-238342.rb", "line": 1 @@ -4686,9 +4883,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238280' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"newgrp\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"newgrp\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238280 '\n tag rid: 'SV-238280r654015_rule '\n tag stig_id: 'UBTU-20-010164 '\n tag fix_id: 'F-41449r654014_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/newgrp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238280' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the newgrp command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"newgrp\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep newgrp\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"newgrp\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/newgrp -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue\nthe following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238280 '\n tag rid: 'SV-238280r654015_rule '\n tag stig_id: 'UBTU-20-010164 '\n tag fix_id: 'F-41449r654014_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/newgrp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238280.rb", "line": 1 @@ -4717,9 +4915,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238310' do\n title \"The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible. \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\\\|rename\\\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \\\"unlink\\\",\n\\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \\\"key\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events for any successful/unsuccessful use of\n\\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" system calls.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000468-GPOS-00212 '\n tag gid: 'V-238310 '\n tag rid: 'SV-238310r832953_rule '\n tag stig_id: 'UBTU-20-010267 '\n tag fix_id: 'F-41479r832952_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('unlink').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('unlink').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", + "code": "control 'SV-238310' do\n title \"The Ubuntu operating system must generate audit records for any successful/unsuccessful\nuse of unlink, unlinkat, rename, renameat, and rmdir system calls. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible. \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for any\nsuccessful/unsuccessful use of \\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\"\nsystem calls.\n\nCheck the currently configured audit rules with the following command:\n\n$\nsudo auditctl -l | grep 'unlink\\\\|rename\\\\|rmdir'\n\n-a always,exit -F arch=b64 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete\n-a\nalways,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=-1 -F key=delete\n\nIf the command does not return audit rules for the \\\"unlink\\\",\n\\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" syscalls or the lines are commented out, this\nis a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit specific output lines from\nthe commands are required.\nThe \\\"key\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events for any successful/unsuccessful use of\n\\\"unlink\\\", \\\"unlinkat\\\", \\\"rename\\\", \\\"renameat\\\", and \\\"rmdir\\\" system calls.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\narch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F\nauid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S\nunlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete\n\n\nNotes: For 32-bit architectures, only the 32-bit specific entries are required.\n\nTo\nreload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000468-GPOS-00212 '\n tag gid: 'V-238310 '\n tag rid: 'SV-238310r832953_rule '\n tag stig_id: 'UBTU-20-010267 '\n tag fix_id: 'F-41479r832952_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n if os.arch == 'x86_64'\n describe auditd.syscall('unlink').where { arch == 'b64' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\n describe auditd.syscall('unlink').where { arch == 'b32' } do\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238310.rb", "line": 1 @@ -4748,9 +4947,11 @@ ], "nist": [ "AC-3" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238204' do\n title \"Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. \"\n desc \"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system. \"\n desc 'check', \"Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \\\"password_pbkdf2\\\", this is a finding. \"\n desc 'fix', \"Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \\\"/etc/grub.d/40_custom\\\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\\\\\"root\\\\\\\"\\\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \\\"grub.conf\\\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000080-GPOS-00048 '\n tag gid: 'V-238204 '\n tag rid: 'SV-238204r832936_rule '\n tag stig_id: 'UBTU-20-010009 '\n tag fix_id: 'F-41373r832935_fix '\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n\n describe grub_conf('/boot/grub/grub.cfg') do\n its('password') { should match '^password_pbkdf2' }\n end\nend\n", + "code": "control 'SV-238204' do\n title \"Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. \"\n desc \"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system. \"\n desc 'check', \"Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \\\"password_pbkdf2\\\", this is a finding. \"\n desc 'fix', \"Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \\\"/etc/grub.d/40_custom\\\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\\\\\"root\\\\\\\"\\\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \\\"grub.conf\\\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000080-GPOS-00048 '\n tag gid: 'V-238204 '\n tag rid: 'SV-238204r832936_rule '\n tag stig_id: 'UBTU-20-010009 '\n tag fix_id: 'F-41373r832935_fix '\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n tag 'host', 'container'\n\n describe grub_conf('/boot/grub/grub.cfg') do\n its('password') { should match '^password_pbkdf2' }\n end\nend\n", "source_location": { "ref": "./controls/SV-238204.rb", "line": 1 @@ -4779,9 +4980,11 @@ ], "nist": [ "CM-6 b" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238219' do\n title \"The Ubuntu operating system must be configured so that remote X connections are disabled,\nunless to fulfill documented and validated mission requirements. \"\n desc \"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs. \"\n desc 'check', \"Verify that X11Forwarding is disabled with the following command:\n\n$ grep -ir\nx11forwarding /etc/ssh/sshd_config* | grep -v \\\"^#\\\"\n\nX11Forwarding no\n\nIf the\n\\\"X11Forwarding\\\" keyword is set to \\\"yes\\\" and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement or is missing, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11Forwarding\\\"\nkeyword and set its value to \\\"no\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding\nno\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238219 '\n tag rid: 'SV-238219r858533_rule '\n tag stig_id: 'UBTU-20-010048 '\n tag fix_id: 'F-41388r653831_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n describe sshd_config do\n its('X11Forwarding') { should cmp 'no' }\n end\nend\n", + "code": "control 'SV-238219' do\n title \"The Ubuntu operating system must be configured so that remote X connections are disabled,\nunless to fulfill documented and validated mission requirements. \"\n desc \"The security risk of using X11 forwarding is that the client's X11 display server may be\nexposed to attack when the SSH client requests forwarding. A System Administrator may have a\nstance in which they want to protect clients that may expose themselves to attack by\nunwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\n\nX11\nforwarding should be enabled with caution. Users with the ability to bypass file permissions\non the remote host (for the user's X11 authorization database) can access the local X11\ndisplay through the forwarded connection. An attacker may then be able to perform activities\nsuch as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11\nservices are not required for the system's intended function, they should be disabled or\nrestricted as appropriate to the system’s needs. \"\n desc 'check', \"Verify that X11Forwarding is disabled with the following command:\n\n$ grep -ir\nx11forwarding /etc/ssh/sshd_config* | grep -v \\\"^#\\\"\n\nX11Forwarding no\n\nIf the\n\\\"X11Forwarding\\\" keyword is set to \\\"yes\\\" and is not documented with the Information System\nSecurity Officer (ISSO) as an operational requirement or is missing, this is a finding.\nIf\nconflicting results are returned, this is a finding. \"\n desc 'fix', \"Edit the \\\"/etc/ssh/sshd_config\\\" file to uncomment or add the line for the \\\"X11Forwarding\\\"\nkeyword and set its value to \\\"no\\\" (this file may be named differently or be in a different\nlocation if using a version of SSH that is provided by a third-party vendor):\n\nX11Forwarding\nno\n\nRestart the SSH daemon for the changes to take effect:\n\n$ sudo systemctl restart\nsshd.service \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238219 '\n tag rid: 'SV-238219r858533_rule '\n tag stig_id: 'UBTU-20-010048 '\n tag fix_id: 'F-41388r653831_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n describe sshd_config do\n its('X11Forwarding') { should cmp 'no' }\n end\nend\n", "source_location": { "ref": "./controls/SV-238219.rb", "line": 1 @@ -4810,9 +5013,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238257' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-keysign\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-keysign\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238257 '\n tag rid: 'SV-238257r653946_rule '\n tag stig_id: 'UBTU-20-010141 '\n tag fix_id: 'F-41426r653945_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/lib/openssh/ssh-keysign'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238257' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-keysign command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-keysign\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep ssh-keysign\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-ssh\n\nIf the command does not return lines that match the example or the lines are\ncommented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary\nidentifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-keysign\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-ssh\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules\n--load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238257 '\n tag rid: 'SV-238257r653946_rule '\n tag stig_id: 'UBTU-20-010141 '\n tag fix_id: 'F-41426r653945_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/lib/openssh/ssh-keysign'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238257.rb", "line": 1 @@ -4841,9 +5045,11 @@ ], "nist": [ "AU-9" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238345' do\n title \"The Ubuntu operating system must have directories that contain system commands owned by\nroot. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system commands directories are returned, this is\na finding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -user root -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238345 '\n tag rid: 'SV-238345r654210_rule '\n tag stig_id: 'UBTU-20-010424 '\n tag fix_id: 'F-41514r654209_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238345' do\n title \"The Ubuntu operating system must have directories that contain system commands owned by\nroot. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nUse the following command for the check:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root\n-type d -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system commands directories are returned, this is\na finding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -user root -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238345 '\n tag rid: 'SV-238345r654210_rule '\n tag stig_id: 'UBTU-20-010424 '\n tag fix_id: 'F-41514r654209_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n tag 'host', 'container'\n\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238345.rb", "line": 1 @@ -4872,9 +5078,11 @@ ], "nist": [ "CM-5 (6)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238376' do\n title 'The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. '\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories have mode 0755 or less\npermissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\n\nCheck that the system command files have mode 0755 or less permissive with the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. \"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238376 '\n tag rid: 'SV-238376r654303_rule '\n tag stig_id: 'UBTU-20-010456 '\n tag fix_id: 'F-41545r654302_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238376' do\n title 'The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. '\n desc \"If the Ubuntu operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\nUbuntu operating systems with software libraries that are accessible and configurable, as\nin the case of interpreted languages. Software libraries also include privileged programs\nwhich execute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system commands contained in the following directories have mode 0755 or less\npermissive:\n\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\n\nCheck that the system command files have mode 0755 or less permissive with the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec stat -c \\\"%n %a\\\" '{}' \\\\;\n\nIf any files are found to be group-writable or\nworld-writable, this is a finding. \"\n desc 'fix', \"Configure the system commands to be protected from unauthorized access. Run the following\ncommand:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm\n/022 -type f -exec chmod 755 '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238376 '\n tag rid: 'SV-238376r654303_rule '\n tag stig_id: 'UBTU-20-010456 '\n tag fix_id: 'F-41545r654302_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n system_commands = command('find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n else\n describe 'Number of system commands found in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin or /usr/local/sbin, that are less permissive than 0755' do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238376.rb", "line": 1 @@ -4903,9 +5111,11 @@ ], "nist": [ "AC-17 (1)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238324' do\n title 'The Ubuntu operating system must monitor remote access methods. '\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify that the Ubuntu operating system monitors all remote access methods.\n\nCheck that\nremote access methods are being logged by running the following command:\n\n$ grep -E -r\n'^(auth,authpriv\\\\.\\\\*|daemon\\\\.\\\\*)' /etc/rsyslog.*\n\n/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log\n\n/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages\n\nIf \\\"auth.*\\\",\n\\\"authpriv.*\\\", or \\\"daemon.*\\\" are not configured to be logged in at least one of the config\nfiles, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to monitor all remote access methods by adding the\nfollowing lines to the \\\"/etc/rsyslog.d/50-default.conf\\\" file:\n\nauth.*,authpriv.*\n/var/log/secure\ndaemon.* /var/log/messages\n\nFor the changes to take effect, restart the\n\\\"rsyslog\\\" service with the following command:\n\n$ sudo systemctl restart rsyslog.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000032-GPOS-00013 '\n tag gid: 'V-238324 '\n tag rid: 'SV-238324r832959_rule '\n tag stig_id: 'UBTU-20-010403 '\n tag fix_id: 'F-41493r832958_fix '\n tag cci: ['CCI-000067']\n tag nist: ['AC-17 (1)']\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*\\t\\s*(.*?)\\s*$/,\n }\n config_file = input('rsyslog_config_file')\n auth_setting = parse_config_file(config_file, options).params['auth,authpriv.*']\n daemon_setting = parse_config_file(config_file, options).params['daemon.notice']\n describe auth_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\n describe daemon_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\nend\n", + "code": "control 'SV-238324' do\n title 'The Ubuntu operating system must monitor remote access methods. '\n desc \"Remote access services, such as those providing remote access to network devices and\ninformation systems, which lack automated monitoring capabilities, increase risk and make\nremote user access management difficult at best.\n\nRemote access is access to DoD nonpublic\ninformation systems by an authorized user (or an information system) communicating through\nan external, non-organization-controlled network. Remote access methods include, for\nexample, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access\nsessions allows organizations to detect cyber attacks and also ensure ongoing compliance\nwith remote access policies by auditing connection activities of remote access\ncapabilities, such as Remote Desktop Protocol (RDP), on a variety of information system\ncomponents (e.g., servers, workstations, notebook computers, smartphones, and tablets). \"\n desc 'check', \"Verify that the Ubuntu operating system monitors all remote access methods.\n\nCheck that\nremote access methods are being logged by running the following command:\n\n$ grep -E -r\n'^(auth,authpriv\\\\.\\\\*|daemon\\\\.\\\\*)' /etc/rsyslog.*\n\n/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log\n\n/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages\n\nIf \\\"auth.*\\\",\n\\\"authpriv.*\\\", or \\\"daemon.*\\\" are not configured to be logged in at least one of the config\nfiles, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to monitor all remote access methods by adding the\nfollowing lines to the \\\"/etc/rsyslog.d/50-default.conf\\\" file:\n\nauth.*,authpriv.*\n/var/log/secure\ndaemon.* /var/log/messages\n\nFor the changes to take effect, restart the\n\\\"rsyslog\\\" service with the following command:\n\n$ sudo systemctl restart rsyslog.service \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000032-GPOS-00013 '\n tag gid: 'V-238324 '\n tag rid: 'SV-238324r832959_rule '\n tag stig_id: 'UBTU-20-010403 '\n tag fix_id: 'F-41493r832958_fix '\n tag cci: ['CCI-000067']\n tag nist: ['AC-17 (1)']\n tag 'host', 'container'\n\n options = {\n assignment_regex: /^\\s*([^:]*?)\\s*\\t\\s*(.*?)\\s*$/,\n }\n config_file = input('rsyslog_config_file')\n auth_setting = parse_config_file(config_file, options).params['auth,authpriv.*']\n daemon_setting = parse_config_file(config_file, options).params['daemon.notice']\n describe auth_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\n describe daemon_setting do\n it { should_not be_nil }\n it { should_not be_empty }\n end\nend\n", "source_location": { "ref": "./controls/SV-238324.rb", "line": 1 @@ -4934,9 +5144,11 @@ ], "nist": [ "AU-8 b" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238308' do\n title \"The Ubuntu operating system must record time stamps for audit records that can be mapped to\nCoordinated Universal Time (UTC) or Greenwich Mean Time (GMT). \"\n desc \"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. \"\n desc 'check', \"To verify the time zone is configured to use UTC or GMT, run the following command.\n\n$\ntimedatectl status | grep -i \\\"time zone\\\"\nTimezone: UTC (UTC, +0000)\n\nIf \\\"Timezone\\\" is not\nset to UTC or GMT, this is a finding. \"\n desc 'fix', \"To configure the system time zone to use UTC or GMT, run the following command, replacing\n[ZONE] with UTC or GMT:\n\n$ sudo timedatectl set-timezone [ZONE] \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000359-GPOS-00146 '\n tag gid: 'V-238308 '\n tag rid: 'SV-238308r853426_rule '\n tag stig_id: 'UBTU-20-010230 '\n tag fix_id: 'F-41477r654098_fix '\n tag cci: ['CCI-001890']\n tag nist: ['AU-8 b']\n\n time_zone = command('timedatectl status | grep -i \"time zone\"').stdout.strip\n\n describe time_zone do\n it { should match 'UTC' }\n end\nend\n", + "code": "control 'SV-238308' do\n title \"The Ubuntu operating system must record time stamps for audit records that can be mapped to\nCoordinated Universal Time (UTC) or Greenwich Mean Time (GMT). \"\n desc \"If time stamps are not consistently applied and there is no common time reference, it is\ndifficult to perform forensic analysis.\n\nTime stamps generated by the operating system\ninclude date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a\nmodern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. \"\n desc 'check', \"To verify the time zone is configured to use UTC or GMT, run the following command.\n\n$\ntimedatectl status | grep -i \\\"time zone\\\"\nTimezone: UTC (UTC, +0000)\n\nIf \\\"Timezone\\\" is not\nset to UTC or GMT, this is a finding. \"\n desc 'fix', \"To configure the system time zone to use UTC or GMT, run the following command, replacing\n[ZONE] with UTC or GMT:\n\n$ sudo timedatectl set-timezone [ZONE] \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000359-GPOS-00146 '\n tag gid: 'V-238308 '\n tag rid: 'SV-238308r853426_rule '\n tag stig_id: 'UBTU-20-010230 '\n tag fix_id: 'F-41477r654098_fix '\n tag cci: ['CCI-001890']\n tag nist: ['AU-8 b']\n tag 'host', 'container'\n\n time_zone = command('timedatectl status | grep -i \"time zone\"').stdout.strip\n\n describe time_zone do\n it { should match 'UTC' }\n end\nend\n", "source_location": { "ref": "./controls/SV-238308.rb", "line": 1 @@ -4965,9 +5177,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238290' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"gpasswd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"gpasswd\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238290 '\n tag rid: 'SV-238290r654045_rule '\n tag stig_id: 'UBTU-20-010174 '\n tag fix_id: 'F-41459r654044_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/gpasswd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238290' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the gpasswd command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"gpasswd\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w gpasswd\n\n-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-gpasswd\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"gpasswd\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/gpasswd -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238290 '\n tag rid: 'SV-238290r654045_rule '\n tag stig_id: 'UBTU-20-010174 '\n tag fix_id: 'F-41459r654044_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/gpasswd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238290.rb", "line": 1 @@ -4996,9 +5209,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238316' do\n title 'The Ubuntu operating system must generate audit records for the /var/run/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/run/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/run/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238316 '\n tag rid: 'SV-238316r654123_rule '\n tag stig_id: 'UBTU-20-010278 '\n tag fix_id: 'F-41485r654122_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/run/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238316' do\n title 'The Ubuntu operating system must generate audit records for the /var/run/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/run/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/run/wtmp'\n\n-w\n/var/run/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/run/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/run/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238316 '\n tag rid: 'SV-238316r654123_rule '\n tag stig_id: 'UBTU-20-010278 '\n tag fix_id: 'F-41485r654122_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/run/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238316.rb", "line": 1 @@ -5027,9 +5241,11 @@ ], "nist": [ "AU-9" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238346' do\n title \"The Ubuntu operating system must have directories that contain system commands group-owned\nby root. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238346 '\n tag rid: 'SV-238346r654213_rule '\n tag stig_id: 'UBTU-20-010425 '\n tag fix_id: 'F-41515r654212_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n # CHECK\n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238346' do\n title \"The Ubuntu operating system must have directories that contain system commands group-owned\nby root. \"\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user has in order to make access\ndecisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited\nto, vendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators. \"\n desc 'check', \"Verify the system commands directories are group-owned by root:\n\n/bin\n/sbin\n/usr/bin\n\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\n\nRun the check with the following command:\n\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root\n-type d -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\nIf any system commands directories are returned that are\nnot Set Group ID up on execution (SGID) files and owned by a privileged account, this is a\nfinding. \"\n desc 'fix', \"Configure the system commands directories to be protected from unauthorized access. Run the\nfollowing command:\n\n$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin\n/usr/local/sbin ! -group root -type d -exec chgrp root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000258-GPOS-00099 '\n tag gid: 'V-238346 '\n tag rid: 'SV-238346r654213_rule '\n tag stig_id: 'UBTU-20-010425 '\n tag fix_id: 'F-41515r654212_fix '\n tag cci: ['CCI-001495']\n tag nist: ['AU-9']\n tag 'host', 'container'\n \n system_commands = command('find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d').stdout.strip.split(\"\\n\").entries\n valid_system_commands = Set[]\n\n if system_commands.count > 0\n system_commands.each do |sys_cmd|\n if file(sys_cmd).exist?\n valid_system_commands = valid_system_commands << sys_cmd\n end\n end\n end\n\n if valid_system_commands.count > 0\n valid_system_commands.each do |val_sys_cmd|\n describe file(val_sys_cmd) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe \"Number of directories that contain system commands found in /bin, /sbin, /usr/bin, /usr/sbin,\n /usr/local/bin or /usr/local/sbin, that are NOT group-owned by root\" do\n subject { valid_system_commands }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238346.rb", "line": 1 @@ -5064,9 +5280,11 @@ "nist": [ "AC-11 a", "AC-11 (1)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238200' do\n title \"The Ubuntu operating system must allow users to directly initiate a session lock for all\nconnection types. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"vlock\\\" package installed by running the\nfollowing command:\n\n$ dpkg -l | grep vlock\n\nIf \\\"vlock\\\" is not installed, this is a finding. \"\n desc 'fix', \"Install the \\\"vlock\\\" package (if it is not already installed) by running the following\ncommand:\n\n$ sudo apt-get install vlock \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000030-GPOS-00011 '\n tag satisfies: %w(SRG-OS-000030-GPOS-00011 SRG-OS-000031-GPOS-00012)\n tag gid: 'V-238200 '\n tag rid: 'SV-238200r653775_rule '\n tag stig_id: 'UBTU-20-010005 '\n tag fix_id: 'F-41369r653774_fix '\n tag cci: %w(CCI-000058 CCI-000060)\n tag nist: ['AC-11 a', 'AC-11 (1)']\n\n describe package('vlock') do\n it { should be_installed }\n end\nend\n", + "code": "control 'SV-238200' do\n title \"The Ubuntu operating system must allow users to directly initiate a session lock for all\nconnection types. \"\n desc \"A session lock is a temporary action taken when a user stops work and moves away from the\nimmediate physical vicinity of the information system but does not want to log out because of\nthe temporary nature of the absence.\n\nThe session lock is implemented at the point where\nsession activity can be determined. Rather than be forced to wait for a period of time to expire\nbefore the user session can be locked, the Ubuntu operating systems need to provide users with\nthe ability to manually invoke a session lock so users may secure their session if they need to\ntemporarily vacate the immediate physical vicinity.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the \\\"vlock\\\" package installed by running the\nfollowing command:\n\n$ dpkg -l | grep vlock\n\nIf \\\"vlock\\\" is not installed, this is a finding. \"\n desc 'fix', \"Install the \\\"vlock\\\" package (if it is not already installed) by running the following\ncommand:\n\n$ sudo apt-get install vlock \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000030-GPOS-00011 '\n tag satisfies: %w(SRG-OS-000030-GPOS-00011 SRG-OS-000031-GPOS-00012)\n tag gid: 'V-238200 '\n tag rid: 'SV-238200r653775_rule '\n tag stig_id: 'UBTU-20-010005 '\n tag fix_id: 'F-41369r653774_fix '\n tag cci: %w(CCI-000058 CCI-000060)\n tag nist: ['AC-11 a', 'AC-11 (1)']\n tag 'host', 'container'\n\n describe package('vlock') do\n it { should be_installed }\n end\nend\n", "source_location": { "ref": "./controls/SV-238200.rb", "line": 1 @@ -5095,9 +5313,11 @@ ], "nist": [ "CM-6 b" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238227' do\n title 'The Ubuntu operating system must prevent the use of dictionary words for passwords. '\n desc \"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks. \"\n desc 'check', \"Verify the Ubuntu operating system uses the \\\"cracklib\\\" library to prevent the use of\ndictionary words with the following command:\n\n$ grep dictcheck\n/etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \\\"dictcheck\\\" parameter is not set to\n\\\"1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.\n\n\nAdd or update the following line in the \\\"/etc/security/pwquality.conf\\\" file to include the\n\\\"dictcheck=1\\\" parameter:\n\ndictcheck=1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238227 '\n tag rid: 'SV-238227r653856_rule '\n tag stig_id: 'UBTU-20-010056 '\n tag fix_id: 'F-41396r653855_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dictcheck') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238227' do\n title 'The Ubuntu operating system must prevent the use of dictionary words for passwords. '\n desc \"If the Ubuntu operating system allows the user to select passwords based on dictionary words,\nthen this increases the chances of password compromise by increasing the opportunity for\nsuccessful guesses and brute-force attacks. \"\n desc 'check', \"Verify the Ubuntu operating system uses the \\\"cracklib\\\" library to prevent the use of\ndictionary words with the following command:\n\n$ grep dictcheck\n/etc/security/pwquality.conf\n\ndictcheck=1\n\nIf the \\\"dictcheck\\\" parameter is not set to\n\\\"1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent the use of dictionary words for passwords.\n\n\nAdd or update the following line in the \\\"/etc/security/pwquality.conf\\\" file to include the\n\\\"dictcheck=1\\\" parameter:\n\ndictcheck=1 \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000480-GPOS-00225 '\n tag gid: 'V-238227 '\n tag rid: 'SV-238227r653856_rule '\n tag stig_id: 'UBTU-20-010056 '\n tag fix_id: 'F-41396r653855_fix '\n tag cci: ['CCI-000366']\n tag nist: ['CM-6 b']\n tag 'host', 'container'\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('dictcheck') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238227.rb", "line": 1 @@ -5126,9 +5346,11 @@ ], "nist": [ "SC-4" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238332' do\n title \"The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. \"\n desc \"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components. \"\n desc 'check', \"Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding. \"\n desc 'fix', \"Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \\\"[Public Directory]\\\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000138-GPOS-00069 '\n tag gid: 'V-238332 '\n tag rid: 'SV-238332r654171_rule '\n tag stig_id: 'UBTU-20-010411 '\n tag fix_id: 'F-41501r654170_fix '\n tag cci: ['CCI-001090']\n tag nist: ['SC-4']\n\n lines = command('find / -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null').stdout.strip.split(\"\\n\").entries\n if lines.count > 0\n lines.each do |line|\n dir = line.strip\n describe directory(dir) do\n it { should be_sticky }\n end\n end\n else\n describe 'Sticky bit has been set on all world writable directories' do\n subject { lines }\n its('count') { should eq 0 }\n end\n end\nend\n", + "code": "control 'SV-238332' do\n title \"The Ubuntu operating system must set a sticky bit on all public directories to prevent\nunauthorized and unintended information transferred via shared system resources. \"\n desc \"Preventing unauthorized information transfers mitigates the risk of information,\nincluding encrypted representations of information, produced by the actions of prior\nusers/roles (or the actions of processes acting on behalf of prior users/roles) from being\navailable to any current users/roles (or current processes) that obtain access to shared\nsystem resources (e.g., registers, main memory, hard disks) after those resources have been\nreleased back to information systems. The control of information in shared resources is also\ncommonly referred to as object reuse and residual information protection.\n\nThis\nrequirement generally applies to the design of an information technology product, but it can\nalso apply to the configuration of particular information system components that are, or\nuse, such products. This can be verified by acceptance/validation processes in DoD or other\ngovernment agencies.\n\nThere may be shared resources with configurable protections (e.g.,\nfiles in storage) that may be assessed on specific information system components. \"\n desc 'check', \"Verify that all public (world-writeable) directories have the public sticky bit set.\n\nFind\nworld-writable directories that lack the sticky bit by running the following command:\n\n$\nsudo find / -type d -perm -002 ! -perm -1000\n\nIf any world-writable directories are found\nmissing the sticky bit, this is a finding. \"\n desc 'fix', \"Configure all public directories to have the sticky bit set to prevent unauthorized and\nunintended information transferred via shared system resources.\n\nSet the sticky bit on all\npublic directories using the following command, replacing \\\"[Public Directory]\\\" with any\ndirectory path missing the sticky bit:\n\n$ sudo chmod +t [Public Directory] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000138-GPOS-00069 '\n tag gid: 'V-238332 '\n tag rid: 'SV-238332r654171_rule '\n tag stig_id: 'UBTU-20-010411 '\n tag fix_id: 'F-41501r654170_fix '\n tag cci: ['CCI-001090']\n tag nist: ['SC-4']\n tag 'host', 'container'\n\n lines = command('find / -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null').stdout.strip.split(\"\\n\").entries\n if lines.count > 0\n lines.each do |line|\n dir = line.strip\n describe directory(dir) do\n it { should be_sticky }\n end\n end\n else\n describe 'Sticky bit has been set on all world writable directories' do\n subject { lines }\n its('count') { should eq 0 }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238332.rb", "line": 1 @@ -5157,9 +5379,11 @@ ], "nist": [ "SI-11 b" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238339' do\n title 'The Ubuntu operating system must configure the /var/log directory to be owned by root. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify the Ubuntu operating system configures the \\\"/var/log\\\" directory to be owned by root\nwith the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log\n/var/log root\n\nIf the\n\\\"/var/log\\\" directory is not owned by root, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have root own the \\\"/var/log\\\" directory by running\nthe following command:\n\n$ sudo chown root /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238339 '\n tag rid: 'SV-238339r654192_rule '\n tag stig_id: 'UBTU-20-010418 '\n tag fix_id: 'F-41508r654191_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe directory('/var/log') do\n its('owner') { should cmp 'root' }\n end\nend\n", + "code": "control 'SV-238339' do\n title 'The Ubuntu operating system must configure the /var/log directory to be owned by root. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify the Ubuntu operating system configures the \\\"/var/log\\\" directory to be owned by root\nwith the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log\n/var/log root\n\nIf the\n\\\"/var/log\\\" directory is not owned by root, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have root own the \\\"/var/log\\\" directory by running\nthe following command:\n\n$ sudo chown root /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238339 '\n tag rid: 'SV-238339r654192_rule '\n tag stig_id: 'UBTU-20-010418 '\n tag fix_id: 'F-41508r654191_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host', 'container'\n\n describe directory('/var/log') do\n its('owner') { should cmp 'root' }\n end\nend\n", "source_location": { "ref": "./controls/SV-238339.rb", "line": 1 @@ -5188,9 +5412,11 @@ ], "nist": [ "SC-28 (1)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238365' do\n title \"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\nmodification of all information at rest. \"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n$\nsudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000404-GPOS-00183 '\n tag gid: 'V-238365 '\n tag rid: 'SV-238365r853442_rule '\n tag stig_id: 'UBTU-20-010444 '\n tag fix_id: 'F-41534r654269_fix '\n tag cci: ['CCI-002475']\n tag nist: ['SC-28 (1)']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n", + "code": "control 'SV-238365' do\n title \"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\nmodification of all information at rest. \"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n$\nsudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000404-GPOS-00183 '\n tag gid: 'V-238365 '\n tag rid: 'SV-238365r853442_rule '\n tag stig_id: 'UBTU-20-010444 '\n tag fix_id: 'F-41534r654269_fix '\n tag cci: ['CCI-002475']\n tag nist: ['SC-28 (1)']\n tag 'host', 'container'\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n", "source_location": { "ref": "./controls/SV-238365.rb", "line": 1 @@ -5219,9 +5445,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238256' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-agent command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-agent\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep '/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-agent\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238256 '\n tag rid: 'SV-238256r653943_rule '\n tag stig_id: 'UBTU-20-010140 '\n tag fix_id: 'F-41425r653942_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/ssh-agent'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238256' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the ssh-agent command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"ssh-agent\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep '/usr/bin/ssh-agent'\n\n-a always,exit -F\npath=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh\n\nIf the\ncommand does not return lines that match the example or the lines are commented out, this is a\nfinding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string\nafter it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"ssh-agent\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/ssh-agent -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh\n\nTo reload the rules file,\nissue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238256 '\n tag rid: 'SV-238256r653943_rule '\n tag stig_id: 'UBTU-20-010140 '\n tag fix_id: 'F-41425r653942_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/ssh-agent'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238256.rb", "line": 1 @@ -5250,9 +5477,11 @@ ], "nist": [ "AC-10" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238323' do\n title \"The Ubuntu operating system must limit the number of concurrent sessions to ten for all\naccounts and/or account types. \"\n desc \"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system. \"\n desc 'check', \"Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all\naccounts and/or account types by running the following command:\n\n$ grep maxlogins\n/etc/security/limits.conf | grep -v '^* hard maxlogins'\n\nThe result must contain the\nfollowing line:\n\n* hard maxlogins 10\n\nIf the \\\"maxlogins\\\" item is missing or the value is not\nset to 10 or less or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all\naccounts and/or account types.\n\nAdd the following line to the top of the\n\\\"/etc/security/limits.conf\\\" file:\n\n* hard maxlogins 10 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000027-GPOS-00008 '\n tag gid: 'V-238323 '\n tag rid: 'SV-238323r654144_rule '\n tag stig_id: 'UBTU-20-010400 '\n tag fix_id: 'F-41492r654143_fix '\n tag cci: ['CCI-000054']\n tag nist: ['AC-10']\n\n describe limits_conf do\n its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] }\n end\nend\n", + "code": "control 'SV-238323' do\n title \"The Ubuntu operating system must limit the number of concurrent sessions to ten for all\naccounts and/or account types. \"\n desc \"The Ubuntu operating system management includes the ability to control the number of users\nand user sessions that utilize an operating system. Limiting the number of allowed users and\nsessions per user is helpful in reducing the risks related to DoS attacks.\n\nThis requirement\naddresses concurrent sessions for information system accounts and does not address\nconcurrent sessions by single users via multiple system accounts. The maximum number of\nconcurrent sessions should be defined based upon mission needs and the operational\nenvironment for each system. \"\n desc 'check', \"Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all\naccounts and/or account types by running the following command:\n\n$ grep maxlogins\n/etc/security/limits.conf | grep -v '^* hard maxlogins'\n\nThe result must contain the\nfollowing line:\n\n* hard maxlogins 10\n\nIf the \\\"maxlogins\\\" item is missing or the value is not\nset to 10 or less or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all\naccounts and/or account types.\n\nAdd the following line to the top of the\n\\\"/etc/security/limits.conf\\\" file:\n\n* hard maxlogins 10 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000027-GPOS-00008 '\n tag gid: 'V-238323 '\n tag rid: 'SV-238323r654144_rule '\n tag stig_id: 'UBTU-20-010400 '\n tag fix_id: 'F-41492r654143_fix '\n tag cci: ['CCI-000054']\n tag nist: ['AC-10']\n tag 'host', 'container'\n\n describe limits_conf do\n its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] }\n end\nend\n", "source_location": { "ref": "./controls/SV-238323.rb", "line": 1 @@ -5281,9 +5510,10 @@ ], "nist": [ "CM-7 b" - ] + ], + "host": null }, - "code": "control 'SV-238328' do\n title \"The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. \"\n desc \"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding. \"\n desc 'fix', \"Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \\\"in\\\" or \\\"out\\\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000096-GPOS-00050 '\n tag gid: 'V-238328 '\n tag rid: 'SV-238328r654159_rule '\n tag stig_id: 'UBTU-20-010407 '\n tag fix_id: 'F-41497r654158_fix '\n tag cci: ['CCI-000382']\n tag nist: ['CM-7 b']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n ufw_status = command('ufw status').stdout.strip.lines.first\n value = ufw_status.split(':')[1].strip\n\n describe 'UFW status' do\n subject { value }\n it { should cmp 'active' }\n end\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\n end\nend\n", + "code": "control 'SV-238328' do\n title \"The Ubuntu operating system must be configured to prohibit or restrict the use of functions,\nports, protocols, and/or services, as defined in the PPSM CAL and vulnerability\nassessments. \"\n desc \"In order to prevent unauthorized connection of devices, unauthorized transfer of\ninformation, or unauthorized tunneling (i.e., embedding of data types within data types),\norganizations must disable or restrict unused or unnecessary physical and logical\nports/protocols on information systems.\n\nOperating systems are capable of providing a\nwide variety of functions and services. Some of the functions and services provided by\ndefault may not be necessary to support essential organizational operations.\nAdditionally, it is sometimes convenient to provide multiple services from a single\ncomponent (e.g., VPN and IPS); however, doing so increases risk over limiting the services\nprovided by any one component.\n\nTo support the requirements and principles of least\nfunctionality, the operating system must support the organizational requirements,\nproviding only essential capabilities and limiting the use of ports, protocols, and/or\nservices to only those required, authorized, and approved to conduct official business or to\naddress authorized quality of life issues. \"\n desc 'check', \"Verify the Ubuntu operating system is configured to prohibit or restrict the use of\nfunctions, ports, protocols, and/or services as defined in the Ports, Protocols, and\nServices Management (PPSM) Category Assignments List (CAL) and vulnerability\nassessments.\n\nCheck the firewall configuration for any unnecessary or prohibited\nfunctions, ports, protocols, and/or services by running the following command:\n\n$ sudo ufw\nshow raw\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt sources destination\nChain INPUT\n(policy ACCEPT 1 packets, 40 bytes)\n pkts bytes target prot opt in out source destination\n\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source\ndestination\n\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in\nout source destination\n\nAsk the System Administrator\n for the site or program PPSM CLSA.\nVerify the services allowed by the firewall match the PPSM CLSA.\n\nIf there are any additional\nports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf\nthere are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a\nfinding. \"\n desc 'fix', \"Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command:\n\n\n$ sudo ufw allow <direction> <port/protocol/service>\n\nwhere the\ndirection is \\\"in\\\" or \\\"out\\\" and the port is the one corresponding to the protocol or service\nallowed.\n\nTo deny access to ports, protocols, or services, use:\n\n$ sudo ufw deny\n<direction> <port/protocol/service> \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000096-GPOS-00050 '\n tag gid: 'V-238328 '\n tag rid: 'SV-238328r654159_rule '\n tag stig_id: 'UBTU-20-010407 '\n tag fix_id: 'F-41497r654158_fix '\n tag cci: ['CCI-000382']\n tag nist: ['CM-7 b']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n ufw_status = command('ufw status').stdout.strip.lines.first\n value = ufw_status.split(':')[1].strip\n\n describe 'UFW status' do\n subject { value }\n it { should cmp 'active' }\n end\n describe 'Status listings for any allowed services, ports, or applications must be documented with the organization' do\n skip 'Status listings checks must be preformed manually'\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238328.rb", "line": 1 @@ -5312,9 +5542,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238278' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"sudoedit\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudoedit\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238278 '\n tag rid: 'SV-238278r654009_rule '\n tag stig_id: 'UBTU-20-010162 '\n tag fix_id: 'F-41447r654008_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudoedit'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238278' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the sudoedit command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nattempts to use the \\\"sudoedit\\\" command.\n\nCheck the configured audit rules with the\nfollowing commands:\n\n$ sudo auditctl -l | grep /usr/bin/sudoedit\n\n-a always,exit -F\npath=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd\n\nIf the command\ndoes not return a line that matches the example or the line is commented out, this is a finding.\n\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does\nnot need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \\\"sudoedit\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\":\n\n-a always,exit -F path=/usr/bin/sudoedit -F perm=x\n-F auid>=1000 -F auid!=4294967295 -k priv_cmd\n\nTo reload the rules file, issue the\nfollowing command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238278 '\n tag rid: 'SV-238278r654009_rule '\n tag stig_id: 'UBTU-20-010162 '\n tag fix_id: 'F-41447r654008_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/sudoedit'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238278.rb", "line": 1 @@ -5343,9 +5574,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238252' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"su\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x -F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \\\"su\\\" command occur.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238252 '\n tag rid: 'SV-238252r653931_rule '\n tag stig_id: 'UBTU-20-010136 '\n tag fix_id: 'F-41421r653930_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/su'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238252' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the su command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records upon successful/unsuccessful\nattempts to use the \\\"su\\\" command.\n\nCheck the configured audit rules with the following\ncommands:\n\n$ sudo auditctl -l | grep '/bin/su'\n\n-a always,exit -F path=/bin/su -F perm=x -F\nauid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\nIf the command does not\nreturn lines that match the example or the lines are commented out, this is a finding.\n\nNote:\nThe \\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need\nto match the example output above. \"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records when\nsuccessful/unsuccessful attempts to use the \\\"su\\\" command occur.\n\nAdd or update the\nfollowing rules in the \\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change\n\n\nTo reload the rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238252 '\n tag rid: 'SV-238252r653931_rule '\n tag stig_id: 'UBTU-20-010136 '\n tag fix_id: 'F-41421r653930_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/bin/su'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n its('action.uniq') { should eq ['always'] }\n its('list.uniq') { should eq ['exit'] }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238252.rb", "line": 1 @@ -5374,9 +5606,11 @@ ], "nist": [ "SI-16" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238369' do\n title \"The Ubuntu operating system must implement address space layout randomization to protect\nits memory from unauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the Ubuntu operating system implements address space layout randomization (ASLR)\nwith the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\n\nkernel.randomize_va_space = 2\n\nIf nothing is returned, verify the kernel parameter\n\\\"randomize_va_space\\\" is set to \\\"2\\\" with the following command:\n\n$ cat\n/proc/sys/kernel/randomize_va_space\n\n2\n\nIf \\\"kernel.randomize_va_space\\\" is not set to\n\\\"2\\\", this is a finding.\n\nVerify that a saved value of the \\\"kernel.randomize_va_space\\\"\nvariable is not defined.\n\n$ sudo egrep -R \\\"^kernel.randomize_va_space=[^2]\\\"\n/etc/sysctl.conf /etc/sysctl.d\n\nIf this returns a result, this is a finding. \"\n desc 'fix', \"Remove the \\\"kernel.randomize_va_space\\\" entry found in the \\\"/etc/sysctl.conf\\\" file or any\nfile located in the \\\"/etc/sysctl.d/\\\" directory.\n\nAfter the line has been removed, the\nkernel settings from all system configuration files must be reloaded before any of the\nchanges will take effect. Run the following command to reload all of the kernel system\nconfiguration files:\n\n$ sudo sysctl --system \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00193 '\n tag gid: 'V-238369 '\n tag rid: 'SV-238369r853446_rule '\n tag stig_id: 'UBTU-20-010448 '\n tag fix_id: 'F-41538r654281_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n\n describe kernel_parameter('kernel.randomize_va_space') do\n its('value') { should cmp 2 }\n end\nend\n", + "code": "control 'SV-238369' do\n title \"The Ubuntu operating system must implement address space layout randomization to protect\nits memory from unauthorized code execution. \"\n desc \"Some adversaries launch attacks with the intent of executing code in non-executable regions\nof memory or in memory locations that are prohibited. Security safeguards employed to\nprotect memory include, for example, data execution prevention and address space layout\nrandomization. Data execution prevention safeguards can either be hardware-enforced or\nsoftware-enforced with hardware providing the greater strength of mechanism.\n\nExamples\nof attacks are buffer overflow attacks. \"\n desc 'check', \"Verify the Ubuntu operating system implements address space layout randomization (ASLR)\nwith the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\n\nkernel.randomize_va_space = 2\n\nIf nothing is returned, verify the kernel parameter\n\\\"randomize_va_space\\\" is set to \\\"2\\\" with the following command:\n\n$ cat\n/proc/sys/kernel/randomize_va_space\n\n2\n\nIf \\\"kernel.randomize_va_space\\\" is not set to\n\\\"2\\\", this is a finding.\n\nVerify that a saved value of the \\\"kernel.randomize_va_space\\\"\nvariable is not defined.\n\n$ sudo egrep -R \\\"^kernel.randomize_va_space=[^2]\\\"\n/etc/sysctl.conf /etc/sysctl.d\n\nIf this returns a result, this is a finding. \"\n desc 'fix', \"Remove the \\\"kernel.randomize_va_space\\\" entry found in the \\\"/etc/sysctl.conf\\\" file or any\nfile located in the \\\"/etc/sysctl.d/\\\" directory.\n\nAfter the line has been removed, the\nkernel settings from all system configuration files must be reloaded before any of the\nchanges will take effect. Run the following command to reload all of the kernel system\nconfiguration files:\n\n$ sudo sysctl --system \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000433-GPOS-00193 '\n tag gid: 'V-238369 '\n tag rid: 'SV-238369r853446_rule '\n tag stig_id: 'UBTU-20-010448 '\n tag fix_id: 'F-41538r654281_fix '\n tag cci: ['CCI-002824']\n tag nist: ['SI-16']\n tag 'host', 'container'\n\n describe kernel_parameter('kernel.randomize_va_space') do\n its('value') { should cmp 2 }\n end\nend\n", "source_location": { "ref": "./controls/SV-238369.rb", "line": 1 @@ -5405,9 +5639,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238315' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238315 '\n tag rid: 'SV-238315r654120_rule '\n tag stig_id: 'UBTU-20-010277 '\n tag fix_id: 'F-41484r654119_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238315' do\n title 'The Ubuntu operating system must generate audit records for the /var/log/wtmp file. '\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records showing start and stop times for\nuser access to the system via the \\\"/var/log/wtmp\\\" file.\n\nCheck the currently configured\naudit rules with the following command:\n\n$ sudo auditctl -l | grep '/var/log/wtmp'\n\n-w\n/var/log/wtmp -p wa -k logins\n\nIf the command does not return a line matching the example or\nthe line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above. \"\n desc 'fix', \"Configure the audit system to generate audit events showing start and stop times for user\naccess via the \\\"/var/log/wtmp\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/wtmp -p wa -k logins\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000472-GPOS-00217 '\n tag gid: 'V-238315 '\n tag rid: 'SV-238315r654120_rule '\n tag stig_id: 'UBTU-20-010277 '\n tag fix_id: 'F-41484r654119_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/wtmp'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238315.rb", "line": 1 @@ -5436,9 +5671,11 @@ ], "nist": [ "CM-5 (3)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238359' do\n title \"The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a certificate that is\nrecognized and approved by the organization. \"\n desc \"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA. \"\n desc 'check', \"Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \\\"AllowUnauthenticated\\\" variable is not set at all or is set to \\\"false\\\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \\\"false\\\";\n\n\nIf any of the files returned from the command with \\\"AllowUnauthenticated\\\" are set to \\\"true\\\",\nthis is a finding. \"\n desc 'fix', \"Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \\\"AllowUnauthenticated\\\" to \\\"false\\\",\nor remove \\\"AllowUnauthenticated\\\" entirely from each file. Below is an example of setting the\n\\\"AllowUnauthenticated\\\" variable to \\\"false\\\":\n\nAPT::Get::AllowUnauthenticated\n\\\"false\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000366-GPOS-00153 '\n tag gid: 'V-238359 '\n tag rid: 'SV-238359r853434_rule '\n tag stig_id: 'UBTU-20-010438 '\n tag fix_id: 'F-41528r654251_fix '\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n apt_allowunauth = command('grep -i allowunauth /etc/apt/apt.conf.d/*').stdout.strip.split(\"\\n\")\n if apt_allowunauth.empty?\n describe 'apt conf files do not contain AllowUnauthenticated' do\n subject { apt_allowunauth.empty? }\n it { should be true }\n end\n else\n apt_allowunauth.each do |line|\n describe \"#{line} contains AllowUnauthenctication\" do\n subject { line }\n it { should_not match(/.*false.*/) }\n end\n end\n end\nend\n", + "code": "control 'SV-238359' do\n title \"The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the\ninstallation of patches, service packs, device drivers, or Ubuntu operating system\ncomponents without verification they have been digitally signed using a certificate that is\nrecognized and approved by the organization. \"\n desc \"Changes to any software components can have significant effects on the overall security of\nthe operating system. This requirement ensures the software has not been tampered with and\nthat it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device\ndrivers, or operating system components must be signed with a certificate recognized and\napproved by the organization.\n\nVerifying the authenticity of the software prior to\ninstallation validates the integrity of the patch or upgrade received from a vendor. This\nensures the software has not been tampered with and that it has been provided by a trusted\nvendor. Self-signed certificates are disallowed by this requirement. The operating system\nshould not have to verify the software again. This requirement does not mandate DoD\ncertificates for this purpose; however, the certificate used to verify the software must be\nfrom an approved CA. \"\n desc 'check', \"Verify that APT is configured to prevent the installation of patches, service packs, device\ndrivers, or Ubuntu operating system components without verification they have been\ndigitally signed using a certificate that is recognized and approved by the organization.\n\n\nCheck that the \\\"AllowUnauthenticated\\\" variable is not set at all or is set to \\\"false\\\" with the\nfollowing command:\n\n$ grep AllowUnauthenticated /etc/apt/apt.conf.d/*\n\n/etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated \\\"false\\\";\n\n\nIf any of the files returned from the command with \\\"AllowUnauthenticated\\\" are set to \\\"true\\\",\nthis is a finding. \"\n desc 'fix', \"Configure APT to prevent the installation of patches, service packs, device drivers, or\nUbuntu operating system components without verification they have been digitally signed\nusing a certificate that is recognized and approved by the organization.\n\nRemove/update\nany APT configuration files that contain the variable \\\"AllowUnauthenticated\\\" to \\\"false\\\",\nor remove \\\"AllowUnauthenticated\\\" entirely from each file. Below is an example of setting the\n\\\"AllowUnauthenticated\\\" variable to \\\"false\\\":\n\nAPT::Get::AllowUnauthenticated\n\\\"false\\\"; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000366-GPOS-00153 '\n tag gid: 'V-238359 '\n tag rid: 'SV-238359r853434_rule '\n tag stig_id: 'UBTU-20-010438 '\n tag fix_id: 'F-41528r654251_fix '\n tag cci: ['CCI-001749']\n tag nist: ['CM-5 (3)']\n tag 'host', 'container'\n\n describe directory('/etc/apt/apt.conf.d') do\n it { should exist }\n end\n\n apt_allowunauth = command('grep -i allowunauth /etc/apt/apt.conf.d/*').stdout.strip.split(\"\\n\")\n if apt_allowunauth.empty?\n describe 'apt conf files do not contain AllowUnauthenticated' do\n subject { apt_allowunauth.empty? }\n it { should be true }\n end\n else\n apt_allowunauth.each do |line|\n describe \"#{line} contains AllowUnauthenctication\" do\n subject { line }\n it { should_not match(/.*false.*/) }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238359.rb", "line": 1 @@ -5467,9 +5704,11 @@ ], "nist": [ "CM-3 (5)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238358' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the oper \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ grep SILENTREPORTS /etc/default/aide\n\nSILENTREPORTS=no\n\n\nIf SILENTREPORTS is commented out, this is a finding.\n\nIf SILENTREPORTS is set to \\\"yes\\\",\nthis is a finding.\n\nIf SILENTREPORTS is not set to \\\"no\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000363-GPOS-00150 '\n tag gid: 'V-238358 '\n tag rid: 'SV-238358r853433_rule '\n tag stig_id: 'UBTU-20-010437 '\n tag fix_id: 'F-41527r654248_fix '\n tag cci: ['CCI-001744']\n tag nist: ['CM-3 (5)']\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n", + "code": "control 'SV-238358' do\n title \"The Ubuntu operating system must notify designated personnel if baseline configurations\nare changed in an unauthorized manner. The file integrity tool must notify the System\nAdministrator when changes to the baseline configuration or anomalies in the oper \"\n desc \"Unauthorized changes to the baseline configuration could make the system vulnerable to\nvarious attacks or allow unauthorized access to the operating system. Changes to operating\nsystem configurations can have unintended side effects, some of which may be relevant to\nsecurity.\n\nDetecting such changes and providing an automated response can help avoid\nunintended, negative consequences that could ultimately affect the security state of the\noperating system. The operating system's IMO/ISSO and SAs must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item. \"\n desc 'check', \"Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System\nAdministrator\n when anomalies in the operation of any security functions are discovered\nwith the following command:\n\n$ grep SILENTREPORTS /etc/default/aide\n\nSILENTREPORTS=no\n\n\nIf SILENTREPORTS is commented out, this is a finding.\n\nIf SILENTREPORTS is set to \\\"yes\\\",\nthis is a finding.\n\nIf SILENTREPORTS is not set to \\\"no\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to notify designated personnel if baseline\nconfigurations are changed in an unauthorized manner.\n\nModify the \\\"SILENTREPORTS\\\"\nparameter in the \\\"/etc/default/aide\\\" file with a value of \\\"no\\\" if it does not already exist. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000363-GPOS-00150 '\n tag gid: 'V-238358 '\n tag rid: 'SV-238358r853433_rule '\n tag stig_id: 'UBTU-20-010437 '\n tag fix_id: 'F-41527r654248_fix '\n tag cci: ['CCI-001744']\n tag nist: ['CM-3 (5)']\n tag 'host', 'container'\n\n describe file('/etc/default/aide') do\n it { should exist }\n its('content') { should match '^SILENTREPORTS=no$' }\n end\nend\n", "source_location": { "ref": "./controls/SV-238358.rb", "line": 1 @@ -5498,9 +5737,11 @@ ], "nist": [ "SI-11 b" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238343' do\n title \"The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file with mode\n0640 or less permissive by running the following command:\n\n$ sudo stat -c \\\"%n %a\\\"\n/var/log/syslog\n\n/var/log/syslog 640\n\nIf a value of \\\"640\\\" or less permissive is not\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0640 for the \\\"/var/log/syslog\\\"\nfile by running the following command:\n\n$ sudo chmod 0640 /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238343 '\n tag rid: 'SV-238343r654204_rule '\n tag stig_id: 'UBTU-20-010422 '\n tag fix_id: 'F-41512r654203_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n\n describe file('/var/log/syslog') do\n it { should_not be_more_permissive_than('0640') }\n end\nend\n", + "code": "control 'SV-238343' do\n title \"The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less\npermissive. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file with mode\n0640 or less permissive by running the following command:\n\n$ sudo stat -c \\\"%n %a\\\"\n/var/log/syslog\n\n/var/log/syslog 640\n\nIf a value of \\\"640\\\" or less permissive is not\nreturned, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have permissions of 0640 for the \\\"/var/log/syslog\\\"\nfile by running the following command:\n\n$ sudo chmod 0640 /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238343 '\n tag rid: 'SV-238343r654204_rule '\n tag stig_id: 'UBTU-20-010422 '\n tag fix_id: 'F-41512r654203_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host', 'container'\n\n describe file('/var/log/syslog') do\n it { should_not be_more_permissive_than('0640') }\n end\nend\n", "source_location": { "ref": "./controls/SV-238343.rb", "line": 1 @@ -5529,9 +5770,11 @@ ], "nist": [ "IA-5 (1) (a)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238221' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nupper-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none upper-case character be used.\n\nDetermine if the field \\\"ucredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"ucredit\\\"\n/etc/security/pwquality.conf\nucredit=-1\n\nIf the \\\"ucredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"ucredit\\\" parameter:\n\n\nucredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000069-GPOS-00037 '\n tag gid: 'V-238221 '\n tag rid: 'SV-238221r653838_rule '\n tag stig_id: 'UBTU-20-010050 '\n tag fix_id: 'F-41390r653837_fix '\n tag cci: ['CCI-000192']\n tag nist: ['IA-5 (1) (a)']\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ucredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", + "code": "control 'SV-238221' do\n title \"The Ubuntu operating system must enforce password complexity by requiring that at least one\nupper-case character be used. \"\n desc \"Use of a complex password helps to increase the time and resources required to compromise the\npassword. Password complexity, or strength, is a measure of the effectiveness of a password\nin resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one\nfactor of several that determines how long it takes to crack a password. The more complex the\npassword, the greater the number of possible combinations that need to be tested before the\npassword is compromised. \"\n desc 'check', \"Verify the Ubuntu operating system enforces password complexity by requiring that at least\none upper-case character be used.\n\nDetermine if the field \\\"ucredit\\\" is set in the\n\\\"/etc/security/pwquality.conf\\\" file with the following command:\n\n$ grep -i \\\"ucredit\\\"\n/etc/security/pwquality.conf\nucredit=-1\n\nIf the \\\"ucredit\\\" parameter is greater than\n\\\"-1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Add or update the \\\"/etc/security/pwquality.conf\\\" file to contain the \\\"ucredit\\\" parameter:\n\n\nucredit=-1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000069-GPOS-00037 '\n tag gid: 'V-238221 '\n tag rid: 'SV-238221r653838_rule '\n tag stig_id: 'UBTU-20-010050 '\n tag fix_id: 'F-41390r653837_fix '\n tag cci: ['CCI-000192']\n tag nist: ['IA-5 (1) (a)']\n tag 'host', 'container'\n\n config_file = '/etc/security/pwquality.conf'\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('ucredit') { should cmp '-1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238221.rb", "line": 1 @@ -5566,9 +5809,10 @@ "nist": [ "AU-9 a", "AU-9" - ] + ], + "host": null }, - "code": "control 'SV-238300' do\n title 'The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to have a file permission of\n0755 or less to prevent unauthorized access by running the following command:\n\n$ stat -c \\\"%n\n%a\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl 755\n/sbin/aureport 755\n\n/sbin/ausearch 755\n/sbin/autrace 755\n/sbin/auditd 755\n/sbin/audispd 755\n\n/sbin/augenrules 755\n\nIf any of the audit tools have a mode more permissive than 0755, this\nis a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n$ sudo chmod\n0755 [audit_tool]\n\nReplace \\\"[audit_tool]\\\" with the audit tool that does not have the\ncorrect permissions. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238300 '\n tag rid: 'SV-238300r654075_rule '\n tag stig_id: 'UBTU-20-010199 '\n tag fix_id: 'F-41469r654074_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n end\nend\n", + "code": "control 'SV-238300' do\n title 'The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to have a file permission of\n0755 or less to prevent unauthorized access by running the following command:\n\n$ stat -c \\\"%n\n%a\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd\n/sbin/audispd /sbin/augenrules\n\n/sbin/auditctl 755\n/sbin/aureport 755\n\n/sbin/ausearch 755\n/sbin/autrace 755\n/sbin/auditd 755\n/sbin/audispd 755\n\n/sbin/augenrules 755\n\nIf any of the audit tools have a mode more permissive than 0755, this\nis a finding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the correct permissive mode using the following command:\n\n$ sudo chmod\n0755 [audit_tool]\n\nReplace \\\"[audit_tool]\\\" with the audit tool that does not have the\ncorrect permissions. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238300 '\n tag rid: 'SV-238300r654075_rule '\n tag stig_id: 'UBTU-20-010199 '\n tag fix_id: 'F-41469r654074_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n it { should_not be_more_permissive_than('0755') }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238300.rb", "line": 1 @@ -5597,9 +5841,11 @@ ], "nist": [ "SC-28 (1)" - ] + ], + "host": null, + "container": null }, - "code": "control 'SV-238366' do\n title \"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\ndisclosure of all information at rest. \"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n$sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000405-GPOS-00184 '\n tag gid: 'V-238366 '\n tag rid: 'SV-238366r853443_rule '\n tag stig_id: 'UBTU-20-010445 '\n tag fix_id: 'F-41535r654272_fix '\n tag cci: ['CCI-002476']\n tag nist: ['SC-28 (1)']\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n", + "code": "control 'SV-238366' do\n title \"Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized\ndisclosure of all information at rest. \"\n desc \"Operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect\nthe integrity of organizational information. The strength of the mechanism is commensurate\nwith the security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full disk\nencryption) or encrypt specific data structures (e.g., files, records, or fields). \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n$sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify that the system partitions\nare all encrypted with the following command:\n\n$ more /etc/crypttab\n\nEvery persistent\ndisk partition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000405-GPOS-00184 '\n tag gid: 'V-238366 '\n tag rid: 'SV-238366r853443_rule '\n tag stig_id: 'UBTU-20-010445 '\n tag fix_id: 'F-41535r654272_fix '\n tag cci: ['CCI-002476']\n tag nist: ['SC-28 (1)']\n tag 'host', 'container'\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n", "source_location": { "ref": "./controls/SV-238366.rb", "line": 1 @@ -5628,9 +5874,10 @@ ], "nist": [ "AC-9" - ] + ], + "host": null }, - "code": "control 'SV-238373' do\n title \"The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. \"\n desc \"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections. \"\n desc 'check', \"Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\\\"pam_lastlog\\\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \\\"pam_lastlog\\\" is\nmissing from \\\"/etc/pam.d/login\\\" file, is not \\\"required\\\", or the \\\"silent\\\" option is present,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\\\"/etc/pam.d/login\\\".\n\nAdd the following line to the top of \\\"/etc/pam.d/login\\\":\n\nsession\nrequired pam_lastlog.so showfailed \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238373 '\n tag rid: 'SV-238373r858539_rule '\n tag stig_id: 'UBTU-20-010453 '\n tag fix_id: 'F-41542r654293_fix '\n tag cci: ['CCI-000052']\n tag nist: ['AC-9']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep pam_lastlog /etc/pam.d/login') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*session\\s+required\\s+pam_lastlog.so/) }\n its('stdout.strip') { should_not match(/^\\s*session\\s+required\\s+pam_lastlog.so[\\s\\w\\d\\=]+.*silent/) }\n end\n end\nend\n", + "code": "control 'SV-238373' do\n title \"The Ubuntu operating system must display the date and time of the last successful account\nlogon upon logon. \"\n desc \"Configuration settings are the set of parameters that can be changed in hardware, software,\nor firmware components of the system that affect the security posture and/or functionality\nof the system. Security-related parameters are those parameters impacting the security\nstate of the system, including the parameters required to satisfy other security control\nrequirements. Security-related parameters include, for example: registry settings;\naccount, file, directory permission settings; and settings for functions, ports,\nprotocols, services, and remote connections. \"\n desc 'check', \"Verify users are provided with feedback on when account accesses last occurred.\n\nCheck that\n\\\"pam_lastlog\\\" is used and not silent with the following command:\n\n$ grep pam_lastlog\n/etc/pam.d/login\n\nsession required pam_lastlog.so showfailed\n\nIf \\\"pam_lastlog\\\" is\nmissing from \\\"/etc/pam.d/login\\\" file, is not \\\"required\\\", or the \\\"silent\\\" option is present,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to provide users with feedback on when account\naccesses last occurred by setting the required configuration options in\n\\\"/etc/pam.d/login\\\".\n\nAdd the following line to the top of \\\"/etc/pam.d/login\\\":\n\nsession\nrequired pam_lastlog.so showfailed \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000480-GPOS-00227 '\n tag gid: 'V-238373 '\n tag rid: 'SV-238373r858539_rule '\n tag stig_id: 'UBTU-20-010453 '\n tag fix_id: 'F-41542r654293_fix '\n tag cci: ['CCI-000052']\n tag nist: ['AC-9']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe command('grep pam_lastlog /etc/pam.d/login') do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should match(/^\\s*session\\s+required\\s+pam_lastlog.so/) }\n its('stdout.strip') { should_not match(/^\\s*session\\s+required\\s+pam_lastlog.so[\\s\\w\\d\\=]+.*silent/) }\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238373.rb", "line": 1 @@ -5659,9 +5906,10 @@ ], "nist": [ "AU-9 a" - ] + ], + "host": null }, - "code": "control 'SV-238248' do\n title \"The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. \"\n desc \"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity. \"\n desc 'check', \"Verify that the audit log directory has a mode of \\\"0750\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \\\"0750\\\" or less by\nusing the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \\\"0750\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory to have a mode of \\\"0750\\\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\\\"0750\\\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000059-GPOS-00029 '\n tag gid: 'V-238248 '\n tag rid: 'SV-238248r653919_rule '\n tag stig_id: 'UBTU-20-010128 '\n tag fix_id: 'F-41417r653918_fix '\n tag cci: ['CCI-000164']\n tag nist: ['AU-9 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n if log_dir_exists\n describe directory(File.dirname(log_file)) do\n it { should_not be_more_permissive_than('0750') }\n end\n else\n describe('Audit directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238248' do\n title \"The Ubuntu operating system must be configured so that the audit log directory is not\nwrite-accessible by unauthorized users. \"\n desc \"If audit information were to become compromised, then forensic analysis and discovery of the\ntrue source of potentially malicious system activity is impossible to achieve.\n\nTo ensure\nthe veracity of audit information, the operating system must protect audit information from\nunauthorized deletion. This requirement can be achieved through multiple methods, which\nwill depend upon system architecture and design.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit information system activity. \"\n desc 'check', \"Verify that the audit log directory has a mode of \\\"0750\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the directory has a mode of \\\"0750\\\" or less by\nusing the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit /var/log/audit/*\n\n/var/log/audit 750\n/var/log/audit/audit.log 600\n\nIf the audit log directory has a mode\nmore permissive than \\\"0750\\\", this is a finding. \"\n desc 'fix', \"Configure the audit log directory to have a mode of \\\"0750\\\" or less permissive.\n\nDetermine\nwhere the audit logs are stored with the following command:\n\n$ sudo grep -iw ^log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log directory to have a mode of\n\\\"0750\\\" or less permissive by\n using the following command:\n\n$ sudo chmod -R g-w,o-rwx\n/var/log/audit \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000059-GPOS-00029 '\n tag gid: 'V-238248 '\n tag rid: 'SV-238248r653919_rule '\n tag stig_id: 'UBTU-20-010128 '\n tag fix_id: 'F-41417r653918_fix '\n tag cci: ['CCI-000164']\n tag nist: ['AU-9 a']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_dir_exists = !log_file.nil? && !File.dirname(log_file).nil?\n if log_dir_exists\n describe directory(File.dirname(log_file)) do\n it { should_not be_more_permissive_than('0750') }\n end\n else\n describe('Audit directory for file ' + log_file + ' exists') do\n subject { log_dir_exists }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238248.rb", "line": 1 @@ -5690,9 +5938,10 @@ ], "nist": [ "AU-12 c" - ] + ], + "host": null }, - "code": "control 'SV-238293' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"crontab\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"crontab\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238293 '\n tag rid: 'SV-238293r654054_rule '\n tag stig_id: 'UBTU-20-010177 '\n tag fix_id: 'F-41462r654053_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/crontab'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", + "code": "control 'SV-238293' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the crontab command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"crontab\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w crontab\n\n-a always,exit -F path=/usr/bin/crontab -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-crontab\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. \"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"crontab\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/bin/crontab -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238293 '\n tag rid: 'SV-238293r654054_rule '\n tag stig_id: 'UBTU-20-010177 '\n tag fix_id: 'F-41462r654053_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/bin/crontab'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n", "source_location": { "ref": "./controls/SV-238293.rb", "line": 1 @@ -6871,7 +7120,7 @@ "id": "controls/SV-238293.rb" } ], - "sha256": "acac3e16219107e8b967ca6bff5c8058fea9f946555f96c508e75ae17ea020db", + "sha256": "49a941f616d5230dc51aa96770571b69ffcd137935214a7c433842a558c1c89e", "status_message": "", "status": "loaded", "generator": {